]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/losurdo/sourcehut.nix
sourcephile / git / sourcephile-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
losurdo: openvpn-calyx: update CA and IPv4
[sourcephile-nix.git] / hosts / losurdo / sourcehut.nix
1 { pkgs, lib, config, ... }:
2 let
3 inherit (config.services) sourcehut;
4 inherit (config.users) users;
5 inherit (config.security) gnupg;
6 domain = "sourcephile.wg";
7 sourcehut-services = [
8 "builds"
9 "dispatch"
10 "git"
11 "hg"
12 "hub"
13 "lists"
14 "meta"
15 "man"
16 "paste"
17 "pages"
18 "todo"
19 ];
20 in
21 {
22 #boot.isContainer = true;
23 #networking.firewall.allowedTCPPorts = [ 80 ];
24 networking.hosts = {
25 "192.168.42.2" = [ domain ] ++ map (d: "${d}.${domain}") sourcehut-services;
26 };
27 networking.nftables.ruleset = ''
28 table inet filter {
29 chain output-net {
30 skuid ${sourcehut.meta.user} \
31 tcp dport smtp counter \
32 accept comment "sourcehut: SMTP"
33 }
34 }
35 '';
36 security.gnupg.secrets = lib.genAttrs [
37 "sourcehut/network-key"
38 "sourcehut/service-key"
39 "sourcehut/webhook-key"
40 "sourcehut/oauth-client-secret"
41 ]
42 (_p: {
43 systemdConfig.before = [ "metasrht.service" "gitsrht.service" ];
44 systemdConfig.wantedBy = [ "metasrht.service" "gitsrht.service" ];
45 });
46 services.minio = {
47 enable = true;
48 accessKey = "12345";
49 secretKey = "12345678";
50 #region = "";
51 browser = true;
52 };
53 environment.systemPackages = [ pkgs.minio-client ];
54 services.sourcehut = {
55 enable = true;
56 listenAddress = "localhost";
57 builds = {
58 #enable = true;
59 enableWorker = true;
60 images.nixos.unstable.x86_64 =
61 let
62 systemConfig = { pkgs, ... }: {
63 # passwordless ssh server
64 services.openssh = {
65 enable = true;
66 permitRootLogin = "yes";
67 extraConfig = "PermitEmptyPasswords yes";
68 };
69
70 users = {
71 mutableUsers = false;
72 # build user
73 extraUsers."build" = {
74 isNormalUser = true;
75 uid = 1000;
76 extraGroups = [ "wheel" ];
77 password = "";
78 };
79 users.root.password = "";
80 };
81
82 security.sudo.wheelNeedsPassword = false;
83 nix.settings.trusted-users = [ "root" "build" ];
84 documentation.nixos.enable = false;
85
86 # builds.sr.ht-image-specific network settings
87 networking = {
88 hostName = "build";
89 dhcpcd.enable = false;
90 defaultGateway.address = "10.0.2.2";
91 usePredictableInterfaceNames = false; # so that we just get eth0 and not some weird id
92 interfaces."eth0".ipv4.addresses = [{
93 address = "10.0.2.15";
94 prefixLength = 25;
95 }];
96 enableIPv6 = false;
97 nameservers = [
98 # OpenNIC anycast
99 "185.121.177.177"
100 "169.239.202.202"
101 # Google as a fallback :(
102 "8.8.8.8"
103 ];
104 firewall.allowedTCPPorts = [ 22 ]; # allow ssh
105 };
106
107 environment.systemPackages = [
108 pkgs.gitMinimal
109 #pkgs.mercurial
110 pkgs.curl
111 pkgs.gnupg
112 ];
113 };
114 qemuConfig = { ... }: {
115 imports = [ systemConfig ];
116 fileSystems."/".device = "/dev/disk/by-label/nixos";
117 boot.initrd.availableKernelModules = [
118 "ahci"
119 "ehci_pci"
120 "sd_mod"
121 "usb_storage"
122 "usbhid"
123 "virtio_balloon"
124 "virtio_blk"
125 "virtio_pci"
126 "virtio_ring"
127 "xhci_pci"
128 ];
129 boot.loader = {
130 grub = {
131 device = "/dev/vda";
132 };
133 timeout = 0;
134 };
135 };
136 config = (import (pkgs.path + "/nixos/lib/eval-config.nix") {
137 inherit pkgs; modules = [ qemuConfig ];
138 system = "x86_64-linux";
139 }).config;
140 in
141 import (pkgs.path + "/nixos/lib/make-disk-image.nix") {
142 inherit pkgs lib config;
143 diskSize = 16000;
144 format = "qcow2-compressed";
145 contents = [
146 {
147 source = pkgs.writeText "gitconfig" ''
148 [user]
149 name = builds.sr.ht
150 email = build@sr.ht
151 '';
152 target = "/home/build/.gitconfig";
153 user = "build";
154 group = "users";
155 mode = "644";
156 }
157 ];
158 };
159 };
160
161 #dispatch.enable = true;
162 git.enable = true;
163 #hub.enable = true;
164 meta.enable = true;
165 meta.port = 4999;
166 #man.enable = true;
167 #pages.enable = true;
168 #paste.enable = true;
169 #todo.enable = true;
170 #lists.enable = true;
171
172 postgresql.enable = true;
173 postfix.enable = true;
174 redis.enable = true;
175 nginx.enable = true;
176 settings = {
177 "sr.ht" = {
178 environment = "production";
179 global-domain = domain;
180 origin = "http://${domain}";
181 owner-email = "julm+srht@sourcephile.fr";
182 owner-name = "Sourcephile";
183 site-blurb = "software forge";
184 site-info = "http://${domain}";
185 site-name = "Sourcephile";
186 # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen network
187 network-key = gnupg.secrets."sourcehut/network-key".path;
188 # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen service
189 service-key = gnupg.secrets."sourcehut/service-key".path;
190 };
191 objects = {
192 s3-upstream = "localhost";
193 s3-access-key = "12345";
194 s3-secret-key = pkgs.writeText "s3-secret-key" "12345678";
195 };
196 # nix shell nixpkgs#sourcehut.metasrht -c metasrht-manageuser -t admin -e mymail@gmail.com misuzu
197 "builds.sr.ht" = {
198 origin = "http://builds.${domain}";
199 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
200 oauth-client-id = "299db9f9c2013170";
201 allow-free = true;
202 };
203 "dispatch.sr.ht" = {
204 origin = "http://dispatch.${domain}";
205 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
206 oauth-client-id = "299db9f9c2013170";
207 };
208 "pages.sr.ht" = {
209 origin = "http://pages.${domain}";
210 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
211 oauth-client-id = "299db9f9c2013170";
212 s3-bucket = "pagesbuck";
213 };
214 "paste.sr.ht" = {
215 origin = "http://paste.${domain}";
216 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
217 oauth-client-id = "299db9f9c2013170";
218 };
219 "man.sr.ht" = {
220 origin = "http://man.${domain}";
221 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
222 oauth-client-id = "299db9f9c2013170";
223 };
224 "meta.sr.ht" = {
225 origin = "http://meta.${domain}";
226 api-origin = "http://localhost:5099";
227 };
228 "meta.sr.ht::settings" = {
229 onboarding-redirect = "http://meta.${domain}";
230 registration = true;
231 };
232 "meta.sr.ht::api" = {
233 # This is a temporary workaround
234 #
235 internal-ipnet = [ "127.0.0.0/8" "::1/128" "192.168.0.0/16" "10.0.0.0/8" ];
236 };
237 "todo.sr.ht" = {
238 origin = "http://todo.${domain}";
239 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
240 oauth-client-id = "299db9f9c2013170";
241 };
242 "git.sr.ht" = {
243 origin = "http://git.${domain}";
244 outgoing-domain = "http://git.${domain}";
245 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
246 oauth-client-id = "299db9f9c2013170";
247 #repos = "/var/lib/git";
248 };
249 "hub.sr.ht" = {
250 origin = "http://hub.${domain}";
251 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
252 oauth-client-id = "299db9f9c2013170";
253 };
254 "lists.sr.ht" = {
255 origin = "http://lists.${domain}";
256 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
257 oauth-client-id = "299db9f9c2013170";
258 };
259 "lists.sr.ht::worker" = {
260 #sock = "/var/lib/postfix/queue/private/srht-lmtp";
261 };
262 # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen webhook
263 #webhooks.private-key= "U7yd/8mGs/v0O3kId4jpeSghUCa9tqP1fYQwSV8UOqo=";
264 webhooks.private-key = gnupg.secrets."sourcehut/webhook-key".path;
265 mail = {
266 smtp-host = "localhost";
267 smtp-port = 25;
268 smtp-user = null;
269 smtp-password = null;
270 smtp-from = "sourcehut@sourcephile.fr";
271 error-to = "julm+sourcehut+error@sourcephile.fr";
272 error-from = "sourcehut+error@sourcephile.fr";
273 pgp-privkey = null;
274 pgp-pubkey = null;
275 pgp-key-id = null;
276 };
277 };
278 };
279 services.nginx.virtualHosts = {
280 "builds.${domain}".forceSSL = lib.mkForce false;
281 "dispatch.${domain}".forceSSL = lib.mkForce false;
282 "git.${domain}".forceSSL = lib.mkForce false;
283 "hub.${domain}".forceSSL = lib.mkForce false;
284 "lists.${domain}".forceSSL = lib.mkForce false;
285 "logs.${domain}".forceSSL = lib.mkForce false;
286 "man.${domain}".forceSSL = lib.mkForce false;
287 "paste.${domain}".forceSSL = lib.mkForce false;
288 "pages.${domain}".forceSSL = lib.mkForce false;
289 "todo.${domain}".forceSSL = lib.mkForce false;
290 "meta.${domain}" = {
291 forceSSL = lib.mkForce false;
292 /*
293 extraConfig = ''
294 access_log /var/log/nginx/${domain}/meta/access.log json;
295 error_log /var/log/nginx/${domain}/meta/error.log warn;
296 '';
297 */
298 };
299 "${domain}".forceSSL = lib.mkForce false;
300 };
301 systemd.services.postgresql = {
302 /*
303 connection_limit=64 \
304 encoding=UTF8 \
305 lc_collate=fr_FR.UTF-8 \
306 lc_type=fr_FR.UTF-8 \
307 owner="${sourcehut.git.postgresql.database}" \
308 pg_createdb "${sourcehut.git.postgresql.database}" >/dev/null </dev/null
309
310 pg_adduser "${sourcehut.git.postgresql.database}" "${sourcehut.git.postgresql.database}" >/dev/null
311 postStart = lib.mkAfter ''
312 $PSQL -d "${sourcehut.builds.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
313 GRANT USAGE,CREATE ON schema public TO "${sourcehut.builds.user}";
314 EOF
315 $PSQL -d "${sourcehut.dispatch.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
316 GRANT USAGE,CREATE ON schema public TO "${sourcehut.dispatch.user}";
317 EOF
318 $PSQL -d "${sourcehut.git.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
319 GRANT USAGE,CREATE ON schema public TO "${sourcehut.git.user}";
320 EOF
321 $PSQL -d "${sourcehut.hub.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
322 GRANT USAGE,CREATE ON schema public TO "${sourcehut.hub.user}";
323 EOF
324 $PSQL -d "${sourcehut.man.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
325 GRANT USAGE,CREATE ON schema public TO "${sourcehut.man.user}";
326 EOF
327 $PSQL -d "${sourcehut.meta.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
328 GRANT USAGE,CREATE ON schema public TO "${sourcehut.meta.user}";
329 GRANT USAGE,CREATE ON schema public TO "${users.sshsrht.name}";
330 EOF
331 $PSQL -d "${sourcehut.pages.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
332 GRANT USAGE,CREATE ON schema public TO "${sourcehut.pages.user}";
333 EOF
334 $PSQL -d "${sourcehut.paste.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
335 GRANT USAGE,CREATE ON schema public TO "${sourcehut.paste.user}";
336 EOF
337 $PSQL -d "${sourcehut.todo.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
338 GRANT USAGE,CREATE ON schema public TO "${sourcehut.todo.user}";
339 EOF
340 $PSQL -d "${sourcehut.lists.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
341 GRANT USAGE,CREATE ON schema public TO "${sourcehut.lists.user}";
342 EOF
343 '';
344 */
345 };
346 }
NixOS configurations for Sourcephile's infrastructure