]> Git — Sourcephile - sourcephile-nix.git/blob - nixos/modules/services/misc/sourcehut/git.nix
sourcephile / git / sourcephile-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
sourcehut: replace the services option by enable options
[sourcephile-nix.git] / nixos / modules / services / misc / sourcehut / git.nix
1 { config, lib, pkgs, ... }:
2
3 with lib;
4 let
5 cfg = config.services.sourcehut;
6 scfg = cfg.git;
7 iniKey = "git.sr.ht";
8 statePath = "/var/lib/sourcehut/gitsrht";
9
10 rcfg = config.services.redis;
11 drv = pkgs.sourcehut.gitsrht;
12 in
13 {
14 options.services.sourcehut.git = {
15 enable = mkEnableOption "git service";
16
17 user = mkOption {
18 type = types.str;
19 visible = false;
20 internal = true;
21 readOnly = true;
22 default = "git";
23 description = ''
24 User for git.sr.ht.
25 '';
26 };
27
28 port = mkOption {
29 type = types.port;
30 default = 5001;
31 description = ''
32 Port on which the "git" module should listen.
33 '';
34 };
35
36 database = mkOption {
37 type = types.str;
38 default = "git.sr.ht";
39 description = ''
40 PostgreSQL database name for git.sr.ht.
41 '';
42 };
43
44 package = mkOption {
45 type = types.package;
46 default = pkgs.git;
47 example = literalExample "pkgs.gitFull";
48 description = ''
49 Git package for git.sr.ht. This can help silence collisions.
50 '';
51 };
52 };
53
54 config = with scfg; lib.mkIf (cfg.enable && scfg.enable) {
55 # sshd refuses to run with `Unsafe AuthorizedKeysCommand ... bad ownership or modes for directory /nix/store`
56 environment.etc."ssh/gitsrht-dispatch" = {
57 mode = "0755";
58 text = ''
59 #! ${pkgs.stdenv.shell}
60 ${cfg.python}/bin/gitsrht-dispatch "$@"
61 '';
62 };
63
64 # Needs this in the $PATH when sshing into the server
65 environment.systemPackages = [ cfg.git.package ];
66
67 users = {
68 users = {
69 "${user}" = {
70 isSystemUser = true;
71 group = user;
72 # https://stackoverflow.com/questions/22314298/git-push-results-in-fatal-protocol-error-bad-line-length-character-this
73 # Probably could use gitsrht-shell if output is restricted to just parameters...
74 shell = pkgs.bash;
75 description = "git.sr.ht user";
76 };
77 };
78
79 groups = {
80 "${user}" = { };
81 };
82 };
83
84 services = {
85 cron.systemCronJobs = [ "*/20 * * * * ${cfg.python}/bin/gitsrht-periodic" ];
86 fcgiwrap.enable = true;
87
88 openssh.authorizedKeysCommand = ''/etc/ssh/gitsrht-dispatch "%u" "%h" "%t" "%k"'';
89 openssh.authorizedKeysCommandUser = "root";
90 openssh.extraConfig = ''
91 PermitUserEnvironment SRHT_*
92 '';
93
94 postgresql = {
95 authentication = ''
96 local ${database} ${user} trust
97 '';
98 ensureDatabases = [ database ];
99 ensureUsers = [
100 {
101 name = user;
102 ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; };
103 }
104 ];
105 };
106 };
107
108 systemd = {
109 tmpfiles.rules = [
110 # /var/log is owned by root
111 "f /var/log/git-srht-shell 0644 ${user} ${user} -"
112
113 "d ${cfg.settings."${iniKey}".repos} 2755 ${user} ${user} -"
114 ];
115
116 services = {
117 gitsrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey {
118 after = [ "redis.service" "postgresql.service" "network.target" ];
119 requires = [ "redis.service" "postgresql.service" ];
120 wantedBy = [ "multi-user.target" ];
121
122 # Needs internally to create repos at the very least
123 path = [ pkgs.git ];
124 description = "git.sr.ht website service";
125
126 serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}";
127 };
128
129 gitsrht-webhooks = {
130 after = [ "postgresql.service" "network.target" ];
131 requires = [ "postgresql.service" ];
132 wantedBy = [ "multi-user.target" ];
133
134 description = "git.sr.ht webhooks service";
135 serviceConfig = {
136 Type = "simple";
137 User = user;
138 Restart = "always";
139 };
140
141 serviceConfig.ExecStart = "${cfg.python}/bin/celery -A ${drv.pname}.webhooks worker --loglevel INFO --pool eventlet";
142 };
143 };
144 };
145
146 services.sourcehut.settings = {
147 # The authorized keys hook uses this to dispatch to various handlers
148 # The format is a program to exec into as the key, and the user to match as the
149 # value. When someone tries to log in as this user, this program is executed
150 # and is expected to omit an AuthorizedKeys file.
151 #
152 # Discard of the string context is in order to allow derivation-derived strings.
153 # This is safe if the relevant package is installed which will be the case if the setting is utilized.
154 "git.sr.ht::dispatch".${builtins.unsafeDiscardStringContext "${pkgs.sourcehut.gitsrht}/bin/gitsrht-keys"} = mkDefault "${user}:${user}";
155 };
156
157 services.nginx.virtualHosts."git.${cfg.originBase}" = {
158 forceSSL = true;
159 locations."/".proxyPass = "http://${cfg.address}:${toString port}";
160 locations."/query".proxyPass = cfgIni."meta.sr.ht".api-origin;
161 locations."/static".root = "${pkgs.sourcehut.gitsrht}/${pkgs.sourcehut.python.sitePackages}/gitsrht";
162 extraConfig = ''
163 location = /authorize {
164 proxy_pass http://${cfg.address}:${toString port};
165 proxy_pass_request_body off;
166 proxy_set_header Content-Length "";
167 proxy_set_header X-Original-URI $request_uri;
168 }
169 location ~ ^/([^/]+)/([^/]+)/(HEAD|info/refs|objects/info/.*|git-upload-pack).*$ {
170 auth_request /authorize;
171 root /var/lib/git;
172 fastcgi_pass unix:/run/fcgiwrap.sock;
173 fastcgi_param SCRIPT_FILENAME ${pkgs.git}/bin/git-http-backend;
174 fastcgi_param PATH_INFO $uri;
175 fastcgi_param GIT_PROJECT_ROOT $document_root;
176 fastcgi_read_timeout 500s;
177 include ${pkgs.nginx}/conf/fastcgi_params;
178 gzip off;
179 }
180 '';
181
182 };
183 };
184 }
NixOS configurations for Sourcephile's infrastructure