kiara/Fediversity
1
0
Fork 0
forked from Fediversity/Fediversity
Code Pull requests Activity

Make access and secret keys parameters

Browse source
This commit is contained in:
Nicolas Jeannerod 2025-02-14 19:01:54 +01:00
parent 1965e83e5d
commit b547912794
Signed by untrusted user: Niols
GPG key ID: 35DB9EC8886E1CB8
9 changed files with 93 additions and 42 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
deployment/flake-part.nix
View file

@ -80,7 +80,13 @@ in
fediversity = {
enable = true;
domain = "fedi101.abundos.eu";
pixelfed.enable = true;
pixelfed = {
enable = true;
## NOTE: Only ever used for testing anyway.
s3AccessKey = "GKb5615457d44214411e673b7b";
s3SecretKey = "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
};
};
};
@ -88,7 +94,13 @@ in
fediversity = {
enable = true;
domain = "fedi102.abundos.eu";
mastodon.enable = true;
mastodon = {
enable = true;
## NOTE: Only ever used for testing anyway.
s3AccessKey = "GK3515373e4c851ebaad366558";
s3SecretKey = "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
};
temp.cores = 1; # FIXME: should come from NixOps4 eventually
};
@ -102,9 +114,11 @@ in
domain = "fedi103.abundos.eu";
peertube = {
enable = true;
secretsFile = pkgs.writeText "secret" ''
574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24
'';
## NOTE: Only ever used for testing anyway.
secretsFile = pkgs.writeText "secret" "574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24";
s3AccessKey = "GK1f9feea9960f6f95ff404c9b";
s3SecretKey = "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
};
};
}

6
services/fediversity/garage/default.nix
View file

@ -83,13 +83,13 @@ let
ensureKeyScriptFn =
key:
{
id,
secret,
s3AccessKey,
s3SecretKey,
ensureAccess,
}:
''
## FIXME: Check whether the key exist and skip this step if that is the case. Get rid of this `|| :`
garage key import --yes -n ${escapeShellArg key} ${escapeShellArg id} ${escapeShellArg secret} || :
garage key import --yes -n ${escapeShellArg key} ${escapeShellArg s3AccessKey} ${escapeShellArg s3SecretKey} || :
${concatMapAttrs (ensureAccessScriptFn key) ensureAccess}
'';

4
services/fediversity/garage/options.nix
View file

@ -45,8 +45,8 @@ in
types.submodule {
# TODO: these should be managed as secrets, not in the nix store
options = {
id = mkOption { type = types.str; };
secret = mkOption { type = types.str; };
s3AccessKey = mkOption { type = types.str; };
s3SecretKey = mkOption { type = types.str; };
# TODO: assert at least one of these is true
# NOTE: this currently needs to be done at the top level module
ensureAccess = mkOption {

15
services/fediversity/mastodon/default.nix
View file

@ -1,10 +1,3 @@
let
snakeoil_key = {
id = "GK3515373e4c851ebaad366558";
secret = "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
};
in
{ config, lib, ... }:
{
@ -24,9 +17,10 @@ in
};
};
};
ensureKeys = {
mastodon = {
inherit (snakeoil_key) id secret;
inherit (config.fediversity.mastodon) s3AccessKey s3SecretKey;
ensureAccess = {
mastodon = {
read = true;
@ -37,6 +31,7 @@ in
};
};
};
services.mastodon = {
extraConfig = rec {
S3_ENABLED = "true";
@ -46,8 +41,8 @@ in
S3_BUCKET = "mastodon";
# use <S3_BUCKET>.<S3_ENDPOINT>
S3_OVERRIDE_PATH_STLE = "true";
AWS_ACCESS_KEY_ID = snakeoil_key.id;
AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
AWS_ACCESS_KEY_ID = config.fediversity.mastodon.s3AccessKey;
AWS_SECRET_ACCESS_KEY = config.fediversity.mastodon.s3SecretKey;
S3_PROTOCOL = "http";
S3_ALIAS_HOST = "${S3_BUCKET}.${config.fediversity.garage.web.rootDomain}";
# SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/

17
services/fediversity/mastodon/options.nix
View file

@ -9,6 +9,23 @@ in
options.fediversity.mastodon = {
enable = mkEnableOption "Enable a Mastodon server on the machine";
s3AccessKey = mkOption {
type = types.str;
description = ''
S3 access key
In AWS CLI, this would be AWS_ACCESS_KEY_ID.
'';
};
s3SecretKey = mkOption {
description = ''
S3 secret key
In AWS CLI, this would be AWS_SECRET_ACCESS_KEY.
'';
};
domain = mkOption {
type = types.str;
description = "Internal option change at your own risk";

14
services/fediversity/peertube/default.nix
View file

@ -1,10 +1,3 @@
let
snakeoil_key = {
id = "GK1f9feea9960f6f95ff404c9b";
secret = "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
};
in
{ config, lib, ... }:
{
@ -43,9 +36,10 @@ in
};
};
};
ensureKeys = {
peertube = {
inherit (snakeoil_key) id secret;
inherit (config.fediversity.peertube) s3AccessKey s3SecretKey;
ensureAccess = {
peertube-videos = {
read = true;
@ -104,8 +98,8 @@ in
serviceEnvironmentFile = "/etc/peertube-env";
};
environment.etc.peertube-env.text = ''
AWS_ACCESS_KEY_ID=${snakeoil_key.id}
AWS_SECRET_ACCESS_KEY=${snakeoil_key.secret}
AWS_ACCESS_KEY_ID=${config.fediversity.peertube.s3AccessKey}
AWS_SECRET_ACCESS_KEY=${config.fediversity.peertube.s3SecretKey}
'';
## Proxying through Nginx

17
services/fediversity/peertube/options.nix
View file

@ -9,6 +9,23 @@ in
options.fediversity.peertube = {
enable = mkEnableOption "Enable a PeerTube server on the machine";
s3AccessKey = mkOption {
type = types.str;
description = ''
S3 access key
In AWS CLI, this would be AWS_ACCESS_KEY_ID.
'';
};
s3SecretKey = mkOption {
description = ''
S3 secret key
In AWS CLI, this would be AWS_SECRET_ACCESS_KEY.
'';
};
domain = mkOption {
type = types.str;
description = "Internal option change at your own risk";

21
services/fediversity/pixelfed/default.nix
View file

@ -1,10 +1,3 @@
let
snakeoil_key = {
id = "GKb5615457d44214411e673b7b";
secret = "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
};
in
{
config,
lib,
@ -12,10 +5,14 @@ in
...
}:
let
inherit (lib) mkIf;
in
{
imports = [ ./options.nix ];
config = lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
config = mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
fediversity.garage = {
ensureBuckets = {
pixelfed = {
@ -29,9 +26,10 @@ in
};
};
};
ensureKeys = {
pixelfed = {
inherit (snakeoil_key) id secret;
inherit (config.fediversity.pixelfed) s3AccessKey s3SecretKey;
ensureAccess = {
pixelfed = {
read = true;
@ -70,11 +68,10 @@ in
## `fediversity.openRegistration` option.
OPEN_REGISTRATION = true;
# DANGEROUSLY_SET_FILESYSTEM_DRIVER = "s3";
FILESYSTEM_CLOUD = "s3";
PF_ENABLE_CLOUD = true;
AWS_ACCESS_KEY_ID = snakeoil_key.id;
AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
AWS_ACCESS_KEY_ID = config.fediversity.pixelfed.s3AccessKey;
AWS_SECRET_ACCESS_KEY = config.fediversity.pixelfed.s3SecretKey;
AWS_DEFAULT_REGION = "garage";
AWS_URL = config.fediversity.garage.web.urlForBucket "pixelfed";
AWS_BUCKET = "pixelfed";

17
services/fediversity/pixelfed/options.nix
View file

@ -9,6 +9,23 @@ in
options.fediversity.pixelfed = {
enable = mkEnableOption "Enable a Pixelfed server on the machine";
s3AccessKey = mkOption {
type = types.str;
description = ''
S3 access key
In AWS CLI, this would be AWS_ACCESS_KEY_ID.
'';
};
s3SecretKey = mkOption {
description = ''
S3 secret key
In AWS CLI, this would be AWS_SECRET_ACCESS_KEY.
'';
};
domain = mkOption {
type = types.str;
description = "Internal option change at your own risk";