kiara/Fediversity
1
0
Fork 0
forked from Fediversity/Fediversity
Code Pull requests Activity

Allow Garage and services to run on different machines

Browse source
This commit is contained in:
Nicolas Jeannerod 2025-02-15 11:19:10 +01:00
parent 1eeaa04df6
commit cd83536e2f
Signed by untrusted user: Niols
GPG key ID: 35DB9EC8886E1CB8
11 changed files with 359 additions and 276 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

61
deployment/flake-part.nix
View file

@ -71,24 +71,54 @@ in
};
};
## NOTE: All of these secrets are publicly available in this source file
## and will end up in the Nix store. We don't care as they are only ever
## used for testing anyway.
pixelfedS3KeyConfig =
{ pkgs, ... }:
{
s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKb5615457d44214411e673b7b";
s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
};
mastodonS3KeyConfig =
{ pkgs, ... }:
{
s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK3515373e4c851ebaad366558";
s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
};
peertubeS3KeyConfig =
{ pkgs, ... }:
{
s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK1f9feea9960f6f95ff404c9b";
s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
};
in
{
providers = { inherit (inputs.nixops4.modules.nixops4Provider) local; };
resources = {
fedi100 = makeProcolixVmResource 100 (
{ pkgs, ... }:
{
fediversity = {
domain = "abundos.eu";
garage.enable = true;
pixelfed = pixelfedS3KeyConfig { inherit pkgs; };
mastodon = mastodonS3KeyConfig { inherit pkgs; };
peertube = peertubeS3KeyConfig { inherit pkgs; };
};
}
);
fedi101 = makeProcolixVmResource 101 (
{ pkgs, ... }:
{
fediversity = {
domain = "fedi101.abundos.eu";
pixelfed = {
domain = "abundos.eu";
pixelfed = pixelfedS3KeyConfig { inherit pkgs; } // {
enable = true;
## NOTE: Only ever used for testing anyway.
s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKb5615457d44214411e673b7b";
s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
};
garage.enable = true;
};
}
);
@ -97,15 +127,10 @@ in
{ pkgs, ... }:
{
fediversity = {
domain = "fedi102.abundos.eu";
mastodon = {
domain = "abundos.eu";
mastodon = mastodonS3KeyConfig { inherit pkgs; } // {
enable = true;
## NOTE: Only ever used for testing anyway.
s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK3515373e4c851ebaad366558";
s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
};
garage.enable = true;
temp.cores = 1; # FIXME: should come from NixOps4 eventually
};
@ -116,16 +141,12 @@ in
{ pkgs, ... }:
{
fediversity = {
domain = "fedi103.abundos.eu";
peertube = {
domain = "abundos.eu";
peertube = peertubeS3KeyConfig { inherit pkgs; } // {
enable = true;
## NOTE: Only ever used for testing anyway.
secretsFile = pkgs.writeText "secret" "574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24";
s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK1f9feea9960f6f95ff404c9b";
s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
};
garage.enable = true;
};
}
);

12
services/fediversity/garage/default.nix
View file

@ -105,7 +105,15 @@ in
pkgs.awscli
];
networking.firewall.allowedTCPPorts = [ config.fediversity.garage.rpc.port ];
## REVIEW: Do we want to reverse proxy the RPC and API ports? In fact,
## shouldn't we just get rid of RPC at all, we're not using it.
networking.firewall.allowedTCPPorts = [
80
443
config.fediversity.garage.api.port
config.fediversity.garage.rpc.port
];
services.garage = {
enable = true;
package = pkgs.garage_0_9;
@ -126,6 +134,8 @@ in
};
};
services.nginx.enable = true;
## Create a proxy from <bucket>.web.garage.<domain> to localhost:3902 for
## each bucket that has `website = true`.
services.nginx.virtualHosts =

157
services/fediversity/mastodon/default.nix
View file

@ -6,96 +6,107 @@
}:
let
inherit (lib) readFile;
inherit (lib) mkIf mkMerge readFile;
inherit (pkgs) writeText;
in
{
imports = [ ./options.nix ];
config = lib.mkIf config.fediversity.mastodon.enable {
#### garage setup
fediversity.garage = {
ensureBuckets = {
mastodon = {
website = true;
corsRules = {
enable = true;
allowedHeaders = [ "*" ];
allowedMethods = [ "GET" ];
allowedOrigins = [ "*" ];
};
};
};
ensureKeys = {
mastodon = {
inherit (config.fediversity.mastodon) s3AccessKeyFile s3SecretKeyFile;
ensureAccess = {
config = mkMerge [
(mkIf
(
config.fediversity.garage.enable
&& config.fediversity.mastodon.s3AccessKeyFile != null
&& config.fediversity.mastodon.s3SecretKeyFile != null
)
{
fediversity.garage = {
ensureBuckets = {
mastodon = {
read = true;
write = true;
owner = true;
website = true;
corsRules = {
enable = true;
allowedHeaders = [ "*" ];
allowedMethods = [ "GET" ];
allowedOrigins = [ "*" ];
};
};
};
ensureKeys = {
mastodon = {
inherit (config.fediversity.mastodon) s3AccessKeyFile s3SecretKeyFile;
ensureAccess = {
mastodon = {
read = true;
write = true;
owner = true;
};
};
};
};
};
}
)
(mkIf config.fediversity.mastodon.enable {
services.mastodon.extraConfig = rec {
S3_ENABLED = "true";
# TODO: this shouldn't be hard-coded, it should come from the garage configuration
S3_ENDPOINT = config.fediversity.garage.api.url;
S3_REGION = "garage";
S3_BUCKET = "mastodon";
# use <S3_BUCKET>.<S3_ENDPOINT>
S3_OVERRIDE_PATH_STLE = "true";
S3_PROTOCOL = "http";
S3_ALIAS_HOST = config.fediversity.garage.web.domainForBucket S3_BUCKET;
# SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/
# TODO: can we set up ACLs with garage?
S3_PERMISSION = "";
};
};
services.mastodon.extraConfig = rec {
S3_ENABLED = "true";
# TODO: this shouldn't be hard-coded, it should come from the garage configuration
S3_ENDPOINT = config.fediversity.garage.api.url;
S3_REGION = "garage";
S3_BUCKET = "mastodon";
# use <S3_BUCKET>.<S3_ENDPOINT>
S3_OVERRIDE_PATH_STLE = "true";
S3_PROTOCOL = "http";
S3_ALIAS_HOST = config.fediversity.garage.web.domainForBucket S3_BUCKET;
# SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/
# TODO: can we set up ACLs with garage?
S3_PERMISSION = "";
};
## FIXME: secrets management; we should have a service that writes the
## `.env` files based on all the secrets that we need to put there.
services.mastodon.extraEnvFiles = [
(writeText "s3AccessKey" ''
AWS_ACCESS_KEY_ID=${readFile config.fediversity.mastodon.s3AccessKeyFile}
'')
(writeText "s3SecretKey" ''
AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.mastodon.s3SecretKeyFile}
'')
];
## FIXME: secrets management; we should have a service that writes the
## `.env` files based on all the secrets that we need to put there.
services.mastodon.extraEnvFiles = [
(writeText "s3AccessKey" ''
AWS_ACCESS_KEY_ID=${readFile config.fediversity.mastodon.s3AccessKeyFile}
'')
(writeText "s3SecretKey" ''
AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.mastodon.s3SecretKeyFile}
'')
];
# open up access to the mastodon web interface. 80 is necessary if only for ACME
networking.firewall.allowedTCPPorts = [
80
443
];
# open up access to the mastodon web interface. 80 is necessary if only for ACME
networking.firewall.allowedTCPPorts = [
80
443
];
services.mastodon = {
enable = true;
services.mastodon = {
enable = true;
localDomain = config.fediversity.mastodon.domain;
configureNginx = true;
localDomain = config.fediversity.mastodon.domain;
configureNginx = true;
# from the documentation: recommended is the amount of your CPU cores minus
# one. but it also must be a positive integer
streamingProcesses = lib.max 1 (config.fediversity.temp.cores - 1);
# from the documentation: recommended is the amount of your CPU cores minus
# one. but it also must be a positive integer
streamingProcesses = lib.max 1 (config.fediversity.temp.cores - 1);
# TODO: configure a mailserver so this works
smtp = {
fromAddress = "noreply@${config.fediversity.mastodon.domain}";
createLocally = false;
# TODO: configure a mailserver so this works
smtp = {
fromAddress = "noreply@${config.fediversity.mastodon.domain}";
createLocally = false;
};
};
};
security.acme = {
acceptTerms = true;
preliminarySelfsigned = true;
# TODO: configure a mailserver so we can set up acme
# defaults.email = "test@example.com";
};
};
security.acme = {
acceptTerms = true;
preliminarySelfsigned = true;
# TODO: configure a mailserver so we can set up acme
# defaults.email = "test@example.com";
};
})
];
}

205
services/fediversity/peertube/default.nix
View file

@ -1,124 +1,135 @@
{ config, lib, ... }:
let
inherit (lib) mkIf readFile;
inherit (lib) mkIf mkMerge readFile;
in
{
imports = [ ./options.nix ];
config = mkIf config.fediversity.peertube.enable {
networking.firewall.allowedTCPPorts = [
80
443
## For Live streaming and Live streaming when RTMPS is enabled.
1935
1936
];
fediversity.garage = {
ensureBuckets = {
peertube-videos = {
website = true;
# TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
corsRules = {
enable = true;
allowedHeaders = [ "*" ];
allowedMethods = [ "GET" ];
allowedOrigins = [ "*" ];
};
};
# TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
peertube-playlists = {
website = true;
corsRules = {
enable = true;
allowedHeaders = [ "*" ];
allowedMethods = [ "GET" ];
allowedOrigins = [ "*" ];
};
};
};
ensureKeys = {
peertube = {
inherit (config.fediversity.peertube) s3AccessKeyFile s3SecretKeyFile;
ensureAccess = {
config = mkMerge [
(mkIf
(
config.fediversity.garage.enable
&& config.fediversity.peertube.s3AccessKeyFile != null
&& config.fediversity.peertube.s3SecretKeyFile != null
)
{
fediversity.garage = {
ensureBuckets = {
peertube-videos = {
read = true;
write = true;
owner = true;
website = true;
# TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
corsRules = {
enable = true;
allowedHeaders = [ "*" ];
allowedMethods = [ "GET" ];
allowedOrigins = [ "*" ];
};
};
# TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
peertube-playlists = {
read = true;
write = true;
owner = true;
website = true;
corsRules = {
enable = true;
allowedHeaders = [ "*" ];
allowedMethods = [ "GET" ];
allowedOrigins = [ "*" ];
};
};
};
ensureKeys = {
peertube = {
inherit (config.fediversity.peertube) s3AccessKeyFile s3SecretKeyFile;
ensureAccess = {
peertube-videos = {
read = true;
write = true;
owner = true;
};
peertube-playlists = {
read = true;
write = true;
owner = true;
};
};
};
};
};
};
};
}
)
services.peertube = {
enable = true;
localDomain = config.fediversity.peertube.domain;
(mkIf config.fediversity.peertube.enable {
networking.firewall.allowedTCPPorts = [
80
443
# TODO: in most of nixpkgs, these are true by default. upstream that unless there's a good reason not to.
redis.createLocally = true;
database.createLocally = true;
## For Live streaming and Live streaming when RTMPS is enabled.
1935
1936
];
secrets.secretsFile = config.fediversity.peertube.secretsFile;
services.peertube = {
enable = true;
localDomain = config.fediversity.peertube.domain;
settings = {
object_storage = {
enabled = true;
endpoint = config.fediversity.garage.api.url;
region = "garage";
upload_acl.public = null; # Garage does not support ACL
upload_acl.private = null; # Garage does not support ACL
# TODO: in most of nixpkgs, these are true by default. upstream that unless there's a good reason not to.
redis.createLocally = true;
database.createLocally = true;
# not supported by garage
# SEE: https://garagehq.deuxfleurs.fr/documentation/connect/apps/#peertube
proxy.proxyify_private_files = false;
secrets.secretsFile = config.fediversity.peertube.secretsFile;
web_videos = rec {
bucket_name = "peertube-videos";
prefix = "";
base_url = config.fediversity.garage.web.urlForBucket bucket_name;
};
videos = rec {
bucket_name = "peertube-videos";
prefix = "";
base_url = config.fediversity.garage.web.urlForBucket bucket_name;
};
streaming_playlists = rec {
bucket_name = "peertube-playlists";
prefix = "";
base_url = config.fediversity.garage.web.urlForBucket bucket_name;
settings = {
object_storage = {
enabled = true;
endpoint = config.fediversity.garage.api.url;
region = "garage";
upload_acl.public = null; # Garage does not support ACL
upload_acl.private = null; # Garage does not support ACL
# not supported by garage
# SEE: https://garagehq.deuxfleurs.fr/documentation/connect/apps/#peertube
proxy.proxyify_private_files = false;
web_videos = rec {
bucket_name = "peertube-videos";
prefix = "";
base_url = config.fediversity.garage.web.urlForBucket bucket_name;
};
videos = rec {
bucket_name = "peertube-videos";
prefix = "";
base_url = config.fediversity.garage.web.urlForBucket bucket_name;
};
streaming_playlists = rec {
bucket_name = "peertube-playlists";
prefix = "";
base_url = config.fediversity.garage.web.urlForBucket bucket_name;
};
};
};
serviceEnvironmentFile = "/etc/peertube-env";
};
serviceEnvironmentFile = "/etc/peertube-env";
};
## FIXME: secrets management; we should have a service that writes the
## `.env` files based on all the secrets that we need to put there.
environment.etc.peertube-env.text = ''
AWS_ACCESS_KEY_ID=${readFile config.fediversity.peertube.s3AccessKeyFile}
AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.peertube.s3SecretKeyFile}
'';
## FIXME: secrets management; we should have a service that writes the
## `.env` files based on all the secrets that we need to put there.
environment.etc.peertube-env.text = ''
AWS_ACCESS_KEY_ID=${readFile config.fediversity.peertube.s3AccessKeyFile}
AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.peertube.s3SecretKeyFile}
'';
## Proxying through Nginx
## Proxying through Nginx
services.peertube = {
configureNginx = true;
listenWeb = 443;
enableWebHttps = true;
};
services.nginx.virtualHosts.${config.services.peertube.localDomain} = {
forceSSL = true;
enableACME = true;
};
};
services.peertube = {
configureNginx = true;
listenWeb = 443;
enableWebHttps = true;
};
services.nginx.virtualHosts.${config.services.peertube.localDomain} = {
forceSSL = true;
enableACME = true;
};
})
];
}

151
services/fediversity/pixelfed/default.nix
View file

@ -6,89 +6,100 @@
}:
let
inherit (lib) mkIf readFile;
inherit (lib) mkIf mkMerge readFile;
in
{
imports = [ ./options.nix ];
config = mkIf config.fediversity.pixelfed.enable {
fediversity.garage = {
ensureBuckets = {
pixelfed = {
website = true;
# TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
corsRules = {
enable = true;
allowedHeaders = [ "*" ];
allowedMethods = [ "GET" ];
allowedOrigins = [ "*" ];
};
};
};
ensureKeys = {
pixelfed = {
inherit (config.fediversity.pixelfed) s3AccessKeyFile s3SecretKeyFile;
ensureAccess = {
config = mkMerge [
(mkIf
(
config.fediversity.garage.enable
&& config.fediversity.pixelfed.s3AccessKeyFile != null
&& config.fediversity.pixelfed.s3SecretKeyFile != null
)
{
fediversity.garage = {
ensureBuckets = {
pixelfed = {
read = true;
write = true;
owner = true;
website = true;
# TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
corsRules = {
enable = true;
allowedHeaders = [ "*" ];
allowedMethods = [ "GET" ];
allowedOrigins = [ "*" ];
};
};
};
ensureKeys = {
pixelfed = {
inherit (config.fediversity.pixelfed) s3AccessKeyFile s3SecretKeyFile;
ensureAccess = {
pixelfed = {
read = true;
write = true;
owner = true;
};
};
};
};
};
}
)
(mkIf config.fediversity.pixelfed.enable {
services.pixelfed = {
enable = true;
domain = config.fediversity.pixelfed.domain;
## FIXME: secrets management; we should have a service that writes the
## `.env` file based on all the secrets that we need to put there.
secretFile = pkgs.writeText "secrets.env" ''
APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
AWS_ACCESS_KEY_ID=${readFile config.fediversity.pixelfed.s3AccessKeyFile}
AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.pixelfed.s3SecretKeyFile}
'';
## Taeer feels like this way of configuring Nginx is odd; there should
## instead be a `services.pixefed.nginx.enable` option and the actual Nginx
## configuration should be in `services.nginx`. See eg. `pretix`.
##
## TODO: If that indeed makes sense, upstream.
nginx = {
forceSSL = true;
enableACME = true;
# locations."/public/".proxyPass = "${config.fediversity.garage.web.urlForBucket "pixelfed"}/public/";
};
};
};
services.pixelfed = {
enable = true;
domain = config.fediversity.pixelfed.domain;
services.pixelfed.settings = {
## NOTE: This depends on the targets, eg. universities might want control
## over who has an account. We probably want a universal
## `fediversity.openRegistration` option.
OPEN_REGISTRATION = true;
## FIXME: secrets management; we should have a service that writes the
## `.env` file based on all the secrets that we need to put there.
secretFile = pkgs.writeText "secrets.env" ''
APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
AWS_ACCESS_KEY_ID=${readFile config.fediversity.pixelfed.s3AccessKeyFile}
AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.pixelfed.s3SecretKeyFile}
'';
## Taeer feels like this way of configuring Nginx is odd; there should
## instead be a `services.pixefed.nginx.enable` option and the actual Nginx
## configuration should be in `services.nginx`. See eg. `pretix`.
##
## TODO: If that indeed makes sense, upstream.
nginx = {
forceSSL = true;
enableACME = true;
# locations."/public/".proxyPass = "${config.fediversity.garage.web.urlForBucket "pixelfed"}/public/";
FILESYSTEM_CLOUD = "s3";
PF_ENABLE_CLOUD = true;
AWS_DEFAULT_REGION = "garage";
AWS_URL = config.fediversity.garage.web.urlForBucket "pixelfed";
AWS_BUCKET = "pixelfed";
AWS_ENDPOINT = config.fediversity.garage.api.url;
AWS_USE_PATH_STYLE_ENDPOINT = false;
};
};
services.pixelfed.settings = {
## NOTE: This depends on the targets, eg. universities might want control
## over who has an account. We probably want a universal
## `fediversity.openRegistration` option.
OPEN_REGISTRATION = true;
## Only ever run `pixelfed-data-setup` after `ensure-garage` has done its job.
## Otherwise, everything crashed dramatically.
systemd.services.pixelfed-data-setup = {
after = [ "ensure-garage.service" ];
};
FILESYSTEM_CLOUD = "s3";
PF_ENABLE_CLOUD = true;
AWS_DEFAULT_REGION = "garage";
AWS_URL = config.fediversity.garage.web.urlForBucket "pixelfed";
AWS_BUCKET = "pixelfed";
AWS_ENDPOINT = config.fediversity.garage.api.url;
AWS_USE_PATH_STYLE_ENDPOINT = false;
};
## Only ever run `pixelfed-data-setup` after `ensure-garage` has done its job.
## Otherwise, everything crashed dramatically.
systemd.services.pixelfed-data-setup = {
after = [ "ensure-garage.service" ];
};
networking.firewall.allowedTCPPorts = [
80
443
];
};
networking.firewall.allowedTCPPorts = [
80
443
];
})
];
}

12
services/fediversity/sharedOptions.nix
View file

@ -17,21 +17,25 @@ in
enable = mkEnableOption "Enable a ${serviceDocName} server on the machine";
s3AccessKeyFile = mkOption {
type = types.path;
type = types.nullOr types.path;
description = ''
S3 access key for ${serviceDocName}'s bucket/s
In AWS CLI, this would be AWS_ACCESS_KEY_ID.
In AWS CLI, this would be AWS_ACCESS_KEY_ID. The S3 bucket is only created
when non-`null`.
'';
default = null;
};
s3SecretKeyFile = mkOption {
type = types.path;
type = types.nullOr types.path;
description = ''
S3 secret key for ${serviceDocName}'s bucket/s
In AWS CLI, this would be AWS_SECRET_ACCESS_KEY.
In AWS CLI, this would be AWS_SECRET_ACCESS_KEY. The S3 bucket is only
created when non-`null`.
'';
default = null;
};
domain = mkOption {

4
services/tests/peertube.nix
View file

@ -197,8 +197,8 @@ pkgs.nixosTest {
systemd.services.postgresql.serviceConfig.TimeoutSec = lib.mkForce 3600;
environment.variables = {
AWS_ACCESS_KEY_ID = config.fediversity.garage.ensureKeys.peertube.id;
AWS_SECRET_ACCESS_KEY = config.fediversity.garage.ensureKeys.peertube.secret;
AWS_ACCESS_KEY_ID = "$(cat ${config.fediversity.peertube.s3AccessKeyFile})";
AWS_SECRET_ACCESS_KEY = "$(cat ${config.fediversity.peertube.s3SecretKeyFile})";
PT_INITIAL_ROOT_PASSWORD = "testtest";
};
};

2
services/vm/garage-vm.nix
View file

@ -12,6 +12,8 @@ in
{
imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];
fediversity.garage.enable = true;
services.nginx.virtualHosts =
let
value = {

9
services/vm/mastodon-vm.nix
View file

@ -1,6 +1,7 @@
{
modulesPath,
lib,
pkgs,
config,
...
}:
@ -11,9 +12,13 @@
config = lib.mkMerge [
{
fediversity = {
enable = true;
domain = "localhost";
mastodon.enable = true;
mastodon = {
enable = true;
s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK3515373e4c851ebaad366558";
s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
};
temp.cores = config.virtualisation.cores;
};

7
services/vm/peertube-vm.nix
View file

@ -8,13 +8,12 @@
imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];
fediversity = {
enable = true;
domain = "localhost";
peertube = {
enable = true;
secretsFile = pkgs.writeText "secret" ''
574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24
'';
secretsFile = pkgs.writeText "secret" "574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24";
s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK1f9feea9960f6f95ff404c9b";
s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
};
};

15
services/vm/pixelfed-vm.nix
View file

@ -1,4 +1,9 @@
{ lib, modulesPath, ... }:
{
lib,
pkgs,
modulesPath,
...
}:
let
inherit (lib) mkVMOverride;
@ -9,9 +14,13 @@ in
imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];
fediversity = {
enable = true;
domain = "localhost";
pixelfed.enable = true;
pixelfed = {
enable = true;
s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKb5615457d44214411e673b7b";
s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
};
};
services.pixelfed = {