lois/Fediversity
1
0
Fork 0
forked from fediversity/fediversity
Code Pull requests Activity

services.garage -> fediversity.garage

Browse source 
for the options that are ours; we want to avoid clashes if possible
This commit is contained in:
Nicolas Jeannerod 2025-02-14 16:25:52 +01:00
parent b68a821b77
commit d9188427ed
Signed by untrusted user: Niols
GPG key ID: 35DB9EC8886E1CB8
9 changed files with 81 additions and 86 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
services/fediversity/garage/default.nix
View file

@ -7,7 +7,6 @@ let
};
in
# TODO: expand to a multi-machine setup
{
config,
lib,
@ -66,7 +65,7 @@ let
garage bucket deny --read --write --owner ${bucketArg} --key tmp
''}
'';
ensureBucketsScript = concatMapAttrs ensureBucketScriptFn cfg.ensureBuckets;
ensureBucketsScript = concatMapAttrs ensureBucketScriptFn config.fediversity.garage.ensureBuckets;
ensureAccessScriptFn =
key: bucket:
{
@ -90,7 +89,7 @@ let
garage key import --yes -n ${escapeShellArg key} ${escapeShellArg id} ${escapeShellArg secret} || :
${concatMapAttrs (ensureAccessScriptFn key) ensureAccess}
'';
ensureKeysScript = concatMapAttrs ensureKeyScriptFn cfg.ensureKeys;
ensureKeysScript = concatMapAttrs ensureKeyScriptFn config.fediversity.garage.ensureKeys;
in
{
@ -149,7 +148,7 @@ in
mapAttrs' (bucket: _: {
name = fedicfg.web.domainForBucket bucket;
inherit value;
}) (filterAttrs (_: { website, ... }: website) cfg.ensureBuckets);
}) (filterAttrs (_: { website, ... }: website) config.fediversity.garage.ensureBuckets);
systemd.services.ensure-garage = {
after = [ "garage.service" ];

125
services/fediversity/garage/options.nix
View file

@ -5,76 +5,75 @@ let
in
{
options = {
services.garage = {
ensureBuckets = mkOption {
type = types.attrsOf (
types.submodule {
options = {
website = mkOption {
type = types.bool;
default = false;
options.fediversity.garage = {
ensureBuckets = mkOption {
type = types.attrsOf (
types.submodule {
options = {
website = mkOption {
type = types.bool;
default = false;
};
# I think setting corsRules should allow another website to show images from your bucket
corsRules = {
enable = mkEnableOption "CORS Rules";
allowedHeaders = mkOption {
type = types.listOf types.str;
default = [ ];
};
# I think setting corsRules should allow another website to show images from your bucket
corsRules = {
enable = mkEnableOption "CORS Rules";
allowedHeaders = mkOption {
type = types.listOf types.str;
default = [ ];
};
allowedMethods = mkOption {
type = types.listOf types.str;
default = [ ];
};
allowedOrigins = mkOption {
type = types.listOf types.str;
default = [ ];
};
allowedMethods = mkOption {
type = types.listOf types.str;
default = [ ];
};
aliases = mkOption {
allowedOrigins = mkOption {
type = types.listOf types.str;
default = [ ];
};
};
}
);
default = { };
};
ensureKeys = mkOption {
type = types.attrsOf (
types.submodule {
# TODO: these should be managed as secrets, not in the nix store
options = {
id = mkOption { type = types.str; };
secret = mkOption { type = types.str; };
# TODO: assert at least one of these is true
# NOTE: this currently needs to be done at the top level module
ensureAccess = mkOption {
type = types.attrsOf (
types.submodule {
options = {
read = mkOption {
type = types.bool;
default = false;
};
write = mkOption {
type = types.bool;
default = false;
};
owner = mkOption {
type = types.bool;
default = false;
};
};
}
);
default = [ ];
};
aliases = mkOption {
type = types.listOf types.str;
default = [ ];
};
}
);
default = { };
};
};
}
);
default = { };
};
ensureKeys = mkOption {
type = types.attrsOf (
types.submodule {
# TODO: these should be managed as secrets, not in the nix store
options = {
id = mkOption { type = types.str; };
secret = mkOption { type = types.str; };
# TODO: assert at least one of these is true
# NOTE: this currently needs to be done at the top level module
ensureAccess = mkOption {
type = types.attrsOf (
types.submodule {
options = {
read = mkOption {
type = types.bool;
default = false;
};
write = mkOption {
type = types.bool;
default = false;
};
owner = mkOption {
type = types.bool;
default = false;
};
};
}
);
default = [ ];
};
};
}
);
default = { };
};
};
}

2
services/fediversity/mastodon.nix
View file

@ -9,7 +9,7 @@ in
lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) {
#### garage setup
services.garage = {
fediversity.garage = {
ensureBuckets = {
mastodon = {
website = true;

2
services/fediversity/peertube.nix
View file

@ -17,7 +17,7 @@ lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) {
1936
];
services.garage = {
fediversity.garage = {
ensureBuckets = {
peertube-videos = {
website = true;

2
services/fediversity/pixelfed.nix
View file

@ -13,7 +13,7 @@ in
}:
lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
services.garage = {
fediversity.garage = {
ensureBuckets = {
pixelfed = {
website = true;

4
services/tests/mastodon.nix
View file

@ -69,8 +69,8 @@ pkgs.nixosTest {
expect
];
environment.variables = {
AWS_ACCESS_KEY_ID = config.services.garage.ensureKeys.mastodon.id;
AWS_SECRET_ACCESS_KEY = config.services.garage.ensureKeys.mastodon.secret;
AWS_ACCESS_KEY_ID = config.fediversity.garage.ensureKeys.mastodon.id;
AWS_SECRET_ACCESS_KEY = config.fediversity.garage.ensureKeys.mastodon.secret;
};
};
};

4
services/tests/peertube.nix
View file

@ -197,8 +197,8 @@ pkgs.nixosTest {
systemd.services.postgresql.serviceConfig.TimeoutSec = lib.mkForce 3600;
environment.variables = {
AWS_ACCESS_KEY_ID = config.services.garage.ensureKeys.peertube.id;
AWS_SECRET_ACCESS_KEY = config.services.garage.ensureKeys.peertube.secret;
AWS_ACCESS_KEY_ID = config.fediversity.garage.ensureKeys.peertube.id;
AWS_SECRET_ACCESS_KEY = config.fediversity.garage.ensureKeys.peertube.secret;
PT_INITIAL_ROOT_PASSWORD = "testtest";
};
};

5
services/tests/pixelfed-garage.nix
View file

@ -1,4 +1,5 @@
{ pkgs, self }:
let
lib = pkgs.lib;
@ -160,8 +161,8 @@ pkgs.nixosTest {
];
environment.variables = {
POST_MEDIA = ./fediversity.png;
AWS_ACCESS_KEY_ID = config.services.garage.ensureKeys.pixelfed.id;
AWS_SECRET_ACCESS_KEY = config.services.garage.ensureKeys.pixelfed.secret;
AWS_ACCESS_KEY_ID = config.fediversity.garage.ensureKeys.pixelfed.id;
AWS_SECRET_ACCESS_KEY = config.fediversity.garage.ensureKeys.pixelfed.secret;
## without this we get frivolous errors in the logs
MC_REGION = "garage";
};

16
services/vm/garage-vm.nix
View file

@ -8,10 +8,6 @@
let
inherit (lib) mkVMOverride mapAttrs' filterAttrs;
cfg = config.services.garage;
fedicfg = config.fediversity.internal.garage;
in
{
imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];
@ -24,21 +20,21 @@ in
};
in
mapAttrs' (bucket: _: {
name = fedicfg.web.domainForBucket bucket;
name = config.fediversity.internal.garage.web.domainForBucket bucket;
inherit value;
}) (filterAttrs (_: { website, ... }: website) cfg.ensureBuckets);
}) (filterAttrs (_: { website, ... }: website) config.fediversity.garage.ensureBuckets);
virtualisation.diskSize = 2048;
virtualisation.forwardPorts = [
{
from = "host";
host.port = fedicfg.rpc.port;
guest.port = fedicfg.rpc.port;
host.port = config.fediversity.internal.garage.rpc.port;
guest.port = config.fediversity.internal.garage.rpc.port;
}
{
from = "host";
host.port = fedicfg.web.internalPort;
guest.port = fedicfg.web.internalPort;
host.port = config.fediversity.internal.garage.web.internalPort;
guest.port = config.fediversity.internal.garage.web.internalPort;
}
];
}