diff --git a/flake.lock b/flake.lock
index 380f41c..23ad397 100644
--- a/flake.lock
+++ b/flake.lock
@@ -546,6 +546,22 @@
 "type": "github"
 }
 },
+ "nixpkgs-unstable": {
+ "locked": {
+ "lastModified": 1738410390,
+ "narHash": "sha256-xvTo0Aw0+veek7hvEVLzErmJyQkEcRk6PSR4zsRQFEc=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "3a228057f5b619feb3186e986dbe76278d707b6e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs_2": {
 "locked": {
 "lastModified": 1687274257,
@@ -654,6 +670,7 @@
 "nil-lsp": "nil-lsp",
 "nix-homebrew": "nix-homebrew",
 "nixpkgs": "nixpkgs_4",
+ "nixpkgs-unstable": "nixpkgs-unstable",
 "nixvim": "nixvim"
 }
 },
diff --git a/flake.nix b/flake.nix
index c955774..d753881 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,9 +2,9 @@ description = "nix configuration for my servers + other stuff"; inputs = { - nixpkgs = { - url = "github:nixos/nixpkgs/nixos-24.11"; - }; + nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; + + nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; darwin = { url = "github:LnL7/nix-darwin/nix-darwin-24.11";
@@ -56,6 +56,7 @@ nil-lsp, home-manager, nix-homebrew, + nixpkgs-unstable, ... } @ inputs: let lib = nixpkgs.lib // home-manager.lib;
@@ -74,6 +75,12 @@ inherit system; }); + importUnstable = system: + import nixpkgs-unstable { + inherit system; + config.allowUnfree = true; + }; + deployPkgs = forEachSupportedSystem ( { pkgs,
@@ -137,11 +144,12 @@ # Config for my servers nixosConfigurations = { - ashokan = lib.nixosSystem { + ashokan = lib.nixosSystem rec { system = "aarch64-linux"; specialArgs = { inherit inputs; + unstable = importUnstable system; }; modules = [
@@ -160,11 +168,12 @@ ./home/henrikvt ]; }; - barnegat = lib.nixosSystem { + barnegat = lib.nixosSystem rec { system = "x86_64-linux"; specialArgs = { inherit inputs; + pkgs-unstable = importUnstable system; }; modules = [ 
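Review bot: The unstable package set is handed to the two hosts under different specialArgs names: `unstable = importUnstable system;` for ashokan in this hunk and `pkgs-unstable = importUnstable system;` for barnegat in the `@@ -160` hunk, while the barnegat services module in this same commit consumes `pkgs-unstable`. Any module later shared between the hosts will fail on the other name, so pick one (the flake input is already called `nixpkgs-unstable`, so `pkgs-unstable` reads naturally) and use it in both `specialArgs`. It is also worth a one-line comment on `importUnstable` that it turns on `config.allowUnfree = true` for every host that imports it. The enclosing `nixosConfigurations` attrset starts and ends outside these hunks.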
diff --git a/home/henrikvt/ghostty.txt b/home/henrikvt/ghostty.txt
index f6dc250..89b6c0a 100644
--- a/home/henrikvt/ghostty.txt
+++ b/home/henrikvt/ghostty.txt
@@ -7,5 +7,7 @@ shell-integration = zsh
 theme = catppuccin-mocha
 window-inherit-working-directory = true
 working-directory = home
+term = xterm-256color
 keybind = cmd+r=reload_config
-term = xterm-256color
\ No newline at end of file
+keybind = cmd+q=quit
+keybind = cmd+w=close_surface
\ No newline at end of file
diff --git a/home/henrikvt/home.nix b/home/henrikvt/home.nix
index 805d49c..7c1255d 100644
--- a/home/henrikvt/home.nix
+++ b/home/henrikvt/home.nix
@@ -32,17 +32,19 @@ magic-wormhole glab python3 + nyancat + moon-buggy + sl + cowsay ]; shellAliases = { cat = "${pkgs.bat}/bin/bat -p"; - less = "${pkgs.bat}/bin/bat --style plain"; lzg = "${pkgs.lazygit}/bin/lazygit"; }; sessionVariables = { EDITOR = "nvim"; - # VISUAL = "nvim"; }; };
@@ -94,7 +96,8 @@ ]; }; - profileExtra = builtins.readFile ./.zprofile.zsh; + profileExtra = builtins.readFile ./zprofile.zsh; + initExtra = builtins.readFile ./zshrc.zsh; }; # Prompt
diff --git a/home/henrikvt/.zprofile.zsh b/home/henrikvt/zprofile.zsh
similarity index 75%
rename from home/henrikvt/.zprofile.zsh
rename to home/henrikvt/zprofile.zsh
index 220e858..2145d78 100644
--- a/home/henrikvt/.zprofile.zsh
+++ b/home/henrikvt/zprofile.zsh
@@ -20,3 +20,14 @@ alias ptop='ceiling_divide $LINES 4; clear_rows $ceiling_result'
 alias pmid='ceiling_divide $LINES 2; clear_rows $ceiling_result'
 # Clear 3/4th
 alias pdown='ceiling_divide $((3*LINES)) 4; clear_rows $ceiling_result'
+
+# Get the git ssh url of a github repo using gh cli
+if command -v "gh" &> /dev/null; then
+ function ghurl() {
+ gh repo view --json sshUrl --jq .sshUrl $1 | cat
+ }
+fi
+
+if command -v "rbenv" &> /dev/null; then
+ eval "$(rbenv init -)"
+fi
diff --git a/home/henrikvt/zshrc.zsh b/home/henrikvt/zshrc.zsh
new file mode 100644
index 0000000..86029e2
--- /dev/null
+++ b/home/henrikvt/zshrc.zsh
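Review bot: `$1` in `ghurl` is unquoted (`gh repo view --json sshUrl --jq .sshUrl $1 | cat`), so an argument containing whitespace or glob characters is word-split and globbed before it reaches `gh`; write `gh repo view --json sshUrl --jq .sshUrl "$1" | cat`. If the trailing `| cat` is there to stop gh from paging or colouring its output, a short comment saying so will keep the next reader from deleting it. The `eval "$(rbenv init -)"` line is the documented rbenv pattern and is fine as written; the surrounding zprofile continues outside the hunk.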
@@ -0,0 +1,4 @@
+# If fnm is present (ie running `fnm` returns 0), eval it
+if command -v "fnm" &> /dev/null; then
+ eval "$(fnm env)"
+fi
\ No newline at end of file
diff --git a/machines/darwin/default.nix b/machines/darwin/default.nix
index f8e9c68..b6fabcc 100644
--- a/machines/darwin/default.nix
+++ b/machines/darwin/default.nix
@@ -41,6 +41,9 @@ in { home.henrikvt.enable = true; + # Show hidden files in Finder always + system.defaults.finder.AppleShowAllFiles = true; + # Force the nix daemon to run services.nix-daemon.enable = lib.mkForce true; }
diff --git a/machines/darwin/pepacton/default.nix b/machines/darwin/pepacton/default.nix
index b027a33..8533c75 100644
--- a/machines/darwin/pepacton/default.nix
+++ b/machines/darwin/pepacton/default.nix
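Review bot: The header comment `# If fnm is present (ie running `fnm` returns 0), eval it` describes a check the code does not perform: `command -v "fnm"` only tests that a command named fnm resolves on PATH, and fnm itself is never executed by the test. Suggest `# If fnm is on PATH, load its shell integration (eval of `fnm env`)`. The new file also lacks a trailing newline, which the diff flags.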
@@ -16,29 +16,36 @@ qrcp ninvaders statix + yt-dlp + wrangler + pipes ]; }; - environment.shellAliases = { - rebuild = "darwin-rebuild switch --flake /Users/henrikvt/Desktop/Code/projects/nixmachines#pepacton && omz reload"; - # ghostty = "$GHOSTTY_BIN_DIR/ghostty"; - tailscale = "/Applications/Tailscale.app/Contents/MacOS/Tailscale"; - ytdl = "ytdlp"; - home = "cd ~"; - nvm = "fnm"; - }; - environment = { - systemPath = ["\"/Users/henrikvt/Library/Application Support/JetBrains/Toolbox/scripts\"" "$GHOSTTY_BIN_DIR" "$HOME/.bun/bin"]; + shellAliases = { + rebuild = "darwin-rebuild switch --flake /Users/henrikvt/Desktop/Code/projects/nixmachines#pepacton && omz reload"; + reload = "omz reload"; + tailscale = "/Applications/Tailscale.app/Contents/MacOS/Tailscale"; + ytdl = "yt-dlp"; + home = "cd ~"; + nvm = "fnm"; + pn = "pnpm"; + }; + systemPackages = with pkgs; [ncurses]; + # systemPath = ["$JETBRAINS_BIN_DIR" "$GHOSTTY_BIN_DIR" "$HOME/.bun/bin"]; variables = { EDITOR = "nvim"; _ZO_DATA_DIR = "/Users/henrikvt/.zoxide"; _ZO_EXCLUDE_DIRS = "$HOME:$HOME/wpilib/**/*"; - JETBRAINS_BIN_DIR = "\"/Users/henrikvt/Library/Application Support/JetBrains/Toolbox/scripts\""; + JETBRAINS_BIN_DIR = "$HOME/Library/Application\ Support/JetBrains/Toolbox/scripts"; + FNM_COREPACK_ENABLED = "true"; + FNM_RESOLVE_ENGINES = "true"; }; }; home-manager.users.henrikvt = { + home.sessionPath = ["$GHOSTTY_BIN_DIR" "$HOME/.bun/bin" "$JETBRAINS_BIN_DIR"]; programs.git.extraConfig = { user.signingkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICM+1ip8IBO+sK8J7cOwEtA/ba+tTtPHUGYC/KW6mppU"; gpg.format = "ssh"; 
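Review bot: `JETBRAINS_BIN_DIR = "$HOME/Library/Application\ Support/JetBrains/Toolbox/scripts"` reads as if `\ ` escapes the space, but in a Nix double-quoted string a backslash before an unrecognised character simply yields that character, so the resulting value is the plain path with an unescaped space and no backslash reaches the shell. That is only safe while every consumer quotes the variable, and the new `home.sessionPath = ["$GHOSTTY_BIN_DIR" "$HOME/.bun/bin" "$JETBRAINS_BIN_DIR"]` additionally assumes nix-darwin's `environment.variables` are exported before home-manager's session variables are evaluated, which this hunk does not show. Write the value without the misleading backslash, `JETBRAINS_BIN_DIR = "$HOME/Library/Application Support/JetBrains/Toolbox/scripts";`, add a comment on `home.sessionPath` recording the ordering assumption, and delete the commented-out `# systemPath = [...]` line rather than keeping dead config. The enclosing `environment` attrset starts outside the hunk.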
@@ -61,10 +68,28 @@
 autoMigrate = true;
 };
 
- networking.hostName = "pepacton";
+ networking = {
+ hostName = "pepacton";
+ search = [
+ "reindeer-porgy.ts.net"
+ "unicycl.ing"
+ ];
+ knownNetworkServices = [
+ "USB 10/100/1G/2.5G LAN"
+ "Thunderbolt Bridge"
+ "Wi-Fi"
+ "iPhone USB"
+ "Tailscale"
+ "UniFi Teleport"
+ "Mullvad"
+ ];
+ };
 
 # Enable GitHub TUI Dashboard (doesn't work on some systems)
- home.henrikvt.ghDash = true;
+ home.henrikvt = {
+ ghDash = true;
+ ghostty = true;
+ };
 
 nixpkgs.hostPlatform = "aarch64-darwin";
 # ======================== DO NOT CHANGE THIS ========================
diff --git a/machines/nixos/ashokan/default.nix b/machines/nixos/ashokan/default.nix
index f48f8d0..c8b1d2c 100644
--- a/machines/nixos/ashokan/default.nix
+++ b/machines/nixos/ashokan/default.nix
@@ -54,7 +54,6 @@
 secretsDir = ../../../secrets;
 chownPodman = file: {
 inherit file;
- owner = "mastodon";
 group = "podman";
 mode = "0400";
 };
@@ -67,21 +66,6 @@
 mastodonAREncryptionEnvVars = chownPodman "${secretsDir}/mastodonAREncryptionEnvVars.age";
 };
 
- svcs.traefik = {
- enable = true;
- environmentFiles = [config.age.secrets.cfDnsApiToken.path];
- };
-
- svcs.mastodon = {
- enable = true;
- configureTraefik = true;
- secretKeyBaseEnvFile = config.age.secrets.mastodonSecretKeyBase.path;
- otpSecretEnvFile = config.age.secrets.mastodonOtpSecret.path;
- vapidKeysEnvFile = config.age.secrets.mastodonVapidKeys.path;
- smtpPasswordEnvFile = config.age.secrets.mastodonSmtpPassword.path;
- activeRecordEncryptionEnvFile = config.age.secrets.mastodonAREncryptionEnvVars.path;
- };
-
 # ======================== DO NOT CHANGE THIS ========================
 system.stateVersion = "23.11";
 # ======================== DO NOT CHANGE THIS ========================
diff --git a/machines/nixos/ashokan/services/default.nix b/machines/nixos/ashokan/services/default.nix
index d04b964..25d8be5 100644
--- a/machines/nixos/ashokan/services/default.nix
+++ b/machines/nixos/ashokan/services/default.nix
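Review bot: With `owner = "mastodon";` removed from `chownPodman`, the decrypted secrets fall back to the default owner (root, unless overridden elsewhere in the file) while keeping `group = "podman";` and `mode = "0400";`; a 0400 mode grants the group nothing, so the `group` line is now inert and the helper's name promises access the podman group does not have. If the intent is that only the root-run `podman-*` units read these env files, drop `group = "podman";` and add `# read only by root, which runs the podman-* container units` above the helper; if the podman group is meant to read them, the mode has to become `"0440"`. Which of the two is intended cannot be determined from this hunk, so the change should say so.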
@@ -5,4 +5,15 @@
 enable = true;
 environmentFiles = [config.age.secrets.cfDnsApiToken.path];
 };
+
+ svcs.mastodon = {
+ enable = true;
+ configureTraefik = true;
+
+ secretKeyBaseEnvFile = config.age.secrets.mastodonSecretKeyBase.path;
+ otpSecretEnvFile = config.age.secrets.mastodonOtpSecret.path;
+ vapidKeysEnvFile = config.age.secrets.mastodonVapidKeys.path;
+ smtpPasswordEnvFile = config.age.secrets.mastodonSmtpPassword.path;
+ activeRecordEncryptionEnvFile = config.age.secrets.mastodonAREncryptionEnvVars.path;
+ };
 }
diff --git a/machines/nixos/ashokan/services/mastodon.nix b/machines/nixos/ashokan/services/mastodon.nix
deleted file mode 100644
index f46d977..0000000
--- a/machines/nixos/ashokan/services/mastodon.nix
+++ /dev/null
@@ -1,137 +0,0 @@ -{ - config, - lib, - ... -}: let - mastoProxyPort = 55080; - mastoHttpPort = 55443; - # mastoInternalDomain = "mastodon.localhost"; - # mastoStreamPort = 55444; - domain = "unicycl.ing"; - interfaceDomain = "mstdn.${domain}"; -in { - services.mastodon = { - enable = true; - # enableUnixSocket = false; - webPort = mastoHttpPort; - localDomain = domain; - extraConfig = { - WEB_DOMAIN = interfaceDomain; - - RAILS_LOG_LEVEL = "debug"; - # RAILS_SERVE_STATIC_FILES = "true"; - }; - configureNginx = false; - streamingProcesses = 1; - # streamingPort = mastoStreamPort; - - # Connect to Postgres DB via Unix Sockets using Peer Authentication, all settings are default - database = { - # host = "localhost"; - # port = 5432; - createLocally = true; - }; - - smtp = { - host = "smtp.improvmx.com"; - port = 587; - user = "mastodon@${domain}"; - passwordFile = config.age.secrets.mastodonSmtpPassword; - createLocally = false; - fromAddress = "mastodon@${domain}"; - }; - }; - - # External Reverse Proxy - services.traefik.dynamicConfigOptions = { - http = { - routers = { - mastodon = { - rule = "Host(`${interfaceDomain}`)"; - service = "mastodon"; - entryPoints = [ - "https" - "http" - ]; - tls.certResolver = "lecf"; - }; - }; - services = { - mastodon = { - loadBalancer = { - # servers = [{url = "http://unix:/run/mastodon-web/web.socket";}]; - servers = [{url = "http://localhost:${toString mastoProxyPort}";}]; - }; - }; - }; - }; - }; - - # Internal Proxy - services.caddy = { - enable = true; - extraConfig = '' - :${toString mastoProxyPort} { - handle_path /system/* { - file_server * { - root /var/lib/mastodon/public-system - } - } - - handle /api/v1/streaming/* { - reverse_proxy unix//run/mastodon-streaming/streaming-1.socket - } - - route * { - file_server * { - root ${config.services.mastodon.package}/public - pass_thru - } - reverse_proxy * unix//run/mastodon-web/web.socket - } - - handle_errors { - root * ${config.services.mastodon.package}/public - rewrite 
500.html - file_server - } - - encode gzip - - header /* { - Strict-Transport-Security "max-age=31536000;" - } - - header /emoji/* Cache-Control "public, max-age=31536000, immutable" - header /packs/* Cache-Control "public, max-age=31536000, immutable" - header /system/accounts/avatars/* Cache-Control "public, max-age=31536000, immutable" - header /system/media_attachments/files/* Cache-Control "public, max-age=31536000, immutable" - } - ''; - }; - - users.users.mastodon.extraGroups = ["nginx"]; - users.users.caddy.extraGroups = ["mastodon"]; - systemd.services.caddy = { - wants = ["mastodon.target"]; - serviceConfig.ReadWriteDirectories = lib.mkForce ["/var/lib/caddy" "/run/mastodon-web"]; - }; - # systemd.tmpfiles.rules = [ - # "d! /run/mastodon-web 0755 - nginx -" - # "z /run/mastodon-web - - nginx -" - # ]; - - # Postgres - services.postgresql = { - enable = true; - # enableTCPIP = true; - enableJIT = true; - ensureDatabases = ["mastodon"]; - ensureUsers = [ - { - name = "mastodon"; - ensureDBOwnership = true; - } - ]; - }; -} diff --git a/machines/nixos/barnegat/services/default.nix b/machines/nixos/barnegat/services/default.nix index 3ff7126..953e7cf 100644 --- a/machines/nixos/barnegat/services/default.nix +++ b/machines/nixos/barnegat/services/default.nix @@ -1,4 +1,8 @@ -{config, ...}: { +{ + config, + pkgs-unstable, + ... +}: { imports = [ ./metrics.nix ./proxy.nix @@ -22,4 +26,6 @@ enableTraefik = true; allowSignup = true; }; + + services.woodpecker-server.package = pkgs-unstable.woodpecker-server; } diff --git a/machines/nixos/valcour/default.nix b/machines/nixos/valcour/default.nix index 6aecd45..20be597 100644 --- a/machines/nixos/valcour/default.nix +++ b/machines/nixos/valcour/default.nix @@ -38,7 +38,7 @@ svcs.tailscale = { advertiseExitNode = true; - advertiseRoutes = ["10.205.16.212/32"]; + # advertiseRoutes = ["10.205.16.212/32"]; }; svcs.netcheck = { 
diff --git a/modules/nixos/mastodon/.env.production b/modules/nixos/mastodon/.env.production
index 0a6c7f0..3171d21 100644
--- a/modules/nixos/mastodon/.env.production
+++ b/modules/nixos/mastodon/.env.production
@@ -1 +1,65 @@
 RAILS_ENV=production
+# ALL VALUES IN THIS FILE ARE FOR TESTING ONLY. THEY ARE NOT USED FOR PRODUCTION DEPLOYMENTS.
+
+# Note that this file accepts slightly different syntax depending on whether
+# you are using `docker-compose` or not. In particular, if you use
+# `docker-compose`, the value of each declared variable will be taken verbatim,
+# including surrounding quotes.
+# See: https://github.com/mastodon/mastodon/issues/16895
+
+# Federation
+# ----------
+# This identifies your server and cannot be changed safely later
+# ----------
+LOCAL_DOMAIN=localhost
+
+# Redis
+# -----
+REDIS_HOST=redis
+REDIS_PORT=6379
+
+# PostgreSQL
+# ----------
+DB_HOST=db
+DB_USER=mastodon
+DB_NAME=mastodon_production
+DB_PASS=mastodon
+DB_PORT=5432
+
+# Elasticsearch (optional)
+# ------------------------
+ES_ENABLED=false
+
+
+# Secrets
+# -------
+# Make sure to use `bundle exec rails secret` to generate secrets
+# -------
+SECRET_KEY_BASE=4b59073f0e859c29bdeff9f96081092418866abceaaab0a868abe13ee76fe5b7bfccf435c6bc8dcdb9f69c7cfacba3e7a032aec4dc329685891bb0545fc8b8b6
+OTP_SECRET=34e086640459825c6360d19c411c8737eeb576520a7e151ece45c4455fff3c2820d84186448ff810f107a78a67b30e8a12eec99d33c5a68a3641c895796ebc8e
+
+# Encryption secrets
+# ------------------
+# Must be available (and set to same values) for all server processes
+# These are private/secret values, do not share outside hosting environment
+# Use `bin/rails db:encryption:init` to generate fresh secrets
+# Do NOT change these secrets once in use, as this would cause data loss and other issues
+# ------------------
+ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=fbrPbvPjnpOi3vcomxBhA4fyzqIckjoK
+ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=t6Mgfbs6B7fWsRdSuWAGh7daa1w0D4HJ
+ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=81GeIp2jbI3Vp7fOZhboKNZBOEAQ9qzz
+
+# Web Push
+# --------
+# Generate with `bundle exec rails mastodon:webpush:generate_vapid_key`
+# --------
+VAPID_PRIVATE_KEY=wVOqrETJzLEyHzUwja23W2HNhaKKFcd2aCBd184QotM=
+VAPID_PUBLIC_KEY=BC0z2EoX1XXL2A8MmXeplKHj1hAisYqLO_wENRnMoUw5jsu4bQN3pZ0uYYjGvcdxnjypUN-k5KtNVQS3I9sDhmM=
+
+# IP and session retention
+# -----------------------
+# Make sure to modify the scheduling of ip_cleanup_scheduler in config/sidekiq.yml
+# to be less than daily if you lower IP_RETENTION_PERIOD below two days (172800).
+# -----------------------
+IP_RETENTION_PERIOD=31556952
+SESSION_RETENTION_PERIOD=31556952
\ No newline at end of file
diff --git a/modules/nixos/mastodon/default.nix b/modules/nixos/mastodon/default.nix
index 685dbf6..d135ac3 100644
--- a/modules/nixos/mastodon/default.nix
+++ b/modules/nixos/mastodon/default.nix
@@ -13,18 +13,22 @@ env = { # General Config RAILS_ENV = "production"; + RAILS_LOG_LEVEL = "info"; NODE_ENV = "production"; RAILS_SERVE_STATIC_FILES = "true"; SINGLE_USER_MODE = "true"; DEFAULT_LOCALE = "en"; - SKIP_POST_DEPLOYMENT_MIGRATIONS = "true"; + SKIP_POST_DEPLOYMENT_MIGRATIONS = "false"; # Serve ui on mstdn.${domain}, but use ${domain} for my handle WEB_DOMAIN = interfaceDomain; LOCAL_DOMAIN = cfg.rootDomain; # Performance/Scaling - MAX_THREADS = "2"; - SIDEKIQ_CONCURRENCY = "2"; + MAX_THREADS = "5"; # Read: Puma/Web Threads + # Run Puma in single-mode (as this is a single user instance) + WEB_CONCURRENCY = "0"; # Read: Puma Processes + SIDEKIQ_CONCURRENCY = "1"; # Read: Sidekiq Processes + SIDEKIQ_THREADS = "6"; # This gets passed as a cli arg, but is here for consistency # Mail SMTP_SERVER = "smtp.improvmx.com";
@@ -45,8 +49,10 @@ REDIS_PORT = "6379"; REDIS_PASSWORD = ""; - # Disable ElasticSearch - ES_ENABLED = "false"; + # ElasticSearch + ES_ENABLED = toString cfg.enableElasticSearch; + ES_HOST = "mastodon-es"; + ES_PORT = "9200"; }; secretEnvFiles = [
@@ -54,6 +60,7 @@ cfg.otpSecretEnvFile cfg.vapidKeysEnvFile cfg.smtpPasswordEnvFile + cfg.activeRecordEncryptionEnvFile ]; in { options.svcs.mastodon = with lib; { 
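Review bot: This hunk commits long-lived key material (`SECRET_KEY_BASE`, `OTP_SECRET`, the three `ACTIVE_RECORD_ENCRYPTION_*` values and the VAPID key pair) in exactly the form Mastodon loads it, with only the header comment marking it as test-only. The nix module in this commit takes its secrets from the agenix `secretEnvFiles` list, so the file appears to exist for the compose setup alone, but nothing on the page prevents a copy into a real deployment, and any secret scanner will flag it regardless. Prefer a `.env.production.sample` with placeholders such as `SECRET_KEY_BASE=<generate with: bundle exec rails secret>` and keep the populated test file out of the repository, or at minimum extend the header comment to name which compose file consumes it and that the production module never reads it.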
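Review bot: The comment `SIDEKIQ_CONCURRENCY = "1"; # Read: Sidekiq Processes` looks wrong for Mastodon, where `SIDEKIQ_CONCURRENCY` is the thread count `config/sidekiq.yml` reads, and the process count is simply however many sidekiq containers you start (one here). The value that takes effect is `SIDEKIQ_THREADS = "6"`, passed as `-c` to the sidekiq container later in the diff, and upstream's `database.yml` sizes the connection pool from `DB_POOL` or `MAX_THREADS` (`"5"` in this hunk), so six sidekiq threads may contend for five connections if the image keeps that default. I cannot see the image's config from this diff, so treat the pool sizing as something to verify; either way, reword the comment to `# Sidekiq thread count from sidekiq.yml; overridden by -c ${SIDEKIQ_THREADS} below` and consider setting `DB_POOL` explicitly. The `env` attrset starts outside this hunk.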
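Review bot: `ES_ENABLED = toString cfg.enableElasticSearch;` does not produce the string Mastodon checks: Nix's `toString true` evaluates to `"1"` and `toString false` to `""`, whereas Mastodon turns search on only when `ES_ENABLED` is the literal `true`, so the option can never enable Elasticsearch from the application's point of view. Use `ES_ENABLED = lib.boolToString cfg.enableElasticSearch;` (`lib` is in scope; the same file uses `lib.mkIf` later), which yields `"true"`/`"false"`. The `ES_HOST`/`ES_PORT` lines are harmless while search is off, and the enclosing `env` attrset starts outside the hunk.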
@@ -64,6 +71,7 @@ in { default = "unicycl.ing"; description = "Root domain for Mastodon"; }; + enableElasticSearch = mkEnableOption "Enable ElasticSearch"; mastodonWebPort = mkOption { type = types.int; default = 55010; @@ -99,15 +107,12 @@ in { config = with lib; mkIf cfg.enable { - users.users.mastodon = { - isSystemUser = true; - group = "podman"; - }; - - systemd.services.podman-create-mastodon-net = { + systemd.services.podman-create-mastodon-stuff = { serviceConfig = { Group = "podman"; Type = "oneshot"; + Restart = "on-failure"; + ProtectSystem = "strict"; ProtectHostname = true; ProtectClock = true; 
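Review bot: `enableElasticSearch = mkEnableOption "Enable ElasticSearch";` renders its description as "Whether to enable Enable ElasticSearch." because `mkEnableOption` prefixes "Whether to enable" to its argument; write `enableElasticSearch = mkEnableOption "Elasticsearch for Mastodon full-text search";` instead. The option defaults to false, which is the right default given the search container elsewhere in this diff runs with X-Pack security disabled and should only be brought up deliberately. The `options.svcs.mastodon` attrset starts and ends outside this hunk.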
@@ -123,25 +128,42 @@ in { ExecPaths = ["/nix/store"]; NoExecPaths = ["/"]; }; - wantedBy = [ - # "multi-user.target" - "podman-mastodon-web.service" - "podman-mastodon-db.service" - "podman-mastodon-redis.service" - # "podman-mastodon-es.service" - "podman-mastodon-streaming.service" - "podman-mastodon-sidekiq.service" - ]; + unitConfig = {StartLimitInterval = 5;}; + wantedBy = + [ + # "multi-user.target" + "podman-mastodon-web.service" + "podman-mastodon-db.service" + "podman-mastodon-redis.service" + "podman-mastodon-streaming.service" + "podman-mastodon-sidekiq.service" + "podman-mastodon-prepare.service" + ] + ++ optional cfg.enableElasticSearch "podman-mastodon-es.service"; + path = [pkgs.podman]; + preStart = "/usr/bin/env sleep 4"; script = '' + echo "Creating Mastodon network" podman network exists mastodon || podman network create mastodon + + echo "Creating Mastodon volumes" + podman volume exists mastodon_pgdata || podman volume create mastodon_pgdata + podman volume exists mastodon_redisdata || podman volume create mastodon_redisdata + podman volume exists mastodon_sysdata || podman volume create mastodon_sysdata + ${ + if cfg.enableElasticSearch + then "podman volume exists mastodon_searchdata || podman volume create mastodon_searchdata" + else "" + } + + echo "Init complete" ''; }; virtualisation.oci-containers.containers = { mastodon-db = { image = "postgres:14-alpine"; - user = "mastodon"; autoStart = true; extraOptions = [ 
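Review bot: `preStart = "/usr/bin/env sleep 4";` is a timing guess standing in for an ordering relation: `wantedBy` only makes the listed container units pull `podman-create-mastodon-stuff` in, it does not order the oneshot before them, so a container can still start before the network and volumes exist and the sleep merely narrows the window. Unless an `after`/`before` is declared outside this hunk, add `before = [ "podman-mastodon-web.service" ... ];` mirroring the `wantedBy` list (or bind the list once in a `let`) and delete the sleep. Separately, removing `user = "mastodon";` from `mastodon-db` means the postgres container now runs under podman's default user, which on a rootful setup is root; a one-line comment on the container saying this is intentional would keep the change from being read as an accidental drop. The `systemd.services.podman-create-mastodon-stuff` block starts outside the hunk.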
@@ -154,104 +176,161 @@ in { }; volumes = [ - "mastodon_postgresql-data:/var/lib/postgresql/data" + "mastodon_pgdata:/var/lib/postgresql/data" ]; }; mastodon-redis = { image = "redis:7-alpine"; - user = "mastodon"; + autoStart = true; + extraOptions = [ + "--network=mastodon" + ]; + + volumes = [ + "mastodon_redisdata:/data" + ]; + }; + + mastodon-es = mkIf cfg.enableElasticSearch { + image = "docker.elastic.co/elasticsearch/elasticsearch:8.16.1"; autoStart = true; extraOptions = [ "--network=mastodon" + "--ulimit=memlock=-1:-1" + "--ulimit=nofile=65536:65536" + ]; + + environment = { + ES_JAVA_OPTS = "-Xms512m -Xmx512m -Des.enforce.bootstrap.checks=true"; + "xpack.license.self_generated.type" = "basic"; + "xpack.security.enabled" = "false"; + "xpack.watcher.enabled" = "false"; + "xpack.graph.enabled" = "false"; + "xpack.ml.enabled" = "false"; + "bootstrap.memory_lock" = "true"; + "cluster.name" = "es-mastodon"; + "discovery.type" = "single-node"; + "thread_pool.write.queue_size" = "1000"; + }; + + volumes = [ + "mastodon_searchdata:/usr/share/elasticsearch/data" + ]; + }; + + mastodon-prepare = { + image = "ghcr.io/glitch-soc/mastodon:v${version}"; + cmd = ["bundle" "exec" "rails" "db:migrate"]; + # cmd = ["bundle" "exec" "rails" "db:migrate"]; + + autoStart = false; + extraOptions = [ + "--runtime=${pkgs.gvisor}/bin/runsc" + "--network=mastodon" + "--restart=on-failure" + "--detach=false" ]; + environment = env; + environmentFiles = secretEnvFiles; + volumes = [ - "mastodon_redis-data:/data" + "mastodon_sysdata:/opt/mastodon/public/system" + ]; + + dependsOn = [ + "mastodon-db" ]; }; - # mastodon-web = { - # image = "ghcr.io/mastodon/mastodon:v${version}"; - # cmd = ["bundle" "exec" "puma" "-C" "config/puma.rb"]; - - # user = "mastodon"; - - # autoStart = true; - # extraOptions = [ - # "--runtime=${pkgs.gvisor}/bin/runsc" - # "--network=mastodon" - # ]; - - # environment = env; - # environmentFiles = secretEnvFiles; - - # volumes = [ - # 
"mastodon_system-data:/opt/mastodon/public/system" - # ]; - - # dependsOn = [ - # "mastodon-db" - # "mastodon-redis" - # # "mastodon-es" - # ]; - - # ports = [ - # "${toString cfg.mastodonWebPort}:3000" - # ]; - # }; - - # mastodon-streaming = { - # image = "ghcr.io/mastodon/mastodon-streaming:v${version}"; - # cmd = ["node" "./streaming/index.js"]; - - # user = "mastodon"; - - # autoStart = true; - # extraOptions = [ - # "--runtime=${pkgs.gvisor}/bin/runsc" - # "--network=mastodon" - # ]; - - # environment = env; - # environmentFiles = secretEnvFiles; - - # ports = [ - # "${builtins.toString cfg.mastodonStreamPort}:4000" - # ]; - - # dependsOn = [ - # "mastodon-db" - # "mastodon-redis" - # ]; - # }; - - # mastodon-sidekiq = { - # image = "ghcr.io/mastodon/mastodon:v${version}"; - # cmd = ["bundle" "exec" "sidekiq" "-c" "${env.SIDEKIQ_CONCURRENCY}"]; - - # user = "mastodon"; - - # autoStart = true; - # extraOptions = [ - # "--network=mastodon" - # "--cap-add=NET_BIND_SERVICE" - # ]; - - # environment = env; - # environmentFiles = secretEnvFiles; - - # volumes = [ - # "mastodon_system-data:/opt/mastodon/public/system" - # ]; - - # dependsOn = [ - # "mastodon-db" - # "mastodon-redis" - # ]; - # }; + mastodon-web = { + image = "ghcr.io/glitch-soc/mastodon:v${version}"; + # cmd = ["bundle" "exec" "rails" "assets:precompile" "&&" "bundle" "exec" "puma" "-C" "config/puma.rb"]; + cmd = ["bundle" "exec" "puma" "-C" "config/puma.rb"]; + + autoStart = true; + extraOptions = [ + "--runtime=${pkgs.gvisor}/bin/runsc" + "--network=mastodon" + ]; + + environment = env; + environmentFiles = secretEnvFiles; + + volumes = [ + "mastodon_sysdata:/opt/mastodon/public/system" + ]; + + dependsOn = + [ + "mastodon-db" + "mastodon-redis" + "mastodon-prepare" + ] + ++ (optional cfg.enableElasticSearch "mastodon-es"); + + ports = [ + "127.0.0.1:${toString cfg.mastodonWebPort}:3000" + ]; + }; + + mastodon-streaming = { + image = "ghcr.io/glitch-soc/mastodon-streaming:v${version}"; + cmd = 
["node" "./streaming/index.js"]; + + autoStart = true; + extraOptions = [ + "--runtime=${pkgs.gvisor}/bin/runsc" + "--network=mastodon" + ]; + + environment = env; + environmentFiles = secretEnvFiles; + + ports = [ + "127.0.0.1:${toString cfg.mastodonStreamPort}:4000" + ]; + + dependsOn = [ + "mastodon-db" + "mastodon-redis" + "mastodon-prepare" + ]; + }; + + mastodon-sidekiq = { + image = "ghcr.io/glitch-soc/mastodon:v${version}"; + cmd = ["bundle" "exec" "sidekiq" "-c" "${env.SIDEKIQ_THREADS}"]; + + autoStart = true; + extraOptions = [ + "--network=mastodon" + "--cap-add=NET_BIND_SERVICE" + ]; + + environment = env; + environmentFiles = secretEnvFiles; + + volumes = [ + "mastodon_sysdata:/opt/mastodon/public/system" + ]; + + dependsOn = [ + "mastodon-db" + "mastodon-redis" + "mastodon-prepare" + ]; + }; + }; + + systemd.services.podman-mastodon-prepare = { + serviceConfig = { + Type = mkForce "oneshot"; + Restart = mkForce "on-failure"; + }; }; services.traefik.dynamicConfigOptions = lib.mkIf cfg.configureTraefik { @@ -269,7 +348,7 @@ in { services = { mastodon = { loadBalancer = { - servers = [{url = "http://localhost:${toString cfg.mastodonWebPort}";}]; + servers = [{url = "http://127.0.0.1:${toString cfg.mastodonWebPort}";}]; }; }; }; diff --git a/modules/nixos/mastodon/mastodon-compose.yml b/modules/nixos/mastodon/mastodon-compose.yml index 3c53d4c..f331ba6 100644 --- a/modules/nixos/mastodon/mastodon-compose.yml +++ b/modules/nixos/mastodon/mastodon-compose.yml @@ -14,6 +14,9 @@ services: - ./postgres14:/var/lib/postgresql/data environment: - "POSTGRES_HOST_AUTH_METHOD=trust" + - "POSTGRES_DB=mastodon_production" + - "POSTGRES_USER=mastodon" + - "POSTGRES_PASSWORD=mastodon" redis: restart: always diff --git a/users/henrikvt/default.nix b/users/henrikvt/default.nix index a9033d1..082a0b5 100644 --- a/users/henrikvt/default.nix +++ b/users/henrikvt/default.nix @@ -17,6 +17,7 @@ extraGroups = [ "wheel" "networkmanager" + "podman" ]; shell = pkgs.zsh;
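Review bot: `mastodon-sidekiq` is the only service container launched without `--runtime=${pkgs.gvisor}/bin/runsc`, although `mastodon-prepare`, `mastodon-web` and `mastodon-streaming` all get it, and sidekiq is the process that fetches remote media and processes inbound federation jobs; if gVisor is left off because of `--cap-add=NET_BIND_SERVICE` or a known incompatibility, record that in a comment beside its `extraOptions`, otherwise add the runtime there too. Likewise `mastodon-es` runs with `"xpack.security.enabled" = "false"` and declares no `ports`, so it is reachable only on the `mastodon` podman network — a comment stating that this is the reason auth is off will stop someone from later publishing its port. The duplicated `# cmd = ["bundle" "exec" "rails" "db:migrate"];` comment under `mastodon-prepare` repeats the live line above it and can be deleted. The `virtualisation.oci-containers.containers` attrset starts outside the hunk.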
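Review bot: `POSTGRES_PASSWORD=mastodon` is added while `POSTGRES_HOST_AUTH_METHOD=trust` stays on the line above it; under `trust` the password is never checked, so the new line documents a credential the database does not enforce. If this compose file is only the local harness for the `.env.production` sample (the `db` service header is outside the hunk, so I cannot tell), say so in a comment on the service; otherwise remove the `trust` line so the password actually gates connections.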