Merge pull request #303733 from tcmal/backport-300343-to-release-23.11

akkoma: Backport #300343 to release 23.11
NixOS · Apr 15, 2024 · 164ca27 · 164ca27
2 parents cd69dcb + 6c4f37e
commit 164ca27
Show file tree

Hide file tree

Showing 5 changed files with 1,386 additions and 1,252 deletions.
diff --git a/maintainers/maintainer-list.nix b/maintainers/maintainer-list.nix
@@ -17835,6 +17835,12 @@
     githubId = 2389333;
     name = "Andy Tockman";
   };
+  tcmal = {
+    email = "me@aria.rip";
+    github = "tcmal";
+    githubId = 4183876;
+    name = "Aria Shrimpton";
+  };
   teatwig = {
     email = "nix@teatwig.net";
     name = "tea";

diff --git a/nixos/modules/services/web-apps/akkoma.nix b/nixos/modules/services/web-apps/akkoma.nix
@@ -769,6 +769,21 @@ in {
                 };
               };
 
+              "Pleroma.Upload" = let
+                httpConf = cfg.config.":pleroma"."Pleroma.Web.Endpoint".url;
+              in {
+                base_url = mkOption {
+                    type = types.nonEmptyStr;
+                    default = if lib.versionOlder config.system.stateVersion "24.05"
+                              then "${httpConf.scheme}://${httpConf.host}:${builtins.toString httpConf.port}/media/"
+                              else null;
+                    description = mdDoc ''
+                      Base path which uploads will be stored at.
+                      Whilst this can just be set to a subdirectory of the main domain, it is now recommended to use a different subdomain.
+                    '';
+                };
+              };
+
               ":frontends" = mkOption {
                 type = elixirValue;
                 default = mapAttrs
@@ -786,6 +801,30 @@ in {
                   [{option}`config.services.akkoma.frontends`](#opt-services.akkoma.frontends).
                 '';
               };
+
+
+              ":media_proxy" = let
+                httpConf = cfg.config.":pleroma"."Pleroma.Web.Endpoint".url;
+              in {
+                enabled = mkOption {
+                    type = types.bool;
+                    default = false;
+                    description = mdDoc ''
+                      Whether to enable proxying of remote media through the instance's proxy.
+                    '';
+                };
+                base_url = mkOption {
+                    type = types.nullOr types.nonEmptyStr;
+                    default = if lib.versionOlder config.system.stateVersion "24.05"
+                              then "${httpConf.scheme}://${httpConf.host}:${builtins.toString httpConf.port}/media/"
+                              else null;
+                    description = mdDoc ''
+                      Base path for the media proxy.
+                      Whilst this can just be set to a subdirectory of the main domain, it is now recommended to use a different subdomain.
+                    '';
+                };
+              };
+
             };
 
             ":web_push_encryption" = mkOption {
@@ -909,6 +948,9 @@ in {
   };
 
   config = mkIf cfg.enable {
+    assertions = optionals (cfg.config.":pleroma".":media_proxy".enabled && cfg.config.":pleroma".":media_proxy".base_url == null) [''
+      `services.akkoma.config.":pleroma".":media_proxy".base_url` must be set when the media proxy is enabled.
+    ''];
     warnings = optionals (with config.security; (!sudo.enable) && (!sudo-rs.enable)) [''
       The pleroma_ctl wrapper enabled by the installWrapper option relies on
       sudo, which appears to have been disabled through security.sudo.enable.
@@ -1088,6 +1130,6 @@ in {
     };
   };
 
-  meta.maintainers = with maintainers; [ mvs ];
+  meta.maintainers = with maintainers; [ mvs tcmal ];
   meta.doc = ./akkoma.md;
 }
diff --git a/nixos/tests/akkoma.nix b/nixos/tests/akkoma.nix
@@ -1,12 +1,16 @@
 /*
-  End-to-end test for Akkoma.
+End-to-end test for Akkoma.
 
-  Based in part on nixos/tests/pleroma.
+Based in part on nixos/tests/pleroma.
 
-  TODO: Test federation.
+TODO: Test federation.
 */
-import ./make-test-python.nix ({ pkgs, package ? pkgs.akkoma, confined ? false, ... }:
-let
+import ./make-test-python.nix ({
+  pkgs,
+  package ? pkgs.akkoma,
+  confined ? false,
+  ...
+}: let
   userPassword = "4LKOrGo8SgbPm1a6NclVU5Wb";
 
   provisionUser = pkgs.writers.writeBashBin "provisionUser" ''
@@ -15,16 +19,17 @@ let
     pleroma_ctl user new jamy jamy@nixos.test --password '${userPassword}' --moderator --admin -y
   '';
 
-  tlsCert = pkgs.runCommand "selfSignedCerts" {
-    nativeBuildInputs = with pkgs; [ openssl ];
-  } ''
-    mkdir -p $out
-    openssl req -x509 \
-      -subj '/CN=akkoma.nixos.test/' -days 49710 \
-      -addext 'subjectAltName = DNS:akkoma.nixos.test' \
-      -keyout "$out/key.pem" -newkey ed25519 \
-      -out "$out/cert.pem" -noenc
-  '';
+  tlsCert =
+    pkgs.runCommand "selfSignedCerts" {
+      nativeBuildInputs = with pkgs; [openssl];
+    } ''
+      mkdir -p $out
+      openssl req -x509 \
+        -subj '/CN=akkoma.nixos.test/' -days 49710 \
+        -addext 'subjectAltName = DNS:akkoma.nixos.test' \
+        -keyout "$out/key.pem" -newkey ed25519 \
+        -out "$out/cert.pem" -noenc
+    '';
 
   sendToot = pkgs.writers.writeBashBin "sendToot" ''
     set -eu -o errtrace -o pipefail
@@ -40,7 +45,7 @@ let
 
     # Test file upload
     echo "y" | ${pkgs.toot}/bin/toot upload <(dd if=/dev/zero bs=1024 count=1024 status=none) \
-      | grep -F -q "https://akkoma.nixos.test/media"
+      | grep -F -q "https://akkoma.nixos.test:443/media"
   '';
 
   checkFe = pkgs.writers.writeBashBin "checkFe" ''
@@ -59,19 +64,28 @@ let
     ${nodes.akkoma.networking.primaryIPAddress} akkoma.nixos.test
     ${nodes.client.networking.primaryIPAddress} client.nixos.test
   '';
-in
-{
+in {
   name = "akkoma";
   nodes = {
-    client = { nodes, pkgs, config, ... }: {
-      security.pki.certificateFiles = [ "${tlsCert}/cert.pem" ];
+    client = {
+      nodes,
+      pkgs,
+      config,
+      ...
+    }: {
+      security.pki.certificateFiles = ["${tlsCert}/cert.pem"];
       networking.extraHosts = hosts nodes;
     };
 
-    akkoma = { nodes, pkgs, config, ... }: {
+    akkoma = {
+      nodes,
+      pkgs,
+      config,
+      ...
+    }: {
       networking.extraHosts = hosts nodes;
-      networking.firewall.allowedTCPPorts = [ 443 ];
-      environment.systemPackages = with pkgs; [ provisionUser ];
+      networking.firewall.allowedTCPPorts = [443];
+      environment.systemPackages = with pkgs; [provisionUser];
       systemd.services.akkoma.confinement.enable = confined;
 
       services.akkoma = {
@@ -94,6 +108,9 @@ in
             "Pleroma.Web.Endpoint" = {
               url.host = "akkoma.nixos.test";
             };
+            "Pleroma.Upload" = {
+              base_url = "https://akkoma.nixos.test:443/media/";
+            };
           };
         };
 
@@ -109,7 +126,7 @@ in
     };
   };
 
-  testScript = { nodes, ... }: ''
+  testScript = {nodes, ...}: ''
     start_all()
     akkoma.wait_for_unit('akkoma-initdb.service')
     akkoma.systemctl('restart akkoma-initdb.service')  # test repeated initialisation
@@ -121,4 +138,3 @@ in
     client.succeed('${checkFe}/bin/checkFe')
   '';
 })
-