nixos/akkoma: check that upload and media proxy base url is specified

new versions of akkoma require the upload base url to be specified in order for updates to work properly. this will be a breaking change in 24.05, but for now a reasonable default is set.
2024-03-30 19:14:37 +00:00 · 2024-03-30 19:14:37 +00:00 · d598b5d88d
parent 855667eadc
commit d598b5d88d
3 changed files with 51 additions and 1 deletions
--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@ -402,6 +402,10 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 - The `erlang_node_short_name`, `erlang_node_name`, `port` and `options` configuration parameters are gone, and have been replaced with an `environment` parameter.
    Use the appropriate [environment variables](https://hexdocs.pm/livebook/readme.html#environment-variables) inside `environment` to configure the service instead.

+- `akkoma` now requires explicitly setting the base URL for uploaded media (`settings."Pleroma.Upload".base_url`), as well as for the media proxy if enabled (`settings."Media"`).
+  This is recommended to be a separate (sub)domain to the one Akkoma is hosted at.
+  See [here](https://meta.akkoma.dev/t/akkoma-stable-2024-03-securer-i-barely-know-her/681#explicit-upload-and-media-proxy-domains-5) for more details.
+
 - The `crystal` package has been updated to 1.11.x, which has some breaking changes.
  Refer to crystal's changelog for more information. ([v1.10](https://github.com/crystal-lang/crystal/blob/master/CHANGELOG.md#1100-2023-10-09), [v1.11](https://github.com/crystal-lang/crystal/blob/master/CHANGELOG.md#1110-2024-01-08))

--- a/nixos/modules/services/web-apps/akkoma.nix
+++ b/nixos/modules/services/web-apps/akkoma.nix
@ -764,6 +764,21 @@ in {
                };
              };

+              "Pleroma.Upload" = let
+                httpConf = cfg.config.":pleroma"."Pleroma.Web.Endpoint".url;
+              in {
+                base_url = mkOption {
+                    type = types.nonEmptyStr;
+                    default = if lib.versionOlder config.system.stateVersion "24.05"
+                              then "${httpConf.scheme}://${httpConf.host}:${builtins.toString httpConf.port}/media/"
+                              else null;
+                    description = mdDoc ''
+                      Base path which uploads will be stored at.
+                      Whilst this can just be set to a subdirectory of the main domain, it is now recommended to use a different subdomain.
+                    '';
+                };
+              };
+
              ":frontends" = mkOption {
                type = elixirValue;
                default = mapAttrs
@ -781,6 +796,30 @@ in {
                  [{option}`config.services.akkoma.frontends`](#opt-services.akkoma.frontends).
                '';
              };
+
+
+              ":media_proxy" = let
+                httpConf = cfg.config.":pleroma"."Pleroma.Web.Endpoint".url;
+              in {
+                enabled = mkOption {
+                    type = types.bool;
+                    default = false;
+                    description = mdDoc ''
+                      Whether to enable proxying of remote media through the instance's proxy.
+                    '';
+                };
+                base_url = mkOption {
+                    type = types.nullOr types.nonEmptyStr;
+                    default = if lib.versionOlder config.system.stateVersion "24.05"
+                              then "${httpConf.scheme}://${httpConf.host}:${builtins.toString httpConf.port}/media/"
+                              else null;
+                    description = mdDoc ''
+                      Base path for the media proxy.
+                      Whilst this can just be set to a subdirectory of the main domain, it is now recommended to use a different subdomain.
+                    '';
+                };
+              };
+
            };

            ":web_push_encryption" = mkOption {
@ -904,6 +943,9 @@ in {
  };

  config = mkIf cfg.enable {
+    assertions = optionals (cfg.config.":pleroma".":media_proxy".enabled && cfg.config.":pleroma".":media_proxy".base_url == null) [''
+      `services.akkoma.config.":pleroma".":media_proxy".base_url` must be set when the media proxy is enabled.
+    ''];
    warnings = optionals (with config.security; (!sudo.enable) && (!sudo-rs.enable)) [''
      The pleroma_ctl wrapper enabled by the installWrapper option relies on
      sudo, which appears to have been disabled through security.sudo.enable.
--- a/nixos/tests/akkoma.nix
+++ b/nixos/tests/akkoma.nix
@ -36,7 +36,8 @@ let
    ${pkgs.toot}/bin/toot timeline -1 | grep -F -q "hello world Jamy here"

    # Test file upload
-    ${pkgs.toot}/bin/toot upload <(dd if=/dev/zero bs=1024 count=1024 status=none)
+    echo "y" | ${pkgs.toot}/bin/toot upload <(dd if=/dev/zero bs=1024 count=1024 status=none) \
+      | grep -F -q "https://akkoma.nixos.test:443/media"
  '';

  checkFe = pkgs.writers.writeBashBin "checkFe" ''
@ -90,6 +91,9 @@ in
            "Pleroma.Web.Endpoint" = {
              url.host = "akkoma.nixos.test";
            };
+            "Pleroma.Upload" = {
+              base_url = "https://akkoma.nixos.test:443/media/";
+            };
          };
        };