2024-05-25 01:02:12 +02:00
|
|
|
let
|
|
|
|
snakeoil_key = {
|
|
|
|
id = "GKb5615457d44214411e673b7b";
|
|
|
|
secret = "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
|
|
|
|
};
|
|
|
|
in
|
2024-09-17 14:30:59 +02:00
|
|
|
|
|
|
|
{ config, lib, pkgs, ... }:
|
|
|
|
|
|
|
|
lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
|
2024-05-25 01:02:12 +02:00
|
|
|
services.garage = {
|
|
|
|
ensureBuckets = {
|
|
|
|
pixelfed = {
|
|
|
|
website = true;
|
|
|
|
# TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
|
|
|
|
corsRules = {
|
|
|
|
enable = true;
|
|
|
|
allowedHeaders = [ "*" ];
|
|
|
|
allowedMethods = [ "GET" ];
|
|
|
|
allowedOrigins = [ "*" ];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
ensureKeys = {
|
|
|
|
pixelfed = {
|
|
|
|
inherit (snakeoil_key) id secret;
|
|
|
|
ensureAccess = {
|
|
|
|
pixelfed = {
|
|
|
|
read = true;
|
|
|
|
write = true;
|
|
|
|
owner = true;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2024-09-17 17:58:09 +02:00
|
|
|
services.pixelfed = {
|
|
|
|
enable = true;
|
2024-09-20 17:13:35 +02:00
|
|
|
domain = config.fediversity.internal.pixelfed.domain;
|
2024-09-20 17:56:40 +02:00
|
|
|
|
|
|
|
# TODO: secrets management!!!
|
|
|
|
secretFile = pkgs.writeText "secrets.env" ''
|
|
|
|
APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
|
|
|
|
'';
|
|
|
|
|
|
|
|
## Taeer feels like this way of configuring Nginx is odd; there should
|
|
|
|
## instead be a `services.pixefed.nginx.enable` option and the actual Nginx
|
|
|
|
## configuration should be in `services.nginx`. See eg. `pretix`.
|
|
|
|
##
|
|
|
|
## TODO: If that indeed makes sense, upstream.
|
|
|
|
nginx = {
|
|
|
|
# locations."/public/".proxyPass = "${config.fediversity.internal.garage.web.urlFor "pixelfed"}/public/";
|
|
|
|
};
|
2024-09-17 17:58:09 +02:00
|
|
|
};
|
2024-09-02 18:09:10 +02:00
|
|
|
|
2024-05-25 01:02:12 +02:00
|
|
|
services.pixelfed.settings = {
|
2024-09-20 17:56:40 +02:00
|
|
|
## NOTE: This depends on the targets, eg. universities might want control
|
|
|
|
## over who has an account. We probably want a universal
|
|
|
|
## `fediversity.openRegistration` option.
|
|
|
|
OPEN_REGISTRATION = true;
|
|
|
|
|
2024-09-05 18:03:35 +02:00
|
|
|
# DANGEROUSLY_SET_FILESYSTEM_DRIVER = "s3";
|
2024-05-25 01:02:12 +02:00
|
|
|
FILESYSTEM_CLOUD = "s3";
|
|
|
|
PF_ENABLE_CLOUD = true;
|
|
|
|
AWS_ACCESS_KEY_ID = snakeoil_key.id;
|
|
|
|
AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
|
|
|
|
AWS_DEFAULT_REGION = "garage";
|
2024-09-20 17:13:35 +02:00
|
|
|
AWS_URL = config.fediversity.internal.garage.web.urlFor "pixelfed";
|
2024-05-25 01:02:12 +02:00
|
|
|
AWS_BUCKET = "pixelfed";
|
2024-09-20 17:13:35 +02:00
|
|
|
AWS_ENDPOINT = config.fediversity.internal.garage.api.url;
|
2024-05-25 01:02:12 +02:00
|
|
|
AWS_USE_PATH_STYLE_ENDPOINT = false;
|
|
|
|
};
|
2024-09-05 15:33:47 +02:00
|
|
|
|
|
|
|
## Only ever run `pixelfed-data-setup` after `ensure-garage` has done its job.
|
|
|
|
## Otherwise, everything crashed dramatically.
|
|
|
|
systemd.services.pixelfed-data-setup = {
|
|
|
|
after = [ "ensure-garage.service" ];
|
|
|
|
};
|
2024-09-05 18:03:35 +02:00
|
|
|
|
|
|
|
services.pixelfed.package = pkgs.pixelfed.overrideAttrs (old: {
|
|
|
|
patches = (old.patches or [ ]) ++ [ ./pixelfed-group-permissions.patch ];
|
|
|
|
});
|
2024-09-20 17:56:40 +02:00
|
|
|
|
2024-09-20 18:44:47 +02:00
|
|
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
2024-03-20 01:39:59 +01:00
|
|
|
}
|