Allow Garage and services to run on different machines

This commit is contained in:
Nicolas Jeannerod 2025-02-15 11:19:10 +01:00
parent 1eeaa04df6
commit cd83536e2f
Signed by untrusted user: Niols
GPG key ID: 35DB9EC8886E1CB8
11 changed files with 359 additions and 276 deletions


@ -71,24 +71,54 @@ in
}; };
}; };
## NOTE: All of these secrets are publicly available in this source file
## and will end up in the Nix store. We don't care as they are only ever
## used for testing anyway.
pixelfedS3KeyConfig =
{ pkgs, ... }:
{
s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKb5615457d44214411e673b7b";
s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
};
mastodonS3KeyConfig =
{ pkgs, ... }:
{
s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK3515373e4c851ebaad366558";
s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
};
peertubeS3KeyConfig =
{ pkgs, ... }:
{
s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK1f9feea9960f6f95ff404c9b";
s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
};
in in
{ {
providers = { inherit (inputs.nixops4.modules.nixops4Provider) local; }; providers = { inherit (inputs.nixops4.modules.nixops4Provider) local; };
resources = { resources = {
fedi100 = makeProcolixVmResource 100 (
{ pkgs, ... }:
{
fediversity = {
domain = "abundos.eu";
garage.enable = true;
pixelfed = pixelfedS3KeyConfig { inherit pkgs; };
mastodon = mastodonS3KeyConfig { inherit pkgs; };
peertube = peertubeS3KeyConfig { inherit pkgs; };
};
}
);
fedi101 = makeProcolixVmResource 101 ( fedi101 = makeProcolixVmResource 101 (
{ pkgs, ... }: { pkgs, ... }:
{ {
fediversity = { fediversity = {
domain = "fedi101.abundos.eu"; domain = "abundos.eu";
pixelfed = { pixelfed = pixelfedS3KeyConfig { inherit pkgs; } // {
enable = true; enable = true;
## NOTE: Only ever used for testing anyway.
s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKb5615457d44214411e673b7b";
s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
}; };
garage.enable = true;
}; };
} }
); );
@ -97,15 +127,10 @@ in
{ pkgs, ... }: { pkgs, ... }:
{ {
fediversity = { fediversity = {
domain = "fedi102.abundos.eu"; domain = "abundos.eu";
mastodon = { mastodon = mastodonS3KeyConfig { inherit pkgs; } // {
enable = true; enable = true;
## NOTE: Only ever used for testing anyway.
s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK3515373e4c851ebaad366558";
s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
}; };
garage.enable = true;
temp.cores = 1; # FIXME: should come from NixOps4 eventually temp.cores = 1; # FIXME: should come from NixOps4 eventually
}; };
@ -116,16 +141,12 @@ in
{ pkgs, ... }: { pkgs, ... }:
{ {
fediversity = { fediversity = {
domain = "fedi103.abundos.eu"; domain = "abundos.eu";
peertube = { peertube = peertubeS3KeyConfig { inherit pkgs; } // {
enable = true; enable = true;
## NOTE: Only ever used for testing anyway. ## NOTE: Only ever used for testing anyway.
secretsFile = pkgs.writeText "secret" "574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24"; secretsFile = pkgs.writeText "secret" "574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24";
s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK1f9feea9960f6f95ff404c9b";
s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
}; };
garage.enable = true;
}; };
} }
); );
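Review bot: The NOTE at the top of the first hunk waves away the keys landing in the Nix store as a testing-only concern, but the new `pixelfedS3KeyConfig`/`mastodonS3KeyConfig`/`peertubeS3KeyConfig` values are now shared between the Garage host (`fedi100`) and the service hosts (`fedi101`–`fedi103`) under `abundos.eu`, and elsewhere in this commit the Garage S3 API port is added to the firewall allow-list, so anyone who can read this repository holds owner-level credentials for those buckets that are usable over the network. The comment should state that consequence rather than only the store exposure, e.g. `## NOTE: These keys are public (they are in git and in the world-readable Nix store) and the Garage API is reachable over the network, so these hosts must never hold non-test data; generate fresh keys per deployment before reusing this layout.` It would also help to say in the hunk that `garage.enable` is deliberately dropped from `fedi101`–`fedi103` so that only `fedi100` runs Garage, since that is the split the rest of the commit depends on.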


@ -105,7 +105,15 @@ in
pkgs.awscli pkgs.awscli
]; ];
networking.firewall.allowedTCPPorts = [ config.fediversity.garage.rpc.port ]; ## REVIEW: Do we want to reverse proxy the RPC and API ports? In fact,
## shouldn't we just get rid of RPC at all, we're not using it.
networking.firewall.allowedTCPPorts = [
80
443
config.fediversity.garage.api.port
config.fediversity.garage.rpc.port
];
services.garage = { services.garage = {
enable = true; enable = true;
package = pkgs.garage_0_9; package = pkgs.garage_0_9;
@ -126,6 +134,8 @@ in
}; };
}; };
services.nginx.enable = true;
## Create a proxy from <bucket>.web.garage.<domain> to localhost:3902 for ## Create a proxy from <bucket>.web.garage.<domain> to localhost:3902 for
## each bucket that has `website = true`. ## each bucket that has `website = true`.
services.nginx.virtualHosts = services.nginx.virtualHosts =
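Review bot: Adding `config.fediversity.garage.api.port` and `config.fediversity.garage.rpc.port` to `networking.firewall.allowedTCPPorts` exposes both the raw S3 API and the cluster RPC port on every interface, and the service modules in this commit talk to that API with `S3_PROTOCOL = "http"`, so the access key ID, the signed requests and every object cross the network between machines unencrypted. Since `services.nginx.enable = true` is set just below, the API could instead be published only through an nginx virtual host with TLS (the clients all point at `config.fediversity.garage.api.url`, so only that URL has to change), leaving the firewall at `networking.firewall.allowedTCPPorts = [ 80 443 ];`. The RPC port is only needed between Garage nodes; if it has to stay open, restrict it to the peer addresses (an interface-specific `networking.firewall.interfaces.<name>.allowedTCPPorts` or `extraCommands` rule) rather than the global list, which also answers the `## REVIEW` question left in the hunk. Whether Garage authenticates RPC peers is decided by the `services.garage.settings` block that continues outside this hunk, so that is worth checking before leaving the port public.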


@ -6,96 +6,107 @@
}: }:
let let
inherit (lib) readFile; inherit (lib) mkIf mkMerge readFile;
inherit (pkgs) writeText; inherit (pkgs) writeText;
in in
{ {
imports = [ ./options.nix ]; imports = [ ./options.nix ];
config = lib.mkIf config.fediversity.mastodon.enable { config = mkMerge [
#### garage setup (mkIf
fediversity.garage = { (
ensureBuckets = { config.fediversity.garage.enable
mastodon = { && config.fediversity.mastodon.s3AccessKeyFile != null
website = true; && config.fediversity.mastodon.s3SecretKeyFile != null
corsRules = { )
enable = true; {
allowedHeaders = [ "*" ]; fediversity.garage = {
allowedMethods = [ "GET" ]; ensureBuckets = {
allowedOrigins = [ "*" ];
};
};
};
ensureKeys = {
mastodon = {
inherit (config.fediversity.mastodon) s3AccessKeyFile s3SecretKeyFile;
ensureAccess = {
mastodon = { mastodon = {
read = true; website = true;
write = true; corsRules = {
owner = true; enable = true;
allowedHeaders = [ "*" ];
allowedMethods = [ "GET" ];
allowedOrigins = [ "*" ];
};
};
};
ensureKeys = {
mastodon = {
inherit (config.fediversity.mastodon) s3AccessKeyFile s3SecretKeyFile;
ensureAccess = {
mastodon = {
read = true;
write = true;
owner = true;
};
};
}; };
}; };
}; };
}
)
(mkIf config.fediversity.mastodon.enable {
services.mastodon.extraConfig = rec {
S3_ENABLED = "true";
# TODO: this shouldn't be hard-coded, it should come from the garage configuration
S3_ENDPOINT = config.fediversity.garage.api.url;
S3_REGION = "garage";
S3_BUCKET = "mastodon";
# use <S3_BUCKET>.<S3_ENDPOINT>
S3_OVERRIDE_PATH_STLE = "true";
S3_PROTOCOL = "http";
S3_ALIAS_HOST = config.fediversity.garage.web.domainForBucket S3_BUCKET;
# SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/
# TODO: can we set up ACLs with garage?
S3_PERMISSION = "";
}; };
};
services.mastodon.extraConfig = rec { ## FIXME: secrets management; we should have a service that writes the
S3_ENABLED = "true"; ## `.env` files based on all the secrets that we need to put there.
# TODO: this shouldn't be hard-coded, it should come from the garage configuration services.mastodon.extraEnvFiles = [
S3_ENDPOINT = config.fediversity.garage.api.url; (writeText "s3AccessKey" ''
S3_REGION = "garage"; AWS_ACCESS_KEY_ID=${readFile config.fediversity.mastodon.s3AccessKeyFile}
S3_BUCKET = "mastodon"; '')
# use <S3_BUCKET>.<S3_ENDPOINT> (writeText "s3SecretKey" ''
S3_OVERRIDE_PATH_STLE = "true"; AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.mastodon.s3SecretKeyFile}
S3_PROTOCOL = "http"; '')
S3_ALIAS_HOST = config.fediversity.garage.web.domainForBucket S3_BUCKET; ];
# SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/
# TODO: can we set up ACLs with garage?
S3_PERMISSION = "";
};
## FIXME: secrets management; we should have a service that writes the # open up access to the mastodon web interface. 80 is necessary if only for ACME
## `.env` files based on all the secrets that we need to put there. networking.firewall.allowedTCPPorts = [
services.mastodon.extraEnvFiles = [ 80
(writeText "s3AccessKey" '' 443
AWS_ACCESS_KEY_ID=${readFile config.fediversity.mastodon.s3AccessKeyFile} ];
'')
(writeText "s3SecretKey" ''
AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.mastodon.s3SecretKeyFile}
'')
];
# open up access to the mastodon web interface. 80 is necessary if only for ACME services.mastodon = {
networking.firewall.allowedTCPPorts = [ enable = true;
80
443
];
services.mastodon = { localDomain = config.fediversity.mastodon.domain;
enable = true; configureNginx = true;
localDomain = config.fediversity.mastodon.domain; # from the documentation: recommended is the amount of your CPU cores minus
configureNginx = true; # one. but it also must be a positive integer
streamingProcesses = lib.max 1 (config.fediversity.temp.cores - 1);
# from the documentation: recommended is the amount of your CPU cores minus # TODO: configure a mailserver so this works
# one. but it also must be a positive integer smtp = {
streamingProcesses = lib.max 1 (config.fediversity.temp.cores - 1); fromAddress = "noreply@${config.fediversity.mastodon.domain}";
createLocally = false;
# TODO: configure a mailserver so this works };
smtp = {
fromAddress = "noreply@${config.fediversity.mastodon.domain}";
createLocally = false;
}; };
};
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
preliminarySelfsigned = true; preliminarySelfsigned = true;
# TODO: configure a mailserver so we can set up acme # TODO: configure a mailserver so we can set up acme
# defaults.email = "test@example.com"; # defaults.email = "test@example.com";
}; };
}; })
];
} }
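Review bot: The second `mkIf` block (`config.fediversity.mastodon.enable`) still calls `readFile` on `s3AccessKeyFile` and `s3SecretKeyFile` unconditionally in `services.mastodon.extraEnvFiles`, but this commit makes both options `nullOr` with a `null` default, so enabling Mastodon without keys now fails with an opaque `readFile` type error at evaluation instead of a readable message. An `assertions` entry in that block would make the dependency explicit, as below. Separately, `S3_OVERRIDE_PATH_STLE` (a context line, pre-existing) looks like a misspelling of Mastodon's `S3_OVERRIDE_PATH_STYLE`; if so the setting is silently ignored and the `# use <S3_BUCKET>.<S3_ENDPOINT>` comment above it does not describe what actually happens, which is worth confirming against the Mastodon docs linked in the hunk.

```nix
(mkIf config.fediversity.mastodon.enable {
  assertions = [
    {
      assertion =
        config.fediversity.mastodon.s3AccessKeyFile != null
        && config.fediversity.mastodon.s3SecretKeyFile != null;
      message = "fediversity.mastodon: s3AccessKeyFile and s3SecretKeyFile must both be set when mastodon.enable is true";
    }
  ];
  # … unchanged: services.mastodon.extraConfig, extraEnvFiles, firewall, services.mastodon, security.acme …
})
```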


@ -1,124 +1,135 @@
{ config, lib, ... }: { config, lib, ... }:
let let
inherit (lib) mkIf readFile; inherit (lib) mkIf mkMerge readFile;
in in
{ {
imports = [ ./options.nix ]; imports = [ ./options.nix ];
config = mkIf config.fediversity.peertube.enable { config = mkMerge [
networking.firewall.allowedTCPPorts = [ (mkIf
80 (
443 config.fediversity.garage.enable
&& config.fediversity.peertube.s3AccessKeyFile != null
## For Live streaming and Live streaming when RTMPS is enabled. && config.fediversity.peertube.s3SecretKeyFile != null
1935 )
1936 {
]; fediversity.garage = {
ensureBuckets = {
fediversity.garage = {
ensureBuckets = {
peertube-videos = {
website = true;
# TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
corsRules = {
enable = true;
allowedHeaders = [ "*" ];
allowedMethods = [ "GET" ];
allowedOrigins = [ "*" ];
};
};
# TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
peertube-playlists = {
website = true;
corsRules = {
enable = true;
allowedHeaders = [ "*" ];
allowedMethods = [ "GET" ];
allowedOrigins = [ "*" ];
};
};
};
ensureKeys = {
peertube = {
inherit (config.fediversity.peertube) s3AccessKeyFile s3SecretKeyFile;
ensureAccess = {
peertube-videos = { peertube-videos = {
read = true; website = true;
write = true; # TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
owner = true; corsRules = {
enable = true;
allowedHeaders = [ "*" ];
allowedMethods = [ "GET" ];
allowedOrigins = [ "*" ];
};
}; };
# TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
peertube-playlists = { peertube-playlists = {
read = true; website = true;
write = true; corsRules = {
owner = true; enable = true;
allowedHeaders = [ "*" ];
allowedMethods = [ "GET" ];
allowedOrigins = [ "*" ];
};
};
};
ensureKeys = {
peertube = {
inherit (config.fediversity.peertube) s3AccessKeyFile s3SecretKeyFile;
ensureAccess = {
peertube-videos = {
read = true;
write = true;
owner = true;
};
peertube-playlists = {
read = true;
write = true;
owner = true;
};
};
}; };
}; };
}; };
}; }
}; )
services.peertube = { (mkIf config.fediversity.peertube.enable {
enable = true; networking.firewall.allowedTCPPorts = [
localDomain = config.fediversity.peertube.domain; 80
443
# TODO: in most of nixpkgs, these are true by default. upstream that unless there's a good reason not to. ## For Live streaming and Live streaming when RTMPS is enabled.
redis.createLocally = true; 1935
database.createLocally = true; 1936
];
secrets.secretsFile = config.fediversity.peertube.secretsFile; services.peertube = {
enable = true;
localDomain = config.fediversity.peertube.domain;
settings = { # TODO: in most of nixpkgs, these are true by default. upstream that unless there's a good reason not to.
object_storage = { redis.createLocally = true;
enabled = true; database.createLocally = true;
endpoint = config.fediversity.garage.api.url;
region = "garage";
upload_acl.public = null; # Garage does not support ACL
upload_acl.private = null; # Garage does not support ACL
# not supported by garage secrets.secretsFile = config.fediversity.peertube.secretsFile;
# SEE: https://garagehq.deuxfleurs.fr/documentation/connect/apps/#peertube
proxy.proxyify_private_files = false;
web_videos = rec { settings = {
bucket_name = "peertube-videos"; object_storage = {
prefix = ""; enabled = true;
base_url = config.fediversity.garage.web.urlForBucket bucket_name; endpoint = config.fediversity.garage.api.url;
}; region = "garage";
videos = rec { upload_acl.public = null; # Garage does not support ACL
bucket_name = "peertube-videos"; upload_acl.private = null; # Garage does not support ACL
prefix = "";
base_url = config.fediversity.garage.web.urlForBucket bucket_name; # not supported by garage
}; # SEE: https://garagehq.deuxfleurs.fr/documentation/connect/apps/#peertube
streaming_playlists = rec { proxy.proxyify_private_files = false;
bucket_name = "peertube-playlists";
prefix = ""; web_videos = rec {
base_url = config.fediversity.garage.web.urlForBucket bucket_name; bucket_name = "peertube-videos";
prefix = "";
base_url = config.fediversity.garage.web.urlForBucket bucket_name;
};
videos = rec {
bucket_name = "peertube-videos";
prefix = "";
base_url = config.fediversity.garage.web.urlForBucket bucket_name;
};
streaming_playlists = rec {
bucket_name = "peertube-playlists";
prefix = "";
base_url = config.fediversity.garage.web.urlForBucket bucket_name;
};
}; };
}; };
serviceEnvironmentFile = "/etc/peertube-env";
}; };
serviceEnvironmentFile = "/etc/peertube-env";
};
## FIXME: secrets management; we should have a service that writes the ## FIXME: secrets management; we should have a service that writes the
## `.env` files based on all the secrets that we need to put there. ## `.env` files based on all the secrets that we need to put there.
environment.etc.peertube-env.text = '' environment.etc.peertube-env.text = ''
AWS_ACCESS_KEY_ID=${readFile config.fediversity.peertube.s3AccessKeyFile} AWS_ACCESS_KEY_ID=${readFile config.fediversity.peertube.s3AccessKeyFile}
AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.peertube.s3SecretKeyFile} AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.peertube.s3SecretKeyFile}
''; '';
## Proxying through Nginx ## Proxying through Nginx
services.peertube = { services.peertube = {
configureNginx = true; configureNginx = true;
listenWeb = 443; listenWeb = 443;
enableWebHttps = true; enableWebHttps = true;
}; };
services.nginx.virtualHosts.${config.services.peertube.localDomain} = { services.nginx.virtualHosts.${config.services.peertube.localDomain} = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
}; };
}; })
];
} }
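Review bot: `environment.etc.peertube-env.text` and the `ensureKeys` block both read `config.fediversity.peertube.s3AccessKeyFile`/`s3SecretKeyFile`, but only the latter is now guarded against `null`; with the options defaulting to `null` in this commit, `peertube.enable = true` without keys fails inside `readFile` with a type error rather than a clear message. An `assertions` entry in the `mkIf config.fediversity.peertube.enable` block requiring both `config.fediversity.peertube.s3AccessKeyFile != null` and `config.fediversity.peertube.s3SecretKeyFile != null` would make that contract explicit. Note also that `environment.etc.peertube-env` sets no `mode`/`user`, so the file holding the AWS credentials is a symlink into the world-readable store on the PeerTube host; the FIXME above it already covers proper secrets management, but the comment could state that until then every local user on that machine can read the S3 credentials.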


@ -6,89 +6,100 @@
}: }:
let let
inherit (lib) mkIf readFile; inherit (lib) mkIf mkMerge readFile;
in in
{ {
imports = [ ./options.nix ]; imports = [ ./options.nix ];
config = mkIf config.fediversity.pixelfed.enable { config = mkMerge [
fediversity.garage = { (mkIf
ensureBuckets = { (
pixelfed = { config.fediversity.garage.enable
website = true; && config.fediversity.pixelfed.s3AccessKeyFile != null
# TODO: these are too broad, after getting everything works narrow it down to the domain we actually want && config.fediversity.pixelfed.s3SecretKeyFile != null
corsRules = { )
enable = true; {
allowedHeaders = [ "*" ]; fediversity.garage = {
allowedMethods = [ "GET" ]; ensureBuckets = {
allowedOrigins = [ "*" ];
};
};
};
ensureKeys = {
pixelfed = {
inherit (config.fediversity.pixelfed) s3AccessKeyFile s3SecretKeyFile;
ensureAccess = {
pixelfed = { pixelfed = {
read = true; website = true;
write = true; # TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
owner = true; corsRules = {
enable = true;
allowedHeaders = [ "*" ];
allowedMethods = [ "GET" ];
allowedOrigins = [ "*" ];
};
};
};
ensureKeys = {
pixelfed = {
inherit (config.fediversity.pixelfed) s3AccessKeyFile s3SecretKeyFile;
ensureAccess = {
pixelfed = {
read = true;
write = true;
owner = true;
};
};
}; };
}; };
}; };
}
)
(mkIf config.fediversity.pixelfed.enable {
services.pixelfed = {
enable = true;
domain = config.fediversity.pixelfed.domain;
## FIXME: secrets management; we should have a service that writes the
## `.env` file based on all the secrets that we need to put there.
secretFile = pkgs.writeText "secrets.env" ''
APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
AWS_ACCESS_KEY_ID=${readFile config.fediversity.pixelfed.s3AccessKeyFile}
AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.pixelfed.s3SecretKeyFile}
'';
## Taeer feels like this way of configuring Nginx is odd; there should
## instead be a `services.pixefed.nginx.enable` option and the actual Nginx
## configuration should be in `services.nginx`. See eg. `pretix`.
##
## TODO: If that indeed makes sense, upstream.
nginx = {
forceSSL = true;
enableACME = true;
# locations."/public/".proxyPass = "${config.fediversity.garage.web.urlForBucket "pixelfed"}/public/";
};
}; };
};
services.pixelfed = { services.pixelfed.settings = {
enable = true; ## NOTE: This depends on the targets, eg. universities might want control
domain = config.fediversity.pixelfed.domain; ## over who has an account. We probably want a universal
## `fediversity.openRegistration` option.
OPEN_REGISTRATION = true;
## FIXME: secrets management; we should have a service that writes the FILESYSTEM_CLOUD = "s3";
## `.env` file based on all the secrets that we need to put there. PF_ENABLE_CLOUD = true;
secretFile = pkgs.writeText "secrets.env" '' AWS_DEFAULT_REGION = "garage";
APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA AWS_URL = config.fediversity.garage.web.urlForBucket "pixelfed";
AWS_ACCESS_KEY_ID=${readFile config.fediversity.pixelfed.s3AccessKeyFile} AWS_BUCKET = "pixelfed";
AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.pixelfed.s3SecretKeyFile} AWS_ENDPOINT = config.fediversity.garage.api.url;
''; AWS_USE_PATH_STYLE_ENDPOINT = false;
## Taeer feels like this way of configuring Nginx is odd; there should
## instead be a `services.pixefed.nginx.enable` option and the actual Nginx
## configuration should be in `services.nginx`. See eg. `pretix`.
##
## TODO: If that indeed makes sense, upstream.
nginx = {
forceSSL = true;
enableACME = true;
# locations."/public/".proxyPass = "${config.fediversity.garage.web.urlForBucket "pixelfed"}/public/";
}; };
};
services.pixelfed.settings = { ## Only ever run `pixelfed-data-setup` after `ensure-garage` has done its job.
## NOTE: This depends on the targets, eg. universities might want control ## Otherwise, everything crashed dramatically.
## over who has an account. We probably want a universal systemd.services.pixelfed-data-setup = {
## `fediversity.openRegistration` option. after = [ "ensure-garage.service" ];
OPEN_REGISTRATION = true; };
FILESYSTEM_CLOUD = "s3"; networking.firewall.allowedTCPPorts = [
PF_ENABLE_CLOUD = true; 80
AWS_DEFAULT_REGION = "garage"; 443
AWS_URL = config.fediversity.garage.web.urlForBucket "pixelfed"; ];
AWS_BUCKET = "pixelfed"; })
AWS_ENDPOINT = config.fediversity.garage.api.url; ];
AWS_USE_PATH_STYLE_ENDPOINT = false;
};
## Only ever run `pixelfed-data-setup` after `ensure-garage` has done its job.
## Otherwise, everything crashed dramatically.
systemd.services.pixelfed-data-setup = {
after = [ "ensure-garage.service" ];
};
networking.firewall.allowedTCPPorts = [
80
443
];
};
} }
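Review bot: `APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA` in `secretFile` is a fixed Laravel application key living in the shared module rather than in the test or deployment configuration, so every host that enables `fediversity.pixelfed` runs with the same key that is also public in this repository; Laravel derives session, cookie and encrypted-value protection from `APP_KEY`, so anyone with the repo can forge or decrypt those on any instance built from this module. It should become an option beside `s3AccessKeyFile`, e.g. `appKeyFile = mkOption { type = types.nullOr types.path; default = null; };` in `options.nix`, with the test VM supplying a throwaway key and the module line becoming `APP_KEY=${readFile config.fediversity.pixelfed.appKeyFile}`. Separately, `systemd.services.pixelfed-data-setup.after = [ "ensure-garage.service" ]` only orders against a unit on the same machine; now that Garage may run elsewhere, the ordering has no effect there, and the `## Only ever run pixelfed-data-setup after ensure-garage` comment should say that the cross-machine case still needs a readiness check or retry against `config.fediversity.garage.api.url`.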


@ -17,21 +17,25 @@ in
enable = mkEnableOption "Enable a ${serviceDocName} server on the machine"; enable = mkEnableOption "Enable a ${serviceDocName} server on the machine";
s3AccessKeyFile = mkOption { s3AccessKeyFile = mkOption {
type = types.path; type = types.nullOr types.path;
description = '' description = ''
S3 access key for ${serviceDocName}'s bucket/s S3 access key for ${serviceDocName}'s bucket/s
In AWS CLI, this would be AWS_ACCESS_KEY_ID. In AWS CLI, this would be AWS_ACCESS_KEY_ID. The S3 bucket is only created
when non-`null`.
''; '';
default = null;
}; };
s3SecretKeyFile = mkOption { s3SecretKeyFile = mkOption {
type = types.path; type = types.nullOr types.path;
description = '' description = ''
S3 secret key for ${serviceDocName}'s bucket/s S3 secret key for ${serviceDocName}'s bucket/s
In AWS CLI, this would be AWS_SECRET_ACCESS_KEY. In AWS CLI, this would be AWS_SECRET_ACCESS_KEY. The S3 bucket is only
created when non-`null`.
''; '';
default = null;
}; };
domain = mkOption { domain = mkOption {
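Review bot: The new descriptions say the bucket is created "when non-`null`", but the service modules only create it when both `s3AccessKeyFile` and `s3SecretKeyFile` are non-null, and they read both unconditionally once the service is enabled, so a host with only one of them set silently skips bucket creation and then fails at evaluation. Stating the pairing explicitly would prevent that half-configured state, e.g. `Must be set together with s3SecretKeyFile: the bucket and key are only created on the Garage host when both are non-null, and both are required when the service itself is enabled.` with the mirror sentence on `s3SecretKeyFile`. The enclosing options attribute set starts before this hunk and continues after it.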


@ -197,8 +197,8 @@ pkgs.nixosTest {
systemd.services.postgresql.serviceConfig.TimeoutSec = lib.mkForce 3600; systemd.services.postgresql.serviceConfig.TimeoutSec = lib.mkForce 3600;
environment.variables = { environment.variables = {
AWS_ACCESS_KEY_ID = config.fediversity.garage.ensureKeys.peertube.id; AWS_ACCESS_KEY_ID = "$(cat ${config.fediversity.peertube.s3AccessKeyFile})";
AWS_SECRET_ACCESS_KEY = config.fediversity.garage.ensureKeys.peertube.secret; AWS_SECRET_ACCESS_KEY = "$(cat ${config.fediversity.peertube.s3SecretKeyFile})";
PT_INITIAL_ROOT_PASSWORD = "testtest"; PT_INITIAL_ROOT_PASSWORD = "testtest";
}; };
}; };
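Review bot: `AWS_ACCESS_KEY_ID = "$(cat ${config.fediversity.peertube.s3AccessKeyFile})"` depends on `environment.variables` being exported through a double-quoted shell assignment so that the command substitution runs at login; that is how NixOS currently generates `set-environment`, but nothing in this test documents the assumption. A one-line comment such as `# relies on environment.variables being shell-expanded at login; the key files are only read when a shell sources set-environment` would save the next reader from assuming these are literal values. The enclosing `environment.variables` set and the test node definition continue outside this hunk.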


@ -12,6 +12,8 @@ in
{ {
imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ]; imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];
fediversity.garage.enable = true;
services.nginx.virtualHosts = services.nginx.virtualHosts =
let let
value = { value = {


@ -1,6 +1,7 @@
{ {
modulesPath, modulesPath,
lib, lib,
pkgs,
config, config,
... ...
}: }:
@ -11,9 +12,13 @@
config = lib.mkMerge [ config = lib.mkMerge [
{ {
fediversity = { fediversity = {
enable = true;
domain = "localhost"; domain = "localhost";
mastodon.enable = true; mastodon = {
enable = true;
s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK3515373e4c851ebaad366558";
s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
};
temp.cores = config.virtualisation.cores; temp.cores = config.virtualisation.cores;
}; };


@ -8,13 +8,12 @@
imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ]; imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];
fediversity = { fediversity = {
enable = true;
domain = "localhost"; domain = "localhost";
peertube = { peertube = {
enable = true; enable = true;
secretsFile = pkgs.writeText "secret" '' secretsFile = pkgs.writeText "secret" "574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24";
574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24 s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK1f9feea9960f6f95ff404c9b";
''; s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
}; };
}; };


@ -1,4 +1,9 @@
{ lib, modulesPath, ... }: {
lib,
pkgs,
modulesPath,
...
}:
let let
inherit (lib) mkVMOverride; inherit (lib) mkVMOverride;
@ -9,9 +14,13 @@ in
imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ]; imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];
fediversity = { fediversity = {
enable = true;
domain = "localhost"; domain = "localhost";
pixelfed.enable = true; pixelfed = {
enable = true;
s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKb5615457d44214411e673b7b";
s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
};
}; };
services.pixelfed = { services.pixelfed = {