693e21b1a8
for now, had to get rid of vmVariant. we can figure out how to add it back when we understand how we should actually distinguish between real machines and VMs
200 lines
7.2 KiB
Nix
200 lines
7.2 KiB
Nix
let
|
|
snakeoil_key = {
|
|
id = "GK3515373e4c851ebaad366558";
|
|
secret = "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
|
|
};
|
|
in
|
|
{ config, lib, pkgs, ... }: lib.mkMerge [
|
|
{ # garage setup
|
|
services.garage = {
|
|
ensureBuckets = {
|
|
mastodon = {
|
|
website = true;
|
|
corsRules = {
|
|
enable = true;
|
|
allowedHeaders = [ "*" ];
|
|
allowedMethods = [ "GET" ];
|
|
allowedOrigins = [ "*" ];
|
|
};
|
|
};
|
|
};
|
|
ensureKeys = {
|
|
mastodon = {
|
|
inherit (snakeoil_key) id secret;
|
|
ensureAccess = {
|
|
mastodon = {
|
|
read = true;
|
|
write = true;
|
|
owner = true;
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
services.mastodon = {
|
|
extraConfig = {
|
|
S3_ENABLED = "true";
|
|
S3_ENDPOINT = "http://s3.garage.localhost:3900";
|
|
S3_REGION = "garage";
|
|
S3_BUCKET = "mastodon";
|
|
# use <S3_BUCKET>.<S3_ENDPOINT>
|
|
S3_OVERRIDE_PATH_STLE = "true";
|
|
AWS_ACCESS_KEY_ID = snakeoil_key.id;
|
|
AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
|
|
S3_PROTOCOL = "http";
|
|
S3_HOSTNAME = "web.garage.localhost:3902";
|
|
# by default it tries to use "<S3_HOSTNAME>/<S3_BUCKET>"
|
|
# but we want "<S3_BUCKET>.<S3_HOSTNAME>"
|
|
S3_ALIAS_HOST = "mastodon.web.garage.localhost:3902";
|
|
# XXX: I think we need to set up a proper CDN host
|
|
# CDN_HOST = "mastodon.web.garage.localhost:3902";
|
|
# SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/
|
|
# TODO: can we set up ACLs with garage?
|
|
S3_PERMISSION = "";
|
|
};
|
|
};
|
|
}
|
|
# mastodon setup
|
|
{
|
|
# open up access to the mastodon web interface
|
|
networking.firewall.allowedTCPPorts = [ 443 ];
|
|
|
|
services.mastodon = {
|
|
enable = true;
|
|
|
|
# TODO: set up a domain name, and a DNS service so that this can run not in a vm
|
|
# localDomain = "domain.social";
|
|
configureNginx = true;
|
|
|
|
# TODO: configure a mailserver so this works
|
|
# smtp.fromAddress = "mastodon@mastodon.localhost";
|
|
|
|
# TODO: this is hardware-dependent. let's figure it out when we have hardware
|
|
# streamingProcesses = 1;
|
|
};
|
|
|
|
security.acme = {
|
|
acceptTerms = true;
|
|
preliminarySelfsigned = true;
|
|
# TODO: configure a mailserver so we can set up acme
|
|
# defaults.email = "test@example.com";
|
|
};
|
|
}
|
|
# VM setup
|
|
{
|
|
services.mastodon = {
|
|
# redirects to localhost, but allows it to have a proper domain name
|
|
localDomain = "mastodon.localhost";
|
|
|
|
smtp = {
|
|
fromAddress = "mastodon@mastodon.localhost";
|
|
createLocally = false;
|
|
};
|
|
|
|
extraConfig = {
|
|
EMAIL_DOMAIN_ALLOWLIST = "example.com";
|
|
};
|
|
|
|
# from the documentation: recommended is the amount of your CPU cores minus one.
|
|
# but it also must be a positive integer
|
|
streamingProcesses = lib.max 1 (config.virtualisation.cores - 1);
|
|
};
|
|
|
|
security.acme = {
|
|
defaults = {
|
|
# invalid server; the systemd service will fail, and we won't get properly signed certificates
|
|
# but let's not spam the letsencrypt servers (and we don't own this domain anyways)
|
|
server = "https://127.0.0.1";
|
|
email = "none";
|
|
};
|
|
};
|
|
|
|
virtualisation.memorySize = 2048;
|
|
virtualisation.forwardPorts = [
|
|
{
|
|
from = "host";
|
|
host.port = 44443;
|
|
guest.port = 443;
|
|
}
|
|
];
|
|
}
|
|
|
|
# mastodon development environment
|
|
{
|
|
networking.firewall.allowedTCPPorts = [ 55001 ];
|
|
services.mastodon = {
|
|
# needed so we can directly access mastodon at port 55001
|
|
# otherwise, mastodon has to be accessed *from* port 443, which we can't do via port forwarding
|
|
enableUnixSocket = false;
|
|
extraConfig = {
|
|
RAILS_ENV = "development";
|
|
# to be accessible from outside the VM
|
|
BIND = "0.0.0.0";
|
|
# for letter_opener (still doesn't work though)
|
|
REMOTE_DEV = "true";
|
|
LOCAL_DOMAIN = "mastodon.localhost:8443";
|
|
};
|
|
};
|
|
# services.nginx.virtualHosts."${config.services.mastodon.localDomain}" = {
|
|
# extraConfig = ''
|
|
# add_header Content-Security-Policy 'base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' http://mastodon.localhost:8443; img-src * https: data: blob: http://mastodon.localhost:8443; style-src 'self' http://mastodon.localhost:8443 'nonce-QvwdQ3lNRMmEcQnhZ22MAg=='; media-src 'self' https: data: http://mastodon.localhost:8443; frame-src 'self' https:; manifest-src 'self' http://mastodon.localhost:8443; form-action 'self'; child-src 'self' blob: http://mastodon.localhost:8443; worker-src 'self' blob: http://mastodon.localhost:8443; connect-src 'self' data: blob: http://mastodon.localhost:8443 http://mastodon.web.garage.localhost:3902 ws://mastodon.localhost:4000 ws://localhost:3035 http://localhost:3035; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://mastodon.localhost:8443'
|
|
# '';
|
|
# };
|
|
# services.nginx.virtualHosts."${config.services.mastodon.localDomain}".locations."/sw.js" =
|
|
|
|
services.postgresql = {
|
|
enable = true;
|
|
ensureUsers = [
|
|
{
|
|
name = config.services.mastodon.database.user;
|
|
ensureClauses.createdb = true;
|
|
# ensurePermissions doesn't work anymore
|
|
# ensurePermissions = {
|
|
# "mastodon_development.*" = "ALL PRIVILEGES";
|
|
# "mastodon_test.*" = "ALL PRIVILEGES";
|
|
# }
|
|
}
|
|
];
|
|
# ensureDatabases = [ "mastodon_development_test" "mastodon_test" ];
|
|
};
|
|
|
|
# Currently, nixos seems to be able to create a single database per
|
|
# postgres user. This works for the production version of mastodon, which
|
|
# is what's packaged in nixpkgs. For development, we need two databases,
|
|
# mastodon_development and mastodon_test. This used to be possible with
|
|
# ensurePermissions, but that's broken and has been removed. Here I copy
|
|
# the mastodon-init-db script from upstream nixpkgs, but add the single
|
|
# line `rails db:setup`, which asks mastodon to create the postgres
|
|
# databases for us.
|
|
# FIXME: the commented out lines were breaking things, but presumably they're necessary for something.
|
|
# TODO: see if we can fix the upstream ensurePermissions stuff. See above for what that config would look like.
|
|
systemd.services.mastodon-init-db.script = lib.mkForce ''
|
|
result="$(psql -t --csv -c \
|
|
"select count(*) from pg_class c \
|
|
join pg_namespace s on s.oid = c.relnamespace \
|
|
where s.nspname not in ('pg_catalog', 'pg_toast', 'information_schema') \
|
|
and s.nspname not like 'pg_temp%';")" || error_code=$?
|
|
if [ "''${error_code:-0}" -ne 0 ]; then
|
|
echo "Failure checking if database is seeded. psql gave exit code $error_code"
|
|
exit "$error_code"
|
|
fi
|
|
if [ "$result" -eq 0 ]; then
|
|
echo "Seeding database"
|
|
rails db:setup
|
|
# SAFETY_ASSURED=1 rails db:schema:load
|
|
rails db:seed
|
|
# else
|
|
# echo "Migrating database (this might be a noop)"
|
|
# rails db:migrate
|
|
fi
|
|
'';
|
|
virtualisation.forwardPorts = [
|
|
{
|
|
from = "host";
|
|
host.port = 55001;
|
|
guest.port = 55001;
|
|
}
|
|
];
|
|
}
|
|
]
|