# NixOS module that points Pixelfed's media storage at a local Garage S3 bucket
# and adds a VM variant for trying the setup out locally.
{ config, lib, pkgs, ... }:

let
  # Throwaway Garage credential. It is committed to this file, so treat it as
  # public and use it only for local development. Note that it is referenced
  # from the top-level config below, not only from `virtualisation.vmVariant`.
  snakeoil_key = {
    id = "GKb5615457d44214411e673b7b";
    secret = "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
  };
in
{
  # Garage side: the bucket Pixelfed stores media in, served as a website.
  services.garage.ensureBuckets.pixelfed = {
    website = true;
    # TODO: this policy is wider than needed; once everything works, restrict
    # allowedOrigins (and allowedHeaders) to the domain the site is served from.
    corsRules = {
      enable = true;
      allowedHeaders = [ "*" ];
      allowedMethods = [ "GET" ];
      allowedOrigins = [ "*" ];
    };
  };

  # The access key Pixelfed authenticates with; full rights on its own bucket.
  services.garage.ensureKeys.pixelfed = {
    id = snakeoil_key.id;
    secret = snakeoil_key.secret;
    ensureAccess.pixelfed = {
      read = true;
      write = true;
      owner = true;
    };
  };

  # Pixelfed side: point its S3 filesystem driver at the Garage endpoint.
  # TODO: factor the endpoint out so s3.garage.localhost and port 3900 are
  # defined in exactly one place.
  services.pixelfed.settings = {
    FILESYSTEM_CLOUD = "s3";
    PF_ENABLE_CLOUD = true;
    AWS_ACCESS_KEY_ID = snakeoil_key.id;
    AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
    AWS_DEFAULT_REGION = "garage";
    AWS_URL = "http://pixelfed.s3.garage.localhost:3900";
    AWS_BUCKET = "pixelfed";
    AWS_ENDPOINT = "http://s3.garage.localhost:3900";
    AWS_USE_PATH_STYLE_ENDPOINT = false;
  };

  # Settings that only apply to the development VM.
  virtualisation.vmVariant = {
    networking.firewall.allowedTCPPorts = [ 80 ];
    virtualisation.memorySize = 2048;
    # Host port 8000 is forwarded to the guest's port 80.
    virtualisation.forwardPorts = [
      { from = "host"; host.port = 8000; guest.port = 80; }
    ];

    services.pixelfed = {
      enable = true;
      domain = "pixelfed.localhost";
      # TODO: secrets management! `pkgs.writeText` places this file in the Nix
      # store, which every local user can read, so this APP_KEY is acceptable
      # only for a throwaway VM.
      secretFile = pkgs.writeText "secrets.env" ''
        APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
      '';
      settings = {
        OPEN_REGISTRATION = true;
        FORCE_HTTPS_URLS = false;
      };
      # This feels like it should be an `enable` option configured through
      # `services.nginx` rather than mirroring those options here.
      # TODO: if that holds up, upstream it.
      nginx = {};
    };
  };
}