hosts/mermet/sourcehut.nix

   1 { pkgs, lib, config, ... }:
   2 let
   3   inherit (config) networking;
   4   inherit (config.services) nginx sourcehut;
   5   inherit (config.users) users groups;
   6   inherit (config.security) gnupg;
   7   domain = "code.${networking.domain}";
   8 in
   9 {
  10 security.gnupg.secrets = lib.genAttrs [
  11     "sourcehut/network-key"
  12     "sourcehut/service-key"
  13     "sourcehut/webhook-key"
  14     "sourcehut/oauth-client-secret"
  15   ] (p: let srhts = [
  16     "metasrht.service"
  17     "metasrht-api.service"
  18     "gitsrht.service"
  19     "listsrht.service"
  20     "todosrht.service"
  21     "todosrht-lmtp.service"
  22   ]; in {
  23   systemdConfig.before = srhts;
  24   systemdConfig.wantedBy = srhts;
  25 });
  26 services.minio = {
  27   #enable = true;
  28   accessKey = "12345";
  29   secretKey = "12345678";
  30   #region = "";
  31   browser = true;
  32 };
  33 #environment.systemPackages = [ pkgs.minio-client ];
  34 services.sourcehut = {
  35   enable = true;
  36   listenAddress = "localhost";
  37   builds = {
  38     #enable = true;
  39     #enableWorker = true;
  40     images.nixos.unstable.x86_64 =
  41       import sourcehut/builds/nixos-unstable.nix
  42         "x86_64-linux" { inherit pkgs lib config; };
  43   };
  44
  45   #dispatch.enable = true;
  46   git.enable = true;
  47   #hub.enable = true;
  48   meta.enable = true;
  49   meta.port = 4999;
  50   #man.enable = true;
  51   #pages.enable = true;
  52   #paste.enable = true;
  53   todo.enable = true;
  54   #lists.enable = true;
  55
  56   postgresql.enable = true;
  57   postfix.enable = true;
  58   redis.enable = true;
  59   nginx.enable = true;
  60   nginx.virtualHost = {
  61     useACMEHost = networking.domain;
  62   };
  63   settings = {
  64     "sr.ht" = {
  65       environment = "production";
  66       global-domain = domain;
  67       owner-email = "julm+srht@sourcephile.fr";
  68       owner-name = "Sourcephile";
  69       site-blurb = "a simple free software forge";
  70       site-info = "https://${domain}";
  71       site-name = "Sourcephile";
  72       # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen network
  73       network-key = gnupg.secrets."sourcehut/network-key".path;
  74       # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen service
  75       service-key = gnupg.secrets."sourcehut/service-key".path;
  76       #redis-host = "redis://localhost:6379/";
  77     };
  78     objects = {
  79       s3-upstream = "localhost";
  80       s3-access-key = "12345";
  81       s3-secret-key = pkgs.writeText "s3-secret-key" "12345678";
  82     };
  83     # nix shell nixpkgs#sourcehut.metasrht -c metasrht-manageuser -t admin -e mymail@gmail.com misuzu
  84     "builds.sr.ht" = {
  85       oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
  86       oauth-client-id = "299db9f9c2013170";
  87       allow-free = true;
  88     };
  89     "dispatch.sr.ht" = {
  90       oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
  91       oauth-client-id = "299db9f9c2013170";
  92     };
  93     "pages.sr.ht" = {
  94       oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
  95       oauth-client-id = "299db9f9c2013170";
  96       s3-bucket = "pagesbuck";
  97     };
  98     "paste.sr.ht" = {
  99       oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
 100       oauth-client-id = "299db9f9c2013170";
 101     };
 102     "man.sr.ht" = {
 103       oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
 104       oauth-client-id = "299db9f9c2013170";
 105     };
 106     "meta.sr.ht" = {
 107     };
 108     "meta.sr.ht::settings" = {
 109       onboarding-redirect = "https://meta.${domain}";
 110       registration = false;
 111     };
 112     "meta.sr.ht::api" = {
 113       #internal-ipnet= [ "127.0.0.0/8" "::1/128" "192.168.0.0/16" "10.0.0.0/8"];
 114     };
 115     "todo.sr.ht" = {
 116       oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
 117       oauth-client-id = "299db9f9c2013170";
 118     };
 119     "git.sr.ht" = {
 120       outgoing-domain = "https://git.${domain}";
 121       oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
 122       oauth-client-id = "gitsrht";
 123     };
 124     "hub.sr.ht" = {
 125       oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
 126       oauth-client-id = "299db9f9c2013170";
 127     };
 128     "lists.sr.ht" = {
 129       oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
 130       oauth-client-id = "299db9f9c2013170";
 131     };
 132     "lists.sr.ht::worker" = {
 133       #sock = "/var/lib/postfix/queue/private/srht-lmtp";
 134     };
 135     # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen webhook
 136     #webhooks.private-key= "U7yd/8mGs/v0O3kId4jpeSghUCa9tqP1fYQwSV8UOqo=";
 137     webhooks.private-key = gnupg.secrets."sourcehut/webhook-key".path;
 138     mail = {
 139       smtp-host = "localhost";
 140       smtp-port = 25;
 141       smtp-user = null;
 142       smtp-password = null;
 143       smtp-from = "julm+hut@${networking.domain}";
 144       error-to = "julm+hut+error@${networking.domain}";
 145       error-from = "julm+hut+error@${networking.domain}";
 146       pgp-privkey = null;
 147       pgp-pubkey = null;
 148       pgp-key-id = null;
 149     };
 150   };
 151 };
 152 fileSystems."/var/lib/sourcehut" = {
 153   device = "rpool/var/sourcehut";
 154   fsType = "zfs";
 155 };
 156 services.sanoid.datasets = {
 157   "rpool/var/sourcehut" = {
 158     use_template = [ "snap" ];
 159     daily = 31;
 160   };
 161 };
 162 services.nginx = {
 163   virtualHosts."~^(?<subdomain>[^.]+).hut.${networking.domain}" = {
 164     forceSSL = true;
 165     useACMEHost = networking.domain;
 166     globalRedirect = "$subdomain.code.${networking.domain}";
 167   };
 168   virtualHosts."meta.${domain}" = {
 169     locations."/query".extraConfig = lib.mkForce ''
 170       if ($request_method = 'OPTIONS') {
 171         ${nginx.configs.https_add_headers}
 172         add_header 'Access-Control-Allow-Origin' '*';
 173         add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
 174         add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
 175         add_header 'Access-Control-Max-Age' 1728000;
 176         add_header 'Content-Type' 'text/plain; charset=utf-8';
 177         add_header 'Content-Length' 0;
 178         return 204;
 179       }
 180
 181       ${nginx.configs.https_add_headers}
 182       add_header 'Access-Control-Allow-Origin' '*';
 183       add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
 184       add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
 185       add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
 186     '';
 187   };
 188 };
 189 }