kiara/Fediversity
1
0
Fork 0
forked from Fediversity/Fediversity
Code Pull requests Activity

Allow Garage and services to run on different machines

Browse source
This commit is contained in:
Nicolas Jeannerod 2025-02-15 11:19:10 +01:00
parent 1eeaa04df6
commit cd83536e2f
Signed by untrusted user: Niols
GPG key ID: 35DB9EC8886E1CB8
11 changed files with 359 additions and 276 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

61
deployment/flake-part.nix
View file

@ -71,24 +71,54 @@ in
}; };
}; };
## NOTE: All of these secrets are publicly available in this source file
## and will end up in the Nix store. We don't care as they are only ever
## used for testing anyway.
pixelfedS3KeyConfig =
{ pkgs, ... }:
{
s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKb5615457d44214411e673b7b";
s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
};
mastodonS3KeyConfig =
{ pkgs, ... }:
{
s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK3515373e4c851ebaad366558";
s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
};
peertubeS3KeyConfig =
{ pkgs, ... }:
{
s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK1f9feea9960f6f95ff404c9b";
s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
};
in in
{ {
providers = { inherit (inputs.nixops4.modules.nixops4Provider) local; }; providers = { inherit (inputs.nixops4.modules.nixops4Provider) local; };
resources = { resources = {
fedi100 = makeProcolixVmResource 100 (
{ pkgs, ... }:
{
fediversity = {
domain = "abundos.eu";
garage.enable = true;
pixelfed = pixelfedS3KeyConfig { inherit pkgs; };
mastodon = mastodonS3KeyConfig { inherit pkgs; };
peertube = peertubeS3KeyConfig { inherit pkgs; };
};
}
);
fedi101 = makeProcolixVmResource 101 ( fedi101 = makeProcolixVmResource 101 (
{ pkgs, ... }: { pkgs, ... }:
{ {
fediversity = { fediversity = {
domain = "fedi101.abundos.eu"; domain = "abundos.eu";
pixelfed = { pixelfed = pixelfedS3KeyConfig { inherit pkgs; } // {
enable = true; enable = true;
## NOTE: Only ever used for testing anyway.
s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKb5615457d44214411e673b7b";
s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
}; };
garage.enable = true;
}; };
} }
); );
@ -97,15 +127,10 @@ in
{ pkgs, ... }: { pkgs, ... }:
{ {
fediversity = { fediversity = {
domain = "fedi102.abundos.eu"; domain = "abundos.eu";
mastodon = { mastodon = mastodonS3KeyConfig { inherit pkgs; } // {
enable = true; enable = true;
## NOTE: Only ever used for testing anyway.
s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK3515373e4c851ebaad366558";
s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
}; };
garage.enable = true;
temp.cores = 1; # FIXME: should come from NixOps4 eventually temp.cores = 1; # FIXME: should come from NixOps4 eventually
}; };
@ -116,16 +141,12 @@ in
{ pkgs, ... }: { pkgs, ... }:
{ {
fediversity = { fediversity = {
domain = "fedi103.abundos.eu"; domain = "abundos.eu";
peertube = { peertube = peertubeS3KeyConfig { inherit pkgs; } // {
enable = true; enable = true;
## NOTE: Only ever used for testing anyway. ## NOTE: Only ever used for testing anyway.
secretsFile = pkgs.writeText "secret" "574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24"; secretsFile = pkgs.writeText "secret" "574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24";
s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK1f9feea9960f6f95ff404c9b";
s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
}; };
garage.enable = true;
}; };
} }
); );

12
services/fediversity/garage/default.nix
View file

@ -105,7 +105,15 @@ in
pkgs.awscli pkgs.awscli
]; ];
networking.firewall.allowedTCPPorts = [ config.fediversity.garage.rpc.port ]; ## REVIEW: Do we want to reverse proxy the RPC and API ports? In fact,
## shouldn't we just get rid of RPC at all, we're not using it.
networking.firewall.allowedTCPPorts = [
80
443
config.fediversity.garage.api.port
config.fediversity.garage.rpc.port
];
services.garage = { services.garage = {
enable = true; enable = true;
package = pkgs.garage_0_9; package = pkgs.garage_0_9;
@ -126,6 +134,8 @@ in
}; };
}; };
services.nginx.enable = true;
## Create a proxy from <bucket>.web.garage.<domain> to localhost:3902 for ## Create a proxy from <bucket>.web.garage.<domain> to localhost:3902 for
## each bucket that has `website = true`. ## each bucket that has `website = true`.
services.nginx.virtualHosts = services.nginx.virtualHosts =

19
services/fediversity/mastodon/default.nix
View file

@ -6,15 +6,21 @@
}: }:
let let
inherit (lib) readFile; inherit (lib) mkIf mkMerge readFile;
inherit (pkgs) writeText; inherit (pkgs) writeText;
in in
{ {
imports = [ ./options.nix ]; imports = [ ./options.nix ];
config = lib.mkIf config.fediversity.mastodon.enable { config = mkMerge [
#### garage setup (mkIf
(
config.fediversity.garage.enable
&& config.fediversity.mastodon.s3AccessKeyFile != null
&& config.fediversity.mastodon.s3SecretKeyFile != null
)
{
fediversity.garage = { fediversity.garage = {
ensureBuckets = { ensureBuckets = {
mastodon = { mastodon = {
@ -41,6 +47,10 @@ in
}; };
}; };
}; };
}
)
(mkIf config.fediversity.mastodon.enable {
services.mastodon.extraConfig = rec { services.mastodon.extraConfig = rec {
S3_ENABLED = "true"; S3_ENABLED = "true";
@ -97,5 +107,6 @@ in
# TODO: configure a mailserver so we can set up acme # TODO: configure a mailserver so we can set up acme
# defaults.email = "test@example.com"; # defaults.email = "test@example.com";
}; };
}; })
];
} }

35
services/fediversity/peertube/default.nix
View file

@ -1,22 +1,20 @@
{ config, lib, ... }: { config, lib, ... }:
let let
inherit (lib) mkIf readFile; inherit (lib) mkIf mkMerge readFile;
in in
{ {
imports = [ ./options.nix ]; imports = [ ./options.nix ];
config = mkIf config.fediversity.peertube.enable { config = mkMerge [
networking.firewall.allowedTCPPorts = [ (mkIf
80 (
443 config.fediversity.garage.enable
&& config.fediversity.peertube.s3AccessKeyFile != null
## For Live streaming and Live streaming when RTMPS is enabled. && config.fediversity.peertube.s3SecretKeyFile != null
1935 )
1936 {
];
fediversity.garage = { fediversity.garage = {
ensureBuckets = { ensureBuckets = {
peertube-videos = { peertube-videos = {
@ -59,6 +57,18 @@ in
}; };
}; };
}; };
}
)
(mkIf config.fediversity.peertube.enable {
networking.firewall.allowedTCPPorts = [
80
443
## For Live streaming and Live streaming when RTMPS is enabled.
1935
1936
];
services.peertube = { services.peertube = {
enable = true; enable = true;
@ -120,5 +130,6 @@ in
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
}; };
}; })
];
} }

17
services/fediversity/pixelfed/default.nix
View file

@ -6,13 +6,20 @@
}: }:
let let
inherit (lib) mkIf readFile; inherit (lib) mkIf mkMerge readFile;
in in
{ {
imports = [ ./options.nix ]; imports = [ ./options.nix ];
config = mkIf config.fediversity.pixelfed.enable { config = mkMerge [
(mkIf
(
config.fediversity.garage.enable
&& config.fediversity.pixelfed.s3AccessKeyFile != null
&& config.fediversity.pixelfed.s3SecretKeyFile != null
)
{
fediversity.garage = { fediversity.garage = {
ensureBuckets = { ensureBuckets = {
pixelfed = { pixelfed = {
@ -40,7 +47,10 @@ in
}; };
}; };
}; };
}
)
(mkIf config.fediversity.pixelfed.enable {
services.pixelfed = { services.pixelfed = {
enable = true; enable = true;
domain = config.fediversity.pixelfed.domain; domain = config.fediversity.pixelfed.domain;
@ -90,5 +100,6 @@ in
80 80
443 443
]; ];
}; })
];
} }

12
services/fediversity/sharedOptions.nix
View file

@ -17,21 +17,25 @@ in
enable = mkEnableOption "Enable a ${serviceDocName} server on the machine"; enable = mkEnableOption "Enable a ${serviceDocName} server on the machine";
s3AccessKeyFile = mkOption { s3AccessKeyFile = mkOption {
type = types.path; type = types.nullOr types.path;
description = '' description = ''
S3 access key for ${serviceDocName}'s bucket/s S3 access key for ${serviceDocName}'s bucket/s
In AWS CLI, this would be AWS_ACCESS_KEY_ID. In AWS CLI, this would be AWS_ACCESS_KEY_ID. The S3 bucket is only created
when non-`null`.
''; '';
default = null;
}; };
s3SecretKeyFile = mkOption { s3SecretKeyFile = mkOption {
type = types.path; type = types.nullOr types.path;
description = '' description = ''
S3 secret key for ${serviceDocName}'s bucket/s S3 secret key for ${serviceDocName}'s bucket/s
In AWS CLI, this would be AWS_SECRET_ACCESS_KEY. In AWS CLI, this would be AWS_SECRET_ACCESS_KEY. The S3 bucket is only
created when non-`null`.
''; '';
default = null;
}; };
domain = mkOption { domain = mkOption {

4
services/tests/peertube.nix
View file

@ -197,8 +197,8 @@ pkgs.nixosTest {
systemd.services.postgresql.serviceConfig.TimeoutSec = lib.mkForce 3600; systemd.services.postgresql.serviceConfig.TimeoutSec = lib.mkForce 3600;
environment.variables = { environment.variables = {
AWS_ACCESS_KEY_ID = config.fediversity.garage.ensureKeys.peertube.id; AWS_ACCESS_KEY_ID = "$(cat ${config.fediversity.peertube.s3AccessKeyFile})";
AWS_SECRET_ACCESS_KEY = config.fediversity.garage.ensureKeys.peertube.secret; AWS_SECRET_ACCESS_KEY = "$(cat ${config.fediversity.peertube.s3SecretKeyFile})";
PT_INITIAL_ROOT_PASSWORD = "testtest"; PT_INITIAL_ROOT_PASSWORD = "testtest";
}; };
}; };

2
services/vm/garage-vm.nix
View file

@ -12,6 +12,8 @@ in
{ {
imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ]; imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];
fediversity.garage.enable = true;
services.nginx.virtualHosts = services.nginx.virtualHosts =
let let
value = { value = {

9
services/vm/mastodon-vm.nix
View file

@ -1,6 +1,7 @@
{ {
modulesPath, modulesPath,
lib, lib,
pkgs,
config, config,
... ...
}: }:
@ -11,9 +12,13 @@
config = lib.mkMerge [ config = lib.mkMerge [
{ {
fediversity = { fediversity = {
enable = true;
domain = "localhost"; domain = "localhost";
mastodon.enable = true; mastodon = {
enable = true;
s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK3515373e4c851ebaad366558";
s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
};
temp.cores = config.virtualisation.cores; temp.cores = config.virtualisation.cores;
}; };

7
services/vm/peertube-vm.nix
View file

@ -8,13 +8,12 @@
imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ]; imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];
fediversity = { fediversity = {
enable = true;
domain = "localhost"; domain = "localhost";
peertube = { peertube = {
enable = true; enable = true;
secretsFile = pkgs.writeText "secret" '' secretsFile = pkgs.writeText "secret" "574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24";
574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24 s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK1f9feea9960f6f95ff404c9b";
''; s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
}; };
}; };

15
services/vm/pixelfed-vm.nix
View file

@ -1,4 +1,9 @@
{ lib, modulesPath, ... }: {
lib,
pkgs,
modulesPath,
...
}:
let let
inherit (lib) mkVMOverride; inherit (lib) mkVMOverride;
@ -9,9 +14,13 @@ in
imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ]; imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];
fediversity = { fediversity = {
enable = true;
domain = "localhost"; domain = "localhost";
pixelfed.enable = true; pixelfed = {
enable = true;
s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKb5615457d44214411e673b7b";
s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
};
}; };
services.pixelfed = { services.pixelfed = {