191 lines
5.9 KiB
Nix
191 lines
5.9 KiB
Nix
let
|
|
snakeoil_key = {
|
|
id = "GK3515373e4c851ebaad366558";
|
|
secret = "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
|
|
};
|
|
in
|
|
{ config, lib, pkgs, ... }: lib.mkMerge [
|
|
{ # garage setup
|
|
services.garage = {
|
|
ensureBuckets = {
|
|
mastodon = {
|
|
website = true;
|
|
# corsRules = {
|
|
# enable = true;
|
|
# allowedHeaders = [ "*" ];
|
|
# allowedMethods = [ "GET" ];
|
|
# allowedOrigins = [ "*" ];
|
|
# };
|
|
};
|
|
};
|
|
ensureKeys = {
|
|
mastodon = {
|
|
inherit (snakeoil_key) id secret;
|
|
ensureAccess = {
|
|
mastodon = {
|
|
read = true;
|
|
write = true;
|
|
owner = true;
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
services.mastodon = {
|
|
extraConfig = {
|
|
S3_ENABLED = "true";
|
|
S3_ENDPOINT = "http://s3.garage.localhost:3900";
|
|
S3_REGION = "garage";
|
|
S3_BUCKET = "mastodon";
|
|
# use <S3_BUCKET>.<S3_ENDPOINT>
|
|
S3_OVERRIDE_PATH_STLE = "true";
|
|
AWS_ACCESS_KEY_ID = snakeoil_key.id;
|
|
AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
|
|
S3_PROTOCOL = "http";
|
|
S3_HOSTNAME = "web.garage.localhost:3902";
|
|
# by default it tries to use "<S3_HOSTNAME>/<S3_BUCKET>"
|
|
# but we want "<S3_BUCKET>.<S3_HOSTNAME>"
|
|
S3_ALIAS_HOST = "mastodon.web.garage.localhost:3902";
|
|
# XXX: I think we need to set up a proper CDN host
|
|
CDN_HOST = "mastodon.web.garage.localhost:3902";
|
|
# SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/
|
|
# TODO: can we set up ACLs with garage?
|
|
S3_PERMISSION = "";
|
|
};
|
|
};
|
|
}
|
|
# mastodon setup
|
|
{
|
|
# open up access to the mastodon web interface
|
|
networking.firewall.allowedTCPPorts = [ 443 ];
|
|
|
|
services.mastodon = {
|
|
enable = true;
|
|
|
|
# TODO: set up a domain name, and a DNS service so that this can run not in a vm
|
|
# localDomain = "domain.social";
|
|
configureNginx = true;
|
|
|
|
# TODO: configure a mailserver so this works
|
|
# smtp.fromAddress = "mastodon@mastodon.localhost";
|
|
|
|
# TODO: this is hardware-dependent. let's figure it out when we have hardware
|
|
# streamingProcesses = 1;
|
|
};
|
|
|
|
security.acme = {
|
|
acceptTerms = true;
|
|
preliminarySelfsigned = true;
|
|
# TODO: configure a mailserver so we can set up acme
|
|
# defaults.email = "test@example.com";
|
|
};
|
|
}
|
|
# VM setup
|
|
{
|
|
# these configurations only apply when producing a VM (e.g. nixos-rebuild build-vm)
|
|
virtualisation.vmVariant = { config, ... }: {
|
|
services.mastodon = {
|
|
# redirects to localhost, but allows it to have a proper domain name
|
|
localDomain = "mastodon.localhost";
|
|
|
|
smtp = {
|
|
fromAddress = "mastodon@mastodon.localhost";
|
|
createLocally = false;
|
|
};
|
|
|
|
extraConfig = {
|
|
EMAIL_DOMAIN_ALLOWLIST = "example.com";
|
|
};
|
|
|
|
# from the documentation: recommended is the amount of your CPU cores minus one.
|
|
# but it also must be a positive integer
|
|
streamingProcesses = let
|
|
ncores = config.virtualisation.cores;
|
|
in
|
|
lib.max 1 (ncores - 1);
|
|
};
|
|
|
|
security.acme = {
|
|
defaults = {
|
|
# invalid server; the systemd service will fail, and we won't get properly signed certificates
|
|
# but let's not spam the letsencrypt servers (and we don't own this domain anyways)
|
|
server = "https://127.0.0.1";
|
|
email = "none";
|
|
};
|
|
};
|
|
|
|
virtualisation.memorySize = 2048;
|
|
virtualisation.forwardPorts = [
|
|
{
|
|
from = "host";
|
|
host.port = 44443;
|
|
guest.port = 443;
|
|
}
|
|
];
|
|
};
|
|
}
|
|
|
|
# mastodon development environment
|
|
{
|
|
networking.firewall.allowedTCPPorts = [ 55001 ];
|
|
virtualisation.vmVariant = { config, ... }: {
|
|
services.mastodon = {
|
|
# needed so we can directly access mastodon at port 55001
|
|
# otherwise, mastodon has to be accessed *from* port 443, which we can't do via port forwarding
|
|
enableUnixSocket = false;
|
|
extraConfig = {
|
|
RAILS_ENV = "development";
|
|
# to be accessible from outside the VM
|
|
BIND = "0.0.0.0";
|
|
# for letter_opener (still doesn't work though)
|
|
REMOTE_DEV = "true";
|
|
};
|
|
};
|
|
|
|
services.postgresql = {
|
|
enable = true;
|
|
ensureUsers = [
|
|
{
|
|
name = config.services.mastodon.database.user;
|
|
ensureClauses.createdb = true;
|
|
# ensurePermissions doesn't work anymore
|
|
# ensurePermissions = {
|
|
# "mastodon_development.*" = "ALL PRIVILEGES";
|
|
# "mastodon_test.*" = "ALL PRIVILEGES";
|
|
# }
|
|
}
|
|
];
|
|
# ensureDatabases = [ "mastodon_development_test" "mastodon_test" ];
|
|
};
|
|
|
|
# run rails db:seed so that mastodon sets up the databases for us
|
|
# iirc the postgresql module can also do this kind of thing
|
|
systemd.services.mastodon-init-db.script = lib.mkForce ''
|
|
# This conditional freaks me out
|
|
# Maybe configure psql to output in a more machine-readable format?
|
|
if [ `psql -c \
|
|
"select count(*) from pg_class c \
|
|
join pg_namespace s on s.oid = c.relnamespace \
|
|
where s.nspname not in ('pg_catalog', 'pg_toast', 'information_schema') \
|
|
and s.nspname not like 'pg_temp%';" | sed -n 3p` -eq 0 ]; then
|
|
echo "Seeding database"
|
|
rails db:setup
|
|
# SAFETY_ASSURED=1 rails db:schema:load
|
|
rails db:seed
|
|
else
|
|
echo "Migrating database (this might be a noop)"
|
|
# TODO: this breaks for some reason
|
|
# rails db:migrate
|
|
fi
|
|
'';
|
|
virtualisation.forwardPorts = [
|
|
{
|
|
from = "host";
|
|
host.port = 55001;
|
|
guest.port = 55001;
|
|
}
|
|
];
|
|
};
|
|
}
|
|
]
|