cafkafk/nixpkgs
cafkafk/nixpkgs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 2

nixos/mastodon: add option redis.passwordFile

Browse source
This commit is contained in:
Izorkin 2024-02-16 21:29:30 +03:00
parent 5d874ac468
commit c1a97e1f49
No known key found for this signature in database
GPG key ID: 1436C1B3F3679F09
5 changed files with 60 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

33
nixos/modules/services/web-apps/mastodon.nix
View file

@ -4,7 +4,8 @@ let
cfg = config.services.mastodon;
opt = options.services.mastodon;
# We only want to create a database if we're actually going to connect to it.
# We only want to create a Redis and PostgreSQL databases if we're actually going to connect to it local.
redisActuallyCreateLocally = cfg.redis.createLocally && (cfg.redis.host == "127.0.0.1" || cfg.redis.enableUnixSocket);
databaseActuallyCreateLocally = cfg.database.createLocally && cfg.database.host == "/run/postgresql";
env = {
@ -117,11 +118,11 @@ let
threads = toString (if processCfg.threads == null then cfg.sidekiqThreads else processCfg.threads);
in {
after = [ "network.target" "mastodon-init-dirs.service" ]
++ lib.optional cfg.redis.createLocally "redis-mastodon.service"
++ lib.optional redisActuallyCreateLocally "redis-mastodon.service"
++ lib.optional databaseActuallyCreateLocally "postgresql.service"
++ lib.optional cfg.automaticMigrations "mastodon-init-db.service";
requires = [ "mastodon-init-dirs.service" ]
++ lib.optional cfg.redis.createLocally "redis-mastodon.service"
++ lib.optional redisActuallyCreateLocally "redis-mastodon.service"
++ lib.optional databaseActuallyCreateLocally "postgresql.service"
++ lib.optional cfg.automaticMigrations "mastodon-init-db.service";
description = "Mastodon sidekiq${jobClassLabel}";
@ -149,11 +150,11 @@ let
name = "mastodon-streaming-${toString i}";
value = {
after = [ "network.target" "mastodon-init-dirs.service" ]
++ lib.optional cfg.redis.createLocally "redis-mastodon.service"
++ lib.optional redisActuallyCreateLocally "redis-mastodon.service"
++ lib.optional databaseActuallyCreateLocally "postgresql.service"
++ lib.optional cfg.automaticMigrations "mastodon-init-db.service";
requires = [ "mastodon-init-dirs.service" ]
++ lib.optional cfg.redis.createLocally "redis-mastodon.service"
++ lib.optional redisActuallyCreateLocally "redis-mastodon.service"
++ lib.optional databaseActuallyCreateLocally "postgresql.service"
++ lib.optional cfg.automaticMigrations "mastodon-init-db.service";
wantedBy = [ "mastodon.target" "mastodon-streaming.target" ];
@ -410,6 +411,13 @@ in {
default = 31637;
};
passwordFile = lib.mkOption {
description = lib.mdDoc "A file containing the password for Redis database.";
type = lib.types.nullOr lib.types.path;
default = null;
example = "/run/keys/mastodon-redis-password";
};
enableUnixSocket = lib.mkOption {
description = lib.mdDoc "Use Unix socket";
type = lib.types.bool;
@ -623,6 +631,13 @@ in {
config = lib.mkIf cfg.enable (lib.mkMerge [{
assertions = [
{
assertion = redisActuallyCreateLocally -> (!cfg.redis.enableUnixSocket || cfg.redis.passwordFile == null);
message = ''
<option>services.mastodon.redis.enableUnixSocket</option> needs to be disabled if
<option>services.mastodon.redis.passwordFile</option> is used.
'';
}
{
assertion = databaseActuallyCreateLocally -> (cfg.user == cfg.database.user && cfg.database.user == cfg.database.name);
message = ''
@ -700,6 +715,8 @@ in {
OTP_SECRET="$(cat ${cfg.otpSecretFile})"
VAPID_PRIVATE_KEY="$(cat ${cfg.vapidPrivateKeyFile})"
VAPID_PUBLIC_KEY="$(cat ${cfg.vapidPublicKeyFile})"
'' + lib.optionalString (cfg.redis.passwordFile != null)''
REDIS_PASSWORD="$(cat ${cfg.redis.passwordFile})"
'' + lib.optionalString (cfg.database.passwordFile != null) ''
DB_PASS="$(cat ${cfg.database.passwordFile})"
'' + lib.optionalString cfg.smtp.authenticate ''
@ -762,11 +779,11 @@ in {
systemd.services.mastodon-web = {
after = [ "network.target" "mastodon-init-dirs.service" ]
++ lib.optional cfg.redis.createLocally "redis-mastodon.service"
++ lib.optional redisActuallyCreateLocally "redis-mastodon.service"
++ lib.optional databaseActuallyCreateLocally "postgresql.service"
++ lib.optional cfg.automaticMigrations "mastodon-init-db.service";
requires = [ "mastodon-init-dirs.service" ]
++ lib.optional cfg.redis.createLocally "redis-mastodon.service"
++ lib.optional redisActuallyCreateLocally "redis-mastodon.service"
++ lib.optional databaseActuallyCreateLocally "postgresql.service"
++ lib.optional cfg.automaticMigrations "mastodon-init-db.service";
wantedBy = [ "mastodon.target" ];
@ -847,7 +864,7 @@ in {
enable = true;
hostname = lib.mkDefault "${cfg.localDomain}";
};
services.redis.servers.mastodon = lib.mkIf cfg.redis.createLocally (lib.mkMerge [
services.redis.servers.mastodon = lib.mkIf redisActuallyCreateLocally (lib.mkMerge [
{
enable = true;
}

2
nixos/tests/web-apps/mastodon/default.nix
View file

@ -5,5 +5,5 @@ let
in
{
standard = handleTestOn supportedSystems ./standard.nix { inherit system; };
remote-postgresql = handleTestOn supportedSystems ./remote-postgresql.nix { inherit system; };
remote-databases = handleTestOn supportedSystems ./remote-databases.nix { inherit system; };
}

38
nixos/tests/web-apps/mastodon/remote-postgresql.nix → nixos/tests/web-apps/mastodon/remote-databases.nix
View file

@ -16,7 +16,14 @@ in
meta.maintainers = with pkgs.lib.maintainers; [ erictapen izorkin ];
nodes = {
database = { config, ... }: {
databases = { config, ... }: {
environment = {
etc = {
"redis/password-redis-db".text = ''
ogjhJL8ynrP7MazjYOF6
'';
};
};
networking = {
interfaces.eth1 = {
ipv4.addresses = [
@ -24,7 +31,17 @@ in
];
};
extraHosts = hosts;
firewall.allowedTCPPorts = [ config.services.postgresql.port ];
firewall.allowedTCPPorts = [
config.services.redis.servers.mastodon.port
config.services.postgresql.port
];
};
services.redis.servers.mastodon = {
enable = true;
bind = "0.0.0.0";
port = 31637;
requirePassFile = "/etc/redis/password-redis-db";
};
services.postgresql = {
@ -83,6 +100,9 @@ in
environment = {
etc = {
"mastodon/password-redis-db".text = ''
ogjhJL8ynrP7MazjYOF6
'';
"mastodon/password-posgressql-db".text = ''
SoDTZcISc3f1M1LJsRLT
'';
@ -108,6 +128,12 @@ in
localDomain = "mastodon.local";
enableUnixSocket = false;
streamingProcesses = 2;
redis = {
createLocally = false;
host = "192.168.2.102";
port = 31637;
passwordFile = "/etc/mastodon/password-redis-db";
};
database = {
createLocally = false;
host = "192.168.2.102";
@ -151,12 +177,14 @@ in
extraInit = ''
nginx.wait_for_unit("nginx.service")
nginx.wait_for_open_port(443)
database.wait_for_unit("postgresql.service")
database.wait_for_open_port(5432)
databases.wait_for_unit("redis-mastodon.service")
databases.wait_for_unit("postgresql.service")
databases.wait_for_open_port(31637)
databases.wait_for_open_port(5432)
'';
extraShutdown = ''
nginx.shutdown()
database.shutdown()
databases.shutdown()
'';
};
})

1
nixos/tests/web-apps/mastodon/script.nix
View file

@ -8,7 +8,6 @@
${extraInit}
server.wait_for_unit("redis-mastodon.service")
server.wait_for_unit("mastodon-sidekiq-all.service")
server.wait_for_unit("mastodon-streaming.target")
server.wait_for_unit("mastodon-web.service")

1
nixos/tests/web-apps/mastodon/standard.nix
View file

@ -83,6 +83,7 @@ in
extraInit = ''
server.wait_for_unit("nginx.service")
server.wait_for_open_port(443)
server.wait_for_unit("redis-mastodon.service")
server.wait_for_unit("postgresql.service")
server.wait_for_open_port(5432)
'';