review
This commit is contained in:
parent
2c7e3603b8
commit
3e329b4254
|
@ -2,7 +2,7 @@
|
|||
|
||||
This repo is, for now, an attempt to familiarize myself with NixOS options for Fediverse applications, and build up a configuration layer that will set most of the relevant options for you (in a semi-opinionated way) given some high-level configuration. The goal is something in the same vein as [nixos-mailserver](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver) but for fediversity.
|
||||
|
||||
Eventually, this will be tailored to high-throughput multi-machine setups. For now, it's just a small configuration to run in VMs.
|
||||
Eventually, this will be tailored to high-throughput multi-machine setups. For now, it's just a small set of configurations to run in VMs.
|
||||
|
||||
## Running the VMs
|
||||
|
||||
|
@ -76,6 +76,10 @@ NOTE: it sometimes takes a while for the services to start up, and in the meanti
|
|||
When mastodon is running in production mode, we have a few problems:
|
||||
- you have to click "accept the security risk"
|
||||
- it takes a while for the webpage to come online. Until then you see "502 Bad Gateway"
|
||||
- reverse proxy should produce a user friendly page regardless
|
||||
- might be needed for upgrade downtime too?
|
||||
- don't send users over until it's up
|
||||
- email sent from the mastodon instance (e.g. for account confirmation) should be accessible at <https://mastodon.localhost:55001/letter_opener>, but it's not working.
|
||||
- maybe the admin account should be managed entirely by fediversity anyway?
|
||||
|
||||
|
||||
|
|
|
@ -1,4 +1,6 @@
|
|||
{ pkgs, ... }: {
|
||||
|
||||
# Customize nixos-rebuild build-vm to be a bit more convenient
|
||||
virtualisation.vmVariant = {
|
||||
# let us log in
|
||||
users.mutableUsers = false;
|
||||
|
|
|
@ -55,6 +55,7 @@ in
|
|||
type = types.str;
|
||||
};
|
||||
# TODO: assert at least one of these is true
|
||||
# currently, needs to be done in the top level module
|
||||
ensureAccess = mkOption {
|
||||
type = types.attrsOf (types.submodule {
|
||||
options = {
|
||||
|
@ -106,6 +107,8 @@ in
|
|||
settings = {
|
||||
replication_mode = "none";
|
||||
# TODO: use a secret file
|
||||
# I'd like to have a NixOS module that declares the need for a secret file
|
||||
# that way, the need can be met by any secrets solution (agenix, sops-nix, colmena, a nixops4 module, ...)
|
||||
rpc_secret = "d576c4478cc7d0d94cfc127138cbb82018b0155c037d1c827dfb6c36be5f6625";
|
||||
# TODO: why does this have to be set? is there not a sensible default?
|
||||
rpc_bind_addr = "[::]:3901";
|
||||
|
@ -133,6 +136,7 @@ in
|
|||
# also, it's crazy that we have to parse command output like this
|
||||
# TODO: talk to garage maintainer about making this nicer to work with in Nix
|
||||
# before I do that though, I should figure out how setting it up across multiple machines will work
|
||||
# You could ask for a change or `--json` flag anyway, and maybe tell them what you're working on.
|
||||
GARAGE_ID=$(garage node id 2>/dev/null | perl -ne '/(.*)@.*/ && print $1')
|
||||
garage layout assign -z g1 -c 1G $GARAGE_ID
|
||||
LAYOUT_VER=$(garage layout show | perl -ne '/Current cluster layout version: (\d*)/ && print $1')
|
||||
|
@ -151,7 +155,7 @@ in
|
|||
|
||||
# TODO: should this --deny the website if `website` is false?
|
||||
${lib.optionalString website ''
|
||||
garage bucket website --allow ${bucket}
|
||||
garage bucket website --allow ${/* more robust: */ lib.strings.escapeShellArg bucket}
|
||||
''}
|
||||
|
||||
${lib.concatStringsSep "\n" (map (alias: ''
|
||||
|
@ -160,6 +164,8 @@ in
|
|||
|
||||
${lib.optionalString corsRules.enable ''
|
||||
# TODO: can i turn this whole thing into one builtins.toJSON?
|
||||
# why not :D
|
||||
# we also have `lib.strings.escapeShellArg` for the quoting
|
||||
export CORS=${lib.concatStrings [
|
||||
"'"
|
||||
''{"CORSRules":[{''
|
||||
|
@ -175,6 +181,7 @@ in
|
|||
garage bucket deny --read --write --owner ${bucket} --key tmp
|
||||
''}
|
||||
'') config.services.garage.ensureBuckets)
|
||||
# probably nice to factor this out into a function
|
||||
}
|
||||
${
|
||||
lib.concatStringsSep "\n" (lib.mapAttrsToList (key: {id, secret, ensureAccess}: ''
|
||||
|
|
|
@ -101,9 +101,8 @@ in
|
|||
# but it also must be a positive integer
|
||||
streamingProcesses = let
|
||||
ncores = config.virtualisation.cores;
|
||||
max = x: y: if x > y then x else y;
|
||||
in
|
||||
max 1 (ncores - 1);
|
||||
lib.max 1 (ncores - 1);
|
||||
};
|
||||
|
||||
security.acme = {
|
||||
|
@ -160,7 +159,10 @@ in
|
|||
};
|
||||
|
||||
# run rails db:seed so that mastodon sets up the databases for us
|
||||
# iirc the postgresql module can also do this kind of thing
|
||||
systemd.services.mastodon-init-db.script = lib.mkForce ''
|
||||
# This conditional freaks me out
|
||||
# Maybe configure psql to output in a more machine-readable format?
|
||||
if [ `psql -c \
|
||||
"select count(*) from pg_class c \
|
||||
join pg_namespace s on s.oid = c.relnamespace \
|
||||
|
|
12
thoughts
Normal file
12
thoughts
Normal file
|
@ -0,0 +1,12 @@
|
|||
|
||||
# `ensureBuckets`
|
||||
|
||||
Should be replaced by a resource that creates the bucket, so that we can manage its whole lifecycle, including updates (authz?) and deletion; possibly a generic S3 bucket resource? - we'll see.
|
||||
Fine solution for now.
|
||||
Perhaps also useful in a NixOS module, but could also be tech debt if nobody uses it.
|
||||
|
||||
# More exploration
|
||||
|
||||
- Use NixOS test framework?
|
||||
- Write test that upgrades garage
|
||||
|
Loading…
Reference in a new issue