]> Git — Sourcephile - sourcephile-nix.git/blob - nixos/modules/services/misc/sourcehut/git.nix
sourcephile / git / sourcephile-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
sourcehut: type-check migrate-on-upgrade
[sourcephile-nix.git] / nixos / modules / services / misc / sourcehut / git.nix
1 { config, lib, pkgs, ... }:
2
3 with lib;
4 let
5 cfg = config.services.sourcehut;
6 scfg = cfg.git;
7 iniKey = "git.sr.ht";
8
9 rcfg = config.services.redis;
10 drv = pkgs.sourcehut.gitsrht;
11 in
12 {
13 options.services.sourcehut.git = {
14 user = mkOption {
15 type = types.str;
16 visible = false;
17 internal = true;
18 readOnly = true;
19 default = "git";
20 description = ''
21 User for git.sr.ht.
22 '';
23 };
24
25 port = mkOption {
26 type = types.port;
27 default = 5001;
28 description = ''
29 Port on which the "git" module should listen.
30 '';
31 };
32
33 database = mkOption {
34 type = types.str;
35 default = "git.sr.ht";
36 description = ''
37 PostgreSQL database name for git.sr.ht.
38 '';
39 };
40
41 statePath = mkOption {
42 type = types.path;
43 default = "${cfg.statePath}/gitsrht";
44 description = ''
45 State path for git.sr.ht.
46 '';
47 };
48
49 package = mkOption {
50 type = types.package;
51 default = pkgs.git;
52 example = literalExample "pkgs.gitFull";
53 description = ''
54 Git package for git.sr.ht. This can help silence collisions.
55 '';
56 };
57 };
58
59 config = with scfg; lib.mkIf (cfg.enable && elem "git" cfg.services) {
60 # sshd refuses to run with `Unsafe AuthorizedKeysCommand ... bad ownership or modes for directory /nix/store`
61 environment.etc."ssh/gitsrht-dispatch" = {
62 mode = "0755";
63 text = ''
64 #! ${pkgs.stdenv.shell}
65 ${cfg.python}/bin/gitsrht-dispatch "$@"
66 '';
67 };
68
69 # Needs this in the $PATH when sshing into the server
70 environment.systemPackages = [ cfg.git.package ];
71
72 users = {
73 users = {
74 "${user}" = {
75 isSystemUser = true;
76 group = user;
77 # https://stackoverflow.com/questions/22314298/git-push-results-in-fatal-protocol-error-bad-line-length-character-this
78 # Probably could use gitsrht-shell if output is restricted to just parameters...
79 shell = pkgs.bash;
80 description = "git.sr.ht user";
81 };
82 };
83
84 groups = {
85 "${user}" = { };
86 };
87 };
88
89 services = {
90 cron.systemCronJobs = [ "*/20 * * * * ${cfg.python}/bin/gitsrht-periodic" ];
91 fcgiwrap.enable = true;
92
93 openssh.authorizedKeysCommand = ''/etc/ssh/gitsrht-dispatch "%u" "%h" "%t" "%k"'';
94 openssh.authorizedKeysCommandUser = "root";
95 openssh.extraConfig = ''
96 PermitUserEnvironment SRHT_*
97 '';
98
99 postgresql = {
100 authentication = ''
101 local ${database} ${user} trust
102 '';
103 ensureDatabases = [ database ];
104 ensureUsers = [
105 {
106 name = user;
107 ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; };
108 }
109 ];
110 };
111 };
112
113 systemd = {
114 tmpfiles.rules = [
115 # /var/log is owned by root
116 "f /var/log/git-srht-shell 0644 ${user} ${user} -"
117
118 "d ${statePath} 0750 ${user} ${user} -"
119 "d ${cfg.settings."${iniKey}".repos} 2755 ${user} ${user} -"
120 ];
121
122 services = {
123 gitsrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey {
124 after = [ "redis.service" "postgresql.service" "network.target" ];
125 requires = [ "redis.service" "postgresql.service" ];
126 wantedBy = [ "multi-user.target" ];
127
128 # Needs internally to create repos at the very least
129 path = [ pkgs.git ];
130 description = "git.sr.ht website service";
131
132 serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}";
133 };
134
135 gitsrht-webhooks = {
136 after = [ "postgresql.service" "network.target" ];
137 requires = [ "postgresql.service" ];
138 wantedBy = [ "multi-user.target" ];
139
140 description = "git.sr.ht webhooks service";
141 serviceConfig = {
142 Type = "simple";
143 User = user;
144 Restart = "always";
145 };
146
147 serviceConfig.ExecStart = "${cfg.python}/bin/celery -A ${drv.pname}.webhooks worker --loglevel INFO --pool eventlet";
148 };
149 };
150 };
151
152 services.sourcehut.settings = {
153 # URL git.sr.ht is being served at (protocol://domain)
154 "git.sr.ht".origin = mkDefault "http://git.${cfg.originBase}";
155 # Address and port to bind the debug server to
156 "git.sr.ht".debug-host = mkDefault "0.0.0.0";
157 "git.sr.ht".debug-port = mkDefault port;
158 # Configures the SQLAlchemy connection string for the database.
159 "git.sr.ht".connection-string = mkDefault "postgresql:///${database}?user=${user}&host=/var/run/postgresql";
160 # The redis connection used for the webhooks worker
161 "git.sr.ht".webhooks = mkDefault "redis://${rcfg.bind}:${toString rcfg.port}/1";
162
163 # A post-update script which is installed in every git repo.
164 "git.sr.ht".post-update-script = mkDefault "${pkgs.sourcehut.gitsrht}/bin/gitsrht-update-hook";
165
166 # git.sr.ht's OAuth client ID and secret for meta.sr.ht
167 # Register your client at meta.example.org/oauth
168 "git.sr.ht".oauth-client-id = mkDefault null;
169 "git.sr.ht".oauth-client-secret = mkDefault null;
170 # Path to git repositories on disk
171 "git.sr.ht".repos = mkDefault "/var/lib/git";
172
173 "git.sr.ht".outgoing-domain = mkDefault "http://git.${cfg.originBase}";
174
175 # The authorized keys hook uses this to dispatch to various handlers
176 # The format is a program to exec into as the key, and the user to match as the
177 # value. When someone tries to log in as this user, this program is executed
178 # and is expected to omit an AuthorizedKeys file.
179 #
180 # Discard of the string context is in order to allow derivation-derived strings.
181 # This is safe if the relevant package is installed which will be the case if the setting is utilized.
182 "git.sr.ht::dispatch".${builtins.unsafeDiscardStringContext "${pkgs.sourcehut.gitsrht}/bin/gitsrht-keys"} = mkDefault "${user}:${user}";
183 };
184
185 services.nginx.virtualHosts."git.${cfg.originBase}" = {
186 forceSSL = true;
187 locations."/".proxyPass = "http://${cfg.address}:${toString port}";
188 locations."/query".proxyPass = "http://${cfg.address}:${toString (port + 100)}";
189 locations."/static".root = "${pkgs.sourcehut.gitsrht}/${pkgs.sourcehut.python.sitePackages}/gitsrht";
190 extraConfig = ''
191 location = /authorize {
192 proxy_pass http://${cfg.address}:${toString port};
193 proxy_pass_request_body off;
194 proxy_set_header Content-Length "";
195 proxy_set_header X-Original-URI $request_uri;
196 }
197 location ~ ^/([^/]+)/([^/]+)/(HEAD|info/refs|objects/info/.*|git-upload-pack).*$ {
198 auth_request /authorize;
199 root /var/lib/git;
200 fastcgi_pass unix:/run/fcgiwrap.sock;
201 fastcgi_param SCRIPT_FILENAME ${pkgs.git}/bin/git-http-backend;
202 fastcgi_param PATH_INFO $uri;
203 fastcgi_param GIT_PROJECT_ROOT $document_root;
204 fastcgi_read_timeout 500s;
205 include ${pkgs.nginx}/conf/fastcgi_params;
206 gzip off;
207 }
208 '';
209
210 };
211 };
212 }
NixOS configurations for Sourcephile's infrastructure