review
parent
2c7e3603b8
commit
3e329b4254
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
This repo is, for now, an attempt to familiarize myself with NixOS options for Fediverse applications, and build up a configuration layer that will set most of the relevant options for you (in a semi-opinionated way) given some high-level configuration. The goal is something in the same vein as [nixos-mailserver](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver) but for fediversity.
|
This repo is, for now, an attempt to familiarize myself with NixOS options for Fediverse applications, and build up a configuration layer that will set most of the relevant options for you (in a semi-opinionated way) given some high-level configuration. The goal is something in the same vein as [nixos-mailserver](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver) but for fediversity.
|
||||||
|
|
||||||
Eventually, this will be tailored to high-throughput multi-machine setups. For now, it's just a small configuration to run in VMs.
|
Eventually, this will be tailored to high-throughput multi-machine setups. For now, it's just a small set of configurations to run in VMs.
|
||||||
|
|
||||||
## Running the VMs
|
## Running the VMs
|
||||||
|
|
||||||
|
@ -76,6 +76,10 @@ NOTE: it sometimes takes a while for the services to start up, and in the meanti
|
||||||
When mastodon is running in production mode, we have a few problems:
|
When mastodon is running in production mode, we have a few problems:
|
||||||
- you have to click "accept the security risk"
|
- you have to click "accept the security risk"
|
||||||
- it takes a while for the webpage to come online. Until then you see "502 Bad Gateway"
|
- it takes a while for the webpage to come online. Until then you see "502 Bad Gateway"
|
||||||
|
- reverse proxy should produce a user friendly page regardless
|
||||||
|
- might be needed for upgrade downtime too?
|
||||||
|
- don't send users over until it's up
|
||||||
- email sent from the mastodon instance (e.g. for account confirmation) should be accessible at <https://mastodon.localhost:55001/letter_opener>, but it's not working.
|
- email sent from the mastodon instance (e.g. for account confirmation) should be accessible at <https://mastodon.localhost:55001/letter_opener>, but it's not working.
|
||||||
|
- maybe the admin account should be managed entirely by fediversity anyway?
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,6 @@
|
||||||
{ pkgs, ... }: {
|
{ pkgs, ... }: {
|
||||||
|
|
||||||
|
# Customize nixos-rebuild build-vm to be a bit more convenient
|
||||||
virtualisation.vmVariant = {
|
virtualisation.vmVariant = {
|
||||||
# let us log in
|
# let us log in
|
||||||
users.mutableUsers = false;
|
users.mutableUsers = false;
|
||||||
|
|
|
@ -55,6 +55,7 @@ in
|
||||||
type = types.str;
|
type = types.str;
|
||||||
};
|
};
|
||||||
# TODO: assert at least one of these is true
|
# TODO: assert at least one of these is true
|
||||||
|
# currently, needs to be done in the top level module
|
||||||
ensureAccess = mkOption {
|
ensureAccess = mkOption {
|
||||||
type = types.attrsOf (types.submodule {
|
type = types.attrsOf (types.submodule {
|
||||||
options = {
|
options = {
|
||||||
|
@ -106,6 +107,8 @@ in
|
||||||
settings = {
|
settings = {
|
||||||
replication_mode = "none";
|
replication_mode = "none";
|
||||||
# TODO: use a secret file
|
# TODO: use a secret file
|
||||||
|
# I'd like to have a NixOS module that declares the need for a secret file
|
||||||
|
# that way, the need can be met by any secrets solution (agenix, sops-nix, colmena, a nixops4 module, ...)
|
||||||
rpc_secret = "d576c4478cc7d0d94cfc127138cbb82018b0155c037d1c827dfb6c36be5f6625";
|
rpc_secret = "d576c4478cc7d0d94cfc127138cbb82018b0155c037d1c827dfb6c36be5f6625";
|
||||||
# TODO: why does this have to be set? is there not a sensible default?
|
# TODO: why does this have to be set? is there not a sensible default?
|
||||||
rpc_bind_addr = "[::]:3901";
|
rpc_bind_addr = "[::]:3901";
|
||||||
|
@ -133,6 +136,7 @@ in
|
||||||
# also, it's crazy that we have to parse command output like this
|
# also, it's crazy that we have to parse command output like this
|
||||||
# TODO: talk to garage maintainer about making this nicer to work with in Nix
|
# TODO: talk to garage maintainer about making this nicer to work with in Nix
|
||||||
# before I do that though, I should figure out how setting it up across multiple machines will work
|
# before I do that though, I should figure out how setting it up across multiple machines will work
|
||||||
|
# You could ask for a change or `--json` flag anyway, and maybe tell them what you're working on.
|
||||||
GARAGE_ID=$(garage node id 2>/dev/null | perl -ne '/(.*)@.*/ && print $1')
|
GARAGE_ID=$(garage node id 2>/dev/null | perl -ne '/(.*)@.*/ && print $1')
|
||||||
garage layout assign -z g1 -c 1G $GARAGE_ID
|
garage layout assign -z g1 -c 1G $GARAGE_ID
|
||||||
LAYOUT_VER=$(garage layout show | perl -ne '/Current cluster layout version: (\d*)/ && print $1')
|
LAYOUT_VER=$(garage layout show | perl -ne '/Current cluster layout version: (\d*)/ && print $1')
|
||||||
|
@ -151,7 +155,7 @@ in
|
||||||
|
|
||||||
# TODO: should this --deny the website if `website` is false?
|
# TODO: should this --deny the website if `website` is false?
|
||||||
${lib.optionalString website ''
|
${lib.optionalString website ''
|
||||||
garage bucket website --allow ${bucket}
|
garage bucket website --allow ${/* more robust: */ lib.strings.escapeShellArg bucket}
|
||||||
''}
|
''}
|
||||||
|
|
||||||
${lib.concatStringsSep "\n" (map (alias: ''
|
${lib.concatStringsSep "\n" (map (alias: ''
|
||||||
|
@ -160,6 +164,8 @@ in
|
||||||
|
|
||||||
${lib.optionalString corsRules.enable ''
|
${lib.optionalString corsRules.enable ''
|
||||||
# TODO: can i turn this whole thing into one builtins.toJSON?
|
# TODO: can i turn this whole thing into one builtins.toJSON?
|
||||||
|
# why not :D
|
||||||
|
# we also have `lib.strings.escapeShellArg` for the quoting
|
||||||
export CORS=${lib.concatStrings [
|
export CORS=${lib.concatStrings [
|
||||||
"'"
|
"'"
|
||||||
''{"CORSRules":[{''
|
''{"CORSRules":[{''
|
||||||
|
@ -175,6 +181,7 @@ in
|
||||||
garage bucket deny --read --write --owner ${bucket} --key tmp
|
garage bucket deny --read --write --owner ${bucket} --key tmp
|
||||||
''}
|
''}
|
||||||
'') config.services.garage.ensureBuckets)
|
'') config.services.garage.ensureBuckets)
|
||||||
|
# probably nice to factor this out into a function
|
||||||
}
|
}
|
||||||
${
|
${
|
||||||
lib.concatStringsSep "\n" (lib.mapAttrsToList (key: {id, secret, ensureAccess}: ''
|
lib.concatStringsSep "\n" (lib.mapAttrsToList (key: {id, secret, ensureAccess}: ''
|
||||||
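Review bot: `lib.strings.escapeShellArg` is applied to `bucket` only on the new `garage bucket website --allow` line in the `@ -151,7 +155,7 @@` hunk, while the same value is still spliced bare into `garage bucket deny --read --write --owner ${bucket} --key tmp` in the `@ -175,6 +181,7 @@` hunk, and presumably into the alias commands produced by the `(alias: ''` map that starts at the end of the first hunk. These names come from `config.services.garage.ensureBuckets`, i.e. from module configuration, and land verbatim in a root shell script, so escaping them in one place but not the others gives little extra robustness. Escaping once at the top of the per-bucket template, `let b = lib.strings.escapeShellArg bucket; in` with `${b}` at every use, would replace the `/* more robust: */` comment inside the interpolation; the template's opening lies outside the visible hunks. On the `rpc_secret` hunk, the added comments describe wanting a secret-file mechanism; if the Garage version in use accepts `rpc_secret_file`, pointing it at a path outside the Nix store would already keep the literal out of the world-readable `/nix/store` without waiting for a generic module.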
|
|
|
@ -101,9 +101,8 @@ in
|
||||||
# but it also must be a positive integer
|
# but it also must be a positive integer
|
||||||
streamingProcesses = let
|
streamingProcesses = let
|
||||||
ncores = config.virtualisation.cores;
|
ncores = config.virtualisation.cores;
|
||||||
max = x: y: if x > y then x else y;
|
|
||||||
in
|
in
|
||||||
max 1 (ncores - 1);
|
lib.max 1 (ncores - 1);
|
||||||
};
|
};
|
||||||
|
|
||||||
security.acme = {
|
security.acme = {
|
||||||
|
@ -160,7 +159,10 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
# run rails db:seed so that mastodon sets up the databases for us
|
# run rails db:seed so that mastodon sets up the databases for us
|
||||||
|
# iirc the postgresql module can also do this kind of thing
|
||||||
systemd.services.mastodon-init-db.script = lib.mkForce ''
|
systemd.services.mastodon-init-db.script = lib.mkForce ''
|
||||||
|
# This conditional freaks me out
|
||||||
|
# Maybe configure psql to output in a more machine-readable format?
|
||||||
if [ `psql -c \
|
if [ `psql -c \
|
||||||
"select count(*) from pg_class c \
|
"select count(*) from pg_class c \
|
||||||
join pg_namespace s on s.oid = c.relnamespace \
|
join pg_namespace s on s.oid = c.relnamespace \
|
||||||
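Review bot: The new `# Maybe configure psql to output in a more machine-readable format?` comment in the `@ -160,7 +159,10 @@` hunk has a direct answer: `psql -tAX -c "select count(*) ..."` prints only the bare count (tuples only, unaligned, no psqlrc), so the substitution no longer depends on psql's aligned header and footer layout. Quoting it as well, `if [ "$(psql -tAX -c "...")" ...`, keeps an empty or failed result from collapsing into a `[` syntax error instead of a clear comparison failure; the `if` line and the remainder of the script continue past the end of the hunk, so the comparison itself is not visible here. In the `streamingProcesses` hunk, `lib.max 1 (ncores - 1)` still derives from `config.virtualisation.cores`, which presumably only exists when the qemu-vm module is imported; a comment such as `# NOTE: virtualisation.cores is set by the VM variant only` would make that assumption explicit for non-VM hosts.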
|
|
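--- /dev/null
+++ b/thoughts
@@ -0,0 +1,12 @@
+
+# `ensureBuckets`
+
+Should be replaced by a resource that creates the bucket, so that we can manage its whole lifecycle, including updates (authz?) and deletion; possibly a generic S3 bucket resource? - we'll see.
+Fine solution for now.
+Perhaps also useful in a NixOS module, but could also be tech debt if nobody uses it.
+
+# More exploration
+
+- Use NixOS test framework?
+- Write test that upgrades garage
+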