Try to add mastodon, fail to add mastodon

2022-05-26 16:40:49 +02:00 · 2022-05-26 16:40:49 +02:00 · 17e24e7150
parent c305f94612
commit 17e24e7150
16 changed files with 3446 additions and 65 deletions
--- a/flux/cluster/apps/drone/drone-deployment.yaml
+++ b/flux/cluster/apps/drone/drone-deployment.yaml
@ -17,45 +17,12 @@ spec:
        app: drone-deployment
    spec:
      containers:
-      - name: drone-deployment
-        image: drone/drone:2
-        ports:
-        - containerPort: 80
-        env:
-        - name: DRONE_GITEA_CLIENT_ID
-          valueFrom:
-            secretKeyRef:
-              name: drone-secrets
-              key: gitea-client-id
-        - name: DRONE_GITEA_CLIENT_SECRET
-          valueFrom:
-            secretKeyRef:
-              name: drone-secrets
-              key: gitea-client-secret
-        - name: DRONE_GITEA_SERVER
-          valueFrom:
-            secretKeyRef:
-              name: drone-secrets
-              key: gitea-server
-        - name: DRONE_GIT_ALWAYS_AUTH
-          valueFrom:
-            secretKeyRef:
-              name: drone-secrets
-              key: git-always-auth
-        - name: DRONE_RPC_SECRET
-          valueFrom:
-            secretKeyRef:
-              name: drone-secrets
-              key: drone-rpc-secret
-        - name: DRONE_SERVER_HOST
-          valueFrom:
-            secretKeyRef:
-              name: drone-secrets
-              key: drone-server-host
-        - name: DRONE_SERVER_PROTO
-          valueFrom:
-            secretKeyRef:
-              name: drone-secrets
-              key: drone-server-proto
+        - name: drone-deployment
+          image: drone/drone:2
+          ports:
+            - containerPort: 80
+          envFrom:
+            - secretRef:
+                name: drone-secret
      imagePullSecrets:
-      - name: registry-creds
+        - name: registry-creds
--- a/flux/cluster/apps/drone/secret.yaml
+++ b/flux/cluster/apps/drone/secret.yaml
@ -11,31 +11,31 @@ spec:
  target:
    name: drone-secrets
  data:
-    - secretKey: drone-rpc-secret
+    - secretKey: DRONE_RPC_SECRET
      remoteRef:
        key: k8s/drone
        property: drone-rpc-secret
-    - secretKey: drone-server-host
+    - secretKey: DRONE_SERVER_HOST
      remoteRef:
        key: k8s/drone
        property: drone-server-host
-    - secretKey: drone-server-proto
+    - secretKey: DRONE_SERVER_PROTO
      remoteRef:
        key: k8s/drone
        property: drone-server-proto
-    - secretKey: git-always-auth
+    - secretKey: DRONE_GIT_ALWAYS_AUTH
      remoteRef:
        key: k8s/drone
        property: git-always-auth
-    - secretKey: gitea-client-id
+    - secretKey: DRONE_GITEA_CLIENT_ID
      remoteRef:
        key: k8s/drone
        property: gitea-client-id
-    - secretKey: gitea-client-secret
+    - secretKey: DRONE_GITEA_CLIENT_SECRET
      remoteRef:
        key: k8s/drone
        property: gitea-client-secret
-    - secretKey: gitea-server
+    - secretKey: DRONE_GITEA_SERVER
      remoteRef:
        key: k8s/drone
        property: gitea-server
--- a/nixos/common/default.nix
+++ b/nixos/common/default.nix
@ -39,4 +39,5 @@
  };

  nixpkgs.config.allowUnfree = true;
+  nixpkgs.overlays = [ (import ../pkgs) ];
 }
--- a/nixos/flake.nix
+++ b/nixos/flake.nix
@ -105,12 +105,6 @@
          deployment = {
            targetHost = "minio.lxd";
            tags = [ "system" ];
-            keys."minioSettings" = {
-              keyCommand = [ "vault" "kv" "get" "-field=settings" "kv/minio" ];
-              destDir = "/var/lib/keys";
-              user = "minio";
-              group = "minio";
-            };
          };
        };

@ -130,17 +124,22 @@
          };
        };

-        # k3s = {
-        #   imports = [ ./machines/k3s ];
-        #   deployment = {
-        #     targetHost = "k3s.lxd";
-        #     tags = [ "k3s" ];
-        #   };
-        # };
+        mastodon = {
+          imports = [ ./machines/mastodon ];
+          deployment = {
+            targetHost = "mastodon.lxd";
+            tags = [ "mastodon" ];
+          };
+        };
      };

      devShells.x86_64-linux.default = pkgs.mkShell {
-        buildInputs = [ colmena.packages.x86_64-linux.colmena ];
+        buildInputs = [
+          colmena.packages.x86_64-linux.colmena
+          pkgs.jq
+          pkgs.bundix
+          pkgs.nix-prefetch-git
+        ];
      };

    };
--- a/nixos/machines/minio/default.nix
+++ b/nixos/machines/minio/default.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }: {
+{ config, pkgs, deployment, ... }: {
  imports = [ ../../common ../../common/lxc.nix ];
  networking.hostName = "minio";
  system.stateVersion = "21.11";
@ -10,4 +10,10 @@
    enable = true;
    rootCredentialsFile = "/var/lib/keys/minioSettings";
  };
+  deployment.keys."minioSettings" = {
+    keyCommand = [ "vault" "kv" "get" "-field=settings" "kv/minio" ];
+    destDir = "/var/lib/keys";
+    user = "minio";
+    group = "minio";
+  };
 }
--- a/nixos/machines/nginx/default.nix
+++ b/nixos/machines/nginx/default.nix
@ -61,6 +61,8 @@ in {
    virtualHosts."cdn.asraphiel.dev" = k8sProxy;

    virtualHosts."registry.asraphiel.dev" = proxy "http://registry.lxd:5000/";
+    virtualHosts."registrydbg.asraphiel.dev" =
+      proxy "http://registry.lxd:5001/";
    virtualHosts."vaultwarden.asraphiel.dev" =
      proxy "http://vaultwarden.lxd:8000/";
    virtualHosts."analytics.asraphiel.dev" = k8sProxy;
--- a/nixos/machines/postgres/default.nix
+++ b/nixos/machines/postgres/default.nix
@ -23,7 +23,8 @@ in {
      host all all 10.0.0.0/8 trust
      host all all fd42:8db7:2e6b:8e9b:216:3eff::/96 trust
    '';
-    ensureDatabases = [ "gitea" "vault" "vaultwarden" "authentik" "umami" ];
+    ensureDatabases =
+      [ "gitea" "vault" "vaultwarden" "authentik" "umami" "mastodon" "pleroma" ];
    ensureUsers = [
      {
        name = "gitea";
@ -42,6 +43,8 @@ in {
        ensurePermissions = { "DATABASE \"authentik\"" = "ALL PRIVILEGES"; };
      }
      (user "umami")
+      (user "mastodon")
+      (user "pleroma")
    ];

    enableTCPIP = true;
--- a/nixos/machines/registry/default.nix
+++ b/nixos/machines/registry/default.nix
@ -3,7 +3,8 @@
  networking.hostName = "registry";
  system.stateVersion = "21.11";

-  networking.firewall.allowedTCPPorts = [ config.services.dockerRegistry.port ];
+  networking.firewall.allowedTCPPorts =
+    [ config.services.dockerRegistry.port 5001 ];

  services.dockerRegistry = {
    enable = true;
@ -26,6 +27,17 @@
        realm = "Voidcorp Registry";
        path = "/var/lib/keys/htaccess";
      };
+      http.debug.addr = "0.0.0.0:5001";
+
+      log = {
+        accesslog = { disabled = false; };
+        level = "debug";
+        formatter = "text";
+        fields = {
+          service = "registry";
+          environment = "staging";
+        };
+      };

      notifications.endpoints = [{
        name = "keel";
--- a/nixos/pkgs/default.nix
+++ b/nixos/pkgs/default.nix
@ -0,0 +1 @@
+self: super: { julius = { glitch-soc = super.callPackage ./glitch-soc { }; }; }
--- a/nixos/pkgs/glitch-soc/README.md
+++ b/nixos/pkgs/glitch-soc/README.md
@ -0,0 +1,6 @@
+# How to update
+
+1. Run `./update.sh --ver v3.5.2 --url https://github.com/glitch-soc/mastodon.git --rev latest-commit-on-main` 
+2. Set `yarnOfflineCache.sha256` in `default.nix` to `""`, wait for it to error, and replace the hash.
+3. ???
+4. Profit
--- a/nixos/pkgs/glitch-soc/default.nix
+++ b/nixos/pkgs/glitch-soc/default.nix
@ -0,0 +1,123 @@
+{ lib, stdenv, nodejs-slim, mkYarnPackage, fetchFromGitHub, bundlerEnv, nixosTests
+, yarn, callPackage, imagemagick, ffmpeg, file, ruby_3_0, writeShellScript
+, fetchYarnDeps, fixup_yarn_lock
+
+  # Allow building a fork or custom version of Mastodon:
+, pname ? "mastodon"
+, version ? import ./version.nix
+, srcOverride ? null
+, dependenciesDir ? ./.  # Should contain gemset.nix, yarn.nix and package.json.
+}:
+
+stdenv.mkDerivation rec {
+  inherit pname version;
+
+  # Using overrideAttrs on src does not build the gems and modules with the overridden src.
+  # Putting the callPackage up in the arguments list also does not work.
+  src = if srcOverride != null then srcOverride else callPackage ./source.nix {};
+
+  yarnOfflineCache = fetchYarnDeps {
+    yarnLock = "${src}/yarn.lock";
+    sha256 = "sha256-zx93a2oIXW65h617cj8JmvfVPddHi/Rw2ulKOrwqUVw=";
+  };
+
+  mastodon-gems = bundlerEnv {
+    name = "${pname}-gems-${version}";
+    inherit version;
+    ruby = ruby_3_0;
+    gemdir = src;
+    gemset = dependenciesDir + "/gemset.nix";
+    # This fix (copied from https://github.com/NixOS/nixpkgs/pull/76765) replaces the gem
+    # symlinks with directories, resolving this error when running rake:
+    #   /nix/store/451rhxkggw53h7253izpbq55nrhs7iv0-mastodon-gems-3.0.1/lib/ruby/gems/2.6.0/gems/bundler-1.17.3/lib/bundler/settings.rb:6:in `<module:Bundler>': uninitialized constant Bundler::Settings (NameError)
+    postBuild = ''
+      for gem in "$out"/lib/ruby/gems/*/gems/*; do
+        cp -a "$gem/" "$gem.new"
+        rm "$gem"
+        # needed on macOS, otherwise the mv yields permission denied
+        chmod +w "$gem.new"
+        mv "$gem.new" "$gem"
+      done
+    '';
+  };
+
+  mastodon-modules = stdenv.mkDerivation {
+    pname = "${pname}-modules";
+    inherit src version;
+
+    nativeBuildInputs = [ fixup_yarn_lock nodejs-slim yarn mastodon-gems mastodon-gems.wrappedRuby ];
+
+    RAILS_ENV = "production";
+    NODE_ENV = "production";
+
+    buildPhase = ''
+      export HOME=$PWD
+      fixup_yarn_lock ~/yarn.lock
+      yarn config --offline set yarn-offline-mirror ${yarnOfflineCache}
+      yarn install --offline --frozen-lockfile --ignore-engines --ignore-scripts --no-progress
+
+      patchShebangs ~/bin
+      patchShebangs ~/node_modules
+
+      # skip running yarn install
+      rm -rf ~/bin/yarn
+
+      OTP_SECRET=precompile_placeholder SECRET_KEY_BASE=precompile_placeholder \
+        rails assets:precompile
+      yarn cache clean --offline
+      rm -rf ~/node_modules/.cache
+    '';
+
+    installPhase = ''
+      mkdir -p $out/public
+      cp -r node_modules $out/node_modules
+      cp -r public/assets $out/public
+      cp -r public/packs $out/public
+    '';
+  };
+
+  propagatedBuildInputs = [ imagemagick ffmpeg file mastodon-gems.wrappedRuby ];
+  buildInputs = [ mastodon-gems nodejs-slim ];
+
+  buildPhase = ''
+    ln -s ${mastodon-modules}/node_modules node_modules
+    ln -s ${mastodon-modules}/public/assets public/assets
+    ln -s ${mastodon-modules}/public/packs public/packs
+
+    patchShebangs bin/
+    for b in $(ls ${mastodon-gems}/bin/)
+    do
+      if [ ! -f bin/$b ]; then
+        ln -s ${mastodon-gems}/bin/$b bin/$b
+      fi
+    done
+
+    rm -rf log
+    ln -s /var/log/mastodon log
+    ln -s /tmp tmp
+  '';
+
+  installPhase = let
+    run-streaming = writeShellScript "run-streaming.sh" ''
+      # NixOS helper script to consistently use the same NodeJS version the package was built with.
+      ${nodejs-slim}/bin/node ./streaming
+    '';
+  in ''
+    mkdir -p $out
+    cp -r * $out/
+    ln -s ${run-streaming} $out/run-streaming.sh
+  '';
+
+  passthru = {
+    tests.mastodon = nixosTests.mastodon;
+    updateScript = callPackage ./update.nix {};
+  };
+
+  meta = with lib; {
+    description = "Self-hosted, globally interconnected microblogging software based on ActivityPub";
+    homepage = "https://joinmastodon.org";
+    license = licenses.agpl3Plus;
+    platforms = [ "x86_64-linux" "i686-linux" "aarch64-linux" ];
+    maintainers = with maintainers; [ petabyteboy happy-river erictapen izorkin ];
+  };
+}
--- a/nixos/pkgs/glitch-soc/gemset.nix
+++ b/nixos/pkgs/glitch-soc/gemset.nix
--- a/nixos/pkgs/glitch-soc/source.nix
+++ b/nixos/pkgs/glitch-soc/source.nix
@ -0,0 +1,11 @@
+# This file was generated by pkgs.mastodon.updateScript.
+{ fetchgit, applyPatches }: let
+  src = fetchgit {
+    url = "https://github.com/glitch-soc/mastodon.git";
+    rev = "444b65009411a08ddab95ec60b86b3cf63086c2e";
+    sha256 = "1hb7ljzlsvfa8375lwdw7bfzn292miv03xgsgmfax1z9arjy55qn";
+  };
+in applyPatches {
+  inherit src;
+  patches = [];
+}
--- a/nixos/pkgs/glitch-soc/update.nix
+++ b/nixos/pkgs/glitch-soc/update.nix
@ -0,0 +1,30 @@
+{ pkgs
+, runCommand
+, lib
+, makeWrapper
+, yarn2nix
+, bundix
+, coreutils
+, diffutils
+, nix-prefetch-git
+, gnused
+, jq
+}:
+let
+  binPath = lib.makeBinPath [ yarn2nix bundix coreutils diffutils nix-prefetch-git gnused jq ];
+in
+runCommand "mastodon-update-script"
+{
+  nativeBuildInputs = [ makeWrapper ];
+
+  meta = {
+    maintainers = with lib.maintainers; [ happy-river ];
+    description = "Utility to generate Nix expressions for Mastodon's dependencies";
+    platforms = lib.platforms.unix;
+  };
+} ''
+  mkdir -p $out/bin
+  cp ${./update.sh} $out/bin/update.sh
+  patchShebangs $out/bin/update.sh
+  wrapProgram $out/bin/update.sh --prefix PATH : ${binPath}
+''
--- a/nixos/pkgs/glitch-soc/update.sh
+++ b/nixos/pkgs/glitch-soc/update.sh
@ -0,0 +1,98 @@
+#!/usr/bin/env bash
+set -e
+
+URL=https://github.com/mastodon/mastodon.git
+
+POSITIONAL=()
+while [[ $# -gt 0 ]]; do
+    key="$1"
+
+    case $key in
+        --url)
+            URL="$2"
+            shift # past argument
+            shift # past value
+            ;;
+        --ver)
+            VERSION="$2"
+            shift # past argument
+            shift # past value
+            ;;
+        --rev)
+            REVISION="$2"
+            shift # past argument
+            shift # past value
+            ;;
+        --patches)
+            PATCHES="$2"
+            shift # past argument
+            shift # past value
+            ;;
+        *)  # unknown option
+            POSITIONAL+=("$1")
+            shift # past argument
+            ;;
+    esac
+done
+
+if [[ -z "$VERSION" || -n "$POSITIONAL" ]]; then
+    echo "Usage: update.sh [--url URL] --ver VERSION [--rev REVISION] [--patches PATCHES]"
+    echo "URL may be any path acceptable to 'git clone' and VERSION the"
+    echo "semantic version number.  If VERSION is not a revision acceptable to"
+    echo "'git checkout', you must provide one in REVISION.  If URL is not"
+    echo "provided, it defaults to https://github.com/mastodon/mastodon.git."
+    echo "PATCHES, if provided, should be one or more Nix expressions"
+    echo "separated by spaces."
+    exit 1
+fi
+
+if [[ -z "$REVISION" ]]; then
+    REVISION="$VERSION"
+fi
+
+rm -f gemset.nix version.nix source.nix
+TARGET_DIR="$PWD"
+
+
+WORK_DIR=$(mktemp -d)
+
+# Check that working directory was created.
+if [[ ! "$WORK_DIR" || ! -d "$WORK_DIR" ]]; then
+    echo "Could not create temporary directory"
+    exit 1
+fi
+
+# Delete the working directory on exit.
+function cleanup {
+    # Report errors, if any, from nix-prefetch-git
+    grep "fatal" $WORK_DIR/nix-prefetch-git.out >/dev/stderr || true
+    rm -rf "$WORK_DIR"
+}
+trap cleanup EXIT
+
+echo "Fetching source code $REVISION from $URL"
+JSON=$(nix-prefetch-git --url "$URL" --rev "$REVISION"  2> $WORK_DIR/nix-prefetch-git.out)
+SHA=$(echo $JSON | jq -r .sha256)
+FETCHED_SOURCE_DIR=$(grep '^path is' $WORK_DIR/nix-prefetch-git.out | sed 's/^path is //')
+
+echo "Creating version.nix"
+echo \"$VERSION\" | sed 's/^"v/"/' > version.nix
+
+cat > source.nix << EOF
+# This file was generated by pkgs.mastodon.updateScript.
+{ fetchgit, applyPatches }: let
+  src = fetchgit {
+    url = "$URL";
+    rev = "$REVISION";
+    sha256 = "$SHA";
+  };
+in applyPatches {
+  inherit src;
+  patches = [$PATCHES];
+}
+EOF
+SOURCE_DIR="$(nix-build --no-out-link -E '(import <nixpkgs> {}).callPackage ./source.nix {}')"
+
+echo "Creating gemset.nix"
+bundix --lockfile="$SOURCE_DIR/Gemfile.lock" --gemfile="$SOURCE_DIR/Gemfile"
+echo "" >> $TARGET_DIR/gemset.nix  # Create trailing newline to please EditorConfig checks
--- a/nixos/pkgs/glitch-soc/version.nix
+++ b/nixos/pkgs/glitch-soc/version.nix
@ -0,0 +1 @@
+"3.5.2"
				`@ -0,0 +1 @@`
				`self: super: { julius = { glitch-soc = super.callPackage ./glitch-soc { }; }; }`