diff --git a/services/fediversity/default.nix b/services/fediversity/default.nix
index a8c9f69b..5147c8f9 100644
--- a/services/fediversity/default.nix
+++ b/services/fediversity/default.nix
@@ -9,7 +9,7 @@ in
imports = [
./garage
./mastodon
- ./pixelfed.nix
+ ./pixelfed
./peertube
];
@@ -27,8 +27,6 @@ in
'';
};
- pixelfed.enable = mkEnableOption "default Fediversity Pixelfed configuration";
-
temp = mkOption {
description = "options that are only used while developing; should be removed eventually";
default = { };
@@ -41,23 +39,6 @@ in
};
};
};
-
- internal = mkOption {
- description = "options that are only meant to be used internally; change at your own risk";
- default = { };
- type = types.submodule {
- options = {
- ## REVIEW: Do we want to recreate options under
- ## `fediversity.internal` or would we rather use the options from
- ## the respective services? See Taeer's comment:
- ## https://git.fediversity.eu/taeer/simple-nixos-fediverse/pulls/22#issuecomment-124
- pixelfed.domain = mkOption {
- type = types.str;
- default = "pixelfed.${config.fediversity.domain}";
- };
- };
- };
- };
};
};
diff --git a/services/fediversity/pixelfed.nix b/services/fediversity/pixelfed.nix
deleted file mode 100644
index 0b1be364..00000000
--- a/services/fediversity/pixelfed.nix
+++ /dev/null
@@ -1,92 +0,0 @@
-let
- snakeoil_key = {
- id = "GKb5615457d44214411e673b7b";
- secret = "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
- };
-in
-
-{
- config,
- lib,
- pkgs,
- ...
-}:
-
-lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
- fediversity.garage = {
- ensureBuckets = {
- pixelfed = {
- website = true;
- # TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
- corsRules = {
- enable = true;
- allowedHeaders = [ "*" ];
- allowedMethods = [ "GET" ];
- allowedOrigins = [ "*" ];
- };
- };
- };
- ensureKeys = {
- pixelfed = {
- inherit (snakeoil_key) id secret;
- ensureAccess = {
- pixelfed = {
- read = true;
- write = true;
- owner = true;
- };
- };
- };
- };
- };
-
- services.pixelfed = {
- enable = true;
- domain = config.fediversity.internal.pixelfed.domain;
-
- # TODO: secrets management!!!
- secretFile = pkgs.writeText "secrets.env" ''
- APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
- '';
-
- ## Taeer feels like this way of configuring Nginx is odd; there should
- ## instead be a `services.pixefed.nginx.enable` option and the actual Nginx
- ## configuration should be in `services.nginx`. See eg. `pretix`.
- ##
- ## TODO: If that indeed makes sense, upstream.
- nginx = {
- forceSSL = true;
- enableACME = true;
- # locations."/public/".proxyPass = "${config.fediversity.garage.web.urlForBucket "pixelfed"}/public/";
- };
- };
-
- services.pixelfed.settings = {
- ## NOTE: This depends on the targets, eg. universities might want control
- ## over who has an account. We probably want a universal
- ## `fediversity.openRegistration` option.
- OPEN_REGISTRATION = true;
-
- # DANGEROUSLY_SET_FILESYSTEM_DRIVER = "s3";
- FILESYSTEM_CLOUD = "s3";
- PF_ENABLE_CLOUD = true;
- AWS_ACCESS_KEY_ID = snakeoil_key.id;
- AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
- AWS_DEFAULT_REGION = "garage";
- AWS_URL = config.fediversity.garage.web.urlForBucket "pixelfed";
- AWS_BUCKET = "pixelfed";
- AWS_ENDPOINT = config.fediversity.garage.api.url;
- AWS_USE_PATH_STYLE_ENDPOINT = false;
- };
-
- ## Only ever run `pixelfed-data-setup` after `ensure-garage` has done its job.
- ## Otherwise, everything crashed dramatically.
- systemd.services.pixelfed-data-setup = {
- after = [ "ensure-garage.service" ];
- };
-
- networking.firewall.allowedTCPPorts = [
- 80
- 443
- ];
-}
diff --git a/services/fediversity/pixelfed/default.nix b/services/fediversity/pixelfed/default.nix
new file mode 100644
index 00000000..4ce28871
--- /dev/null
+++ b/services/fediversity/pixelfed/default.nix
@@ -0,0 +1,96 @@
+let
+ snakeoil_key = {
+ id = "GKb5615457d44214411e673b7b";
+ secret = "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
+ };
+in
+
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+{
+ imports = [ ./options.nix ];
+
+ config = lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
+ fediversity.garage = {
+ ensureBuckets = {
+ pixelfed = {
+ website = true;
+ # TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
+ corsRules = {
+ enable = true;
+ allowedHeaders = [ "*" ];
+ allowedMethods = [ "GET" ];
+ allowedOrigins = [ "*" ];
+ };
+ };
+ };
+ ensureKeys = {
+ pixelfed = {
+ inherit (snakeoil_key) id secret;
+ ensureAccess = {
+ pixelfed = {
+ read = true;
+ write = true;
+ owner = true;
+ };
+ };
+ };
+ };
+ };
+
+ services.pixelfed = {
+ enable = true;
+ domain = config.fediversity.pixelfed.domain;
+
+ # TODO: secrets management!!!
+ secretFile = pkgs.writeText "secrets.env" ''
+ APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
+ '';
+
+ ## Taeer feels like this way of configuring Nginx is odd; there should
+ ## instead be a `services.pixefed.nginx.enable` option and the actual Nginx
+ ## configuration should be in `services.nginx`. See eg. `pretix`.
+ ##
+ ## TODO: If that indeed makes sense, upstream.
+ nginx = {
+ forceSSL = true;
+ enableACME = true;
+ # locations."/public/".proxyPass = "${config.fediversity.garage.web.urlForBucket "pixelfed"}/public/";
+ };
+ };
+
+ services.pixelfed.settings = {
+ ## NOTE: This depends on the targets, eg. universities might want control
+ ## over who has an account. We probably want a universal
+ ## `fediversity.openRegistration` option.
+ OPEN_REGISTRATION = true;
+
+ # DANGEROUSLY_SET_FILESYSTEM_DRIVER = "s3";
+ FILESYSTEM_CLOUD = "s3";
+ PF_ENABLE_CLOUD = true;
+ AWS_ACCESS_KEY_ID = snakeoil_key.id;
+ AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
+ AWS_DEFAULT_REGION = "garage";
+ AWS_URL = config.fediversity.garage.web.urlForBucket "pixelfed";
+ AWS_BUCKET = "pixelfed";
+ AWS_ENDPOINT = config.fediversity.garage.api.url;
+ AWS_USE_PATH_STYLE_ENDPOINT = false;
+ };
+
+ ## Only ever run `pixelfed-data-setup` after `ensure-garage` has done its job.
+ ## Otherwise, everything crashed dramatically.
+ systemd.services.pixelfed-data-setup = {
+ after = [ "ensure-garage.service" ];
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+ };
+}
diff --git a/services/fediversity/pixelfed-group-permissions.patch b/services/fediversity/pixelfed/group-permissions.patch
similarity index 100%
rename from services/fediversity/pixelfed-group-permissions.patch
rename to services/fediversity/pixelfed/group-permissions.patch
diff --git a/services/fediversity/pixelfed/options.nix b/services/fediversity/pixelfed/options.nix
new file mode 100644
index 00000000..1a36ea27
--- /dev/null
+++ b/services/fediversity/pixelfed/options.nix
@@ -0,0 +1,18 @@
+{ config, lib, ... }:
+
+let
+ inherit (lib) mkOption mkEnableOption;
+ inherit (lib.types) types;
+
+in
+{
+ options.fediversity.pixelfed = {
+ enable = mkEnableOption "Enable a Pixelfed server on the machine";
+
+ domain = mkOption {
+ type = types.str;
+ description = "Internal option — change at your own risk";
+ default = "pixelfed.${config.fediversity.domain}";
+ };
+ };
+}