nginx: remove deprecated X-XSS-Protection header
# NixOS host configuration for the SourceHut (sr.ht) forge.
# The sr.ht daemons listen on localhost behind nginx; every secret is
# referenced by file path only and comes from the project-local
# security.gnupg module, which is not part of this file.
{ pkgs, lib, config, ... }:
let
  inherit (config) networking;
  # `sourcehut` is inherited but not read anywhere below; only `nginx` is used
  # (for nginx.configs.https_add_headers).
  inherit (config.services) nginx sourcehut;
  inherit (config.security) gnupg;
  # Public domain of the forge; per-service hosts are <service>.${domain}.
  domain = "code.${networking.domain}";
in
{
  # Secrets handed to sr.ht as paths (gnupg.secrets.<name>.path below).
  # Each secret's unit is ordered before, and pulled in by, the listed sr.ht
  # services, so the decrypted file is in place before they start.
  # NOTE(review): the list names listsrht.service although lists.enable is
  # commented out below, and no builds/hub/... units — presumably harmless,
  # but it needs extending when further services are enabled.
  security.gnupg.secrets = lib.genAttrs [
    "sourcehut/network-key"
    "sourcehut/service-key"
    "sourcehut/webhook-key"
    "sourcehut/oauth-client-secret"
  ]
    (_p:
      let
        srhts = [
          "metasrht.service"
          "metasrht-api.service"
          "gitsrht.service"
          "listsrht.service"
          "todosrht.service"
          "todosrht-lmtp.service"
        ];
      in
      {
        systemdConfig.before = srhts;
        systemdConfig.wantedBy = srhts;
      });
  # S3-compatible object storage for sr.ht; currently disabled (enable is
  # commented out).
  # NOTE(review): accessKey/secretKey are placeholder literals in a tracked
  # file. Before enabling, supply real credentials through gnupg.secrets like
  # the keys above, and check how services.minio stores these options — they
  # likely end up in the world-readable Nix store.
  services.minio = {
    #enable = true;
    accessKey = "12345";
    secretKey = "12345678";
    #region = "";
    browser = true;
  };
  #environment.systemPackages = [ pkgs.minio-client ];
  services.sourcehut = {
    enable = true;
    # The sr.ht daemons bind to localhost only; nginx (enabled below) is the
    # public entry point.
    listenAddress = "localhost";
    builds = {
      #enable = true;
      #enableWorker = true;
      # Build image definition kept ready although builds.sr.ht itself is
      # disabled above.
      images.nixos.unstable.x86_64 =
        import sourcehut/builds/nixos-unstable.nix
          "x86_64-linux"
          { inherit pkgs lib config; };
    };

    # Only meta.sr.ht and todo.sr.ht are enabled; the other services keep
    # their settings further down for when they are switched on.
    #dispatch.enable = true;
    #git.enable = true;
    #hub.enable = true;
    meta.enable = true;
    meta.port = 4999;
    #man.enable = true;
    #pages.enable = true;
    #paste.enable = true;
    todo.enable = true;
    #lists.enable = true;

    postgresql.enable = true;
    postfix.enable = true;
    redis.enable = true;
    nginx.enable = true;
    # The sr.ht virtual hosts reuse the host-wide ACME certificate.
    nginx.virtualHost = {
      useACMEHost = networking.domain;
    };
    settings = {
      "sr.ht" = {
        environment = "production";
        global-domain = domain;
        owner-email = "julm+srht@sourcephile.fr";
        owner-name = "Sourcephile";
        site-blurb = "a simple free software forge";
        site-info = "https://${domain}";
        site-name = "Sourcephile";
        # Generate with:
        # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen network
        network-key = gnupg.secrets."sourcehut/network-key".path;
        # Generate with:
        # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen service
        service-key = gnupg.secrets."sourcehut/service-key".path;
        #redis-host = "redis://localhost:6379/";
      };
      # Object storage settings; only meaningful once services.minio is on.
      objects = {
        s3-upstream = "localhost";
        s3-access-key = "12345";
        # NOTE(review): pkgs.writeText creates this file in the Nix store,
        # which is world-readable, so the placeholder must never be replaced
        # by a real key in place; route it through gnupg.secrets.<name>.path
        # like the other secrets in this file.
        s3-secret-key = pkgs.writeText "s3-secret-key" "12345678";
      };
      # Admin accounts are created by hand, e.g.:
      # nix shell nixpkgs#sourcehut.metasrht -c metasrht-manageuser -t admin -e mymail@gmail.com misuzu
      # Every service below except git.sr.ht shares one OAuth client id and
      # the same client-secret file.
      # NOTE(review): with a single shared client credential, any one service
      # exposing it exposes all of them — confirm whether per-service clients
      # are intended; git.sr.ht's "gitsrht" id also looks inconsistent with
      # the others — TODO confirm.
      "builds.sr.ht" = {
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
        allow-free = true;
      };
      "dispatch.sr.ht" = {
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
      };
      "pages.sr.ht" = {
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
        s3-bucket = "pagesbuck";
      };
      "paste.sr.ht" = {
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
      };
      "man.sr.ht" = {
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
      };
      "meta.sr.ht" = { };
      "meta.sr.ht::settings" = {
        onboarding-redirect = "https://meta.${domain}";
        # Self-registration is off; accounts are created with the
        # metasrht-manageuser command noted above.
        registration = false;
      };
      "meta.sr.ht::api" = {
        # Left at the upstream default; the commented value only shows the
        # expected shape.
        #internal-ipnet= [ "127.0.0.0/8" "::1/128" "192.168.0.0/16" "10.0.0.0/8"];
      };
      "todo.sr.ht" = {
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
      };
      "git.sr.ht" = {
        outgoing-domain = "https://git.${domain}";
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "gitsrht";
      };
      "hub.sr.ht" = {
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
      };
      "lists.sr.ht" = {
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
      };
      "lists.sr.ht::worker" = {
        #sock = "/var/lib/postfix/queue/private/srht-lmtp";
      };
      # Generate with:
      # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen webhook
      # Only the path to the key belongs here. NOTE(review): a literal key
      # value used to be kept on a commented-out line at this spot; it is in
      # the repository history, so that value has to be treated as exposed.
      webhooks.private-key = gnupg.secrets."sourcehut/webhook-key".path;
      mail = {
        # Unauthenticated submission to the local postfix enabled above.
        smtp-host = "localhost";
        smtp-port = 25;
        smtp-user = null;
        smtp-password = null;
        smtp-from = "julm+hut@${networking.domain}";
        error-to = "julm+hut+error@${networking.domain}";
        error-from = "julm+hut+error@${networking.domain}";
        # No PGP key configured; presumably outgoing mail is sent unsigned.
        pgp-privkey = null;
        pgp-pubkey = null;
        pgp-key-id = null;
      };
    };
  };
  # sr.ht state lives on its own ZFS dataset.
  fileSystems."/var/lib/sourcehut" = {
    device = "rpool/var/sourcehut";
    fsType = "zfs";
  };
  # 31 daily snapshots are retained; the schedule itself comes from the
  # "snap" sanoid template defined elsewhere.
  services.sanoid.datasets = {
    "rpool/var/sourcehut" = {
      use_template = [ "snap" ];
      daily = 31;
    };
  };
  services.nginx = {
    # Presumably older *.hut.<domain> hostnames: each one redirects to the
    # matching *.code.<domain> host.
    # NOTE(review): the dots before "hut" and in the domain are unescaped, so
    # the regex also matches any single character there; "\\.hut" (Nix
    # escaping) would be exact — TODO.
    virtualHosts."~^(?<subdomain>[^.]+).hut.${networking.domain}" = {
      forceSSL = true;
      useACMEHost = networking.domain;
      globalRedirect = "$subdomain.code.${networking.domain}";
    };
    virtualHosts."meta.${domain}" = {
      # CORS for /query (presumably the meta.sr.ht API endpoint), forced over
      # whatever the sourcehut module sets for this location. The host-wide
      # headers from nginx.configs.https_add_headers are repeated in both
      # branches because nginx drops inherited add_header directives as soon
      # as a block defines its own.
      # Allow-Origin '*' lets any site read responses, but browsers never send
      # cookies with a wildcard origin, and Authorization is absent from
      # Allow-Headers, so authenticated cross-origin calls fail at preflight —
      # confirm this is the intended scope.
      locations."/query".extraConfig = lib.mkForce ''
        if ($request_method = 'OPTIONS') {
          ${nginx.configs.https_add_headers}
          add_header 'Access-Control-Allow-Origin' '*';
          add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
          add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
          add_header 'Access-Control-Max-Age' 1728000;
          add_header 'Content-Type' 'text/plain; charset=utf-8';
          add_header 'Content-Length' 0;
          return 204;
        }

        ${nginx.configs.https_add_headers}
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
      '';
    };
  };
}