Add initial deployment process for nix#97

Merged
mayel merged 2 commits into
bonfire-networks:mainfrom
happysalada:main
Jul 3, 2021
Conversation

@happysalada

This PR adds the initial deployment process for nixos.

The result can be checked at https://bonfire.union.rocks/

The following tradeoffs were chosen:

  • the dependencies usually have a sha256 to check integrity. Due to the fact that bonfire is still in a fast moving state, I disabled the check. If the check is enabled, then this sha256 needs to be updated whenever the dependencies (js deps and mix deps) are updated. For convenience, this check is disabled for now until bonfire is in a more stable state.
  • the default flavour is "reflow". I still need to make it easier to configure the flavour.

The following contestable choices were made:

  • I used postgres13 since there isn't much difference with version 12
  • using elixir 12 as I don't see any major difference over 11
  • using node 16 and the corresponding npm version for frontend deps.
  • the systemd service is using DynamicUser. While this provides enhanced security, the initial setup needs to create the postgis extension manually. I'm not sure about this one, and still considering how to best solve it.

I ran into a tiny hiccup for which I still don't have a solution I'm satisfied with.

  • the migrations are trying to create an extension "postgis". Without superuser privileges, this is not possible. Currently I went with creating the extension manually. I'm still considering the best way to do this.

This is missing the caddy config used to deploy (even in my example deployment I didn't add the upload route reverse proxy).

I tried to put all the files into a nix directory to not make the base dir too crowded.

I needed to add 2 environment variables in runtime.exs.

The postgres_socket_dir socket. This is to enable a connection to postgres via unix sockets. The default authentication configuration of postgres only checks the username for local unix sockets, which makes one less secret configuration variable to use (POSTGRES_PASSWORD). Also, a connection over a socket is 30% more efficient than one over TCP/IP.

The TZDATA_DIR is the directory that TZDATA will write to when doing updates. It needs to be a directory where the user has write privilege. It will default to the priv directory, but in unix it's idiomatic to have the writable directory of an application be under /var/lib.

I have a bit more work to do on this, it's 90% of the way ready.
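As an added illustration (not the PR's own nix expressions, which are not shown on this page) of how the points above fit together in a NixOS module: the app runs under DynamicUser with a StateDirectory under /var/lib that TZDATA_DIR points into, it reaches PostgreSQL over the unix socket so peer authentication replaces POSTGRES_PASSWORD, and the postgis extension is created by a one-shot unit running as the postgres superuser before the app starts, so the app role never needs superuser. The package attribute pkgs.bonfire, its `bonfire start` entry point and the exact POSTGRES_SOCKET_DIR variable name are assumptions.

```nix
# Added example, not the PR's code; pkgs.bonfire and POSTGRES_SOCKET_DIR are assumed names.
{ config, pkgs, ... }:
{
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_13;
    # postgis must be installed before CREATE EXTENSION can succeed
    extraPlugins = with config.services.postgresql.package.pkgs; [ postgis ];
    ensureDatabases = [ "bonfire" ];
    # role name == OS user name, so NixOS' default `local all all peer`
    # rule authenticates the socket connection without any password
    ensureUsers = [{
      name = "bonfire";
      ensurePermissions = { "DATABASE bonfire" = "ALL PRIVILEGES"; };
    }];
  };

  # CREATE EXTENSION needs superuser, which the app deliberately lacks,
  # so a one-shot unit running as postgres does it before the app starts.
  systemd.services.bonfire-postgis = {
    after = [ "postgresql.service" ];
    requires = [ "postgresql.service" ];
    serviceConfig = { Type = "oneshot"; User = "postgres"; };
    script = ''
      ${config.services.postgresql.package}/bin/psql -d bonfire \
        -c 'CREATE EXTENSION IF NOT EXISTS postgis;'
    '';
  };

  systemd.services.bonfire = {
    wantedBy = [ "multi-user.target" ];
    after = [ "bonfire-postgis.service" ];
    requires = [ "bonfire-postgis.service" ];
    environment = {
      POSTGRES_SOCKET_DIR = "/run/postgresql";   # unix socket, no TCP
      POSTGRES_USER = "bonfire";
      TZDATA_DIR = "/var/lib/bonfire/tzdata";    # writable state, not priv/
    };
    serviceConfig = {
      DynamicUser = true;          # transient uid, implies ProtectSystem=strict
      User = "bonfire";            # fixed name so peer auth can match the role
      StateDirectory = "bonfire";  # the one writable path: /var/lib/bonfire
      NoNewPrivileges = true;
      PrivateTmp = true;
      ProtectHome = true;
      ExecStart = "${pkgs.bonfire}/bin/bonfire start";
    };
  };
}
```

Note that User= must not name a user that already exists statically, or DynamicUser allocation fails at start.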

@happysalada
Author

I've removed all the elixir related things.
This PR brings small improvements to the nix build system and an embryo for deployment.
My idea is to merge this "smaller" PR and then have another go at deployment once bonfire is a little more stable.

The original idea was to use this as a backend for a kind of demo app, but we are going to use something much "rougher" at first, until we have a better idea of what is needed. (something like a postgres db with just a couple of tables, and a couple of endpoints). The idea being that hopefully once we manage to figure out a UI, we have a better idea of the requirements.

Let me know if anything.

@mayel
Member

mayel commented Jul 2, 2021

Thanks for your efforts! I wanted to try it out (and making some tweaks at https://github.com/bonfire-networks/bonfire-app/tree/deploy/nix) but a bit more documentation would be helpful.

Looking up docs elsewhere I assumed something like nix shell github:bonfire-networks/bonfire-app --command bonfire --version should do it, but got this output:

       last 10 log lines:
       > unpacking source archive /nix/store/6pyzxjka763s1ziwbyhgghjszp58dhzh-source
       > source root is source
       > patching sources
       > configuring
       > installing
       > warning: the VM is running with native name encoding of latin1 which may cause Elixir to malfunction as it expects utf8. Please ensure your locale is set to UTF-8 (which can be verified by running "locale" in your shell)
       > Running Bonfire 0.1.0-reflow-alpha.185 with configuration from flavours/reflow in prod environment. You can run `mix bonfire.deps.update` to update these extensions and dependencies: "activity_pub bonfire_common bonfire_data_access_control bonfire_data_activity_pub bonfire_data_identity bonfire_data_social bonfire_me bonfire_social bonfire_mailer pointers pointers_ulid nodeinfo bonfire_ui_social bonfire_quantify bonfire_geolocate bonfire_valueflows bonfire_api_graphql bonfire_ui_valueflows bonfire_ui_reflow bonfire_breadpub bonfire_website bonfire_tag bonfire_classify bonfire_search bonfire_data_shared_user bonfire_valueflows_observe absinthe_client flexto bonfire_federate_activitypub bonfire_boundaries bonfire_files voodoo ecto_shorts ecto_sparkles emote licensir"
       > * Getting activity_pub (https://github.com/bonfire-networks/activity_pub - origin/develop)
       > fatal: unable to access 'https://github.com/bonfire-networks/activity_pub/': Could not resolve host: github.com
       > ** (Mix) Command "git --git-dir=.git fetch --force --quiet --progress" failed
       For full logs, run 'nix log /nix/store/kggmx3x39y5qrvxd4r34j9k65hyqjrhm-mix-deps-bonfire-1.0.0.drv'.
error: 1 dependencies of derivation '/nix/store/q86lw1m6q27k3zcivqqyj87bkhr02cdc-bonfire-1.0.0.drv' failed to build

So if you could be more verbose with these steps please:

- add it as an input to your system flake.
- add an overlay to make the package available
- add the required configuration in your system

@mayel mayel linked an issue Jul 2, 2021 that may be closed by this pull request
@happysalada
Author

@mayel thanks a lot for testing!
I didn't put the instructions for running without direnv; I didn't think about it.
I updated the hacking.md.
Can you try nix shell .? This is a relatively new syntax, but if you are able to run nix shell (without the - in between) then you should be able to run it.
The syntax you put forward should work when this PR is merged.
Let me know of course if you run into trouble or if you feel anything isn't clear.

@happysalada
Author

Oh I realised the dependencies might have changed. Let me rebase actually and test again.

@happysalada happysalada force-pushed the main branch 2 times, most recently from 92a1046 to bb4b8fb on July 2, 2021 14:36
@happysalada
Author

I finished updating the PR. There were a couple of tasks that changed name, hence the failure.
Also, I added a commit that changes the preinstall script in the package.json: it removes the -y flag, which fails for me. Looking at the only-allow repo, I didn't find the flag, so I removed it.
This commit is obviously outside the scope of this PR.

Let me know if anything.

@happysalada
Author

Actually I spoke a bit too fast; I get the following error:

> ../deps/bonfire_geolocate/assets/js/extension.js:7:7: error: Could not resolve "mapbox-gl-leaflet" (mar
    7 │ import "mapbox-gl-leaflet";
      ╵        ~~~~~~~~~~~~~~~~~~~

I couldn't find that dependency in the package.json, but perhaps it's one of those dependencies that is fetched dynamically.

@mayel
Member

mayel commented Jul 2, 2021 via email

@mayel
Member

mayel commented Jul 2, 2021

(note that it used to be mix js.deps.get but the command was moved to the makefile so it can be run without first compiling the app)

@happysalada
Author

Got it, thank you for the update! Let me have a look.

@happysalada
Author

@mayel should be good to go now. Let me know.

@jjl

jjl commented Jul 3, 2021

I'm not really doing much on bonfire v1 recently (focusing on v2), but here's some feedback anyway.

> The following contestable choices were made
>
> * I used postgres13 since there isn't much difference with version 12

Should be fine.

> * using elixir 12 as I don't see any major difference over 11

Should be fine.

> * the systemd service is using DynamicUser. While this provides enhanced security, the initial setup needs to create the postgis extension manually. I'm not sure about this one, and still considering how to best solve it.

postgis isn't required if you use one of the flavours that doesn't pull in the postgis stuff.

> I ran into a tiny hiccup for which I still don't have a solution I'm satisfied with.
>
> * the migrations are trying to create an extension "postgis". Without superuser privileges, this is not possible. Currently I went with creating the extension manually. I'm still considering the best way to do this.

This is sort of similar to RDS, where you have to create the extension manually before running the migrations. In a case like that, it's exactly what I'd do.

@mayel mayel merged commit a8706b4 into bonfire-networks:main Jul 3, 2021
@mayel
Member

mayel commented Jul 3, 2021

Well, I've merged so that it's easier for others to test, as personally I'm still getting the same error as above, which I guess could be an issue with my nix setup.

@mayel
Member

mayel commented Jul 3, 2021

Thanks again @happysalada

@mayel
Member

mayel commented Jul 3, 2021

One thing I've noticed is that there are 3 different files where the flavour is defined (I changed the default to coordination for now, btw), so consolidating that in future would be nice.

@happysalada
Author

Thank you for reporting that your error is still happening.
It's perhaps due to the nix version; perhaps I'm using something too recent.
When you have a moment, can you post which version you are using?
I'm using

❯ nix --version
nix (Nix) 2.4pre20210601_5985b8b

@mayel
Member

mayel commented Jul 3, 2021

Same version: nix (Nix) 2.4pre20210601_5985b8b (on Manjaro rolling release distro), and I followed these 2 steps from the nix docs to enable flakes:

install nixUnstable in your environment:

$ nix-env -iA nixpkgs.nixUnstable

Edit either ~/.config/nix/nix.conf or /etc/nix/nix.conf and add:

experimental-features = nix-command flakes

@happysalada
Author

Ok, I think it might be the sandbox.
Could you try adding
sandbox = false in your nix.conf?

@mayel
Member

mayel commented Jul 3, 2021

I recently had an issue (nothing to do with nix) that was due to ipv6 not being handled correctly, so long shot but maybe something to look into...

@mayel
Member

mayel commented Jul 3, 2021

> Ok, I think it might be the sandbox.
> Could you try adding
> sandbox = false in your nix.conf

Thanks, will try in a bit

@happysalada
Author

Oh interesting, I hope that it's not the error; otherwise it might take a while to debug.

also @jjl thank you for the review!

@mayel
Member

mayel commented Jul 3, 2021

That was it! I've now gotten this far:

> nix run . start_iex           
cat: /nix/store/fsdyfsduyfuidsyifysfsyidu-bonfire-1.0.0/releases/COOKIE: No such file or directory
Erlang/OTP 23 [erts-11.2.2.1] [source] [64-bit] [smp:8:8] [ds:8:8:10] [async-threads:1] [hipe]

warning: the VM is running with native name encoding of latin1 which may cause Elixir to malfunction as it expects utf8. Please ensure your locale is set to UTF-8 (which can be verified by running "locale" in your shell)
ERROR! Config provider Config.Reader failed with:
** (RuntimeError) Environment variables for database are missing.
For example: DATABASE_URL=ecto://USER:PASS@HOST/DATABASE
You can also set POSTGRES_PASSWORD (required),
and POSTGRES_USER (default: postgres) and POSTGRES_HOST (default: localhost)

Could you add docs about setting it up with direnv and/or how to configure the env? (Are you using the dotenv files we have in flavours/*/templates? FYI make pre-init makes a copy of those available at config/$ENV, which can then be edited.)

Also I still haven't understood these instructions:

  • add it as an input to your system flake.
  • add an overlay to make the package available
  • add the required configuration in your system

@mayel
Member

mayel commented Jul 3, 2021

On a side note, can we upgrade that to OTP 24?

@happysalada
Author

The error you are getting is legitimate, I still have to re-include my environment changes from before. Let me try to do that in a separate PR.

In order to update erlang, you just need to update the reference to a newer nixpkgs. nixpkgs is using erlang 24 as the main erlang, so there is nothing to change in the code. You will need to run nix flake update and commit the updated flake.lock file.
If you run into problems, I can do it. (The command should run whether you can run the application or not; you just have to verify that it builds, and it should build.)

Regarding the sandbox thing. The reason this does not work is that I'm not pinning the dependencies, I'm just saying 'fetch everything from the internet'. You can fix that by defining exactly which dependencies you need, but since that is less flexible, I would say it's better to start without the sandbox.

Regarding the 3 instructions, they are a little bit condensed. Those are the instructions for actual deployment. I was hoping the nix expressions that follow give more of a clue as to what to do. Basically, if you have a nixos running from a flake, the quoted nix expressions should get you there relatively quickly. If you want to try out the deployment from a server running nixos, happy to help there; we can go through it step by step and amend the documentation as you see fit.
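The pinned alternative described above, as an added example that is not part of the PR: the mix dependencies become a fixed-output derivation whose sha256 lets the build fetch from the network inside the sandbox, at the cost of refreshing the hash whenever mix.lock changes. It assumes the nixpkgs beamPackages.fetchMixDeps and beamPackages.mixRelease builders; the hash value is a placeholder, and `src` and `version` are passed in by the caller.

```nix
# Added example, not the PR's code: pin the mix deps instead of
# "fetch everything from the internet". The hash is a placeholder.
{ lib, beamPackages, src, version, ... }:
let
  pname = "bonfire";
  mixFetchDeps = beamPackages.fetchMixDeps {
    pname = "mix-deps-${pname}";
    inherit src version;
    # Fixed-output derivation: the sandbox permits network access only
    # because the result is verified against this hash, so a changed or
    # tampered dependency fails the build instead of being silently used.
    # To refresh after a mix.lock change: set sha256 = lib.fakeSha256,
    # build, and copy the "got:" hash from the mismatch error.
    sha256 = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";  # placeholder
  };
in
beamPackages.mixRelease {
  inherit pname version src mixFetchDeps;
}
```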

@mayel
Member

mayel commented Jul 4, 2021

Thanks. The update ran OK and I've pushed the lockfile.
What about the instructions in HACKING.md, are those still valid for when not actually deploying?

@happysalada
Author

Yes, the instructions in HACKING.md are just for trying on local and don't need to be changed.

@ju1m ju1m mentioned this pull request Dec 5, 2025
Development

Successfully merging this pull request may close these issues.

Running with nix

3 participants