From b547912794b09a47c0d3ce1ad71f084ee68bab0a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 14 Feb 2025 19:01:54 +0100 Subject: [PATCH] Make access and secret keys parameters --- deployment/flake-part.nix | 24 ++++++++++++++++++----- services/fediversity/garage/default.nix | 6 +++--- services/fediversity/garage/options.nix | 4 ++-- services/fediversity/mastodon/default.nix | 15 +++++--------- services/fediversity/mastodon/options.nix | 17 ++++++++++++++++ services/fediversity/peertube/default.nix | 14 ++++--------- services/fediversity/peertube/options.nix | 17 ++++++++++++++++ services/fediversity/pixelfed/default.nix | 21 +++++++++----------- services/fediversity/pixelfed/options.nix | 17 ++++++++++++++++ 9 files changed, 93 insertions(+), 42 deletions(-) diff --git a/deployment/flake-part.nix b/deployment/flake-part.nix index a0e42ae5..d215a22b 100644 --- a/deployment/flake-part.nix +++ b/deployment/flake-part.nix @@ -80,7 +80,13 @@ in fediversity = { enable = true; domain = "fedi101.abundos.eu"; - pixelfed.enable = true; + pixelfed = { + enable = true; + + ## NOTE: Only ever used for testing anyway. + s3AccessKey = "GKb5615457d44214411e673b7b"; + s3SecretKey = "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987"; + }; }; }; @@ -88,7 +94,13 @@ in fediversity = { enable = true; domain = "fedi102.abundos.eu"; - mastodon.enable = true; + mastodon = { + enable = true; + + ## NOTE: Only ever used for testing anyway. + s3AccessKey = "GK3515373e4c851ebaad366558"; + s3SecretKey = "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34"; + }; temp.cores = 1; # FIXME: should come from NixOps4 eventually }; 
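Review bot: The `s3SecretKey = "5be6799a…"` literal added under `pixelfed` is a working Garage credential, and because the option is a plain string it is interpolated into service configuration that NixOS materialises in the world-readable Nix store on the deployed host (the later `environment.etc.peertube-env.text` hunk shows the pattern), so `## NOTE: Only ever used for testing anyway.` understates what a reader needs to know. Suggest `## NOTE: Test-only Garage key pair. As a plain string it ends up world-readable in the Nix store; never reuse it outside these test machines.` The same applies to the `mastodon` block in the following hunk. These values look like the former hard-coded `snakeoil_key` pairs deleted later in the patch, so they stay in repository history regardless of where they are declared.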
@@ -102,9 +114,11 @@ in domain = "fedi103.abundos.eu"; peertube = { enable = true; - secretsFile = pkgs.writeText "secret" '' - 574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24 - ''; + + ## NOTE: Only ever used for testing anyway. + secretsFile = pkgs.writeText "secret" "574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24"; + s3AccessKey = "GK1f9feea9960f6f95ff404c9b"; + s3SecretKey = "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395"; }; }; } diff --git a/services/fediversity/garage/default.nix b/services/fediversity/garage/default.nix index 51910164..da0a7e46 100644 --- a/services/fediversity/garage/default.nix +++ b/services/fediversity/garage/default.nix @@ -83,13 +83,13 @@ let ensureKeyScriptFn = key: { - id, - secret, + s3AccessKey, + s3SecretKey, ensureAccess, }: '' ## FIXME: Check whether the key exist and skip this step if that is the case. Get rid of this `|| :` - garage key import --yes -n ${escapeShellArg key} ${escapeShellArg id} ${escapeShellArg secret} || : + garage key import --yes -n ${escapeShellArg key} ${escapeShellArg s3AccessKey} ${escapeShellArg s3SecretKey} || : ${concatMapAttrs (ensureAccessScriptFn key) ensureAccess} ''; diff --git a/services/fediversity/garage/options.nix b/services/fediversity/garage/options.nix index ad3d5551..c93534e5 100644 --- a/services/fediversity/garage/options.nix +++ b/services/fediversity/garage/options.nix @@ -45,8 +45,8 @@ in types.submodule { # TODO: these should be managed as secrets, not in the nix store options = { - id = mkOption { type = types.str; }; - secret = mkOption { type = types.str; }; + s3AccessKey = mkOption { type = types.str; }; + s3SecretKey = mkOption { type = types.str; }; # TODO: assert at least one of these is true # NOTE: this currently needs to be done at the top level module ensureAccess = mkOption { diff --git a/services/fediversity/mastodon/default.nix b/services/fediversity/mastodon/default.nix index 083cf91b..cd1846a0 100644 
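Review bot: `s3SecretKey = "7295c420…"` is passed as an inline string while `secretsFile` two lines above it is passed as a path, so the peertube block now mixes two secret-handling models within the same attribute set. The S3 secret would fit the existing path-based model better (e.g. an `s3SecretKeyFile` read at activation time), which would also keep it out of the Nix store; if the string form is kept for now, the `## NOTE` should state that the value is world-readable once deployed. The enclosing attribute set starts outside the hunk.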
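Review bot: `garage key import ... ${escapeShellArg s3AccessKey} ${escapeShellArg s3SecretKey} || :` puts the secret key on the command line, where it is visible to every local user via the process list for the duration of the call, and the `|| :` then hides any failure of the import (including an existing key with a different secret), so a bad credential only surfaces when the service later fails to authenticate. If the pinned `garage` release can take the key from a file or stdin, prefer that; otherwise document the exposure next to the call, e.g. `## NOTE: the secret is passed as argv and is briefly visible in /proc/*/cmdline.` The existing FIXME about checking whether the key exists is also the right place to drop the `|| :` once that check is in.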
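Review bot: The renamed `s3AccessKey`/`s3SecretKey` options in the `ensureKeys` submodule carry no `description`, unlike their per-service counterparts introduced elsewhere in this patch, so generated option docs will show nothing for them. Suggest mirroring the service options: `s3AccessKey = mkOption { type = types.str; description = "Garage access key ID for this key (AWS_ACCESS_KEY_ID)."; };` and likewise for the secret, restating the existing `# TODO: these should be managed as secrets, not in the nix store` in the secret's description so users of the option know the value lands in the store. The submodule's `options` set continues past the hunk.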
--- a/services/fediversity/mastodon/default.nix +++ b/services/fediversity/mastodon/default.nix @@ -1,10 +1,3 @@ -let - snakeoil_key = { - id = "GK3515373e4c851ebaad366558"; - secret = "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34"; - }; -in - { config, lib, ... }: { @@ -24,9 +17,10 @@ in }; }; }; + ensureKeys = { mastodon = { - inherit (snakeoil_key) id secret; + inherit (config.fediversity.mastodon) s3AccessKey s3SecretKey; ensureAccess = { mastodon = { read = true; @@ -37,6 +31,7 @@ in }; }; }; + services.mastodon = { extraConfig = rec { S3_ENABLED = "true"; @@ -46,8 +41,8 @@ in S3_BUCKET = "mastodon"; # use . S3_OVERRIDE_PATH_STLE = "true"; - AWS_ACCESS_KEY_ID = snakeoil_key.id; - AWS_SECRET_ACCESS_KEY = snakeoil_key.secret; + AWS_ACCESS_KEY_ID = config.fediversity.mastodon.s3AccessKey; + AWS_SECRET_ACCESS_KEY = config.fediversity.mastodon.s3SecretKey; S3_PROTOCOL = "http"; S3_ALIAS_HOST = "${S3_BUCKET}.${config.fediversity.garage.web.rootDomain}"; # SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/ diff --git a/services/fediversity/mastodon/options.nix b/services/fediversity/mastodon/options.nix index 882b96eb..16b148d7 100644 --- a/services/fediversity/mastodon/options.nix +++ b/services/fediversity/mastodon/options.nix @@ -9,6 +9,23 @@ in options.fediversity.mastodon = { enable = mkEnableOption "Enable a Mastodon server on the machine"; + s3AccessKey = mkOption { + type = types.str; + description = '' + S3 access key + + In AWS CLI, this would be AWS_ACCESS_KEY_ID. + ''; + }; + + s3SecretKey = mkOption { + description = '' + S3 secret key + + In AWS CLI, this would be AWS_SECRET_ACCESS_KEY. + ''; + }; + domain = mkOption { type = types.str; description = "Internal option — change at your own risk"; diff --git a/services/fediversity/peertube/default.nix b/services/fediversity/peertube/default.nix index e649c568..cf7c6205 100644 --- a/services/fediversity/peertube/default.nix 
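Review bot: `AWS_SECRET_ACCESS_KEY = config.fediversity.mastodon.s3SecretKey;` places the secret in `services.mastodon.extraConfig`, which the NixOS module materialises under the Nix store, so moving it from a module-local constant to an option does not change that the credential is world-readable on the host. If the pinned nixpkgs provides `services.mastodon.extraEnvFiles`, the key pair belongs in a file provisioned outside the store and listed there, with `s3SecretKey` becoming a path; at minimum the option description should warn about this. Separately, the context line `S3_OVERRIDE_PATH_STLE = "true";` looks misspelled (Mastodon reads `S3_OVERRIDE_PATH_STYLE`), which would silently leave path-style addressing off for Garage — worth confirming against the Mastodon object-storage docs referenced just below it. The `extraConfig` set continues past the end of the hunk.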
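Review bot: `s3SecretKey = mkOption { description = ... }` in `options.fediversity.mastodon` has no `type`, while its sibling `s3AccessKey` declares `type = types.str;`; an untyped option falls back to an unspecified type, which skips type checking and proper merging (and triggers a warning in recent nixpkgs), so a path or a list could be assigned without error. Add `type = types.str;` to the secret option. Its description should also say what happens to the value, e.g. `NOTE: this string is interpolated into service configuration and ends up world-readable in the Nix store; use test credentials only until proper secret handling exists.`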
+++ b/services/fediversity/peertube/default.nix @@ -1,10 +1,3 @@ -let - snakeoil_key = { - id = "GK1f9feea9960f6f95ff404c9b"; - secret = "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395"; - }; -in - { config, lib, ... }: { @@ -43,9 +36,10 @@ in }; }; }; + ensureKeys = { peertube = { - inherit (snakeoil_key) id secret; + inherit (config.fediversity.peertube) s3AccessKey s3SecretKey; ensureAccess = { peertube-videos = { read = true; @@ -104,8 +98,8 @@ in serviceEnvironmentFile = "/etc/peertube-env"; }; environment.etc.peertube-env.text = '' - AWS_ACCESS_KEY_ID=${snakeoil_key.id} - AWS_SECRET_ACCESS_KEY=${snakeoil_key.secret} + AWS_ACCESS_KEY_ID=${config.fediversity.peertube.s3AccessKey} + AWS_SECRET_ACCESS_KEY=${config.fediversity.peertube.s3SecretKey} ''; ## Proxying through Nginx diff --git a/services/fediversity/peertube/options.nix b/services/fediversity/peertube/options.nix index feedcad5..b4864372 100644 --- a/services/fediversity/peertube/options.nix +++ b/services/fediversity/peertube/options.nix @@ -9,6 +9,23 @@ in options.fediversity.peertube = { enable = mkEnableOption "Enable a PeerTube server on the machine"; + s3AccessKey = mkOption { + type = types.str; + description = '' + S3 access key + + In AWS CLI, this would be AWS_ACCESS_KEY_ID. + ''; + }; + + s3SecretKey = mkOption { + description = '' + S3 secret key + + In AWS CLI, this would be AWS_SECRET_ACCESS_KEY. + ''; + }; + domain = mkOption { type = types.str; description = "Internal option — change at your own risk"; diff --git a/services/fediversity/pixelfed/default.nix b/services/fediversity/pixelfed/default.nix index 4ce28871..e12a5e1c 100644 --- a/services/fediversity/pixelfed/default.nix +++ b/services/fediversity/pixelfed/default.nix @@ -1,10 +1,3 @@ -let - snakeoil_key = { - id = "GKb5615457d44214411e673b7b"; - secret = "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987"; - }; -in - { config, lib, 
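Review bot: `AWS_SECRET_ACCESS_KEY=${config.fediversity.peertube.s3SecretKey}` is embedded in `environment.etc.peertube-env.text`, which NixOS builds as a store path and links into /etc, so the secret is world-readable on the host whatever mode is set on the /etc entry. `serviceEnvironmentFile = "/etc/peertube-env";` is already a path, so it could point at a file provisioned outside the store instead, with `s3SecretKey` becoming a path option like the existing `secretsFile`. Until then a comment such as `## NOTE: this file is a Nix store path; the secret is world-readable.` should sit above the `environment.etc` line. The peertube `config` block continues outside the hunk.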
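Review bot: `s3SecretKey = mkOption { description = ... }` in `options.fediversity.peertube` lacks the `type = types.str;` that `s3AccessKey` right above it declares, so the option falls back to an unspecified type with no type checking or merging and a warning in recent nixpkgs. Add `type = types.str;` to match the sibling. The description should also note that the value is written into the Nix store (see `environment.etc.peertube-env.text` in this file), e.g. `NOTE: ends up world-readable in the Nix store; test credentials only.`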
@@ -12,10 +5,14 @@ in ... }: +let + inherit (lib) mkIf; + +in { imports = [ ./options.nix ]; - config = lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) { + config = mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) { fediversity.garage = { ensureBuckets = { pixelfed = { @@ -29,9 +26,10 @@ in }; }; }; + ensureKeys = { pixelfed = { - inherit (snakeoil_key) id secret; + inherit (config.fediversity.pixelfed) s3AccessKey s3SecretKey; ensureAccess = { pixelfed = { read = true; @@ -70,11 +68,10 @@ in ## `fediversity.openRegistration` option. OPEN_REGISTRATION = true; - # DANGEROUSLY_SET_FILESYSTEM_DRIVER = "s3"; FILESYSTEM_CLOUD = "s3"; PF_ENABLE_CLOUD = true; - AWS_ACCESS_KEY_ID = snakeoil_key.id; - AWS_SECRET_ACCESS_KEY = snakeoil_key.secret; + AWS_ACCESS_KEY_ID = config.fediversity.pixelfed.s3AccessKey; + AWS_SECRET_ACCESS_KEY = config.fediversity.pixelfed.s3SecretKey; AWS_DEFAULT_REGION = "garage"; AWS_URL = config.fediversity.garage.web.urlForBucket "pixelfed"; AWS_BUCKET = "pixelfed"; diff --git a/services/fediversity/pixelfed/options.nix b/services/fediversity/pixelfed/options.nix index 1a36ea27..27eff699 100644 --- a/services/fediversity/pixelfed/options.nix +++ b/services/fediversity/pixelfed/options.nix @@ -9,6 +9,23 @@ in options.fediversity.pixelfed = { enable = mkEnableOption "Enable a Pixelfed server on the machine"; + s3AccessKey = mkOption { + type = types.str; + description = '' + S3 access key + + In AWS CLI, this would be AWS_ACCESS_KEY_ID. + ''; + }; + + s3SecretKey = mkOption { + description = '' + S3 secret key + + In AWS CLI, this would be AWS_SECRET_ACCESS_KEY. + ''; + }; + domain = mkOption { type = types.str; description = "Internal option — change at your own risk";
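Review bot: `AWS_SECRET_ACCESS_KEY = config.fediversity.pixelfed.s3SecretKey;` lands in the settings set whose head is outside this hunk (presumably `services.pixelfed.settings`), which the NixOS module writes out under the Nix store, so the credential remains world-readable on the host exactly as the deleted `snakeoil_key` was. If the pinned nixpkgs has `services.pixelfed.secretFile` (a runtime-sourced env file), the key pair belongs there and `s3SecretKey` should become a path; otherwise add `## NOTE: secret is rendered into the store-resident .env; test credentials only.` above the line. The settings set starts and ends outside the hunk.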
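Review bot: `s3SecretKey = mkOption { description = ... }` in `options.fediversity.pixelfed` is missing `type = types.str;`, unlike `s3AccessKey` immediately above it, so the option is evaluated with an unspecified type (no checking, no merging, a warning in recent nixpkgs). Add `type = types.str;` to the secret option. As with the other services, the description should say the value is copied into the Nix store on the target and is intended for test credentials only until secret handling is implemented.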