hosts/mermet/sourcehut.nix

   1 { pkgs, lib, config, ... }:
   2 let
   3   inherit (config) networking;
   4   inherit (config.services) nginx sourcehut;
   5   inherit (config.security) gnupg;
   6   domain = "code.${networking.domain}";
   7 in
   8 {
   9   security.gnupg.secrets = lib.genAttrs [
  10     "sourcehut/network-key"
  11     "sourcehut/service-key"
  12     "sourcehut/webhook-key"
  13     "sourcehut/oauth-client-secret"
  14   ]
  15     (_p:
  16       let
  17         srhts = [
  18           "metasrht.service"
  19           "metasrht-api.service"
  20           "gitsrht.service"
  21           "listsrht.service"
  22           "todosrht.service"
  23           "todosrht-lmtp.service"
  24         ];
  25       in
  26       {
  27         systemdConfig.before = srhts;
  28         systemdConfig.wantedBy = srhts;
  29       });
  30   services.minio = {
  31     #enable = true;
  32     accessKey = "12345";
  33     secretKey = "12345678";
  34     #region = "";
  35     browser = true;
  36   };
  37   #environment.systemPackages = [ pkgs.minio-client ];
  38   services.sourcehut = {
  39     enable = true;
  40     listenAddress = "localhost";
  41     builds = {
  42       #enable = true;
  43       #enableWorker = true;
  44       images.nixos.unstable.x86_64 =
  45         import sourcehut/builds/nixos-unstable.nix
  46           "x86_64-linux"
  47           { inherit pkgs lib config; };
  48     };
  49
  50     #dispatch.enable = true;
  51     #git.enable = true;
  52     #hub.enable = true;
  53     meta.enable = true;
  54     meta.port = 4999;
  55     #man.enable = true;
  56     #pages.enable = true;
  57     #paste.enable = true;
  58     todo.enable = true;
  59     #lists.enable = true;
  60
  61     postgresql.enable = true;
  62     postfix.enable = true;
  63     redis.enable = true;
  64     nginx.enable = true;
  65     nginx.virtualHost = {
  66       useACMEHost = networking.domain;
  67     };
  68     settings = {
  69       "sr.ht" = {
  70         environment = "production";
  71         global-domain = domain;
  72         owner-email = "julm+srht@sourcephile.fr";
  73         owner-name = "Sourcephile";
  74         site-blurb = "a simple free software forge";
  75         site-info = "https://${domain}";
  76         site-name = "Sourcephile";
  77         # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen network
  78         network-key = gnupg.secrets."sourcehut/network-key".path;
  79         # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen service
  80         service-key = gnupg.secrets."sourcehut/service-key".path;
  81         #redis-host = "redis://localhost:6379/";
  82       };
  83       objects = {
  84         s3-upstream = "localhost";
  85         s3-access-key = "12345";
  86         s3-secret-key = pkgs.writeText "s3-secret-key" "12345678";
  87       };
  88       # nix shell nixpkgs#sourcehut.metasrht -c metasrht-manageuser -t admin -e mymail@gmail.com misuzu
  89       "builds.sr.ht" = {
  90         oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
  91         oauth-client-id = "299db9f9c2013170";
  92         allow-free = true;
  93       };
  94       "dispatch.sr.ht" = {
  95         oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
  96         oauth-client-id = "299db9f9c2013170";
  97       };
  98       "pages.sr.ht" = {
  99         oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
 100         oauth-client-id = "299db9f9c2013170";
 101         s3-bucket = "pagesbuck";
 102       };
 103       "paste.sr.ht" = {
 104         oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
 105         oauth-client-id = "299db9f9c2013170";
 106       };
 107       "man.sr.ht" = {
 108         oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
 109         oauth-client-id = "299db9f9c2013170";
 110       };
 111       "meta.sr.ht" = { };
 112       "meta.sr.ht::settings" = {
 113         onboarding-redirect = "https://meta.${domain}";
 114         registration = false;
 115       };
 116       "meta.sr.ht::api" = {
 117         #internal-ipnet= [ "127.0.0.0/8" "::1/128" "192.168.0.0/16" "10.0.0.0/8"];
 118       };
 119       "todo.sr.ht" = {
 120         oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
 121         oauth-client-id = "299db9f9c2013170";
 122       };
 123       "git.sr.ht" = {
 124         outgoing-domain = "https://git.${domain}";
 125         oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
 126         oauth-client-id = "gitsrht";
 127       };
 128       "hub.sr.ht" = {
 129         oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
 130         oauth-client-id = "299db9f9c2013170";
 131       };
 132       "lists.sr.ht" = {
 133         oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
 134         oauth-client-id = "299db9f9c2013170";
 135       };
 136       "lists.sr.ht::worker" = {
 137         #sock = "/var/lib/postfix/queue/private/srht-lmtp";
 138       };
 139       # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen webhook
 140       #webhooks.private-key= "U7yd/8mGs/v0O3kId4jpeSghUCa9tqP1fYQwSV8UOqo=";
 141       webhooks.private-key = gnupg.secrets."sourcehut/webhook-key".path;
 142       mail = {
 143         smtp-host = "localhost";
 144         smtp-port = 25;
 145         smtp-user = null;
 146         smtp-password = null;
 147         smtp-from = "julm+hut@${networking.domain}";
 148         error-to = "julm+hut+error@${networking.domain}";
 149         error-from = "julm+hut+error@${networking.domain}";
 150         pgp-privkey = null;
 151         pgp-pubkey = null;
 152         pgp-key-id = null;
 153       };
 154     };
 155   };
 156   fileSystems."/var/lib/sourcehut" = {
 157     device = "rpool/var/sourcehut";
 158     fsType = "zfs";
 159   };
 160   services.sanoid.datasets = {
 161     "rpool/var/sourcehut" = {
 162       use_template = [ "snap" ];
 163       daily = 31;
 164     };
 165   };
 166   services.nginx = {
 167     virtualHosts."~^(?<subdomain>[^.]+).hut.${networking.domain}" = {
 168       forceSSL = true;
 169       useACMEHost = networking.domain;
 170       globalRedirect = "$subdomain.code.${networking.domain}";
 171     };
 172     virtualHosts."meta.${domain}" = {
 173       locations."/query".extraConfig = lib.mkForce ''
 174         if ($request_method = 'OPTIONS') {
 175           ${nginx.configs.https_add_headers}
 176           add_header 'Access-Control-Allow-Origin' '*';
 177           add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
 178           add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
 179           add_header 'Access-Control-Max-Age' 1728000;
 180           add_header 'Content-Type' 'text/plain; charset=utf-8';
 181           add_header 'Content-Length' 0;
 182           return 204;
 183         }
 184
 185         ${nginx.configs.https_add_headers}
 186         add_header 'Access-Control-Allow-Origin' '*';
 187         add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
 188         add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
 189         add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
 190       '';
 191     };
 192   };
 193 }