losurdo: drop gnupg at runtime in favor of systemd-creds
{ pkgs, lib, config, ... }:
let
  inherit (config) networking;
  inherit (config.services) nginx;
  inherit (config.security) gnupg;

  # Public name under which the forge is served; sub-services hang off it.
  domain = "code.${networking.domain}";

  # Units that read the gnupg-managed secrets.  Every secret is ordered
  # before, and wanted by, all of them so no service starts without its key.
  srhtUnits = [
    "metasrht.service"
    "metasrht-api.service"
    "gitsrht.service"
    "listsrht.service"
    "todosrht.service"
    "todosrht-lmtp.service"
  ];

  # Filesystem path of a decrypted secret under sourcehut/.  Only the path
  # is placed in the configuration, so the secret material itself never
  # lands in the world-readable /nix/store.
  secretPath = name: gnupg.secrets."sourcehut/${name}".path;

  # OAuth client used by the sub-services that register against meta.sr.ht.
  # git.sr.ht is the one service that overrides the client id below.
  oauthClient = {
    oauth-client-secret = secretPath "oauth-client-secret";
    oauth-client-id = "299db9f9c2013170";
  };
in
{
  security.gnupg.secrets =
    lib.genAttrs
      (map (name: "sourcehut/${name}") [
        "network-key"
        "service-key"
        "webhook-key"
        "oauth-client-secret"
      ])
      (_: {
        systemdConfig = {
          before = srhtUnits;
          wantedBy = srhtUnits;
        };
      });

  # Object storage (currently disabled).
  # NOTE(review): accessKey/secretKey are placeholders given as plain strings
  # in the module config; depending on how the minio module renders them they
  # may end up in the Nix store once enable is set.  Move them to a secret
  # path, like the sourcehut keys below, before enabling the service.
  services.minio = {
    #enable = true;
    accessKey = "12345";
    secretKey = "12345678";
    #region = "";
    browser = true;
  };
  #environment.systemPackages = [ pkgs.minio-client ];

  services.sourcehut = {
    enable = true;
    # Backends listen on loopback only; nginx terminates TLS in front of them.
    listenAddress = "localhost";

    builds = {
      #enable = true;
      #enableWorker = true;
      images.nixos.unstable.x86_64 =
        import sourcehut/builds/nixos-unstable.nix
          "x86_64-linux" { inherit pkgs lib config; };
    };

    # Enabled sub-services; the rest stay defined below so they can be
    # switched on without touching the settings.
    #dispatch.enable = true;
    #git.enable = true;
    #hub.enable = true;
    meta.enable = true;
    meta.port = 4999;
    #man.enable = true;
    #pages.enable = true;
    #paste.enable = true;
    todo.enable = true;
    #lists.enable = true;

    postgresql.enable = true;
    postfix.enable = true;
    redis.enable = true;
    nginx.enable = true;
    nginx.virtualHost = {
      useACMEHost = networking.domain;
    };

    settings = {
      "sr.ht" = {
        environment = "production";
        global-domain = domain;
        owner-email = "julm+srht@sourcephile.fr";
        owner-name = "Sourcephile";
        site-blurb = "a simple free software forge";
        site-info = "https://${domain}";
        site-name = "Sourcephile";
        # Generated with:
        # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen network
        network-key = secretPath "network-key";
        # Generated with:
        # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen service
        service-key = secretPath "service-key";
        #redis-host = "redis://localhost:6379/";
      };

      objects = {
        s3-upstream = "localhost";
        s3-access-key = "12345";
        # NOTE(review): writeText stores this file in /nix/store, readable by
        # every local user and by anything that can fetch the closure.  It is
        # a placeholder today; switch to a secret path before object storage
        # is enabled.
        s3-secret-key = pkgs.writeText "s3-secret-key" "12345678";
      };

      # Accounts are created by hand, since registration is disabled below:
      # nix shell nixpkgs#sourcehut.metasrht -c metasrht-manageuser -t admin -e mymail@gmail.com misuzu
      "builds.sr.ht" = oauthClient // {
        # presumably lets users run builds without a paid plan — verify
        allow-free = true;
      };
      "dispatch.sr.ht" = oauthClient;
      "pages.sr.ht" = oauthClient // {
        s3-bucket = "pagesbuck";
      };
      "paste.sr.ht" = oauthClient;
      "man.sr.ht" = oauthClient;

      "meta.sr.ht" = {
      };
      "meta.sr.ht::settings" = {
        onboarding-redirect = "https://meta.${domain}";
        # No self-service sign-up: the only accounts are those created by
        # the operator.
        registration = false;
      };
      "meta.sr.ht::api" = {
        #internal-ipnet= [ "127.0.0.0/8" "::1/128" "192.168.0.0/16" "10.0.0.0/8"];
      };

      "todo.sr.ht" = oauthClient;
      "git.sr.ht" = oauthClient // {
        outgoing-domain = "https://git.${domain}";
        oauth-client-id = "gitsrht";
      };
      "hub.sr.ht" = oauthClient;
      "lists.sr.ht" = oauthClient;
      "lists.sr.ht::worker" = {
        #sock = "/var/lib/postfix/queue/private/srht-lmtp";
      };

      # Generated with:
      # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen webhook
      # NOTE(review): an earlier revision kept the key value inline in this
      # file; a key that has been committed should be treated as exposed and
      # regenerated, which is what the secret path below makes possible.
      webhooks.private-key = secretPath "webhook-key";

      mail = {
        # Unauthenticated submission to the local postfix instance.
        smtp-host = "localhost";
        smtp-port = 25;
        smtp-user = null;
        smtp-password = null;
        smtp-from = "julm+hut@${networking.domain}";
        error-to = "julm+hut+error@${networking.domain}";
        error-from = "julm+hut+error@${networking.domain}";
        # Outgoing mail is not PGP-signed.
        pgp-privkey = null;
        pgp-pubkey = null;
        pgp-key-id = null;
      };
    };
  };

  # State lives on its own ZFS dataset, snapshotted daily by sanoid.
  fileSystems."/var/lib/sourcehut" = {
    device = "rpool/var/sourcehut";
    fsType = "zfs";
  };
  services.sanoid.datasets = {
    "rpool/var/sourcehut" = {
      use_template = [ "snap" ];
      daily = 31;
    };
  };

  services.nginx = {
    # Legacy *.hut.<domain> names redirect to the matching *.code.<domain> host.
    virtualHosts."~^(?<subdomain>[^.]+).hut.${networking.domain}" = {
      forceSSL = true;
      useACMEHost = networking.domain;
      globalRedirect = "$subdomain.code.${networking.domain}";
    };

    # The meta.sr.ht GraphQL endpoint: answer CORS preflight locally and
    # allow any origin to query it.  mkForce replaces whatever the sourcehut
    # module sets for this location.
    # NOTE(review): 'Access-Control-Allow-Origin *' is appropriate for a
    # public API; narrow it if this endpoint should not be reachable from
    # arbitrary origins.
    virtualHosts."meta.${domain}" = {
      locations."/query".extraConfig = lib.mkForce ''
        if ($request_method = 'OPTIONS') {
          ${nginx.configs.https_add_headers}
          add_header 'Access-Control-Allow-Origin' '*';
          add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
          add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
          add_header 'Access-Control-Max-Age' 1728000;
          add_header 'Content-Type' 'text/plain; charset=utf-8';
          add_header 'Content-Length' 0;
          return 204;
        }

        ${nginx.configs.https_add_headers}
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
      '';
    };
  };
}