diff --git a/fediversity/default.nix b/fediversity/default.nix index c8bc0f1..768fb37 100644 --- a/fediversity/default.nix +++ b/fediversity/default.nix @@ -64,17 +64,13 @@ in { type = types.str; default = "web.garage.${config.fediversity.domain}"; }; - port = mkOption { + internalPort = mkOption { type = types.int; default = 3902; }; - rootDomainAndPort = mkOption { - type = types.str; - default = "${config.fediversity.internal.garage.web.rootDomain}:${toString config.fediversity.internal.garage.web.port}"; - }; urlFor = mkOption { type = types.functionTo types.str; - default = bucket: "http://${bucket}.${config.fediversity.internal.garage.web.rootDomainAndPort}"; + default = bucket: "http://${bucket}.${config.fediversity.internal.garage.web.rootDomain}"; }; }; }; diff --git a/fediversity/garage.nix b/fediversity/garage.nix index 9822da7..811bf9a 100644 --- a/fediversity/garage.nix +++ b/fediversity/garage.nix @@ -5,6 +5,7 @@ let id = "GK22a15201acacbd51cd43e327"; secret = "82b2b4cbef27bf8917b350d5b10a87c92fa9c8b13a415aeeea49726cf335d74e"; }; + cfg = config.fediversity.internal.garage; in # TODO: expand to a multi-machine setup @@ -42,7 +43,7 @@ let ${optionalString corsRules.enable '' garage bucket allow --read --write --owner ${bucketArg} --key tmp # TODO: endpoin-url should not be hard-coded - aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${config.fediversity.internal.garage.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON} + aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${cfg.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON} garage bucket deny --read --write --owner ${bucketArg} --key tmp ''} ''; @@ -137,21 +138,20 @@ in # virtualisation.forwardPorts = [ # { # from = "host"; - # host.port = config.fediversity.internal.garage.rpc.port; - # guest.port = config.fediversity.internal.garage.rpc.port; + # host.port = cfg.rpc.port; + # guest.port = cfg.rpc.port; # } # { # from = "host"; - # host.port = config.fediversity.internal.garage.web.port; - # guest.port = config.fediversity.internal.garage.web.port; + # host.port = cfg.web.port; + # guest.port = cfg.web.port; # } # ]; environment.systemPackages = [ pkgs.minio-client pkgs.awscli ]; networking.firewall.allowedTCPPorts = [ - config.fediversity.internal.garage.rpc.port - config.fediversity.internal.garage.web.port + cfg.rpc.port ]; services.garage = { enable = true; @@ -161,15 +161,24 @@ in # TODO: use a secret file rpc_secret = "d576c4478cc7d0d94cfc127138cbb82018b0155c037d1c827dfb6c36be5f6625"; # TODO: why does this have to be set? is there not a sensible default? - rpc_bind_addr = "[::]:${toString config.fediversity.internal.garage.rpc.port}"; - rpc_public_addr = "[::1]:${toString config.fediversity.internal.garage.rpc.port}"; - s3_api.api_bind_addr = "[::]:${toString config.fediversity.internal.garage.api.port}"; - s3_web.bind_addr = "[::]:${toString config.fediversity.internal.garage.web.port}"; - s3_web.root_domain = ".${config.fediversity.internal.garage.web.rootDomain}"; + rpc_bind_addr = "[::]:${toString cfg.rpc.port}"; + rpc_public_addr = "[::1]:${toString cfg.rpc.port}"; + s3_api.api_bind_addr = "[::]:${toString cfg.api.port}"; + s3_web.bind_addr = "[::]:${toString cfg.web.port}"; + s3_web.root_domain = ".${cfg.web.rootDomain}"; index = "index.html"; s3_api.s3_region = "garage"; - s3_api.root_domain = ".${config.fediversity.internal.garage.api.domain}"; + s3_api.root_domain = ".${cfg.api.domain}"; + }; + }; + services.nginx.virtualHosts."garagePortProxy" = { + serverName = "${cfg.web.urlFor "*"}"; # wildcard bucket *.foo.com + locations."/" = { + proxyPass = "localhost:3902" + extraConfig = '' + proxy_set_header Host $host; + ''; }; }; systemd.services.ensure-garage = { @@ -184,7 +193,7 @@ in # Give Garage time to start up by waiting until somethings speaks HTTP # behind Garage's API URL. - until ${pkgs.curl}/bin/curl -sio /dev/null ${config.fediversity.internal.garage.api.url}; do sleep 1; done + until ${pkgs.curl}/bin/curl -sio /dev/null ${cfg.api.url}; do sleep 1; done # XXX: this is very sensitive to being a single instance # (doing the bare minimum to get garage up and running) diff --git a/fediversity/mastodon.nix b/fediversity/mastodon.nix index 62599b5..d19edca 100644 --- a/fediversity/mastodon.nix +++ b/fediversity/mastodon.nix @@ -46,7 +46,7 @@ lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) { AWS_ACCESS_KEY_ID = snakeoil_key.id; AWS_SECRET_ACCESS_KEY = snakeoil_key.secret; S3_PROTOCOL = "http"; - S3_HOSTNAME = config.fediversity.internal.garage.web.rootDomainAndPort; + S3_HOSTNAME = config.fediversity.internal.garage.web.rootDomain; # by default it tries to use "/" S3_ALIAS_HOST = "${S3_BUCKET}.${S3_HOSTNAME}"; # SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/