Fediversity/services/vm/mastodon-vm.nix

{
  modulesPath,
  lib,
  pkgs,
  config,
  ...
}:
{
  _class = "nixos";

  imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];

  config = lib.mkMerge [
    {
      fediversity = {
        domain = "localhost";
        mastodon = {
          enable = true;

          s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK3515373e4c851ebaad366558";
          s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
        };

        temp.cores = config.virtualisation.cores;
      };

      services.mastodon = {
        extraConfig = {
          EMAIL_DOMAIN_ALLOWLIST = "example.com";
        };
      };

      security.acme = lib.mkVMOverride {
        defaults = {
          # invalid server; the systemd service will fail, and we won't get
          # properly signed certificates. but let's not spam the letsencrypt
          # servers (and we don't own this domain anyways)
          server = "https://127.0.0.1";
          email = "none";
        };
      };
    }

    #### run mastodon as development environment
    {

      networking.firewall.allowedTCPPorts = [ 55001 ];
      services.mastodon = {
        # needed so we can directly access mastodon at port 55001
        # otherwise, mastodon has to be accessed *from* port 443, which we can't do via port forwarding
        enableUnixSocket = false;
        extraConfig = {
          RAILS_ENV = "development";
          # to be accessible from outside the VM
          BIND = "0.0.0.0";
          # for letter_opener (still doesn't work though)
          REMOTE_DEV = "true";
        };
      };

      services.postgresql = {
        enable = true;
        ensureUsers = [
          {
            name = config.services.mastodon.database.user;
            ensureClauses.createdb = true;
            # ensurePermissions doesn't work anymore
            # ensurePermissions = {
            #   "mastodon_development.*" = "ALL PRIVILEGES";
            #   "mastodon_test.*" = "ALL PRIVILEGES";
            # }
          }
        ];
        # ensureDatabases = [ "mastodon_development_test" "mastodon_test" ];
      };

      # Currently, nixos seems to be able to create a single database per
      # postgres user. This works for the production version of mastodon, which
      # is what's packaged in nixpkgs. For development, we need two databases,
      # mastodon_development and mastodon_test. This used to be possible with
      # ensurePermissions, but that's broken and has been removed. Here I copy
      # the mastodon-init-db script from upstream nixpkgs, but add the single
      # line `rails db:setup`, which asks mastodon to create the postgres
      # databases for us.
      # FIXME: the commented out lines were breaking things, but presumably they're necessary for something.
      # TODO: see if we can fix the upstream ensurePermissions stuff. See commented out lines in services.postgresql above for what that config would look like.
      systemd.services.mastodon-init-db.script = lib.mkForce ''
        result="$(psql -t --csv -c \
            "select count(*) from pg_class c \
            join pg_namespace s on s.oid = c.relnamespace \
            where s.nspname not in ('pg_catalog', 'pg_toast', 'information_schema') \
            and s.nspname not like 'pg_temp%';")" || error_code=$?
        if [ "''${error_code:-0}" -ne 0 ]; then
          echo "Failure checking if database is seeded. psql gave exit code $error_code"
          exit "$error_code"
        fi
        if [ "$result" -eq 0 ]; then
          echo "Seeding database"
          rails db:setup
          # SAFETY_ASSURED=1 rails db:schema:load
          rails db:seed
        # else
          # echo "Migrating database (this might be a noop)"
          # rails db:migrate
        fi
      '';
      virtualisation.forwardPorts = [
        {
          from = "host";
          host.port = 55001;
          guest.port = 55001;
        }
      ];
    }
  ];
}