1 { config, lib, pkgs, ... }:
5 cfg = config.services.sourcehut;
8 statePath = "/var/lib/sourcehut/hgsrht";
10 rcfg = config.services.redis;
11 drv = pkgs.sourcehut.hgsrht;
14 options.services.sourcehut.hg = {
15 enable = mkEnableOption "git service";
31 Port on which the "hg" module should listen.
39 PostgreSQL database name for hg.sr.ht.
43 cloneBundles = mkOption {
47 Generate clonebundles (which require more disk space but dramatically speed up cloning large repositories).
52 config = with scfg; lib.mkIf (cfg.enable && scfg.enable) {
53 # In case it ever comes into being
54 environment.etc."ssh/hgsrht-dispatch" = {
57 #! ${pkgs.stdenv.shell}
58 ${cfg.python}/bin/gitsrht-dispatch "$@"
62 environment.systemPackages = [ pkgs.mercurial ];
69 # Assuming hg.sr.ht needs this too
71 description = "hg.sr.ht user";
81 cron.systemCronJobs = [ "*/20 * * * * ${cfg.python}/bin/hgsrht-periodic" ]
82 ++ optional cloneBundles "0 * * * * ${cfg.python}/bin/hgsrht-clonebundles";
84 openssh.authorizedKeysCommand = ''/etc/ssh/hgsrht-dispatch "%u" "%h" "%t" "%k"'';
85 openssh.authorizedKeysCommandUser = "root";
86 openssh.extraConfig = ''
87 PermitUserEnvironment SRHT_*
92 local ${database} ${user} trust
94 ensureDatabases = [ database ];
98 ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; };
106 # /var/log is owned by root
107 "f /var/log/hg-srht-shell 0644 ${user} ${user} -"
109 "d ${cfg.settings."${iniKey}".repos} 2755 ${user} ${user} -"
112 services.hgsrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey {
113 after = [ "redis.service" "postgresql.service" "network.target" ];
114 requires = [ "redis.service" "postgresql.service" ];
115 wantedBy = [ "multi-user.target" ];
117 path = [ pkgs.mercurial ];
118 description = "hg.sr.ht website service";
120 serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}";
124 services.sourcehut.settings = {
125 # The authorized keys hook uses this to dispatch to various handlers
126 # The format is a program to exec into as the key, and the user to match as the
127 # value. When someone tries to log in as this user, this program is executed
128 # and is expected to emit an AuthorizedKeys file.
130 # Uncomment the relevant lines to enable the various sr.ht dispatchers.
131 "hg.sr.ht::dispatch"."/run/current-system/sw/bin/hgsrht-keys" = mkDefault "${user}:${user}";
134 # TODO: requires testing and addition of hg-specific requirements
135 services.nginx.virtualHosts."hg.${cfg.originBase}" = {
137 locations."/".proxyPass = "http://${cfg.address}:${toString port}";
138 locations."/query".proxyPass = cfgIni."meta.sr.ht".api-origin;
139 locations."/static".root = "${pkgs.sourcehut.hgsrht}/${pkgs.sourcehut.python.sitePackages}/hgsrht";