Compare commits
	
		
			51 commits
		
	
	
		
			pixelfed-f
			...
			main
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| b1a5e16432 | |||
| 661f81b3f9 | |||
| 7007da1775 | |||
| 49473c43c8 | |||
| 4f8ba4bf3c | |||
| 8e03b4b34e | |||
| c1dcdfe493 | |||
| f53a27baee | |||
| 2d522f51f5 | |||
| f04b71047c | |||
| cd194f818d | |||
| 007c168081 | |||
| fb342b02fb | |||
| 96acf1f10d | |||
| e299978508 | |||
| 0b5e3ca40e | |||
| 1de8f5bc17 | |||
|   | b36166ccc0 | ||
| 4c8d380e9e | |||
| 247a4258b2 | |||
| be756ab8d3 | |||
| dd9b481b78 | |||
| 3cfc4370f7 | |||
| e9b5de893d | |||
| 7b36774b80 | |||
|   | 4da997b3af | ||
|   | fa53ecac53 | ||
|   | d910dfe788 | ||
| b461a44707 | |||
| fc18582a1b | |||
| e6b58b656b | |||
| bf303ff1d1 | |||
| a600829d56 | |||
| 042cb2d517 | |||
| 050042d255 | |||
| 6b45256839 | |||
|   | 51a294a659 | ||
|   | 2116ac6b27 | ||
|   | 3e4b486921 | ||
|   | db39623eeb | ||
|   | ffb941687a | ||
|   | 2657e2130f | ||
|   | ca8310dce3 | ||
|   | e093632222 | ||
|   | 2501c480fb | ||
| 011f166fd3 | |||
| 3bb9569eb4 | |||
| 6323e0adc8 | |||
| 55a6377b12 | |||
| 9be8232083 | |||
| c9665b927f | 
					 20 changed files with 1133 additions and 534 deletions
				
			
		
							
								
								
									
								.gitignore
									
										
									
									
							|  | @ -6,3 +6,4 @@ result* | |||
| output | ||||
| todo | ||||
| 
 | ||||
| /.pre-commit-config.yaml | ||||
|  |  | |||
							
								
								
									
								README.md
									
										
									
									
									
								
							
							
						
						
									
							|  | @ -46,6 +46,26 @@ NOTE: it sometimes takes a while for the services to start up, and in the meanti | |||
|     ```bash | ||||
|     pixelfed-manage user:create --name=test --username=test --email=test@test.com --password=testtest --confirm_email=1 | ||||
|     ``` | ||||
| # Building an installer image | ||||
| 
 | ||||
| Build an installer image for the desired configuration, e.g. for `peertube`: | ||||
| 
 | ||||
| ```bash | ||||
| nix build .#installers.peertube | ||||
| ``` | ||||
| 
 | ||||
| Upload the image in `./result` to Proxmox when creating a VM. | ||||
| Booting the image will format the disk and install NixOS with the desired configuration. | ||||
| 
 | ||||
| # Deploying an updated machine configuration | ||||
| 
 | ||||
| > TODO: There is currently no way to specify an actual target machine by name. | ||||
| 
 | ||||
| Assuming you have SSH configuration with access to the remote `root` user stored for a machine called e.g. `peertube`, deploy the configuration by the same name: | ||||
| 
 | ||||
| ```bash | ||||
| nix run .#deploy.peertube | ||||
| ``` | ||||
| 
 | ||||
| ## debugging notes | ||||
| 
 | ||||
|  |  | |||
							
								
								
									
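--- /dev/null
+++ b/deploy.nix
@@ -0,0 +1,13 @@
+{ writeShellApplication }:
+name: _config:
+writeShellApplication {
+  name = "deploy";
+  text = ''
+    result="$(nix build --print-out-paths ${./.}#nixosConfigurations#${name} --eval-store auto --store ssh-ng://${name})"
+    # shellcheck disable=SC2087
+    ssh ${name} << EOF
+    nix-env -p /nix/var/nix/profiles/system --set "$result"
+    "$result"/bin/switch-to-configuration switch
+    EOF
+  '';
+}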
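Review bot: The heredoc at `ssh ${name} << EOF` runs the two remote commands in a shell without `set -e`, so when `nix-env --set` fails (disk full, permission denied, profile locked) `switch-to-configuration switch` still activates a system the profile does not point to, and the local script exits 0 as long as the last remote command succeeds. Chain them instead, `nix-env -p /nix/var/nix/profiles/system --set "$result" && "$result"/bin/switch-to-configuration switch`, or open the heredoc with `set -euo pipefail`. Separately, `${./.}` copies the entire checkout into the Nix store, which is world-readable and is pushed to the remote store by `--store ssh-ng://`, so any secret file kept in the working tree (e.g. whatever `fediversity.temp.peertubeSecretsFile` points at) would be published that way; keep secrets outside the repository. The installable `#nixosConfigurations#${name}` with a second `#` also looks like a typo for `.${name}`; worth confirming it evaluates.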
							
								
								
									
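--- /dev/null
+++ b/disk-layout.nix
@@ -0,0 +1,36 @@
+{ ... }:
+{
+  disko.devices.disk.main = {
+    device = "/dev/sda";
+    type = "disk";
+    content = {
+      type = "gpt";
+      partitions = {
+        MBR = {
+          priority = 0;
+          size = "1M";
+          type = "EF02";
+        };
+        ESP = {
+          priority = 1;
+          size = "500M";
+          type = "EF00";
+          content = {
+            type = "filesystem";
+            format = "vfat";
+            mountpoint = "/boot";
+          };
+        };
+        root = {
+          priority = 2;
+          size = "100%";
+          content = {
+            type = "filesystem";
+            format = "ext4";
+            mountpoint = "/";
+          };
+        };
+      };
+    };
+  };
+}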
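Review bot: `device = "/dev/sda"` is a kernel enumeration name rather than a stable identifier, and disko will repartition whichever disk happens to enumerate as sda when the installer boots, with no confirmation step. Since the README states that booting the image formats the disk, a VM with a second disk attached or a different controller order loses data silently. Use a stable `/dev/disk/by-id/...` or `/dev/disk/by-path/...` name, or at least make it overridable per target by changing the header to `{ lib, ... }:` and the line to `device = lib.mkDefault "/dev/sda";` with a comment saying installers must set it for their machine. It is also worth noting in a comment that neither `/boot` nor `/` is encrypted, so the threat model assumes the hypervisor's disk is trusted.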
|  | @ -2,10 +2,11 @@ | |||
| 
 | ||||
| let | ||||
|   inherit (builtins) toString; | ||||
|   inherit (lib) mkOption mkEnableOption; | ||||
|   inherit (lib) mkOption mkEnableOption mkForce; | ||||
|   inherit (lib.types) types; | ||||
| 
 | ||||
| in { | ||||
| in | ||||
| { | ||||
|   imports = [ | ||||
|     ./garage.nix | ||||
|     ./mastodon.nix | ||||
|  | @ -31,6 +32,24 @@ in { | |||
|       pixelfed.enable = mkEnableOption "default Fediversity Pixelfed configuration"; | ||||
|       peertube.enable = mkEnableOption "default Fediversity PeerTube configuration"; | ||||
| 
 | ||||
|       temp = mkOption { | ||||
|         description = "options that are only used while developing; should be removed eventually"; | ||||
|         default = { }; | ||||
|         type = types.submodule { | ||||
|           options = { | ||||
|             cores = mkOption { | ||||
|               description = "number of cores; should be obtained from NixOps4"; | ||||
|               type = types.int; | ||||
|             }; | ||||
| 
 | ||||
|             peertubeSecretsFile = mkOption { | ||||
|               description = "should it be provided by NixOps4? or maybe we should just ask for a main secret from which to derive all the others?"; | ||||
|               type = types.path; | ||||
|             }; | ||||
|           }; | ||||
|         }; | ||||
|       }; | ||||
| 
 | ||||
|       internal = mkOption { | ||||
|         description = "options that are only meant to be used internally; change at your own risk"; | ||||
|         default = { }; | ||||
|  | @ -64,17 +83,17 @@ in { | |||
|                   type = types.str; | ||||
|                   default = "web.garage.${config.fediversity.domain}"; | ||||
|                 }; | ||||
|                 port = mkOption { | ||||
|                 internalPort = mkOption { | ||||
|                   type = types.int; | ||||
|                   default = 3902; | ||||
|                 }; | ||||
|                 rootDomainAndPort = mkOption { | ||||
|                   type = types.str; | ||||
|                   default = "${config.fediversity.internal.garage.web.rootDomain}:${toString config.fediversity.internal.garage.web.port}"; | ||||
|                 }; | ||||
|                 urlFor = mkOption { | ||||
|                 domainForBucket = mkOption { | ||||
|                   type = types.functionTo types.str; | ||||
|                   default = bucket: "http://${bucket}.${config.fediversity.internal.garage.web.rootDomainAndPort}"; | ||||
|                   default = bucket: "${bucket}.${config.fediversity.internal.garage.web.rootDomain}"; | ||||
|                 }; | ||||
|                 urlForBucket = mkOption { | ||||
|                   type = types.functionTo types.str; | ||||
|                   default = bucket: "http://${config.fediversity.internal.garage.web.domainForBucket bucket}"; | ||||
|                 }; | ||||
|               }; | ||||
|             }; | ||||
|  | @ -89,7 +108,7 @@ in { | |||
|             }; | ||||
|             mastodon.domain = mkOption { | ||||
|               type = types.str; | ||||
|               default = "mastdodon.${config.fediversity.domain}"; | ||||
|               default = "mastodon.${config.fediversity.domain}"; | ||||
|             }; | ||||
|             peertube.domain = mkOption { | ||||
|               type = types.str; | ||||
|  | @ -100,4 +119,19 @@ in { | |||
|       }; | ||||
|     }; | ||||
|   }; | ||||
| 
 | ||||
|   config = { | ||||
|     ## FIXME: This should clearly go somewhere else; and we should have a | ||||
|     ## `staging` vs. `production` setting somewhere. | ||||
|     security.acme = { | ||||
|       acceptTerms = true; | ||||
|       defaults.email = "nicolas.jeannerod+fediversity@moduscreate.com"; | ||||
|       # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; | ||||
|     }; | ||||
| 
 | ||||
|     ## NOTE: For a one-machine deployment, this removes the need to provide an | ||||
|     ## `s3.garage.<domain>` domain. However, this will quickly stop working once | ||||
|     ## we go to multi-machines deployment. | ||||
|     fediversity.internal.garage.api.domain = mkForce "s3.garage.localhost"; | ||||
|   }; | ||||
| } | ||||
|  |  | |||
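Review bot: `peertubeSecretsFile` is declared as `types.path`, which accepts a Nix path literal such as `./peertube-secrets`; the moment such a value is interpolated into a string, Nix copies the file into the world-readable `/nix/store`, defeating the purpose of a secrets file. Either tighten the type to `types.str` so a path literal is rejected, or keep `types.path` and spell out the constraint in the description, e.g. `description = "path to PeerTube's secrets file; must be a string naming a file outside the Nix store (not a Nix path literal, which would be copied into the world-readable store)";`. The same caveat should carry over to whatever replaces this `temp` option once NixOps4 provides it. The hard-coded `security.acme` email and `acceptTerms` in the shared module are already covered by the FIXME.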
|  | @ -8,25 +8,49 @@ let | |||
| in | ||||
| 
 | ||||
| # TODO: expand to a multi-machine setup | ||||
| { config, lib, pkgs, ... }: | ||||
| { | ||||
|   config, | ||||
|   lib, | ||||
|   pkgs, | ||||
|   ... | ||||
| }: | ||||
| 
 | ||||
| let | ||||
|   inherit (builtins) toString; | ||||
|   inherit (lib) types mkOption mkEnableOption optionalString concatStringsSep; | ||||
|   inherit (lib) | ||||
|     types | ||||
|     mkOption | ||||
|     mkEnableOption | ||||
|     optionalString | ||||
|     concatStringsSep | ||||
|     ; | ||||
|   inherit (lib.strings) escapeShellArg; | ||||
|   inherit (lib.attrsets) filterAttrs mapAttrs'; | ||||
|   cfg = config.services.garage; | ||||
|   fedicfg = config.fediversity.internal.garage; | ||||
|   concatMapAttrs = scriptFn: attrset: concatStringsSep "\n" (lib.mapAttrsToList scriptFn attrset); | ||||
|   ensureBucketScriptFn = bucket: { website, aliases, corsRules }: | ||||
|   ensureBucketScriptFn = | ||||
|     bucket: | ||||
|     { | ||||
|       website, | ||||
|       aliases, | ||||
|       corsRules, | ||||
|     }: | ||||
|     let | ||||
|       bucketArg = escapeShellArg bucket; | ||||
|       corsRulesJSON = escapeShellArg (builtins.toJSON { | ||||
|         CORSRules = [{ | ||||
|       corsRulesJSON = escapeShellArg ( | ||||
|         builtins.toJSON { | ||||
|           CORSRules = [ | ||||
|             { | ||||
|               AllowedHeaders = corsRules.allowedHeaders; | ||||
|               AllowedMethods = corsRules.allowedMethods; | ||||
|               AllowedOrigins = corsRules.allowedOrigins; | ||||
|         }]; | ||||
|       }); | ||||
|     in '' | ||||
|             } | ||||
|           ]; | ||||
|         } | ||||
|       ); | ||||
|     in | ||||
|     '' | ||||
|       # garage bucket info tells us if the bucket already exists | ||||
|       garage bucket info ${bucketArg} || garage bucket create ${bucketArg} | ||||
| 
 | ||||
|  | @ -35,24 +59,41 @@ let | |||
|         garage bucket website --allow ${bucketArg} | ||||
|       ''} | ||||
| 
 | ||||
|       ${concatStringsSep "\n" (map (alias: '' | ||||
|       ${concatStringsSep "\n" ( | ||||
|         map (alias: '' | ||||
|           garage bucket alias ${bucketArg} ${escapeShellArg alias} | ||||
|       '') aliases)} | ||||
|         '') aliases | ||||
|       )} | ||||
| 
 | ||||
|       ${optionalString corsRules.enable '' | ||||
|         garage bucket allow --read --write --owner ${bucketArg} --key tmp | ||||
|         # TODO: endpoin-url should not be hard-coded | ||||
|         aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${config.fediversity.internal.garage.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON} | ||||
|         aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${fedicfg.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON} | ||||
|         garage bucket deny --read --write --owner ${bucketArg} --key tmp | ||||
|       ''} | ||||
|     ''; | ||||
|   ensureBucketsScript = concatMapAttrs ensureBucketScriptFn cfg.ensureBuckets; | ||||
|   ensureAccessScriptFn = key: bucket: { read, write, owner }: '' | ||||
|   ensureAccessScriptFn = | ||||
|     key: bucket: | ||||
|     { | ||||
|       read, | ||||
|       write, | ||||
|       owner, | ||||
|     }: | ||||
|     '' | ||||
|       garage bucket allow ${optionalString read "--read"} ${optionalString write "--write"} ${optionalString owner "--owner"} \ | ||||
|         ${escapeShellArg bucket} --key ${escapeShellArg key} | ||||
|     ''; | ||||
|   ensureKeyScriptFn = key: {id, secret, ensureAccess}: '' | ||||
|     garage key import --yes -n ${escapeShellArg key} ${escapeShellArg id} ${escapeShellArg secret} | ||||
|   ensureKeyScriptFn = | ||||
|     key: | ||||
|     { | ||||
|       id, | ||||
|       secret, | ||||
|       ensureAccess, | ||||
|     }: | ||||
|     '' | ||||
|       ## FIXME: Check whether the key exist and skip this step if that is the case. Get rid of this `|| :` | ||||
|       garage key import --yes -n ${escapeShellArg key} ${escapeShellArg id} ${escapeShellArg secret} || : | ||||
|       ${concatMapAttrs (ensureAccessScriptFn key) ensureAccess} | ||||
|     ''; | ||||
|   ensureKeysScript = concatMapAttrs ensureKeyScriptFn cfg.ensureKeys; | ||||
|  | @ -63,7 +104,8 @@ in | |||
|   options = { | ||||
|     services.garage = { | ||||
|       ensureBuckets = mkOption { | ||||
|         type = types.attrsOf (types.submodule { | ||||
|         type = types.attrsOf ( | ||||
|           types.submodule { | ||||
|             options = { | ||||
|               website = mkOption { | ||||
|                 type = types.bool; | ||||
|  | @ -90,11 +132,13 @@ in | |||
|                 default = [ ]; | ||||
|               }; | ||||
|             }; | ||||
|         }); | ||||
|           } | ||||
|         ); | ||||
|         default = { }; | ||||
|       }; | ||||
|       ensureKeys = mkOption { | ||||
|         type = types.attrsOf (types.submodule { | ||||
|         type = types.attrsOf ( | ||||
|           types.submodule { | ||||
|             # TODO: these should be managed as secrets, not in the nix store | ||||
|             options = { | ||||
|               id = mkOption { | ||||
|  | @ -106,7 +150,8 @@ in | |||
|               # TODO: assert at least one of these is true | ||||
|               # NOTE: this currently needs to be done at the top level module | ||||
|               ensureAccess = mkOption { | ||||
|               type = types.attrsOf (types.submodule { | ||||
|                 type = types.attrsOf ( | ||||
|                   types.submodule { | ||||
|                     options = { | ||||
|                       read = mkOption { | ||||
|                         type = types.bool; | ||||
|  | @ -121,36 +166,26 @@ in | |||
|                         default = false; | ||||
|                       }; | ||||
|                     }; | ||||
|               }); | ||||
|                   } | ||||
|                 ); | ||||
|                 default = [ ]; | ||||
|               }; | ||||
|             }; | ||||
|         }); | ||||
|           } | ||||
|         ); | ||||
|         default = { }; | ||||
|       }; | ||||
|     }; | ||||
|   }; | ||||
| 
 | ||||
|   config = lib.mkIf config.fediversity.enable { | ||||
|     virtualisation.diskSize = 2048; | ||||
|     virtualisation.forwardPorts = [ | ||||
|       { | ||||
|         from = "host"; | ||||
|         host.port = config.fediversity.internal.garage.rpc.port; | ||||
|         guest.port = config.fediversity.internal.garage.rpc.port; | ||||
|       } | ||||
|       { | ||||
|         from = "host"; | ||||
|         host.port = config.fediversity.internal.garage.web.port; | ||||
|         guest.port = config.fediversity.internal.garage.web.port; | ||||
|       } | ||||
|     environment.systemPackages = [ | ||||
|       pkgs.minio-client | ||||
|       pkgs.awscli | ||||
|     ]; | ||||
| 
 | ||||
|     environment.systemPackages = [ pkgs.minio-client pkgs.awscli ]; | ||||
| 
 | ||||
|     networking.firewall.allowedTCPPorts = [ | ||||
|       config.fediversity.internal.garage.rpc.port | ||||
|       config.fediversity.internal.garage.web.port | ||||
|       fedicfg.rpc.port | ||||
|     ]; | ||||
|     services.garage = { | ||||
|       enable = true; | ||||
|  | @ -160,30 +195,59 @@ in | |||
|         # TODO: use a secret file | ||||
|         rpc_secret = "d576c4478cc7d0d94cfc127138cbb82018b0155c037d1c827dfb6c36be5f6625"; | ||||
|         # TODO: why does this have to be set? is there not a sensible default? | ||||
|         rpc_bind_addr = "[::]:${toString config.fediversity.internal.garage.rpc.port}"; | ||||
|         rpc_public_addr = "[::1]:${toString config.fediversity.internal.garage.rpc.port}"; | ||||
|         s3_api.api_bind_addr = "[::]:${toString config.fediversity.internal.garage.api.port}"; | ||||
|         s3_web.bind_addr = "[::]:${toString config.fediversity.internal.garage.web.port}"; | ||||
|         s3_web.root_domain = ".${config.fediversity.internal.garage.web.rootDomain}"; | ||||
|         rpc_bind_addr = "[::]:${toString fedicfg.rpc.port}"; | ||||
|         rpc_public_addr = "[::1]:${toString fedicfg.rpc.port}"; | ||||
|         s3_api.api_bind_addr = "[::]:${toString fedicfg.api.port}"; | ||||
|         s3_web.bind_addr = "[::]:${toString fedicfg.web.internalPort}"; | ||||
|         s3_web.root_domain = ".${fedicfg.web.rootDomain}"; | ||||
|         index = "index.html"; | ||||
| 
 | ||||
|         s3_api.s3_region = "garage"; | ||||
|         s3_api.root_domain = ".${config.fediversity.internal.garage.api.domain}"; | ||||
|         s3_api.root_domain = ".${fedicfg.api.domain}"; | ||||
|       }; | ||||
|     }; | ||||
| 
 | ||||
|     ## Create a proxy from <bucket>.web.garage.<domain> to localhost:3902 for | ||||
|     ## each bucket that has `website = true`. | ||||
|     services.nginx.virtualHosts = | ||||
|       let | ||||
|         value = { | ||||
|           forceSSL = true; | ||||
|           enableACME = true; | ||||
|           locations."/" = { | ||||
|             proxyPass = "http://localhost:3902"; | ||||
|             extraConfig = '' | ||||
|               ## copied from https://garagehq.deuxfleurs.fr/documentation/cookbook/reverse-proxy/ | ||||
|               proxy_set_header Host $host; | ||||
|               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||||
|               # Disable buffering to a temporary file. | ||||
|               proxy_max_temp_file_size 0; | ||||
|             ''; | ||||
|           }; | ||||
|         }; | ||||
|       in | ||||
|       mapAttrs' (bucket: _: { | ||||
|         name = fedicfg.web.domainForBucket bucket; | ||||
|         inherit value; | ||||
|       }) (filterAttrs (_: { website, ... }: website) cfg.ensureBuckets); | ||||
| 
 | ||||
|     systemd.services.ensure-garage = { | ||||
|       after = [ "garage.service" ]; | ||||
|       wantedBy = [ "garage.service" ]; | ||||
|       serviceConfig = { | ||||
|         Type = "oneshot"; | ||||
|       }; | ||||
|       path = [ cfg.package pkgs.perl pkgs.awscli ]; | ||||
|       path = [ | ||||
|         cfg.package | ||||
|         pkgs.perl | ||||
|         pkgs.awscli | ||||
|       ]; | ||||
|       script = '' | ||||
|         set -xeuo pipefail | ||||
| 
 | ||||
|         # Give Garage time to start up by waiting until somethings speaks HTTP | ||||
|         # behind Garage's API URL. | ||||
|         until ${pkgs.curl}/bin/curl -sio /dev/null ${config.fediversity.internal.garage.api.url}; do sleep 1; done | ||||
|         until ${pkgs.curl}/bin/curl -sio /dev/null ${fedicfg.api.url}; do sleep 1; done | ||||
| 
 | ||||
|         # XXX: this is very sensitive to being a single instance | ||||
|         # (doing the bare minimum to get garage up and running) | ||||
|  | @ -197,7 +261,8 @@ in | |||
| 
 | ||||
|         # XXX: this is a hack because we want to write to the buckets here but we're not guaranteed any access keys | ||||
|         # TODO: generate this key here rather than using a well-known key | ||||
|         garage key import --yes -n tmp ${snakeoil_key.id} ${snakeoil_key.secret} | ||||
|         # TODO: if the key already exists, we get an error; hacked with this `|| :` which needs to be removed | ||||
|         garage key import --yes -n tmp ${snakeoil_key.id} ${snakeoil_key.secret} || : | ||||
|         export AWS_ACCESS_KEY_ID=${snakeoil_key.id}; | ||||
|         export AWS_SECRET_ACCESS_KEY=${snakeoil_key.secret}; | ||||
| 
 | ||||
|  |  | |||
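Review bot: The new Nginx proxy hard-codes `proxyPass = "http://localhost:3902"` while the same hunk introduces `fedicfg.web.internalPort` and binds Garage's web endpoint to it at `s3_web.bind_addr`; if anyone changes the option, every bucket vhost silently proxies to a closed port. Use `proxyPass = "http://localhost:${toString fedicfg.web.internalPort}";` (`toString` is already in scope). Separately, `networking.firewall.allowedTCPPorts = [ fedicfg.rpc.port ]` exposes Garage's cluster RPC to the network although `rpc_public_addr` is `[::1]` and `rpc_secret` is a static literal that lands in the world-readable store; on a single-node deployment the RPC port should stay closed until a real secret file is used. Note also that `set -xeuo pipefail` in `ensure-garage` traces `export AWS_SECRET_ACCESS_KEY=...` into the journal, so even a non-snakeoil key would be logged; dropping `-x` or wrapping the exports in `set +x`/`set -x` avoids that.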
|  | @ -5,7 +5,11 @@ let | |||
|   }; | ||||
| in | ||||
| 
 | ||||
| { config, lib, pkgs, ... }: | ||||
| { | ||||
|   config, | ||||
|   lib, | ||||
|   ... | ||||
| }: | ||||
| 
 | ||||
| lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) { | ||||
|   #### garage setup | ||||
|  | @ -46,7 +50,7 @@ lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) { | |||
|       AWS_ACCESS_KEY_ID = snakeoil_key.id; | ||||
|       AWS_SECRET_ACCESS_KEY = snakeoil_key.secret; | ||||
|       S3_PROTOCOL = "http"; | ||||
|       S3_HOSTNAME = config.fediversity.internal.garage.web.rootDomainAndPort; | ||||
|       S3_HOSTNAME = config.fediversity.internal.garage.web.rootDomain; | ||||
|       # by default it tries to use "<S3_HOSTNAME>/<S3_BUCKET>" | ||||
|       S3_ALIAS_HOST = "${S3_BUCKET}.${S3_HOSTNAME}"; | ||||
|       # SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/ | ||||
|  | @ -57,8 +61,11 @@ lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) { | |||
| 
 | ||||
|   #### mastodon setup | ||||
| 
 | ||||
|   # open up access to the mastodon web interface | ||||
|   networking.firewall.allowedTCPPorts = [ 443 ]; | ||||
|   # open up access to the mastodon web interface. 80 is necessary if only for ACME | ||||
|   networking.firewall.allowedTCPPorts = [ | ||||
|     80 | ||||
|     443 | ||||
|   ]; | ||||
| 
 | ||||
|   services.mastodon = { | ||||
|     enable = true; | ||||
|  | @ -66,6 +73,10 @@ lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) { | |||
|     localDomain = config.fediversity.internal.mastodon.domain; | ||||
|     configureNginx = true; | ||||
| 
 | ||||
|     # from the documentation: recommended is the amount of your CPU cores minus | ||||
|     # one. but it also must be a positive integer | ||||
|     streamingProcesses = lib.max 1 (config.fediversity.temp.cores - 1); | ||||
| 
 | ||||
|     # TODO: configure a mailserver so this works | ||||
|     smtp = { | ||||
|       fromAddress = "noreply@${config.fediversity.internal.mastodon.domain}"; | ||||
|  |  | |||
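Review bot: `S3_HOSTNAME` now points at the bare `web.rootDomain` but `S3_PROTOCOL` stays `"http"`, so Mastodon embeds `http://<bucket>.web.garage.<domain>/...` media URLs in pages served under `forceSSL`, which browsers block as mixed content. garage.nix in this series fronts every `website = true` bucket with an Nginx vhost that has `forceSSL = true`, so the plain-http URL would be redirected anyway; if the mastodon bucket is one of those (its `ensureBuckets` entry is outside this hunk), set `S3_PROTOCOL = "https";`. Opening port 80 for ACME is fine as written and the comment explains it.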
|  | @ -5,10 +5,17 @@ let | |||
|   }; | ||||
| in | ||||
| 
 | ||||
| { config, lib, pkgs, ... }: | ||||
| { | ||||
|   config, | ||||
|   lib, | ||||
|   ... | ||||
| }: | ||||
| 
 | ||||
| lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) { | ||||
|   networking.firewall.allowedTCPPorts = [ 80 9000 ]; | ||||
|   networking.firewall.allowedTCPPorts = [ | ||||
|     80 | ||||
|     443 | ||||
|   ]; | ||||
| 
 | ||||
|   services.garage = { | ||||
|     ensureBuckets = { | ||||
|  | @ -59,7 +66,8 @@ lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) { | |||
|     # TODO: in most of nixpkgs, these are true by default. upstream that unless there's a good reason not to. | ||||
|     redis.createLocally = true; | ||||
|     database.createLocally = true; | ||||
|     configureNginx = true; | ||||
| 
 | ||||
|     secrets.secretsFile = config.fediversity.temp.peertubeSecretsFile; | ||||
| 
 | ||||
|     settings = { | ||||
|       object_storage = { | ||||
|  | @ -74,17 +82,17 @@ lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) { | |||
|         web_videos = rec { | ||||
|           bucket_name = "peertube-videos"; | ||||
|           prefix = ""; | ||||
|           base_url = config.fediversity.internal.garage.web.urlFor bucket_name; | ||||
|           base_url = config.fediversity.internal.garage.web.urlForBucket bucket_name; | ||||
|         }; | ||||
|         videos = rec { | ||||
|           bucket_name = "peertube-videos"; | ||||
|           prefix = ""; | ||||
|           base_url = config.fediversity.internal.garage.web.urlFor bucket_name; | ||||
|           base_url = config.fediversity.internal.garage.web.urlForBucket bucket_name; | ||||
|         }; | ||||
|         streaming_playlists = rec { | ||||
|           bucket_name = "peertube-playlists"; | ||||
|           prefix = ""; | ||||
|           base_url = config.fediversity.internal.garage.web.urlFor bucket_name; | ||||
|           base_url = config.fediversity.internal.garage.web.urlForBucket bucket_name; | ||||
|         }; | ||||
|       }; | ||||
|     }; | ||||
|  | @ -94,4 +102,12 @@ lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) { | |||
|     AWS_ACCESS_KEY_ID=${snakeoil_key.id} | ||||
|     AWS_SECRET_ACCESS_KEY=${snakeoil_key.secret} | ||||
|   ''; | ||||
| 
 | ||||
|   ## Proxying through Nginx | ||||
| 
 | ||||
|   services.peertube.configureNginx = true; | ||||
|   services.nginx.virtualHosts.${config.services.peertube.localDomain} = { | ||||
|     forceSSL = true; | ||||
|     enableACME = true; | ||||
|   }; | ||||
| } | ||||
|  |  | |||
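Review bot: The three `object_storage.*.base_url` values come from `urlForBucket`, which in this branch produces `http://<bucket>.web.garage.<domain>`, while PeerTube itself is now served with `forceSSL = true`; video and playlist URLs pointing at plain HTTP from an HTTPS page will be blocked as mixed content. If the peertube buckets are proxied by the new Nginx vhosts in garage.nix (their `ensureBuckets` entries start outside this hunk), either make `urlForBucket` emit `https://` in the shared module or override here, e.g. `base_url = "https://${config.fediversity.internal.garage.web.domainForBucket bucket_name}";`. Dropping 9000 from the firewall in favour of 443 is the right direction; since PeerTube's listen address is not set in this hunk, confirm it binds to loopback only, otherwise the firewall rule is the only thing keeping 9000 closed.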
|  | @ -5,7 +5,12 @@ let | |||
|   }; | ||||
| in | ||||
| 
 | ||||
| { config, lib, pkgs, ... }: | ||||
| { | ||||
|   config, | ||||
|   lib, | ||||
|   pkgs, | ||||
|   ... | ||||
| }: | ||||
| 
 | ||||
| lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) { | ||||
|   services.garage = { | ||||
|  | @ -38,16 +43,37 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) { | |||
|   services.pixelfed = { | ||||
|     enable = true; | ||||
|     domain = config.fediversity.internal.pixelfed.domain; | ||||
| 
 | ||||
|     # TODO: secrets management!!! | ||||
|     secretFile = pkgs.writeText "secrets.env" '' | ||||
|       APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA | ||||
|     ''; | ||||
| 
 | ||||
|     ## Taeer feels like this way of configuring Nginx is odd; there should | ||||
|     ## instead be a `services.pixefed.nginx.enable` option and the actual Nginx | ||||
|     ## configuration should be in `services.nginx`. See eg. `pretix`. | ||||
|     ## | ||||
|     ## TODO: If that indeed makes sense, upstream. | ||||
|     nginx = { | ||||
|       forceSSL = true; | ||||
|       enableACME = true; | ||||
|       # locations."/public/".proxyPass = "${config.fediversity.internal.garage.web.urlForBucket "pixelfed"}/public/"; | ||||
|     }; | ||||
|   }; | ||||
| 
 | ||||
|   services.pixelfed.settings = { | ||||
|     ## NOTE: This depends on the targets, eg. universities might want control | ||||
|     ## over who has an account. We probably want a universal | ||||
|     ## `fediversity.openRegistration` option. | ||||
|     OPEN_REGISTRATION = true; | ||||
| 
 | ||||
|     # DANGEROUSLY_SET_FILESYSTEM_DRIVER = "s3"; | ||||
|     FILESYSTEM_CLOUD = "s3"; | ||||
|     PF_ENABLE_CLOUD = true; | ||||
|     AWS_ACCESS_KEY_ID = snakeoil_key.id; | ||||
|     AWS_SECRET_ACCESS_KEY = snakeoil_key.secret; | ||||
|     AWS_DEFAULT_REGION = "garage"; | ||||
|     AWS_URL = config.fediversity.internal.garage.web.urlFor "pixelfed"; | ||||
|     AWS_URL = config.fediversity.internal.garage.web.urlForBucket "pixelfed"; | ||||
|     AWS_BUCKET = "pixelfed"; | ||||
|     AWS_ENDPOINT = config.fediversity.internal.garage.api.url; | ||||
|     AWS_USE_PATH_STYLE_ENDPOINT = false; | ||||
|  | @ -59,4 +85,8 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) { | |||
|     after = [ "ensure-garage.service" ]; | ||||
|   }; | ||||
| 
 | ||||
|   networking.firewall.allowedTCPPorts = [ | ||||
|     80 | ||||
|     443 | ||||
|   ]; | ||||
| } | ||||
|  |  | |||
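Review bot: `secretFile = pkgs.writeText "secrets.env" ''APP_KEY=...''` writes the Laravel application key into the world-readable `/nix/store` (and into any binary cache the system closure is pushed to), and the key value is now committed to the repository; `APP_KEY` protects sessions and signed cookies, so anyone who can read the store can forge them. The TODO acknowledges secrets management, but an interim fix consistent with `services.peertube.secrets.secretsFile` in the same series is to reference a file provisioned outside the store, `secretFile = "/var/lib/pixelfed/secrets.env";`, with a comment that the file must exist before activation and that the committed key must be rotated. `OPEN_REGISTRATION = true` is already flagged by the NOTE; `AWS_URL` still yields an `http://` URL under a `forceSSL` vhost, which may produce mixed-content media URLs.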
							
								
								
									
								flake.lock
									
										
									
							|  | @ -1,12 +1,151 @@ | |||
| { | ||||
|   "nodes": { | ||||
|     "disko": { | ||||
|       "inputs": { | ||||
|         "nixpkgs": "nixpkgs" | ||||
|       }, | ||||
|       "locked": { | ||||
|         "lastModified": 1727347829, | ||||
|         "narHash": "sha256-y7cW6TjJKy+tu7efxeWI6lyg4VVx/9whx+OmrhmRShU=", | ||||
|         "owner": "nix-community", | ||||
|         "repo": "disko", | ||||
|         "rev": "1879e48907c14a70302ff5d0539c3b9b6f97feaa", | ||||
|         "type": "github" | ||||
|       }, | ||||
|       "original": { | ||||
|         "owner": "nix-community", | ||||
|         "repo": "disko", | ||||
|         "type": "github" | ||||
|       } | ||||
|     }, | ||||
|     "flake-compat": { | ||||
|       "flake": false, | ||||
|       "locked": { | ||||
|         "lastModified": 1696426674, | ||||
|         "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", | ||||
|         "owner": "edolstra", | ||||
|         "repo": "flake-compat", | ||||
|         "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", | ||||
|         "type": "github" | ||||
|       }, | ||||
|       "original": { | ||||
|         "owner": "edolstra", | ||||
|         "repo": "flake-compat", | ||||
|         "type": "github" | ||||
|       } | ||||
|     }, | ||||
|     "git-hooks": { | ||||
|       "inputs": { | ||||
|         "flake-compat": "flake-compat", | ||||
|         "gitignore": "gitignore", | ||||
|         "nixpkgs": "nixpkgs_2", | ||||
|         "nixpkgs-stable": "nixpkgs-stable" | ||||
|       }, | ||||
|       "locked": { | ||||
|         "lastModified": 1730814269, | ||||
|         "narHash": "sha256-fWPHyhYE6xvMI1eGY3pwBTq85wcy1YXqdzTZF+06nOg=", | ||||
|         "owner": "cachix", | ||||
|         "repo": "git-hooks.nix", | ||||
|         "rev": "d70155fdc00df4628446352fc58adc640cd705c2", | ||||
|         "type": "github" | ||||
|       }, | ||||
|       "original": { | ||||
|         "owner": "cachix", | ||||
|         "repo": "git-hooks.nix", | ||||
|         "type": "github" | ||||
|       } | ||||
|     }, | ||||
|     "gitignore": { | ||||
|       "inputs": { | ||||
|         "nixpkgs": [ | ||||
|           "git-hooks", | ||||
|           "nixpkgs" | ||||
|         ] | ||||
|       }, | ||||
|       "locked": { | ||||
|         "lastModified": 1709087332, | ||||
|         "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", | ||||
|         "owner": "hercules-ci", | ||||
|         "repo": "gitignore.nix", | ||||
|         "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", | ||||
|         "type": "github" | ||||
|       }, | ||||
|       "original": { | ||||
|         "owner": "hercules-ci", | ||||
|         "repo": "gitignore.nix", | ||||
|         "type": "github" | ||||
|       } | ||||
|     }, | ||||
|     "nixpkgs": { | ||||
|       "locked": { | ||||
|         "lastModified": 1723726852, | ||||
|         "narHash": "sha256-lRzlx4fPRtzA+dgz9Rh4WK5yAW3TsAXx335DQqxY2XY=", | ||||
|         "lastModified": 1725194671, | ||||
|         "narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=", | ||||
|         "owner": "NixOS", | ||||
|         "repo": "nixpkgs", | ||||
|         "rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c", | ||||
|         "type": "github" | ||||
|       }, | ||||
|       "original": { | ||||
|         "owner": "NixOS", | ||||
|         "ref": "nixpkgs-unstable", | ||||
|         "repo": "nixpkgs", | ||||
|         "type": "github" | ||||
|       } | ||||
|     }, | ||||
|     "nixpkgs-latest": { | ||||
|       "locked": { | ||||
|         "lastModified": 1727220152, | ||||
|         "narHash": "sha256-6ezRTVBZT25lQkvaPrfJSxYLwqcbNWm6feD/vG1FO0o=", | ||||
|         "owner": "nixos", | ||||
|         "repo": "nixpkgs", | ||||
|         "rev": "24959f933187217890b206788a85bfa73ba75949", | ||||
|         "type": "github" | ||||
|       }, | ||||
|       "original": { | ||||
|         "owner": "nixos", | ||||
|         "repo": "nixpkgs", | ||||
|         "type": "github" | ||||
|       } | ||||
|     }, | ||||
|     "nixpkgs-stable": { | ||||
|       "locked": { | ||||
|         "lastModified": 1730741070, | ||||
|         "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=", | ||||
|         "owner": "NixOS", | ||||
|         "repo": "nixpkgs", | ||||
|         "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3", | ||||
|         "type": "github" | ||||
|       }, | ||||
|       "original": { | ||||
|         "owner": "NixOS", | ||||
|         "ref": "nixos-24.05", | ||||
|         "repo": "nixpkgs", | ||||
|         "type": "github" | ||||
|       } | ||||
|     }, | ||||
|     "nixpkgs_2": { | ||||
|       "locked": { | ||||
|         "lastModified": 1730768919, | ||||
|         "narHash": "sha256-8AKquNnnSaJRXZxc5YmF/WfmxiHX6MMZZasRP6RRQkE=", | ||||
|         "owner": "NixOS", | ||||
|         "repo": "nixpkgs", | ||||
|         "rev": "a04d33c0c3f1a59a2c1cb0c6e34cd24500e5a1dc", | ||||
|         "type": "github" | ||||
|       }, | ||||
|       "original": { | ||||
|         "owner": "NixOS", | ||||
|         "ref": "nixpkgs-unstable", | ||||
|         "repo": "nixpkgs", | ||||
|         "type": "github" | ||||
|       } | ||||
|     }, | ||||
|     "nixpkgs_3": { | ||||
|       "locked": { | ||||
|         "lastModified": 1730137230, | ||||
|         "narHash": "sha256-0kW6v0alzWIc/Dc/DoVZ7A9qNScv77bj/zYTKI67HZM=", | ||||
|         "owner": "radvendii", | ||||
|         "repo": "nixpkgs", | ||||
|         "rev": "9286249a1673cf5b14a4793e22dd44b70cb69a0d", | ||||
|         "rev": "df815998652a1d00ce7c059a1e5ef7d7c0548c90", | ||||
|         "type": "github" | ||||
|       }, | ||||
|       "original": { | ||||
|  | @ -16,9 +155,30 @@ | |||
|         "type": "github" | ||||
|       } | ||||
|     }, | ||||
|     "pixelfed": { | ||||
|       "flake": false, | ||||
|       "locked": { | ||||
|         "lastModified": 1719823820, | ||||
|         "narHash": "sha256-CKjqnxp7p2z/13zfp4HQ1OAmaoUtqBKS6HFm6TV8Jwg=", | ||||
|         "owner": "pixelfed", | ||||
|         "repo": "pixelfed", | ||||
|         "rev": "4c245cf429330d01fcb8ebeb9aa8c84a9574a645", | ||||
|         "type": "github" | ||||
|       }, | ||||
|       "original": { | ||||
|         "owner": "pixelfed", | ||||
|         "ref": "v0.12.3", | ||||
|         "repo": "pixelfed", | ||||
|         "type": "github" | ||||
|       } | ||||
|     }, | ||||
|     "root": { | ||||
|       "inputs": { | ||||
|         "nixpkgs": "nixpkgs" | ||||
|         "disko": "disko", | ||||
|         "git-hooks": "git-hooks", | ||||
|         "nixpkgs": "nixpkgs_3", | ||||
|         "nixpkgs-latest": "nixpkgs-latest", | ||||
|         "pixelfed": "pixelfed" | ||||
|       } | ||||
|     } | ||||
|   }, | ||||
|  |  | |||
							
								
								
									
										130
									
								
								flake.nix
									
										
									
									
									
								
							
							
						
						
									
							|  | @ -1,77 +1,108 @@ | |||
| { | ||||
|   description = "Testing mastodon configurations"; | ||||
| 
 | ||||
|   inputs = { | ||||
|     nixpkgs.url = "github:radvendii/nixpkgs/nixos_rebuild_tests"; | ||||
|     nixpkgs-latest.url = "github:nixos/nixpkgs"; | ||||
|     git-hooks.url = "github:cachix/git-hooks.nix"; | ||||
| 
 | ||||
|     pixelfed = { | ||||
|       url = "github:pixelfed/pixelfed?ref=v0.12.3"; | ||||
|       flake = false; | ||||
|     }; | ||||
|     disko.url = "github:nix-community/disko"; | ||||
|   }; | ||||
| 
 | ||||
|   outputs = inputs@{ self, nixpkgs }: | ||||
|   outputs = | ||||
|     { | ||||
|       self, | ||||
|       nixpkgs, | ||||
|       nixpkgs-latest, | ||||
|       git-hooks, | ||||
|       pixelfed, | ||||
|       disko, | ||||
|     }: | ||||
|     let | ||||
|       system = "x86_64-linux"; | ||||
|       lib = nixpkgs.lib; | ||||
|       pkgs = nixpkgs.legacyPackages.${system}; | ||||
|   in { | ||||
| 
 | ||||
|     packages.${system} = { | ||||
|       pixelfed = pkgs.pixelfed.overrideAttrs (old: { | ||||
|       pkgsLatest = nixpkgs-latest.legacyPackages.${system}; | ||||
|       bleedingFediverseOverlay = ( | ||||
|         _: _: { | ||||
|           pixelfed = pkgsLatest.pixelfed.overrideAttrs (old: { | ||||
|             src = pixelfed; | ||||
|             patches = (old.patches or [ ]) ++ [ ./fediversity/pixelfed-group-permissions.patch ]; | ||||
|           }); | ||||
|     }; | ||||
| 
 | ||||
|           ## TODO: give mastodon, peertube the same treatment | ||||
|         } | ||||
|       ); | ||||
|     in | ||||
|     { | ||||
|       nixosModules = { | ||||
|       ## Fediversity modules | ||||
|       fediversity = { pkgs, ... }: { | ||||
|         imports = [ ./fediversity ]; | ||||
|         services.pixelfed.package = self.packages.${pkgs.stdenv.hostPlatform.system}.pixelfed; | ||||
|         ## Bleeding-edge fediverse packages | ||||
|         bleedingFediverse = { | ||||
|           nixpkgs.overlays = [ bleedingFediverseOverlay ]; | ||||
|         }; | ||||
|         ## Fediversity modules | ||||
|         fediversity = import ./fediversity; | ||||
| 
 | ||||
|         ## VM-specific modules | ||||
|       interactive-vm = { | ||||
|         imports = [ | ||||
|           ./vm/interactive-vm.nix | ||||
|           self.nixosModules.fediversity | ||||
|         ]; | ||||
|       }; | ||||
|       mastodon-vm = { | ||||
|         imports = [ | ||||
|           ./vm/mastodon-vm.nix | ||||
|           self.nixosModules.fediversity | ||||
|         ]; | ||||
|       }; | ||||
|       peertube-vm = { | ||||
|         imports = [ | ||||
|           ./vm/peertube-vm.nix | ||||
|           self.nixosModules.fediversity | ||||
|         ]; | ||||
|       }; | ||||
|       pixelfed-vm = { | ||||
|         imports = [ | ||||
|           ./vm/pixelfed-vm.nix | ||||
|           self.nixosModules.fediversity | ||||
|         ]; | ||||
|       }; | ||||
|         interactive-vm = import ./vm/interactive-vm.nix; | ||||
|         garage-vm = import ./vm/garage-vm.nix; | ||||
|         mastodon-vm = import ./vm/mastodon-vm.nix; | ||||
|         peertube-vm = import ./vm/peertube-vm.nix; | ||||
|         pixelfed-vm = import ./vm/pixelfed-vm.nix; | ||||
| 
 | ||||
|         disk-layout = import ./disk-layout.nix; | ||||
|       }; | ||||
| 
 | ||||
|       nixosConfigurations = { | ||||
|         mastodon = nixpkgs.lib.nixosSystem { | ||||
|           inherit system; | ||||
|         modules = with self.nixosModules; [ fediversity interactive-vm mastodon-vm ]; | ||||
|           modules = with self.nixosModules; [ | ||||
|             disko.nixosModules.default | ||||
|             disk-layout | ||||
|             bleedingFediverse | ||||
|             fediversity | ||||
|             interactive-vm | ||||
|             garage-vm | ||||
|             mastodon-vm | ||||
|           ]; | ||||
|         }; | ||||
| 
 | ||||
|         peertube = nixpkgs.lib.nixosSystem { | ||||
|           inherit system; | ||||
|         modules = with self.nixosModules; [ fediversity interactive-vm peertube-vm ]; | ||||
|           modules = with self.nixosModules; [ | ||||
|             disko.nixosModules.default | ||||
|             disk-layout | ||||
|             bleedingFediverse | ||||
|             fediversity | ||||
|             interactive-vm | ||||
|             garage-vm | ||||
|             peertube-vm | ||||
|           ]; | ||||
|         }; | ||||
| 
 | ||||
|         pixelfed = nixpkgs.lib.nixosSystem { | ||||
|           inherit system; | ||||
|         modules = with self.nixosModules; [ fediversity interactive-vm pixelfed-vm ]; | ||||
|           modules = with self.nixosModules; [ | ||||
|             disko.nixosModules.default | ||||
|             disk-layout | ||||
|             bleedingFediverse | ||||
|             fediversity | ||||
|             interactive-vm | ||||
|             garage-vm | ||||
|             pixelfed-vm | ||||
|           ]; | ||||
|         }; | ||||
| 
 | ||||
|         all = nixpkgs.lib.nixosSystem { | ||||
|           inherit system; | ||||
|           modules = with self.nixosModules; [ | ||||
|             disko.nixosModules.default | ||||
|             disk-layout | ||||
|             bleedingFediverse | ||||
|             fediversity | ||||
|             interactive-vm | ||||
|             garage-vm | ||||
|             peertube-vm | ||||
|             pixelfed-vm | ||||
|             mastodon-vm | ||||
|  | @ -79,15 +110,34 @@ | |||
|         }; | ||||
|       }; | ||||
| 
 | ||||
|       ## Fully-feature ISO installer | ||||
|       mkInstaller = import ./installer.nix; | ||||
|       installers = lib.mapAttrs (_: config: self.mkInstaller nixpkgs config) self.nixosConfigurations; | ||||
| 
 | ||||
|       deploy = | ||||
|         let | ||||
|           deployCommand = (pkgs.callPackage ./deploy.nix { }); | ||||
|         in | ||||
|         lib.mapAttrs (name: config: deployCommand name config) self.nixosConfigurations; | ||||
| 
 | ||||
|       checks.${system} = { | ||||
|         mastodon-garage = import ./tests/mastodon-garage.nix { inherit pkgs self; }; | ||||
|         pixelfed-garage = import ./tests/pixelfed-garage.nix { inherit pkgs self; }; | ||||
| 
 | ||||
|         pre-commit = git-hooks.lib.${system}.run { | ||||
|           src = ./.; | ||||
|           hooks = { | ||||
|             nixfmt-rfc-style.enable = true; | ||||
|             deadnix.enable = true; | ||||
|           }; | ||||
|         }; | ||||
|       }; | ||||
| 
 | ||||
|       devShells.${system}.default = pkgs.mkShell { | ||||
|         inputs = with pkgs; [ | ||||
|           nil | ||||
|         ]; | ||||
|         shellHook = self.checks.${system}.pre-commit.shellHook; | ||||
|       }; | ||||
|     }; | ||||
| } | ||||
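Review bot: `devShells.${system}.default` passes `inputs = with pkgs; [ nil ];` to `pkgs.mkShell`, but `mkShell` has no `inputs` argument (it reads `packages`, `nativeBuildInputs` and `buildInputs`), so `nil` will not be on the shell's PATH and the attribute just becomes an environment variable; change it to `packages = with pkgs; [ nil ];`. The `installers` attribute calls `self.mkInstaller nixpkgs config`, while `installer.nix` in this same change is written as `{ nixpkgs, hostKeys ? { } }: machine:` with no `...`, so the flake input is handed to a set pattern that does not accept its attributes and evaluating any `installers.*` should fail with an unexpected-argument error; `self.mkInstaller { inherit nixpkgs; } config` matches the signature. Every `nixosConfigurations` entry, and therefore every installer ISO, includes `interactive-vm`, which `vm/interactive-vm.nix` in this diff shows setting `users.users.root.hashedPassword = ""`, so installed machines would carry an empty root password; the installers should compose from a profile without that module. `nixpkgs` now comes from a personal fork (`github:radvendii/nixpkgs/nixos_rebuild_tests`); it is pinned by rev in the lock file, but a comment stating why the fork is needed and when it can return to upstream would make that supply-chain dependency reviewable.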
|  |  | |||
							
								
								
									
										61
									
								
								installer.nix
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
							|  | @ -0,0 +1,61 @@ | |||
| /** | ||||
|   Convert a NixOS configuration to one for a minimal installer ISO | ||||
| 
 | ||||
|   WARNING: Running this installer will format the target disk! | ||||
| */ | ||||
| 
 | ||||
| { | ||||
|   nixpkgs, | ||||
|   hostKeys ? { }, | ||||
| }: | ||||
| machine: | ||||
| 
 | ||||
| let | ||||
|   inherit (builtins) concatStringsSep attrValues mapAttrs; | ||||
| 
 | ||||
|   installer = | ||||
|     { | ||||
|       config, | ||||
|       pkgs, | ||||
|       lib, | ||||
|       ... | ||||
|     }: | ||||
|     let | ||||
|       bootstrap = pkgs.writeShellApplication { | ||||
|         name = "bootstrap"; | ||||
|         runtimeInputs = with pkgs; [ nixos-install-tools ]; | ||||
|         text = '' | ||||
|           ${machine.config.system.build.diskoScript} | ||||
|           nixos-install --no-root-password --no-channel-copy --system ${machine.config.system.build.toplevel} | ||||
|           ${concatStringsSep "\n" ( | ||||
|             attrValues ( | ||||
|               mapAttrs (kind: keys: '' | ||||
|                 cp ${keys.private} /mnt/etc/ssh/ssh_host_${kind}_key | ||||
|                 chmod 600 /mnt/etc/ssh/ssh_host_${kind}_key | ||||
|                 cp ${keys.public} /mnt/etc/ssh/ssh_host_${kind}_key.pub | ||||
|                 chmod 644 /mnt/etc/ssh/ssh_host_${kind}_key.pub | ||||
|               '') hostKeys | ||||
|             ) | ||||
|           )} | ||||
|           poweroff | ||||
|         ''; | ||||
|       }; | ||||
|     in | ||||
|     { | ||||
|       imports = [ | ||||
|         "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix" | ||||
|       ]; | ||||
|       nixpkgs.hostPlatform = "x86_64-linux"; | ||||
|       services.getty.autologinUser = lib.mkForce "root"; | ||||
|       programs.bash.loginShellInit = nixpkgs.lib.getExe bootstrap; | ||||
| 
 | ||||
|       isoImage = { | ||||
|         compressImage = false; | ||||
|         squashfsCompression = "lz4"; | ||||
|         isoName = lib.mkForce "installer.iso"; | ||||
|         ## ^^ FIXME: Use a more interesting name or keep the default name and | ||||
|         ## use `isoImage.isoName` in the tests. | ||||
|       }; | ||||
|     }; | ||||
| in | ||||
| (nixpkgs.lib.nixosSystem { modules = [ installer ]; }).config.system.build.isoImage | ||||
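Review bot: `keys.private` is interpolated into the `bootstrap` script text (`cp ${keys.private} /mnt/etc/ssh/ssh_host_${kind}_key`), so whatever file the caller passes for `hostKeys` is copied into the Nix store and ends up world-readable in `/nix/store` on the ISO and in any cache the build is pushed to; the later `chmod 600` on the installed copy does not undo that. Either source the key material from outside the store at boot time or document the parameter as test-keys-only, e.g. a comment above the `mapAttrs` reading `## NOTE: keys.private becomes a world-readable store path on the ISO; use throwaway keys only`. `nixos-install --no-root-password` installs the machine with whatever root credentials `machine` carries, and the `flake.nix` in this change feeds every `nixosConfigurations` entry (all of which import `interactive-vm`, whose empty root password is visible in this diff) through this function. The `WARNING` in the header is good, but since `loginShellInit` runs the format-and-install unattended on autologin, a short confirmation prompt or an explicit `machine.config.networking.hostName` echo before `diskoScript` would reduce the chance of wiping the wrong disk.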
|  | @ -1,11 +1,16 @@ | |||
| { pkgs, self }: | ||||
| let | ||||
|   lib = pkgs.lib; | ||||
|   rebuildableTest = import ./rebuildableTest.nix pkgs; | ||||
|   seleniumScript = pkgs.writers.writePython3Bin "selenium-script" | ||||
| 
 | ||||
|   ## FIXME: this binding was not used, but maybe we want a side-effect or something? | ||||
|   # rebuildableTest = import ./rebuildableTest.nix pkgs; | ||||
| 
 | ||||
|   seleniumScript = | ||||
|     pkgs.writers.writePython3Bin "selenium-script" | ||||
|       { | ||||
|         libraries = with pkgs.python3Packages; [ selenium ]; | ||||
|     } '' | ||||
|       } | ||||
|       '' | ||||
|         from selenium import webdriver | ||||
|         from selenium.webdriver.common.by import By | ||||
|         from selenium.webdriver.firefox.options import Options | ||||
|  | @ -35,9 +40,16 @@ pkgs.nixosTest { | |||
|   name = "test-mastodon-garage"; | ||||
| 
 | ||||
|   nodes = { | ||||
|     server = { config, ... }: { | ||||
|     server = | ||||
|       { config, ... }: | ||||
|       { | ||||
|         virtualisation.memorySize = lib.mkVMOverride 4096; | ||||
|       imports = with self.nixosModules; [ mastodon-vm ]; | ||||
|         imports = with self.nixosModules; [ | ||||
|           bleedingFediverse | ||||
|           fediversity | ||||
|           garage-vm | ||||
|           mastodon-vm | ||||
|         ]; | ||||
|         # TODO: pair down | ||||
|         environment.systemPackages = with pkgs; [ | ||||
|           python3 | ||||
|  | @ -57,7 +69,9 @@ pkgs.nixosTest { | |||
|       }; | ||||
|   }; | ||||
| 
 | ||||
|   testScript = { nodes, ... }: '' | ||||
|   testScript = | ||||
|     { nodes, ... }: | ||||
|     '' | ||||
|       import re | ||||
|       import time | ||||
| 
 | ||||
|  | @ -121,8 +135,8 @@ pkgs.nixosTest { | |||
|           raise Exception("mastodon did not send a content security policy header") | ||||
|         csp = csp_match.group(1) | ||||
|         # the img-src content security policy should include the garage server | ||||
|       ## TODO: use `nodes.server.fediversity.internal.garage.api.url` same as above, but beware of escaping the regex. | ||||
|       garage_csp = re.match(".*; img-src[^;]*web\.garage\.localhost:3902.*", csp) | ||||
|         ## TODO: use `nodes.server.fediversity.internal.garage.api.url` same as above, but beware of escaping the regex. Be careful with port 80 though. | ||||
|         garage_csp = re.match(".*; img-src[^;]*web\.garage\.localhost.*", csp) | ||||
|         if garage_csp is None: | ||||
|           raise Exception("Mastodon's content security policy does not include garage server. image will not be displayed properly on mastodon.") | ||||
| 
 | ||||
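Review bot: The regex literal `".*; img-src[^;]*web\.garage\.localhost.*"` is a plain Python string, and Nix `''` strings leave backslashes untouched, so Python receives `\.` as an invalid escape sequence (DeprecationWarning before 3.12, SyntaxWarning from 3.12); make it a raw string, `garage_csp = re.match(r".*; img-src[^;]*web\.garage\.localhost.*", csp)`. Dropping `:3902` also loosens the check: the pattern now accepts any source whose name merely starts with `web.garage.localhost`, so following `localhost` with `(?:[:\s;]|$)` keeps the port-80 case the TODO mentions working without accepting unrelated hosts. The enclosing `testScript` starts and ends outside this hunk.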
|  |  | |||
|  | @ -1,7 +1,9 @@ | |||
| { pkgs, self }: | ||||
| let | ||||
|   lib = pkgs.lib; | ||||
|   rebuildableTest = import ./rebuildableTest.nix pkgs; | ||||
| 
 | ||||
|   ## FIXME: this binding was not used but maybe we want a side effect or something? | ||||
|   # rebuildableTest = import ./rebuildableTest.nix pkgs; | ||||
| 
 | ||||
|   email = "test@test.com"; | ||||
|   password = "testtest"; | ||||
|  | @ -50,10 +52,12 @@ let | |||
|     driver.quit() | ||||
|   ''; | ||||
| 
 | ||||
|   seleniumScriptPostPicture = pkgs.writers.writePython3Bin "selenium-script-post-picture" | ||||
|   seleniumScriptPostPicture = | ||||
|     pkgs.writers.writePython3Bin "selenium-script-post-picture" | ||||
|       { | ||||
|         libraries = with pkgs.python3Packages; [ selenium ]; | ||||
|     } '' | ||||
|       } | ||||
|       '' | ||||
|         import os | ||||
|         import time | ||||
|         ${seleniumImports} | ||||
|  | @ -93,10 +97,12 @@ let | |||
|         ${seleniumTakeScreenshot "\"/home/selenium/screenshot.png\""} | ||||
|         ${seleniumQuit}''; | ||||
| 
 | ||||
|   seleniumScriptGetSrc = pkgs.writers.writePython3Bin "selenium-script-get-src" | ||||
|   seleniumScriptGetSrc = | ||||
|     pkgs.writers.writePython3Bin "selenium-script-get-src" | ||||
|       { | ||||
|         libraries = with pkgs.python3Packages; [ selenium ]; | ||||
|     } '' | ||||
|       } | ||||
|       '' | ||||
|         ${seleniumImports} | ||||
|         ${seleniumSetup} | ||||
|         ${seleniumPixelfedLogin} | ||||
|  | @ -115,7 +121,9 @@ pkgs.nixosTest { | |||
|   name = "test-pixelfed-garage"; | ||||
| 
 | ||||
|   nodes = { | ||||
|     server = { config, ... }: { | ||||
|     server = | ||||
|       { config, ... }: | ||||
|       { | ||||
| 
 | ||||
|         services = { | ||||
|           xserver = { | ||||
|  | @ -129,14 +137,21 @@ pkgs.nixosTest { | |||
|             user = "selenium"; | ||||
|           }; | ||||
|         }; | ||||
|       virtualisation.resolution = { x = 1680; y = 1050; }; | ||||
| 
 | ||||
|         virtualisation.resolution = { | ||||
|           x = 1680; | ||||
|           y = 1050; | ||||
|         }; | ||||
| 
 | ||||
|         virtualisation = { | ||||
|           memorySize = lib.mkVMOverride 8192; | ||||
|           cores = 8; | ||||
|         }; | ||||
|       imports = with self.nixosModules; [ pixelfed-vm ]; | ||||
|         imports = with self.nixosModules; [ | ||||
|           bleedingFediverse | ||||
|           fediversity | ||||
|           garage-vm | ||||
|           pixelfed-vm | ||||
|         ]; | ||||
|         # TODO: pair down | ||||
|         environment.systemPackages = with pkgs; [ | ||||
|           python3 | ||||
|  | @ -152,6 +167,8 @@ pkgs.nixosTest { | |||
|           POST_MEDIA = ./fediversity.png; | ||||
|           AWS_ACCESS_KEY_ID = config.services.garage.ensureKeys.pixelfed.id; | ||||
|           AWS_SECRET_ACCESS_KEY = config.services.garage.ensureKeys.pixelfed.secret; | ||||
|           ## without this we get frivolous errors in the logs | ||||
|           MC_REGION = "garage"; | ||||
|         }; | ||||
|         # chrome does not like being run as root | ||||
|         users.users.selenium = { | ||||
|  | @ -160,7 +177,9 @@ pkgs.nixosTest { | |||
|       }; | ||||
|   }; | ||||
| 
 | ||||
|   testScript = { nodes, ... }: '' | ||||
|   testScript = | ||||
|     { nodes, ... }: | ||||
|     '' | ||||
|       import re | ||||
| 
 | ||||
|       server.start() | ||||
|  | @ -202,7 +221,7 @@ pkgs.nixosTest { | |||
| 
 | ||||
|       with subtest("Check that image comes from garage"): | ||||
|         src = server.succeed("su - selenium -c 'selenium-script-get-src ${email} ${password}'") | ||||
|       if not src.startswith("${nodes.server.fediversity.internal.garage.web.urlFor "pixelfed"}"): | ||||
|         if not src.startswith("${nodes.server.fediversity.internal.garage.web.urlForBucket "pixelfed"}"): | ||||
|           raise Exception("image does not come from garage") | ||||
|     ''; | ||||
| } | ||||
|  |  | |||
|  | @ -1,9 +1,16 @@ | |||
| pkgs: test: | ||||
| let | ||||
|   inherit (pkgs.lib) mapAttrsToList concatStringsSep genAttrs mkIf; | ||||
|   inherit (pkgs.lib) | ||||
|     mapAttrsToList | ||||
|     concatStringsSep | ||||
|     genAttrs | ||||
|     mkIf | ||||
|     ; | ||||
|   inherit (builtins) attrNames; | ||||
| 
 | ||||
|   interactiveConfig = ({ config, ... }: { | ||||
|   interactiveConfig = ( | ||||
|     { config, ... }: | ||||
|     { | ||||
|       # so we can run `nix shell nixpkgs#foo` on the machines | ||||
|       nix.extraOptions = '' | ||||
|         extra-experimental-features = nix-command flakes | ||||
|  | @ -20,13 +27,16 @@ let | |||
|       }; | ||||
| 
 | ||||
|       virtualisation = mkIf (config.networking.hostName == "jumphost") { | ||||
|       forwardPorts = [{ | ||||
|         forwardPorts = [ | ||||
|           { | ||||
|             from = "host"; | ||||
|             host.port = 2222; | ||||
|             guest.port = 22; | ||||
|       }]; | ||||
|           } | ||||
|         ]; | ||||
|       }; | ||||
|   }); | ||||
|     } | ||||
|   ); | ||||
| 
 | ||||
|   sshConfig = pkgs.writeText "ssh-config" '' | ||||
|     Host * | ||||
|  | @ -50,10 +60,11 @@ let | |||
|     # create an association array from machine names to the path to their | ||||
|     # configuration in the nix store | ||||
|     declare -A configPaths=(${ | ||||
|       concatStringsSep " " | ||||
|         (mapAttrsToList | ||||
|           (n: v: ''["${n}"]="${v.system.build.toplevel}"'') | ||||
|           rebuildableTest.driverInteractive.nodes) | ||||
|       concatStringsSep " " ( | ||||
|         mapAttrsToList ( | ||||
|           n: v: ''["${n}"]="${v.system.build.toplevel}"'' | ||||
|         ) rebuildableTest.driverInteractive.nodes | ||||
|       ) | ||||
|     }) | ||||
| 
 | ||||
|     rebuild_one() { | ||||
|  | @ -113,16 +124,14 @@ let | |||
|   # we're at it) | ||||
|   rebuildableTest = | ||||
|     let | ||||
|       preOverride = pkgs.nixosTest (test // { | ||||
|       preOverride = pkgs.nixosTest ( | ||||
|         test | ||||
|         // { | ||||
|           interactive = (test.interactive or { }) // { | ||||
|             # no need to // with test.interactive.nodes here, since we are iterating | ||||
|             # over all of them, and adding back in the config via `imports` | ||||
|           nodes = genAttrs | ||||
|             ( | ||||
|               attrNames test.nodes or { } ++ | ||||
|                 attrNames test.interactive.nodes or { } ++ | ||||
|                 [ "jumphost" ] | ||||
|             ) | ||||
|             nodes = | ||||
|               genAttrs (attrNames test.nodes or { } ++ attrNames test.interactive.nodes or { } ++ [ "jumphost" ]) | ||||
|                 (n: { | ||||
|                   imports = [ | ||||
|                     (test.interactive.${n} or { }) | ||||
|  | @ -131,14 +140,20 @@ let | |||
|                 }); | ||||
|           }; | ||||
|           # override with test.passthru in case someone wants to overwrite us. | ||||
|         passthru = { inherit rebuildScript sshConfig; } // (test.passthru or { }); | ||||
|       }); | ||||
|           passthru = { | ||||
|             inherit rebuildScript sshConfig; | ||||
|           } // (test.passthru or { }); | ||||
|         } | ||||
|       ); | ||||
|     in | ||||
|     preOverride // { | ||||
|     preOverride | ||||
|     // { | ||||
|       driverInteractive = preOverride.driverInteractive.overrideAttrs (old: { | ||||
|         # this comes from runCommand, not mkDerivation, so this is the only | ||||
|         # hook we have to override | ||||
|         buildCommand = old.buildCommand + '' | ||||
|         buildCommand = | ||||
|           old.buildCommand | ||||
|           + '' | ||||
|             ln -s ${sshConfig} $out/ssh-config | ||||
|             ln -s ${rebuildScript}/bin/rebuild $out/bin/rebuild | ||||
|           ''; | ||||
|  | @ -146,4 +161,3 @@ let | |||
|     }; | ||||
| in | ||||
| rebuildableTest | ||||
| 
 | ||||
|  |  | |||
							
								
								
									
										44
									
								
								vm/garage-vm.nix
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
							|  | @ -0,0 +1,44 @@ | |||
| { | ||||
|   lib, | ||||
|   config, | ||||
|   modulesPath, | ||||
|   ... | ||||
| }: | ||||
| 
 | ||||
| let | ||||
|   inherit (lib) mkVMOverride mapAttrs' filterAttrs; | ||||
| 
 | ||||
|   cfg = config.services.garage; | ||||
| 
 | ||||
|   fedicfg = config.fediversity.internal.garage; | ||||
| 
 | ||||
| in | ||||
| { | ||||
|   imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ]; | ||||
| 
 | ||||
|   services.nginx.virtualHosts = | ||||
|     let | ||||
|       value = { | ||||
|         forceSSL = mkVMOverride false; | ||||
|         enableACME = mkVMOverride false; | ||||
|       }; | ||||
|     in | ||||
|     mapAttrs' (bucket: _: { | ||||
|       name = fedicfg.web.domainForBucket bucket; | ||||
|       inherit value; | ||||
|     }) (filterAttrs (_: { website, ... }: website) cfg.ensureBuckets); | ||||
| 
 | ||||
|   virtualisation.diskSize = 2048; | ||||
|   virtualisation.forwardPorts = [ | ||||
|     { | ||||
|       from = "host"; | ||||
|       host.port = fedicfg.rpc.port; | ||||
|       guest.port = fedicfg.rpc.port; | ||||
|     } | ||||
|     { | ||||
|       from = "host"; | ||||
|       host.port = fedicfg.web.internalPort; | ||||
|       guest.port = fedicfg.web.internalPort; | ||||
|     } | ||||
|   ]; | ||||
| } | ||||
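Review bot: Both `virtualisation.forwardPorts` entries forward Garage's RPC port and the web `internalPort` to the host without setting `host.address`, so QEMU binds them on every host interface and the RPC plane (guarded only by the RPC secret) is reachable from the host's network for as long as the VM runs; add `host.address = "127.0.0.1";` to each entry. `vm/interactive-vm.nix` in this same change has the same gap for its new `22222 -> 22` forward, on a VM whose root account has an empty password. `filterAttrs (_: { website, ... }: website)` raises a missing-attribute error if any `ensureBuckets` entry lacks `website`; I cannot see the option definition here, so if it has no default, `(_: b: b.website or false)` is the safer predicate.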
|  | @ -1,5 +1,6 @@ | |||
| # customize nixos-rebuild build-vm to be a bit more convenient | ||||
| { pkgs, ... }: { | ||||
| { pkgs, ... }: | ||||
| { | ||||
|   # let us log in | ||||
|   users.mutableUsers = false; | ||||
|   users.users.root.hashedPassword = ""; | ||||
|  | @ -34,7 +35,10 @@ | |||
|   # no graphics. see nixos-shell | ||||
|   virtualisation = { | ||||
|     graphics = false; | ||||
|     qemu.consoles = [ "tty0" "hvc0" ]; | ||||
|     qemu.consoles = [ | ||||
|       "tty0" | ||||
|       "hvc0" | ||||
|     ]; | ||||
|     qemu.options = [ | ||||
|       "-serial null" | ||||
|       "-device virtio-serial" | ||||
|  | @ -44,12 +48,19 @@ | |||
|     ]; | ||||
|   }; | ||||
| 
 | ||||
| 
 | ||||
|   # we can't forward port 80 or 443, so let's run nginx on a different port | ||||
|   networking.firewall.allowedTCPPorts = [ 8443 8080 ]; | ||||
|   networking.firewall.allowedTCPPorts = [ | ||||
|     8443 | ||||
|     8080 | ||||
|   ]; | ||||
|   services.nginx.defaultSSLListenPort = 8443; | ||||
|   services.nginx.defaultHTTPListenPort = 8080; | ||||
|   virtualisation.forwardPorts = [ | ||||
|     { | ||||
|       from = "host"; | ||||
|       host.port = 22222; | ||||
|       guest.port = 22; | ||||
|     } | ||||
|     { | ||||
|       from = "host"; | ||||
|       host.port = 8080; | ||||
|  |  | |||
|  | @ -1,8 +1,12 @@ | |||
| { modulesPath, lib, config, ... }: { | ||||
| { | ||||
|   modulesPath, | ||||
|   lib, | ||||
|   config, | ||||
|   ... | ||||
| }: | ||||
| { | ||||
| 
 | ||||
|   imports = [ | ||||
|     (modulesPath + "/virtualisation/qemu-vm.nix") | ||||
|   ]; | ||||
|   imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ]; | ||||
| 
 | ||||
|   config = lib.mkMerge [ | ||||
|     { | ||||
|  | @ -10,19 +14,17 @@ | |||
|         enable = true; | ||||
|         domain = "localhost"; | ||||
|         mastodon.enable = true; | ||||
| 
 | ||||
|         temp.cores = config.virtualisation.cores; | ||||
|       }; | ||||
| 
 | ||||
|       services.mastodon = { | ||||
|         extraConfig = { | ||||
|           EMAIL_DOMAIN_ALLOWLIST = "example.com"; | ||||
|         }; | ||||
| 
 | ||||
|         # from the documentation: recommended is the amount of your CPU cores | ||||
|         # minus one. but it also must be a positive integer | ||||
|         streamingProcesses = lib.max 1 (config.virtualisation.cores - 1); | ||||
|       }; | ||||
| 
 | ||||
|       security.acme = { | ||||
|       security.acme = lib.mkVMOverride { | ||||
|         defaults = { | ||||
|           # invalid server; the systemd service will fail, and we won't get | ||||
|           # properly signed certificates. but let's not spam the letsencrypt | ||||
|  |  | |||
|  | @ -1,8 +1,8 @@ | |||
| { pkgs, modulesPath, ... }: { | ||||
| { modulesPath, ... }: | ||||
| 
 | ||||
|   imports = [ | ||||
|     (modulesPath + "/virtualisation/qemu-vm.nix") | ||||
|   ]; | ||||
| { | ||||
| 
 | ||||
|   imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ]; | ||||
| 
 | ||||
|   services.peertube = { | ||||
|     enableWebHttps = false; | ||||
|  | @ -10,10 +10,6 @@ | |||
|       listen.hostname = "0.0.0.0"; | ||||
|       instance.name = "PeerTube Test VM"; | ||||
|     }; | ||||
|     # TODO: use agenix | ||||
|     secrets.secretsFile = pkgs.writeText "secret" '' | ||||
|       574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24 | ||||
|     ''; | ||||
|   }; | ||||
| 
 | ||||
|   virtualisation.forwardPorts = [ | ||||
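Review bot: Removing the hard-coded `secrets.secretsFile` is the right move, but the hex value it held was committed and stays in git history, so it should be treated as exposed and never reused for a non-throwaway instance; the same applies to the `APP_KEY` removed from `vm/pixelfed-vm.nix` in this change. Nothing in this hunk shows where `services.peertube.secrets.secretsFile` is now provided; if the `fediversity` module (outside this diff) does not set it, the PeerTube VM will fail to evaluate, so once confirmed a comment such as `## secrets are provided by the fediversity module` above `services.peertube` would make the dependency explicit. The old `pkgs.writeText` also placed the secret in the world-readable Nix store, so the replacement should read it from a path outside the store rather than another `writeText`.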
|  |  | |||
|  | @ -1,8 +1,16 @@ | |||
| { pkgs, modulesPath, ... }: { | ||||
| { | ||||
|   lib, | ||||
|   modulesPath, | ||||
|   ... | ||||
| }: | ||||
| 
 | ||||
|   imports = [ | ||||
|     (modulesPath + "/virtualisation/qemu-vm.nix") | ||||
|   ]; | ||||
| let | ||||
|   inherit (lib) mkVMOverride; | ||||
| 
 | ||||
| in | ||||
| 
 | ||||
| { | ||||
|   imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ]; | ||||
| 
 | ||||
|   fediversity = { | ||||
|     enable = true; | ||||
|  | @ -10,22 +18,16 @@ | |||
|     pixelfed.enable = true; | ||||
|   }; | ||||
| 
 | ||||
|   networking.firewall.allowedTCPPorts = [ 80 ]; | ||||
|   services.pixelfed = { | ||||
|     # TODO: secrets management! | ||||
|     secretFile = pkgs.writeText "secrets.env" '' | ||||
|       APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA | ||||
|     ''; | ||||
|     settings = { | ||||
|       OPEN_REGISTRATION = true; | ||||
|       FORCE_HTTPS_URLS = false; | ||||
|     }; | ||||
|     # I feel like this should have an `enable` option and be configured via `services.nginx` rather than mirroring those options in services.pixelfed.nginx | ||||
|     # TODO: If that indeed makes sense, upstream it. | ||||
|     nginx = { | ||||
|       # locations."/public/".proxyPass = "${config.fediversity.internal.garage.web.urlFor "pixelfed"}/public/"; | ||||
|       forceSSL = mkVMOverride false; | ||||
|       enableACME = mkVMOverride false; | ||||
|     }; | ||||
|   }; | ||||
| 
 | ||||
|   virtualisation.memorySize = 2048; | ||||
|   virtualisation.forwardPorts = [ | ||||
|     { | ||||
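Review bot: The new `nginx.forceSSL = mkVMOverride false` serves Pixelfed over plain HTTP, but the explicit `FORCE_HTTPS_URLS = false` and `OPEN_REGISTRATION = true` settings are dropped in the same hunk; unless the `fediversity` module (not in this diff) now sets them, Pixelfed may generate `https://` URLs on an HTTP-only VM, which the `pixelfed-garage` test's `src.startswith(...)` check would not catch — worth verifying against that module. `networking.firewall.allowedTCPPorts = [ 80 ]` is also removed, so if nothing else opens port 80 the host-side `forwardPorts` below this hunk will hit a closed guest firewall. The commented-out `locations."/public/".proxyPass` line is dead configuration and should either be wired up or deleted.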
|  |  | |||