diff --git a/deployment/flake-part.nix b/deployment/flake-part.nix index 8560e9c3..208aebb4 100644 --- a/deployment/flake-part.nix +++ b/deployment/flake-part.nix @@ -71,24 +71,54 @@ in }; }; + ## NOTE: All of these secrets are publicly available in this source file + ## and will end up in the Nix store. We don't care as they are only ever + ## used for testing anyway. + pixelfedS3KeyConfig = + { pkgs, ... }: + { + s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKb5615457d44214411e673b7b"; + s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987"; + }; + mastodonS3KeyConfig = + { pkgs, ... }: + { + s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK3515373e4c851ebaad366558"; + s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34"; + }; + peertubeS3KeyConfig = + { pkgs, ... }: + { + s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK1f9feea9960f6f95ff404c9b"; + s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395"; + }; + in { providers = { inherit (inputs.nixops4.modules.nixops4Provider) local; }; resources = { + fedi100 = makeProcolixVmResource 100 ( + { pkgs, ... }: + { + fediversity = { + domain = "abundos.eu"; + garage.enable = true; + pixelfed = pixelfedS3KeyConfig { inherit pkgs; }; + mastodon = mastodonS3KeyConfig { inherit pkgs; }; + peertube = peertubeS3KeyConfig { inherit pkgs; }; + }; + } + ); + fedi101 = makeProcolixVmResource 101 ( { pkgs, ... }: { fediversity = { - domain = "fedi101.abundos.eu"; - pixelfed = { + domain = "abundos.eu"; + pixelfed = pixelfedS3KeyConfig { inherit pkgs; } // { enable = true; - - ## NOTE: Only ever used for testing anyway. - s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKb5615457d44214411e673b7b"; - s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987"; }; - garage.enable = true; }; } ); 
@@ -97,15 +127,10 @@ in { pkgs, ... }: { fediversity = { - domain = "fedi102.abundos.eu"; - mastodon = { + domain = "abundos.eu"; + mastodon = mastodonS3KeyConfig { inherit pkgs; } // { enable = true; - - ## NOTE: Only ever used for testing anyway. - s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK3515373e4c851ebaad366558"; - s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34"; }; - garage.enable = true; temp.cores = 1; # FIXME: should come from NixOps4 eventually }; @@ -116,16 +141,12 @@ in { pkgs, ... }: { fediversity = { - domain = "fedi103.abundos.eu"; - peertube = { + domain = "abundos.eu"; + peertube = peertubeS3KeyConfig { inherit pkgs; } // { enable = true; - ## NOTE: Only ever used for testing anyway. secretsFile = pkgs.writeText "secret" "574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24"; - s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK1f9feea9960f6f95ff404c9b"; - s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395"; }; - garage.enable = true; }; } ); diff --git a/services/fediversity/garage/default.nix b/services/fediversity/garage/default.nix index 4d7dc696..c8133b75 100644 --- a/services/fediversity/garage/default.nix +++ b/services/fediversity/garage/default.nix @@ -105,7 +105,15 @@ in pkgs.awscli ]; - networking.firewall.allowedTCPPorts = [ config.fediversity.garage.rpc.port ]; + ## REVIEW: Do we want to reverse proxy the RPC and API ports? In fact, + ## shouldn't we just get rid of RPC at all, we're not using it. + networking.firewall.allowedTCPPorts = [ + 80 + 443 + config.fediversity.garage.api.port + config.fediversity.garage.rpc.port + ]; + services.garage = { enable = true; package = pkgs.garage_0_9; @@ -126,6 +134,8 @@ in }; }; + services.nginx.enable = true; + ## Create a proxy from .web.garage. to localhost:3902 for ## each bucket that has `website = true`. services.nginx.virtualHosts = 
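Review bot: The `## NOTE` above the new `pixelfedS3KeyConfig`/`mastodonS3KeyConfig`/`peertubeS3KeyConfig` bindings undersells the exposure: these literal keys are handed to `makeProcolixVmResource` for fedi100 (which sets `garage.enable = true`) under a public-looking `abundos.eu` domain, and the service modules grant them `read`/`write`/`owner` on the buckets, so anyone holding this source file holds full credentials for those buckets on any host built from it that they can reach. If fedi100 is in fact reachable from the internet, this is no longer test-only material. I would extend the comment to state that and name the rotation path, e.g. `## These keys grant owner access on the Garage buckets of every host built from this file; rotate them before any of these VMs becomes reachable outside the test network.` The `s3*KeyFile` options accept any path, so a non-store path produced by a secrets tool could be dropped in here once the service modules stop reading the file at evaluation time.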
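Review bot: The widened `networking.firewall.allowedTCPPorts` exposes `config.fediversity.garage.api.port` to every address, not only to the fedi101–103 hosts that consume it, and at least the Mastodon consumer talks to it over plain `http` (`S3_PROTOCOL = "http"`), so bucket traffic crosses the network unencrypted and the S3 API is reachable by anyone who obtains a key. On the `## REVIEW` question: if this Garage runs as a single node the RPC port has no peer to serve and should stay closed; if it is clustered, both ports belong on an allow-list of cluster/consumer addresses (an interface-scoped `allowedTCPPorts` or `extraCommands` rule) rather than the global list. Terminating TLS for the S3 API in the nginx instance this change enables would also let the consumers move off `http`. Until that is decided I would replace the open question with a recorded risk: `## NOTE: the S3 API is reachable from any address and served over plain HTTP; restrict to consumer hosts or front it with nginx+TLS before non-test use.`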
diff --git a/services/fediversity/mastodon/default.nix b/services/fediversity/mastodon/default.nix
index 4fe5ef30..8c022ea7 100644
--- a/services/fediversity/mastodon/default.nix
+++ b/services/fediversity/mastodon/default.nix
@@ -6,96 +6,107 @@ }: let - inherit (lib) readFile; + inherit (lib) mkIf mkMerge readFile; inherit (pkgs) writeText; in { imports = [ ./options.nix ]; - config = lib.mkIf config.fediversity.mastodon.enable { - #### garage setup - fediversity.garage = { - ensureBuckets = { - mastodon = { - website = true; - corsRules = { - enable = true; - allowedHeaders = [ "*" ]; - allowedMethods = [ "GET" ]; - allowedOrigins = [ "*" ]; - }; - }; - }; - - ensureKeys = { - mastodon = { - inherit (config.fediversity.mastodon) s3AccessKeyFile s3SecretKeyFile; - ensureAccess = { + config = mkMerge [ + (mkIf + ( + config.fediversity.garage.enable + && config.fediversity.mastodon.s3AccessKeyFile != null + && config.fediversity.mastodon.s3SecretKeyFile != null + ) + { + fediversity.garage = { + ensureBuckets = { mastodon = { - read = true; - write = true; - owner = true; + website = true; + corsRules = { + enable = true; + allowedHeaders = [ "*" ]; + allowedMethods = [ "GET" ]; + allowedOrigins = [ "*" ]; + }; + }; + }; + + ensureKeys = { + mastodon = { + inherit (config.fediversity.mastodon) s3AccessKeyFile s3SecretKeyFile; + ensureAccess = { + mastodon = { + read = true; + write = true; + owner = true; + }; + }; }; }; }; + } + ) + + (mkIf config.fediversity.mastodon.enable { + + services.mastodon.extraConfig = rec { + S3_ENABLED = "true"; + # TODO: this shouldn't be hard-coded, it should come from the garage configuration + S3_ENDPOINT = config.fediversity.garage.api.url; + S3_REGION = "garage"; + S3_BUCKET = "mastodon"; + # use . + S3_OVERRIDE_PATH_STLE = "true"; + S3_PROTOCOL = "http"; + S3_ALIAS_HOST = config.fediversity.garage.web.domainForBucket S3_BUCKET; + # SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/ + # TODO: can we set up ACLs with garage? 
+ S3_PERMISSION = ""; }; - }; - services.mastodon.extraConfig = rec { - S3_ENABLED = "true"; - # TODO: this shouldn't be hard-coded, it should come from the garage configuration - S3_ENDPOINT = config.fediversity.garage.api.url; - S3_REGION = "garage"; - S3_BUCKET = "mastodon"; - # use . - S3_OVERRIDE_PATH_STLE = "true"; - S3_PROTOCOL = "http"; - S3_ALIAS_HOST = config.fediversity.garage.web.domainForBucket S3_BUCKET; - # SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/ - # TODO: can we set up ACLs with garage? - S3_PERMISSION = ""; - }; + ## FIXME: secrets management; we should have a service that writes the + ## `.env` files based on all the secrets that we need to put there. + services.mastodon.extraEnvFiles = [ + (writeText "s3AccessKey" '' + AWS_ACCESS_KEY_ID=${readFile config.fediversity.mastodon.s3AccessKeyFile} + '') + (writeText "s3SecretKey" '' + AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.mastodon.s3SecretKeyFile} + '') + ]; - ## FIXME: secrets management; we should have a service that writes the - ## `.env` files based on all the secrets that we need to put there. - services.mastodon.extraEnvFiles = [ - (writeText "s3AccessKey" '' - AWS_ACCESS_KEY_ID=${readFile config.fediversity.mastodon.s3AccessKeyFile} - '') - (writeText "s3SecretKey" '' - AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.mastodon.s3SecretKeyFile} - '') - ]; + # open up access to the mastodon web interface. 80 is necessary if only for ACME + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; - # open up access to the mastodon web interface. 
80 is necessary if only for ACME - networking.firewall.allowedTCPPorts = [ - 80 - 443 - ]; + services.mastodon = { + enable = true; - services.mastodon = { - enable = true; + localDomain = config.fediversity.mastodon.domain; + configureNginx = true; - localDomain = config.fediversity.mastodon.domain; - configureNginx = true; + # from the documentation: recommended is the amount of your CPU cores minus + # one. but it also must be a positive integer + streamingProcesses = lib.max 1 (config.fediversity.temp.cores - 1); - # from the documentation: recommended is the amount of your CPU cores minus - # one. but it also must be a positive integer - streamingProcesses = lib.max 1 (config.fediversity.temp.cores - 1); - - # TODO: configure a mailserver so this works - smtp = { - fromAddress = "noreply@${config.fediversity.mastodon.domain}"; - createLocally = false; + # TODO: configure a mailserver so this works + smtp = { + fromAddress = "noreply@${config.fediversity.mastodon.domain}"; + createLocally = false; + }; }; - }; - security.acme = { - acceptTerms = true; - preliminarySelfsigned = true; - # TODO: configure a mailserver so we can set up acme - # defaults.email = "test@example.com"; - }; - }; + security.acme = { + acceptTerms = true; + preliminarySelfsigned = true; + # TODO: configure a mailserver so we can set up acme + # defaults.email = "test@example.com"; + }; + }) + ]; } diff --git a/services/fediversity/peertube/default.nix b/services/fediversity/peertube/default.nix index cb469691..9fa86cf3 100644 --- a/services/fediversity/peertube/default.nix +++ b/services/fediversity/peertube/default.nix 
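Review bot: The `mkIf config.fediversity.mastodon.enable` branch still calls `readFile config.fediversity.mastodon.s3AccessKeyFile` and `s3SecretKeyFile` unconditionally, but this same change makes both options default to `null` (sharedOptions.nix), so enabling Mastodon without keys now dies inside `readFile` with an unhelpful evaluation error rather than a clear option error; add to that branch `assertions = [ { assertion = config.fediversity.mastodon.s3AccessKeyFile != null && config.fediversity.mastodon.s3SecretKeyFile != null; message = "fediversity.mastodon requires s3AccessKeyFile and s3SecretKeyFile"; } ];`. Separately, `S3_OVERRIDE_PATH_STLE` looks like a typo for the `S3_OVERRIDE_PATH_STYLE` variable Mastodon documents; as written it is presumably ignored, and whatever addressing mode Mastodon falls back to only works by coincidence with the Garage alias host, so this is worth confirming against a running instance. The `readFile` + `writeText` pair also copies whatever path the option points to into the world-readable Nix store, so the FIXME above `extraEnvFiles` still applies even when a secrets tool supplies a non-store path.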
@@ -1,124 +1,135 @@ { config, lib, ... }: let - inherit (lib) mkIf readFile; + inherit (lib) mkIf mkMerge readFile; in { imports = [ ./options.nix ]; - config = mkIf config.fediversity.peertube.enable { - networking.firewall.allowedTCPPorts = [ - 80 - 443 - - ## For Live streaming and Live streaming when RTMPS is enabled. - 1935 - 1936 - ]; - - fediversity.garage = { - ensureBuckets = { - peertube-videos = { - website = true; - # TODO: these are too broad, after getting everything works narrow it down to the domain we actually want - corsRules = { - enable = true; - allowedHeaders = [ "*" ]; - allowedMethods = [ "GET" ]; - allowedOrigins = [ "*" ]; - }; - }; - # TODO: these are too broad, after getting everything works narrow it down to the domain we actually want - peertube-playlists = { - website = true; - corsRules = { - enable = true; - allowedHeaders = [ "*" ]; - allowedMethods = [ "GET" ]; - allowedOrigins = [ "*" ]; - }; - }; - }; - - ensureKeys = { - peertube = { - inherit (config.fediversity.peertube) s3AccessKeyFile s3SecretKeyFile; - ensureAccess = { + config = mkMerge [ + (mkIf + ( + config.fediversity.garage.enable + && config.fediversity.peertube.s3AccessKeyFile != null + && config.fediversity.peertube.s3SecretKeyFile != null + ) + { + fediversity.garage = { + ensureBuckets = { peertube-videos = { - read = true; - write = true; - owner = true; + website = true; + # TODO: these are too broad, after getting everything works narrow it down to the domain we actually want + corsRules = { + enable = true; + allowedHeaders = [ "*" ]; + allowedMethods = [ "GET" ]; + allowedOrigins = [ "*" ]; + }; }; + # TODO: these are too broad, after getting everything works narrow it down to the domain we actually want peertube-playlists = { - read = true; - write = true; - owner = true; + website = true; + corsRules = { + enable = true; + allowedHeaders = [ "*" ]; + allowedMethods = [ "GET" ]; + allowedOrigins = [ "*" ]; + }; + }; + }; + + ensureKeys = { + peertube = { + 
inherit (config.fediversity.peertube) s3AccessKeyFile s3SecretKeyFile; + ensureAccess = { + peertube-videos = { + read = true; + write = true; + owner = true; + }; + peertube-playlists = { + read = true; + write = true; + owner = true; + }; + }; }; }; }; - }; - }; + } + ) - services.peertube = { - enable = true; - localDomain = config.fediversity.peertube.domain; + (mkIf config.fediversity.peertube.enable { + networking.firewall.allowedTCPPorts = [ + 80 + 443 - # TODO: in most of nixpkgs, these are true by default. upstream that unless there's a good reason not to. - redis.createLocally = true; - database.createLocally = true; + ## For Live streaming and Live streaming when RTMPS is enabled. + 1935 + 1936 + ]; - secrets.secretsFile = config.fediversity.peertube.secretsFile; + services.peertube = { + enable = true; + localDomain = config.fediversity.peertube.domain; - settings = { - object_storage = { - enabled = true; - endpoint = config.fediversity.garage.api.url; - region = "garage"; - upload_acl.public = null; # Garage does not support ACL - upload_acl.private = null; # Garage does not support ACL + # TODO: in most of nixpkgs, these are true by default. upstream that unless there's a good reason not to. 
+ redis.createLocally = true; + database.createLocally = true; - # not supported by garage - # SEE: https://garagehq.deuxfleurs.fr/documentation/connect/apps/#peertube - proxy.proxyify_private_files = false; + secrets.secretsFile = config.fediversity.peertube.secretsFile; - web_videos = rec { - bucket_name = "peertube-videos"; - prefix = ""; - base_url = config.fediversity.garage.web.urlForBucket bucket_name; - }; - videos = rec { - bucket_name = "peertube-videos"; - prefix = ""; - base_url = config.fediversity.garage.web.urlForBucket bucket_name; - }; - streaming_playlists = rec { - bucket_name = "peertube-playlists"; - prefix = ""; - base_url = config.fediversity.garage.web.urlForBucket bucket_name; + settings = { + object_storage = { + enabled = true; + endpoint = config.fediversity.garage.api.url; + region = "garage"; + upload_acl.public = null; # Garage does not support ACL + upload_acl.private = null; # Garage does not support ACL + + # not supported by garage + # SEE: https://garagehq.deuxfleurs.fr/documentation/connect/apps/#peertube + proxy.proxyify_private_files = false; + + web_videos = rec { + bucket_name = "peertube-videos"; + prefix = ""; + base_url = config.fediversity.garage.web.urlForBucket bucket_name; + }; + videos = rec { + bucket_name = "peertube-videos"; + prefix = ""; + base_url = config.fediversity.garage.web.urlForBucket bucket_name; + }; + streaming_playlists = rec { + bucket_name = "peertube-playlists"; + prefix = ""; + base_url = config.fediversity.garage.web.urlForBucket bucket_name; + }; }; }; + serviceEnvironmentFile = "/etc/peertube-env"; }; - serviceEnvironmentFile = "/etc/peertube-env"; - }; - ## FIXME: secrets management; we should have a service that writes the - ## `.env` files based on all the secrets that we need to put there. 
- environment.etc.peertube-env.text = '' - AWS_ACCESS_KEY_ID=${readFile config.fediversity.peertube.s3AccessKeyFile} - AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.peertube.s3SecretKeyFile} - ''; + ## FIXME: secrets management; we should have a service that writes the + ## `.env` files based on all the secrets that we need to put there. + environment.etc.peertube-env.text = '' + AWS_ACCESS_KEY_ID=${readFile config.fediversity.peertube.s3AccessKeyFile} + AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.peertube.s3SecretKeyFile} + ''; - ## Proxying through Nginx + ## Proxying through Nginx - services.peertube = { - configureNginx = true; - listenWeb = 443; - enableWebHttps = true; - }; - services.nginx.virtualHosts.${config.services.peertube.localDomain} = { - forceSSL = true; - enableACME = true; - }; - }; + services.peertube = { + configureNginx = true; + listenWeb = 443; + enableWebHttps = true; + }; + services.nginx.virtualHosts.${config.services.peertube.localDomain} = { + forceSSL = true; + enableACME = true; + }; + }) + ]; } diff --git a/services/fediversity/pixelfed/default.nix b/services/fediversity/pixelfed/default.nix index 3198929d..2c3c2b7c 100644 --- a/services/fediversity/pixelfed/default.nix +++ b/services/fediversity/pixelfed/default.nix 
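Review bot: With `website = true` on both buckets, `upload_acl.public`/`upload_acl.private = null` and `proxy.proxyify_private_files = false`, every object PeerTube stores — including videos it considers private or internal — is served by the Garage web endpoint to anyone who knows the URL, and the `Garage does not support ACL` comments only hint at that. It deserves an explicit note next to `proxyify_private_files`, e.g. `## NOTE: no ACLs and no proxying: "private"/"internal" videos are only obscured by URL; these buckets are world-readable.` The `environment.etc.peertube-env.text` block then writes `AWS_SECRET_ACCESS_KEY` into a store path (symlinked under `/etc` by default) readable by any local user; the FIXME covers that, but since the `s3*KeyFile` options now default to `null`, the `readFile` calls here also fail evaluation when PeerTube is enabled without keys, so an `assertions` entry mirroring the `mkIf` guard on the garage branch would turn that into a clear error.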
@@ -6,89 +6,100 @@ }: let - inherit (lib) mkIf readFile; + inherit (lib) mkIf mkMerge readFile; in { imports = [ ./options.nix ]; - config = mkIf config.fediversity.pixelfed.enable { - fediversity.garage = { - ensureBuckets = { - pixelfed = { - website = true; - # TODO: these are too broad, after getting everything works narrow it down to the domain we actually want - corsRules = { - enable = true; - allowedHeaders = [ "*" ]; - allowedMethods = [ "GET" ]; - allowedOrigins = [ "*" ]; - }; - }; - }; - - ensureKeys = { - pixelfed = { - inherit (config.fediversity.pixelfed) s3AccessKeyFile s3SecretKeyFile; - ensureAccess = { + config = mkMerge [ + (mkIf + ( + config.fediversity.garage.enable + && config.fediversity.pixelfed.s3AccessKeyFile != null + && config.fediversity.pixelfed.s3SecretKeyFile != null + ) + { + fediversity.garage = { + ensureBuckets = { pixelfed = { - read = true; - write = true; - owner = true; + website = true; + # TODO: these are too broad, after getting everything works narrow it down to the domain we actually want + corsRules = { + enable = true; + allowedHeaders = [ "*" ]; + allowedMethods = [ "GET" ]; + allowedOrigins = [ "*" ]; + }; + }; + }; + + ensureKeys = { + pixelfed = { + inherit (config.fediversity.pixelfed) s3AccessKeyFile s3SecretKeyFile; + ensureAccess = { + pixelfed = { + read = true; + write = true; + owner = true; + }; + }; }; }; }; + } + ) + + (mkIf config.fediversity.pixelfed.enable { + services.pixelfed = { + enable = true; + domain = config.fediversity.pixelfed.domain; + + ## FIXME: secrets management; we should have a service that writes the + ## `.env` file based on all the secrets that we need to put there. 
+ secretFile = pkgs.writeText "secrets.env" '' + APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA + AWS_ACCESS_KEY_ID=${readFile config.fediversity.pixelfed.s3AccessKeyFile} + AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.pixelfed.s3SecretKeyFile} + ''; + + ## Taeer feels like this way of configuring Nginx is odd; there should + ## instead be a `services.pixefed.nginx.enable` option and the actual Nginx + ## configuration should be in `services.nginx`. See eg. `pretix`. + ## + ## TODO: If that indeed makes sense, upstream. + nginx = { + forceSSL = true; + enableACME = true; + # locations."/public/".proxyPass = "${config.fediversity.garage.web.urlForBucket "pixelfed"}/public/"; + }; }; - }; - services.pixelfed = { - enable = true; - domain = config.fediversity.pixelfed.domain; + services.pixelfed.settings = { + ## NOTE: This depends on the targets, eg. universities might want control + ## over who has an account. We probably want a universal + ## `fediversity.openRegistration` option. + OPEN_REGISTRATION = true; - ## FIXME: secrets management; we should have a service that writes the - ## `.env` file based on all the secrets that we need to put there. - secretFile = pkgs.writeText "secrets.env" '' - APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA - AWS_ACCESS_KEY_ID=${readFile config.fediversity.pixelfed.s3AccessKeyFile} - AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.pixelfed.s3SecretKeyFile} - ''; - - ## Taeer feels like this way of configuring Nginx is odd; there should - ## instead be a `services.pixefed.nginx.enable` option and the actual Nginx - ## configuration should be in `services.nginx`. See eg. `pretix`. - ## - ## TODO: If that indeed makes sense, upstream. 
- nginx = { - forceSSL = true; - enableACME = true; - # locations."/public/".proxyPass = "${config.fediversity.garage.web.urlForBucket "pixelfed"}/public/"; + FILESYSTEM_CLOUD = "s3"; + PF_ENABLE_CLOUD = true; + AWS_DEFAULT_REGION = "garage"; + AWS_URL = config.fediversity.garage.web.urlForBucket "pixelfed"; + AWS_BUCKET = "pixelfed"; + AWS_ENDPOINT = config.fediversity.garage.api.url; + AWS_USE_PATH_STYLE_ENDPOINT = false; }; - }; - services.pixelfed.settings = { - ## NOTE: This depends on the targets, eg. universities might want control - ## over who has an account. We probably want a universal - ## `fediversity.openRegistration` option. - OPEN_REGISTRATION = true; + ## Only ever run `pixelfed-data-setup` after `ensure-garage` has done its job. + ## Otherwise, everything crashed dramatically. + systemd.services.pixelfed-data-setup = { + after = [ "ensure-garage.service" ]; + }; - FILESYSTEM_CLOUD = "s3"; - PF_ENABLE_CLOUD = true; - AWS_DEFAULT_REGION = "garage"; - AWS_URL = config.fediversity.garage.web.urlForBucket "pixelfed"; - AWS_BUCKET = "pixelfed"; - AWS_ENDPOINT = config.fediversity.garage.api.url; - AWS_USE_PATH_STYLE_ENDPOINT = false; - }; - - ## Only ever run `pixelfed-data-setup` after `ensure-garage` has done its job. - ## Otherwise, everything crashed dramatically. - systemd.services.pixelfed-data-setup = { - after = [ "ensure-garage.service" ]; - }; - - networking.firewall.allowedTCPPorts = [ - 80 - 443 - ]; - }; + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; + }) + ]; } diff --git a/services/fediversity/sharedOptions.nix b/services/fediversity/sharedOptions.nix index 10ddd5cc..413e2a7d 100644 --- a/services/fediversity/sharedOptions.nix +++ b/services/fediversity/sharedOptions.nix 
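Review bot: `APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA` in `services.pixelfed.secretFile` is a fixed application key committed to the repository and, via `pkgs.writeText`, placed in the world-readable Nix store on every host; unlike the S3 keys in deployment/flake-part.nix it carries no "test only" note, and since Pixelfed is a Laravel app this is the key used to encrypt and sign cookies/sessions, so anyone reading this file can forge sessions on any Pixelfed built from it (fedi101 under `abundos.eu` included). The hunk only moves this line, but it should not survive the move: generate it per host outside the store (an activation step or small systemd unit writing a root-only file that `secretFile` points to), and until then mark it `## FIXME: shared, public APP_KEY — replace before any host is reachable; see the secrets FIXME above.` The `readFile` calls on the now-`null`-defaulting `s3*KeyFile` options have the same missing-assertion problem as the other service modules in this change.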
@@ -17,21 +17,25 @@ in enable = mkEnableOption "Enable a ${serviceDocName} server on the machine"; s3AccessKeyFile = mkOption { - type = types.path; + type = types.nullOr types.path; description = '' S3 access key for ${serviceDocName}'s bucket/s - In AWS CLI, this would be AWS_ACCESS_KEY_ID. + In AWS CLI, this would be AWS_ACCESS_KEY_ID. The S3 bucket is only created + when non-`null`. ''; + default = null; }; s3SecretKeyFile = mkOption { - type = types.path; + type = types.nullOr types.path; description = '' S3 secret key for ${serviceDocName}'s bucket/s - In AWS CLI, this would be AWS_SECRET_ACCESS_KEY. + In AWS CLI, this would be AWS_SECRET_ACCESS_KEY. The S3 bucket is only + created when non-`null`. ''; + default = null; }; domain = mkOption { diff --git a/services/tests/peertube.nix b/services/tests/peertube.nix index 23b002f2..26711384 100644 --- a/services/tests/peertube.nix +++ b/services/tests/peertube.nix @@ -197,8 +197,8 @@ pkgs.nixosTest { systemd.services.postgresql.serviceConfig.TimeoutSec = lib.mkForce 3600; environment.variables = { - AWS_ACCESS_KEY_ID = config.fediversity.garage.ensureKeys.peertube.id; - AWS_SECRET_ACCESS_KEY = config.fediversity.garage.ensureKeys.peertube.secret; + AWS_ACCESS_KEY_ID = "$(cat ${config.fediversity.peertube.s3AccessKeyFile})"; + AWS_SECRET_ACCESS_KEY = "$(cat ${config.fediversity.peertube.s3SecretKeyFile})"; PT_INITIAL_ROOT_PASSWORD = "testtest"; }; }; diff --git a/services/vm/garage-vm.nix b/services/vm/garage-vm.nix index 174d23c0..8cad6598 100644 --- a/services/vm/garage-vm.nix +++ b/services/vm/garage-vm.nix @@ -12,6 +12,8 @@ in { imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ]; + fediversity.garage.enable = true; + services.nginx.virtualHosts = let value = { diff --git a/services/vm/mastodon-vm.nix b/services/vm/mastodon-vm.nix index 5a9daf2c..095f822e 100644 --- a/services/vm/mastodon-vm.nix +++ b/services/vm/mastodon-vm.nix @@ -1,6 +1,7 @@ { modulesPath, lib, + pkgs, config, ... }: 
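Review bot: The new description text "The S3 bucket is only created when non-`null`" states only half of the contract the service modules now implement: bucket and key provisioning also require `fediversity.garage.enable` on the same host, and the `readFile` calls in the mastodon/peertube/pixelfed modules still require the option to be set whenever that service is enabled. Suggested wording for both options: `Path to a file containing the key. Required when the service is enabled; the bucket and key are provisioned only on hosts where fediversity.garage.enable is also set.` It is also worth saying in the description that, because the modules read the file at evaluation time, pointing this at a non-store path does not currently keep the secret out of the Nix store.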
@@ -11,9 +12,13 @@ config = lib.mkMerge [ { fediversity = { - enable = true; domain = "localhost"; - mastodon.enable = true; + mastodon = { + enable = true; + + s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK3515373e4c851ebaad366558"; + s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34"; + }; temp.cores = config.virtualisation.cores; }; diff --git a/services/vm/peertube-vm.nix b/services/vm/peertube-vm.nix index 758d64be..7aedbc3d 100644 --- a/services/vm/peertube-vm.nix +++ b/services/vm/peertube-vm.nix @@ -8,13 +8,12 @@ imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ]; fediversity = { - enable = true; domain = "localhost"; peertube = { enable = true; - secretsFile = pkgs.writeText "secret" '' - 574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24 - ''; + secretsFile = pkgs.writeText "secret" "574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24"; + s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK1f9feea9960f6f95ff404c9b"; + s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395"; }; }; diff --git a/services/vm/pixelfed-vm.nix b/services/vm/pixelfed-vm.nix index 927d042f..8c35aeec 100644 --- a/services/vm/pixelfed-vm.nix +++ b/services/vm/pixelfed-vm.nix @@ -1,4 +1,9 @@ -{ lib, modulesPath, ... }: +{ + lib, + pkgs, + modulesPath, + ... +}: let inherit (lib) mkVMOverride; @@ -9,9 +14,13 @@ in imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ]; fediversity = { - enable = true; domain = "localhost"; - pixelfed.enable = true; + pixelfed = { + enable = true; + + s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKb5615457d44214411e673b7b"; + s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987"; + }; }; services.pixelfed = {
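Review bot: The literal key pairs added to services/vm/mastodon-vm.nix, peertube-vm.nix and pixelfed-vm.nix are byte-for-byte the values in deployment/flake-part.nix, so the same credentials now live in four files with the "test only" caveat present in only one of them, and a later rotation will miss copies. I would pull them into one shared attrset (e.g. a `testSecrets.nix` exporting `mastodon`, `peertube` and `pixelfed`) that both the VM modules and the deployment import, with the warning comment attached to that single definition. Note too that these VM modules no longer set `fediversity.enable` and do not set `fediversity.garage.enable`, so under the new gating the bucket/key provisioning only happens if garage-vm.nix is also imported — a one-line comment on the `fediversity` block saying which VM module is expected to provide Garage would save the next reader that search.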
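Review bot: The PeerTube `secretsFile` change from a multi-line `''…''` string to a bare literal silently drops the trailing newline from the file contents; if that is the intended fix (a newline being read into the secret), say so, e.g. `# single-line on purpose: no trailing newline in the secret file`, otherwise someone will restore the old form for readability. This is a test VM, but the same literal secret is reused in deployment/flake-part.nix, so the two sites should at least agree on the format.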