nftables: revamp to declarative configuration
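{ pkgs, lib, config, ... }:
# Sourcehut forge on this host, served over plain HTTP under the private
# `sourcephile.wg` domain (presumably reachable only over the VPN — confirm).
# Only git.sr.ht and meta.sr.ht are enabled; the other services keep their
# settings so they can be switched on without rewriting this file.
let
  inherit (config.services) sourcehut;
  inherit (config.users) users groups;
  inherit (config.security) gnupg;
  domain = "sourcephile.wg";
  sourcehut-services = [
    "builds"
    "dispatch"
    "git"
    "hg"
    "hub"
    "lists"
    "meta"
    "man"
    "paste"
    "pages"
    "todo"
  ];
  # OAuth client registered on meta.sr.ht and shared by every dependent
  # service. The secret is referenced as a file path decrypted by
  # security.gnupg at boot, never as an inline value.
  oauth = {
    oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
    oauth-client-id = "299db9f9c2013170";
  };
  # nginx vhost override: everything on this host is served over plain HTTP.
  # mkForce is needed because forceSSL is set elsewhere (presumably by the
  # sourcehut module) — confirm.
  plainHTTP = { forceSSL = lib.mkForce false; };
  # Every sourcehut vhost that must not redirect to HTTPS. This is an
  # explicit list rather than `sourcehut-services`: hg has no vhost here
  # and logs is not a sourcehut service.
  plainHTTPHosts = [
    "builds"
    "dispatch"
    "git"
    "hub"
    "lists"
    "logs"
    "man"
    "paste"
    "pages"
    "todo"
    "meta"
  ];
in
{
  #boot.isContainer = true;
  #networking.firewall.allowedTCPPorts = [ 80 ];
  networking.hosts = {
    "192.168.42.2" = [ domain ] ++ map (d: "${d}.${domain}") sourcehut-services;
  };
  # Egress filtering: only the meta.sr.ht service user may open outbound
  # SMTP connections; every other local user is left to the chain's policy.
  # NOTE(review): mail.smtp-host below is "localhost"; whether loopback
  # traffic traverses output-net depends on how that chain is hooked
  # elsewhere in the ruleset — confirm.
  networking.nftables.ruleset = ''
    table inet filter {
      chain output-net {
        skuid ${sourcehut.meta.user} \
        tcp dport smtp counter \
        accept comment "sourcehut: SMTP"
      }
    }
  '';
  # Secrets decrypted at boot, ordered before the units that read them.
  # Only metasrht and gitsrht are listed because those are the enabled
  # services; enabling another *srht service requires adding its unit here,
  # otherwise it may start before its key file exists.
  security.gnupg.secrets = lib.genAttrs [
    "sourcehut/network-key"
    "sourcehut/service-key"
    "sourcehut/webhook-key"
    "sourcehut/oauth-client-secret"
  ] (p: {
    systemdConfig.before = [ "metasrht.service" "gitsrht.service" ];
    systemdConfig.wantedBy = [ "metasrht.service" "gitsrht.service" ];
  });
  # Local S3-compatible object store (used by pages.sr.ht, see s3-bucket).
  # NOTE(review): these are placeholder credentials committed in clear and
  # copied into the world-readable /nix/store. The listen address is left at
  # the module default, so confirm minio is not reachable beyond this host
  # (including from the build VMs) before relying on them.
  services.minio = {
    enable = true;
    accessKey = "12345";
    secretKey = "12345678";
    #region = "";
    browser = true;
  };
  environment.systemPackages = [ pkgs.minio-client ];
  services.sourcehut = {
    enable = true;
    # Web services bind to loopback; nginx fronts them.
    listenAddress = "localhost";
    builds = {
      #enable = true;
      enableWorker = true;
      # NixOS guest image for the build worker. It is deliberately wide open
      # (empty root/build passwords, passwordless sudo, root ssh) because a
      # build runs in a throw-away VM; that is only acceptable while the VM
      # network (10.0.2.0/25, presumably qemu user-mode networking) is not
      # reachable from outside the worker — confirm.
      images.nixos.unstable.x86_64 = let
        systemConfig = { pkgs, ... }: {
          # passwordless ssh server
          services.openssh = {
            enable = true;
            permitRootLogin = "yes";
            extraConfig = "PermitEmptyPasswords yes";
          };

          users = {
            mutableUsers = false;
            # build user
            extraUsers."build" = {
              isNormalUser = true;
              uid = 1000;
              extraGroups = [ "wheel" ];
              password = "";
            };
            users.root.password = "";
          };

          security.sudo.wheelNeedsPassword = false;
          # The build user must be able to push to the store as the build runs.
          nix.settings.trusted-users = [ "root" "build" ];
          documentation.nixos.enable = false;

          # builds.sr.ht-image-specific network settings
          networking = {
            hostName = "build";
            dhcpcd.enable = false;
            defaultGateway.address = "10.0.2.2";
            usePredictableInterfaceNames = false; # so that we just get eth0 and not some weird id
            interfaces."eth0".ipv4.addresses = [{
              address = "10.0.2.15";
              prefixLength = 25;
            }];
            enableIPv6 = false;
            nameservers = [
              # OpenNIC anycast
              "185.121.177.177"
              "169.239.202.202"
              # Google as a fallback :(
              "8.8.8.8"
            ];
            firewall.allowedTCPPorts = [ 22 ]; # allow ssh
          };

          environment.systemPackages = [
            pkgs.gitMinimal
            #pkgs.mercurial
            pkgs.curl
            pkgs.gnupg
          ];
        };
        qemuConfig = { pkgs, ... }: {
          imports = [ systemConfig ];
          fileSystems."/".device = "/dev/disk/by-label/nixos";
          boot.initrd.availableKernelModules = [
            "ahci"
            "ehci_pci"
            "sd_mod"
            "usb_storage"
            "usbhid"
            "virtio_balloon"
            "virtio_blk"
            "virtio_pci"
            "virtio_ring"
            "xhci_pci"
          ];
          boot.loader = {
            grub = {
              version = 2;
              device = "/dev/vda";
            };
            timeout = 0;
          };
        };
        # Evaluate the guest configuration with the host's nixpkgs.
        # Shadows the outer `config` on purpose: make-disk-image wants the guest's.
        config = (import (pkgs.path + "/nixos/lib/eval-config.nix") {
          inherit pkgs; modules = [ qemuConfig ];
          system = "x86_64-linux";
        }).config;
      in
      import (pkgs.path + "/nixos/lib/make-disk-image.nix") {
        inherit pkgs lib config;
        diskSize = 16000;
        format = "qcow2-compressed";
        contents = [
          { source = pkgs.writeText "gitconfig" ''
              [user]
              name = builds.sr.ht
              email = build@sr.ht
            '';
            target = "/home/build/.gitconfig";
            user = "build";
            group = "users";
            mode = "644";
          }
        ];
      };
    };

    #dispatch.enable = true;
    git.enable = true;
    #hub.enable = true;
    meta.enable = true;
    meta.port = 4999;
    #man.enable = true;
    #pages.enable = true;
    #paste.enable = true;
    #todo.enable = true;
    #lists.enable = true;

    postgresql.enable = true;
    postfix.enable = true;
    redis.enable = true;
    nginx.enable = true;
    settings = {
      "sr.ht" = {
        environment = "production";
        global-domain = domain;
        origin = "http://${domain}";
        owner-email = "julm+srht@sourcephile.fr";
        owner-name = "Sourcephile";
        site-blurb = "software forge";
        site-info = "http://${domain}";
        site-name = "Sourcephile";
        # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen network
        network-key = gnupg.secrets."sourcehut/network-key".path;
        # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen service
        service-key = gnupg.secrets."sourcehut/service-key".path;
      };
      objects = {
        s3-upstream = "localhost";
        s3-access-key = "12345";
        # NOTE(review): pkgs.writeText places this value in the world-readable
        # /nix/store; route it through security.gnupg.secrets like the other
        # keys. It must stay equal to services.minio.secretKey above.
        s3-secret-key = pkgs.writeText "s3-secret-key" "12345678";
      };
      # nix shell nixpkgs#sourcehut.metasrht -c metasrht-manageuser -t admin -e mymail@gmail.com misuzu
      "builds.sr.ht" = oauth // {
        origin = "http://builds.${domain}";
        allow-free = true;
      };
      "dispatch.sr.ht" = oauth // {
        origin = "http://dispatch.${domain}";
      };
      "pages.sr.ht" = oauth // {
        origin = "http://pages.${domain}";
        s3-bucket = "pagesbuck";
      };
      "paste.sr.ht" = oauth // {
        origin = "http://paste.${domain}";
      };
      "man.sr.ht" = oauth // {
        origin = "http://man.${domain}";
      };
      "meta.sr.ht" = {
        origin = "http://meta.${domain}";
        api-origin = "http://localhost:5099";
      };
      "meta.sr.ht::settings" = {
        onboarding-redirect = "http://meta.${domain}";
        # Open self-registration; relies on the meta vhost being reachable
        # only from the private domain's network — confirm.
        registration = true;
      };
      "meta.sr.ht::api" = {
        # This is a temporary workaround
        # Requests from these ranges are treated as internal by the API.
        # Both RFC 1918 ranges are listed wholesale; narrow them once the
        # workaround is no longer needed.
        internal-ipnet = [ "127.0.0.0/8" "::1/128" "192.168.0.0/16" "10.0.0.0/8" ];
      };
      "todo.sr.ht" = oauth // {
        origin = "http://todo.${domain}";
      };
      "git.sr.ht" = oauth // {
        origin = "http://git.${domain}";
        outgoing-domain = "http://git.${domain}";
        #repos = "/var/lib/git";
      };
      "hub.sr.ht" = oauth // {
        origin = "http://hub.${domain}";
      };
      "lists.sr.ht" = oauth // {
        origin = "http://lists.${domain}";
      };
      "lists.sr.ht::worker" = {
        #sock = "/var/lib/postfix/queue/private/srht-lmtp";
      };
      # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen webhook
      # NOTE(review): an inline value of this key used to sit here in a
      # commented line; treat that key as disclosed by the repository history
      # and keep the generated one only in the gnupg secret below.
      webhooks.private-key = gnupg.secrets."sourcehut/webhook-key".path;
      mail = {
        # Local postfix relay; no SMTP authentication and no PGP signing.
        smtp-host = "localhost";
        smtp-port = 25;
        smtp-user = null;
        smtp-password = null;
        smtp-from = "sourcehut@sourcephile.fr";
        error-to = "julm+sourcehut+error@sourcephile.fr";
        error-from = "sourcehut+error@sourcephile.fr";
        pgp-privkey = null;
        pgp-pubkey = null;
        pgp-key-id = null;
      };
    };
  };
  # Plain HTTP on every sourcehut vhost plus the bare domain.
  # The meta vhost used to carry a commented-out extraConfig pointing
  # access_log/error_log at /var/log/nginx/<domain>/meta/; re-add it as an
  # explicit "meta.${domain}" entry if per-vhost logging is wanted again.
  services.nginx.virtualHosts =
    lib.genAttrs (map (s: "${s}.${domain}") plainHTTPHosts) (_: plainHTTP)
    // {
      "${domain}" = plainHTTP;
    };
  # Disabled: former postStart hook granting each service user CREATE/USAGE
  # on the public schema of its own database (and sshsrht on meta's). Kept
  # for reference only; nothing in this block is evaluated.
  systemd.services.postgresql = {
    /*
    connection_limit=64 \
    encoding=UTF8 \
    lc_collate=fr_FR.UTF-8 \
    lc_type=fr_FR.UTF-8 \
    owner="${sourcehut.git.postgresql.database}" \
    pg_createdb "${sourcehut.git.postgresql.database}" >/dev/null </dev/null

    pg_adduser "${sourcehut.git.postgresql.database}" "${sourcehut.git.postgresql.database}" >/dev/null
    postStart = lib.mkAfter ''
      $PSQL -d "${sourcehut.builds.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.builds.user}";
      EOF
      $PSQL -d "${sourcehut.dispatch.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.dispatch.user}";
      EOF
      $PSQL -d "${sourcehut.git.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.git.user}";
      EOF
      $PSQL -d "${sourcehut.hub.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.hub.user}";
      EOF
      $PSQL -d "${sourcehut.man.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.man.user}";
      EOF
      $PSQL -d "${sourcehut.meta.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.meta.user}";
      GRANT USAGE,CREATE ON schema public TO "${users.sshsrht.name}";
      EOF
      $PSQL -d "${sourcehut.pages.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.pages.user}";
      EOF
      $PSQL -d "${sourcehut.paste.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.paste.user}";
      EOF
      $PSQL -d "${sourcehut.todo.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.todo.user}";
      EOF
      $PSQL -d "${sourcehut.lists.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.lists.user}";
      EOF
    '';
    */
  };
}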