basic s3 garage setup for mastodon
it's still having trouble fetching stored images for some reason
This commit is contained in:
parent
907a9c9494
commit
5fd1e115a0
|
@ -25,6 +25,7 @@ You can then access the apps on your local machine (using the magic of port forw
|
|||
- You will have to "accept the security risk"
|
||||
- It may take a minute for the webpage to come online. Until then you will see "502 Bad Gateway"
|
||||
- (NOTE: currently broken) email sent from the mastodon instance (e.g. for setting up an account) will be accessible at <https://mastodon.localhost:55001/letter_opener>
|
||||
- You can also create accounts on the machine itself by running `mastodon-tootctl accounts create <name> --email <email> --confirmed --approve`
|
||||
|
||||
- PeerTube: <http://peertube.localhost:9000>
|
||||
- The root account can be accessed with username "root". The password can be obtained by running the following command on the VM:
|
||||
|
@ -61,6 +62,13 @@ You can then access the apps on your local machine (using the magic of port forw
|
|||
- either forward 443 directly, or get mastodon to accept connections on a different port (maybe 3000? see development environment documentation)
|
||||
- [ ] get letter_opener working
|
||||
- [ ] share resources (e.g. s3 storage) between the services
|
||||
- [ ] get garage running on another machine
|
||||
- [ ] get garage replication running (multiple machines)
|
||||
|
||||
# questions
|
||||
|
||||
- what is meant to be shared between instances?
|
||||
- this is relevant to the security model. If garage is being shared between instances, we have to be careful having configurations depend on each other.
|
||||
|
||||
# resources
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@
|
|||
nixosConfigurations = {
|
||||
mastodon = nixpkgs.lib.nixosSystem {
|
||||
inherit system;
|
||||
modules = [ ./common.nix ./mastodon.nix ];
|
||||
modules = [ ./common.nix ./mastodon.nix ./garage.nix ];
|
||||
};
|
||||
|
||||
peertube = nixpkgs.lib.nixosSystem {
|
||||
|
|
74
garage.nix
Normal file
74
garage.nix
Normal file
|
@ -0,0 +1,74 @@
|
|||
let
|
||||
# generate one using openssl (somehow)
|
||||
# XXX: when importing, garage tells you importing is only meant for keys previously generated by garage. is it okay to generate them using openssl?
|
||||
snakeoil_key = {
|
||||
id = "GK3515373e4c851ebaad366558";
|
||||
secret = "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
|
||||
};
|
||||
in
|
||||
# TODO: expand to a multi-machine setup
|
||||
{ config, lib, pkgs, ... }: {
|
||||
# add in options to ensure creation of buckets and keys
|
||||
|
||||
config = {
|
||||
virtualisation.vmVariant = {
|
||||
virtualisation.diskSize = 2048;
|
||||
virtualisation.forwardPorts = [
|
||||
{
|
||||
from = "host";
|
||||
host.port = 3901;
|
||||
guest.port = 3901;
|
||||
}
|
||||
{
|
||||
from = "host";
|
||||
host.port = 3902;
|
||||
guest.port = 3902;
|
||||
}
|
||||
];
|
||||
};
|
||||
environment.systemPackages = [ pkgs.minio-client ];
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 3901 3902 ];
|
||||
services.garage = {
|
||||
enable = true;
|
||||
package = pkgs.garage_0_9;
|
||||
settings = {
|
||||
replication_mode = "none";
|
||||
# TODO: use a secret file
|
||||
rpc_secret = "d576c4478cc7d0d94cfc127138cbb82018b0155c037d1c827dfb6c36be5f6625";
|
||||
# TODO: why does this have to be set? is there not a sensible default?
|
||||
rpc_bind_addr = "[::]:3901";
|
||||
rpc_public_addr = "[::1]:3901";
|
||||
s3_api.api_bind_addr = "[::]:3900";
|
||||
s3_web.bind_addr = "[::]:3902";
|
||||
s3_web.root_domain = ".web.garage.localhost";
|
||||
index = "index.html";
|
||||
|
||||
s3_api.s3_region = "garage";
|
||||
s3_api.root_domain = ".s3.garage.localhost";
|
||||
};
|
||||
};
|
||||
systemd.services.ensure-garage = {
|
||||
after = [ "garage.service" ];
|
||||
wantedBy = [ "garage.service" ];
|
||||
path = [ config.services.garage.package pkgs.perl ];
|
||||
script = ''
|
||||
set -xeuo pipefail
|
||||
# give garage time to start up
|
||||
sleep 3
|
||||
# XXX: this is very sensitive to being a single instance
|
||||
# (bare minimum to get garage up and running)
|
||||
# also, it's crazy that we have to parse command output like this
|
||||
GARAGE_ID=$(garage node id 2>/dev/null | perl -ne '/(.*)@.*/ && print $1')
|
||||
garage layout assign -z g1 -c 1G $GARAGE_ID
|
||||
LAYOUT_VER=$(garage layout show | perl -ne '/Current cluster layout version: (\d*)/ && print $1')
|
||||
garage layout apply --version $((LAYOUT_VER + 1))
|
||||
|
||||
garage bucket create mastodon
|
||||
garage key import --yes -n mastodon "${snakeoil_key.id}" "${snakeoil_key.secret}"
|
||||
garage bucket allow --read --write mastodon --key mastodon
|
||||
garage bucket website --allow mastodon
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
28
mastodon.nix
28
mastodon.nix
|
@ -1,4 +1,32 @@
|
|||
let
|
||||
snakeoil_key = {
|
||||
id = "GK3515373e4c851ebaad366558";
|
||||
secret = "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
|
||||
};
|
||||
in
|
||||
{ config, lib, pkgs, ... }: lib.mkMerge [
|
||||
{ # garage setup
|
||||
services.mastodon = {
|
||||
extraConfig = {
|
||||
S3_ENABLED = "true";
|
||||
S3_ENDPOINT = "http://s3.garage.localhost:3900";
|
||||
S3_REGION = "garage";
|
||||
S3_BUCKET = "mastodon";
|
||||
# use <S3_BUCKET>.<S3_ENDPOINT>
|
||||
S3_OVERRIDE_PATH_STLE = "true";
|
||||
AWS_ACCESS_KEY_ID = snakeoil_key.id;
|
||||
AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
|
||||
S3_PROTOCOL = "http";
|
||||
S3_HOSTNAME = "web.garage.localhost:3902";
|
||||
# by default it tries to use "<S3_HOSTNAME>/<S3_BUCKET>"
|
||||
# but we want "<S3_BUCKET>.<S3_HOSTNAME>"
|
||||
S3_ALIAS_HOST = "mastodon.web.garage.localhost:3902";
|
||||
# SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/
|
||||
# TODO: can we set up ACLs with garage?
|
||||
S3_PERMISSION = "";
|
||||
};
|
||||
};
|
||||
}
|
||||
# mastodon setup
|
||||
{
|
||||
# open up access to the mastodon web interface
|
||||
|
|
Loading…
Reference in a new issue