review

2024-05-28 16:08:57 +02:00 · 2024-05-28 16:08:57 +02:00 · 3e329b4254
parent 2c7e3603b8
commit 3e329b4254
5 changed files with 31 additions and 4 deletions
--- a/README.md
+++ b/README.md
@ -2,7 +2,7 @@

 This repo is, for now, an attempt to familiarize myself with NixOS options for Fediverse applications, and build up a configuration layer that will set most of the relevant options for you (in a semi-opinionated way) given some high-level configuration. The goal is something in the same vein as [nixos-mailserver](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver) but for fediversity.

-Eventually, this will be tailored to high-throughput multi-machine setups. For now, it's just a small configuration to run in VMs.
+Eventually, this will be tailored to high-throughput multi-machine setups. For now, it's just a small set of configurations to run in VMs.

 ## Running the VMs

@ -76,6 +76,10 @@ NOTE: it sometimes takes a while for the services to start up, and in the meanti
 When mastodon is running in production mode, we have a few problems:
 - you have to click "accept the security risk"
 - it takes a while for the webpage to come online. Until then you see "502 Bad Gateway"
+  - reverse proxy should produce a user friendly page regardless
+    - might be needed for upgrade downtime too?
+  - don't send users over until it's up
 - email sent from the mastodon instance (e.g. for account confirmation) should be accessible at <https://mastodon.localhost:55001/letter_opener>, but it's not working.
+  - maybe the admin account should be managed entirely by fediversity anyway?


--- a/common.nix
+++ b/common.nix
@ -1,4 +1,6 @@
 { pkgs, ... }: {
+
+  # Customize nixos-rebuild build-vm to be a bit more convenient
  virtualisation.vmVariant = {
    # let us log in
    users.mutableUsers = false;
--- a/garage.nix
+++ b/garage.nix
@ -55,6 +55,7 @@ in
              type = types.str;
            };
            # TODO: assert at least one of these is true
+            #       currently, needs to be done in the top level module
            ensureAccess = mkOption {
              type = types.attrsOf (types.submodule {
                options = {
@ -106,6 +107,8 @@ in
      settings = {
        replication_mode = "none";
        # TODO: use a secret file
+        #       I'd like to have a NixOS module that declares the need for a secret file
+        #       that way, the need can be met by any secrets solution (agenix, sops-nix, colmena, a nixops4 module, ...)
        rpc_secret = "d576c4478cc7d0d94cfc127138cbb82018b0155c037d1c827dfb6c36be5f6625";
        # TODO: why does this have to be set? is there not a sensible default?
        rpc_bind_addr = "[::]:3901";
@ -133,6 +136,7 @@ in
        # also, it's crazy that we have to parse command output like this
        # TODO: talk to garage maintainer about making this nicer to work with in Nix
        # before I do that though, I should figure out how setting it up across multiple machines will work
+        # You could ask for a change or `--json` flag anyway, and maybe tell them what you're working on.
        GARAGE_ID=$(garage node id 2>/dev/null | perl -ne '/(.*)@.*/ && print $1')
        garage layout assign -z g1 -c 1G $GARAGE_ID
        LAYOUT_VER=$(garage layout show | perl -ne '/Current cluster layout version: (\d*)/ && print $1')
@ -151,7 +155,7 @@ in

            # TODO: should this --deny the website if `website` is false?
            ${lib.optionalString website ''
-              garage bucket website --allow ${bucket}
+              garage bucket website --allow ${/* more robust: */ lib.strings.escapeShellArg bucket}
            ''}

            ${lib.concatStringsSep "\n" (map (alias: ''
@ -160,6 +164,8 @@ in

            ${lib.optionalString corsRules.enable ''
              # TODO: can i turn this whole thing into one builtins.toJSON?
+              #       why not :D
+              #       we also have `lib.strings.escapeShellArg` for the quoting
              export CORS=${lib.concatStrings [
                "'"
                ''{"CORSRules":[{''
@ -175,6 +181,7 @@ in
              garage bucket deny --read --write --owner ${bucket} --key tmp
            ''}
          '') config.services.garage.ensureBuckets)
+          # probably nice to factor this out into a function
        }
        ${
          lib.concatStringsSep "\n" (lib.mapAttrsToList (key: {id, secret, ensureAccess}: ''
--- a/mastodon.nix
+++ b/mastodon.nix
@ -101,9 +101,8 @@ in
        # but it also must be a positive integer
        streamingProcesses = let
          ncores = config.virtualisation.cores;
-          max = x: y: if x > y then x else y;
        in
-          max 1 (ncores - 1);
+          lib.max 1 (ncores - 1);
      };

      security.acme = {
@ -160,7 +159,10 @@ in
      };

      # run rails db:seed so that mastodon sets up the databases for us
+      # iirc the postgresql module can also do this kind of thing
      systemd.services.mastodon-init-db.script = lib.mkForce ''
+          # This conditional freaks me out
+          # Maybe configure psql to output in a more machine-readable format?
          if [ `psql -c \
                  "select count(*) from pg_class c \
                  join pg_namespace s on s.oid = c.relnamespace \
--- a/12
+++ b/12
@ -0,0 +1,12 @@
+
+# `ensureBuckets`
+
+Should be replaced by a resource that creates the bucket, so that we can manage its whole lifecycle, including updates (authz?) and deletion; possibly a generic S3 bucket resource? - we'll see.
+Fine solution for now.
+Perhaps also useful in a NixOS module, but could also be tech debt if nobody uses it.
+
+# More exploration
+
+- Use NixOS test framework?
+- Write test that upgrades garage
+