nixos/modules/services/misc/sourcehut/hg.nix

   1 { config, lib, pkgs, ... }:
   2
   3 with lib;
   4 let
   5   cfg = config.services.sourcehut;
   6   scfg = cfg.hg;
   7   iniKey = "hg.sr.ht";
   8   statePath = "/var/lib/sourcehut/hgsrht";
   9
  10   rcfg = config.services.redis;
  11   drv = pkgs.sourcehut.hgsrht;
  12 in
  13 {
  14   options.services.sourcehut.hg = {
  15     enable = mkEnableOption "git service";
  16
  17     user = mkOption {
  18       type = types.str;
  19       internal = true;
  20       readOnly = true;
  21       default = "hg";
  22       description = ''
  23         User for hg.sr.ht.
  24       '';
  25     };
  26
  27     port = mkOption {
  28       type = types.port;
  29       default = 5010;
  30       description = ''
  31         Port on which the "hg" module should listen.
  32       '';
  33     };
  34
  35     database = mkOption {
  36       type = types.str;
  37       default = "hg.sr.ht";
  38       description = ''
  39         PostgreSQL database name for hg.sr.ht.
  40       '';
  41     };
  42
  43     cloneBundles = mkOption {
  44       type = types.bool;
  45       default = false;
  46       description = ''
  47         Generate clonebundles (which require more disk space but dramatically speed up cloning large repositories).
  48       '';
  49     };
  50   };
  51
  52   config = with scfg; lib.mkIf (cfg.enable && scfg.enable) {
  53     # In case it ever comes into being
  54     environment.etc."ssh/hgsrht-dispatch" = {
  55       mode = "0755";
  56       text = ''
  57         #! ${pkgs.stdenv.shell}
  58         ${cfg.python}/bin/gitsrht-dispatch "$@"
  59       '';
  60     };
  61
  62     environment.systemPackages = [ pkgs.mercurial ];
  63
  64     users = {
  65       users = {
  66         "${user}" = {
  67           isSystemUser = true;
  68           group = user;
  69           # Assuming hg.sr.ht needs this too
  70           shell = pkgs.bash;
  71           description = "hg.sr.ht user";
  72         };
  73       };
  74
  75       groups = {
  76         "${user}" = { };
  77       };
  78     };
  79
  80     services = {
  81       cron.systemCronJobs = [ "*/20 * * * * ${cfg.python}/bin/hgsrht-periodic" ]
  82         ++ optional cloneBundles "0 * * * * ${cfg.python}/bin/hgsrht-clonebundles";
  83
  84       openssh.authorizedKeysCommand = ''/etc/ssh/hgsrht-dispatch "%u" "%h" "%t" "%k"'';
  85       openssh.authorizedKeysCommandUser = "root";
  86       openssh.extraConfig = ''
  87         PermitUserEnvironment SRHT_*
  88       '';
  89
  90       postgresql = {
  91         authentication = ''
  92           local ${database} ${user} trust
  93         '';
  94         ensureDatabases = [ database ];
  95         ensureUsers = [
  96           {
  97             name = user;
  98             ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; };
  99           }
 100         ];
 101       };
 102     };
 103
 104     systemd = {
 105       tmpfiles.rules = [
 106         # /var/log is owned by root
 107         "f /var/log/hg-srht-shell 0644 ${user} ${user} -"
 108
 109         "d ${cfg.settings."${iniKey}".repos} 2755 ${user} ${user} -"
 110       ];
 111
 112       services.hgsrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey {
 113         after = [ "redis.service" "postgresql.service" "network.target" ];
 114         requires = [ "redis.service" "postgresql.service" ];
 115         wantedBy = [ "multi-user.target" ];
 116
 117         path = [ pkgs.mercurial ];
 118         description = "hg.sr.ht website service";
 119
 120         serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}";
 121       };
 122     };
 123
 124     services.sourcehut.settings = {
 125       # The authorized keys hook uses this to dispatch to various handlers
 126       # The format is a program to exec into as the key, and the user to match as the
 127       # value. When someone tries to log in as this user, this program is executed
 128       # and is expected to emit an AuthorizedKeys file.
 129       #
 130       # Uncomment the relevant lines to enable the various sr.ht dispatchers.
 131       "hg.sr.ht::dispatch"."/run/current-system/sw/bin/hgsrht-keys" = mkDefault "${user}:${user}";
 132     };
 133
 134     # TODO: requires testing and addition of hg-specific requirements
 135     services.nginx.virtualHosts."hg.${cfg.originBase}" = {
 136       forceSSL = true;
 137       locations."/".proxyPass = "http://${cfg.address}:${toString port}";
 138       locations."/query".proxyPass = cfgIni."meta.sr.ht".api-origin;
 139       locations."/static".root = "${pkgs.sourcehut.hgsrht}/${pkgs.sourcehut.python.sitePackages}/hgsrht";
 140     };
 141   };
 142 }