]> Git — Sourcephile - sourcephile-nix.git/blob - nixos/modules/services/misc/sourcehut/hg.nix
knot: disable secondary_muarf which has been down for 3 months
[sourcephile-nix.git] / nixos / modules / services / misc / sourcehut / hg.nix
1 { config, lib, pkgs, ... }:
2
3 with lib;
4 let
5 cfg = config.services.sourcehut;
6 scfg = cfg.hg;
7 iniKey = "hg.sr.ht";
8 statePath = "/var/lib/sourcehut/hgsrht";
9
10 rcfg = config.services.redis;
11 drv = pkgs.sourcehut.hgsrht;
12 in
13 {
14 options.services.sourcehut.hg = {
15 user = mkOption {
16 type = types.str;
17 internal = true;
18 readOnly = true;
19 default = "hg";
20 description = ''
21 User for hg.sr.ht.
22 '';
23 };
24
25 port = mkOption {
26 type = types.port;
27 default = 5010;
28 description = ''
29 Port on which the "hg" module should listen.
30 '';
31 };
32
33 database = mkOption {
34 type = types.str;
35 default = "hg.sr.ht";
36 description = ''
37 PostgreSQL database name for hg.sr.ht.
38 '';
39 };
40
41 cloneBundles = mkOption {
42 type = types.bool;
43 default = false;
44 description = ''
45 Generate clonebundles (which require more disk space but dramatically speed up cloning large repositories).
46 '';
47 };
48 };
49
50 config = with scfg; lib.mkIf (cfg.enable && elem "hg" cfg.services) {
51 # In case it ever comes into being
52 environment.etc."ssh/hgsrht-dispatch" = {
53 mode = "0755";
54 text = ''
55 #! ${pkgs.stdenv.shell}
56 ${cfg.python}/bin/gitsrht-dispatch $@
57 '';
58 };
59
60 environment.systemPackages = [ pkgs.mercurial ];
61
62 users = {
63 users = {
64 "${user}" = {
65 isSystemUser = true;
66 group = user;
67 # Assuming hg.sr.ht needs this too
68 shell = pkgs.bash;
69 description = "hg.sr.ht user";
70 };
71 };
72
73 groups = {
74 "${user}" = { };
75 };
76 };
77
78 services = {
79 cron.systemCronJobs = [ "*/20 * * * * ${cfg.python}/bin/hgsrht-periodic" ]
80 ++ optional cloneBundles "0 * * * * ${cfg.python}/bin/hgsrht-clonebundles";
81
82 openssh.authorizedKeysCommand = ''/etc/ssh/hgsrht-dispatch "%u" "%h" "%t" "%k"'';
83 openssh.authorizedKeysCommandUser = "root";
84 openssh.extraConfig = ''
85 PermitUserEnvironment SRHT_*
86 '';
87
88 postgresql = {
89 authentication = ''
90 local ${database} ${user} trust
91 '';
92 ensureDatabases = [ database ];
93 ensureUsers = [
94 {
95 name = user;
96 ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; };
97 }
98 ];
99 };
100 };
101
102 systemd = {
103 tmpfiles.rules = [
104 # /var/log is owned by root
105 "f /var/log/hg-srht-shell 0644 ${user} ${user} -"
106
107 "d ${cfg.settings."${iniKey}".repos} 2755 ${user} ${user} -"
108 ];
109
110 services.hgsrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey {
111 after = [ "redis.service" "postgresql.service" "network.target" ];
112 requires = [ "redis.service" "postgresql.service" ];
113 wantedBy = [ "multi-user.target" ];
114
115 path = [ pkgs.mercurial ];
116 description = "hg.sr.ht website service";
117
118 serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}";
119 };
120 };
121
122 services.sourcehut.settings = {
123 # The authorized keys hook uses this to dispatch to various handlers
124 # The format is a program to exec into as the key, and the user to match as the
125 # value. When someone tries to log in as this user, this program is executed
126 # and is expected to omit an AuthorizedKeys file.
127 #
128 # Uncomment the relevant lines to enable the various sr.ht dispatchers.
129 "hg.sr.ht::dispatch"."/run/current-system/sw/bin/hgsrht-keys" = mkDefault "${user}:${user}";
130 };
131
132 # TODO: requires testing and addition of hg-specific requirements
133 services.nginx.virtualHosts."hg.${cfg.originBase}" = {
134 forceSSL = true;
135 locations."/".proxyPass = "http://${cfg.address}:${toString port}";
136 locations."/query".proxyPass = "http://${cfg.address}:${toString (port + 100)}";
137 locations."/static".root = "${pkgs.sourcehut.hgsrht}/${pkgs.sourcehut.python.sitePackages}/hgsrht";
138 };
139 };
140 }