]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/losurdo/sourcehut.nix
sourcephile / git / sourcephile-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
nixos/sourcehut: massive rewrite
[sourcephile-nix.git] / hosts / losurdo / sourcehut.nix
1 { pkgs, lib, config, ... }:
2 let
3 inherit (config.services) sourcehut;
4 inherit (config.users) users groups;
5 inherit (config.security) gnupg;
6 domain = "sourcephile.wg";
7 sourcehut-services = [
8 "builds"
9 "dispatch"
10 "git"
11 "hg"
12 "hub"
13 "lists"
14 "meta"
15 "man"
16 "paste"
17 "todo"
18 ];
19 in
20 {
21 #boot.isContainer = true;
22 #networking.firewall.allowedTCPPorts = [ 80 ];
23 networking.hosts = {
24 "192.168.42.2" = [domain] ++ map (d: "${d}.${domain}") sourcehut-services;
25 };
26 networking.nftables.ruleset = ''
27 add rule inet filter fw2net meta skuid ${sourcehut.meta.user} tcp dport 25 counter accept comment "SMTP"
28 '';
29 security.gnupg.secrets = lib.genAttrs [
30 "sourcehut/network-key"
31 "sourcehut/service-key"
32 "sourcehut/webhook-key"
33 "sourcehut/oauth-client-secret"
34 ] (p: {
35 systemdConfig.before = [ "metasrht.service" ];
36 systemdConfig.wantedBy = [ "metasrht.service" ];
37 });
38 services.sourcehut = {
39 enable = true;
40 listenAddress = domain;
41 /*
42 builds = {
43 enableWorker = true;
44 };
45 */
46 #dispatch.enable = true;
47 git.enable = true;
48 #hub.enable = true;
49 meta.enable = true;
50 #man.enable = true;
51 #pages.enable = true;
52 #paste.enable = true;
53 #todo.enable = true;
54 #lists.enable = true;
55
56 postgresql.enable = true;
57 postfix.enable = true;
58 redis.enable = true;
59 #redis.firstDatabase = 0;
60 nginx.enable = true;
61 settings = {
62 "sr.ht" = {
63 environment = "production";
64 global-domain = domain;
65 origin = "http://${domain}";
66 owner-email = "julm+srht@sourcephile.fr";
67 owner-name = "Sourcephile";
68 site-blurb = "software forge";
69 site-info = "http://${domain}";
70 site-name = "Sourcephile";
71 # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen network
72 network-key = gnupg.secrets."sourcehut/network-key".path;
73 # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen service
74 service-key = gnupg.secrets."sourcehut/service-key".path;
75 };
76 # nix shell nixpkgs#sourcehut.metasrht -c metasrht-manageuser -t admin -e mymail@gmail.com misuzu
77 "builds.sr.ht" = {
78 origin = "http://builds.${domain}";
79 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
80 oauth-client-id = "299db9f9c2013170";
81 };
82 "dispatch.sr.ht" = {
83 origin = "http://dispatch.${domain}";
84 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
85 oauth-client-id = "299db9f9c2013170";
86 };
87 /*
88 "pages.sr.ht" = {
89 origin = "http://pages.${domain}";
90 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
91 oauth-client-id = "299db9f9c2013170";
92 };
93 */
94 "paste.sr.ht" = {
95 origin = "http://paste.${domain}";
96 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
97 oauth-client-id = "299db9f9c2013170";
98 };
99 "man.sr.ht" = {
100 origin = "http://man.${domain}";
101 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
102 oauth-client-id = "299db9f9c2013170";
103 };
104 "meta.sr.ht" = {
105 origin = "http://meta.${domain}";
106 api-origin = "http://meta.${domain}:5100";
107 };
108 "meta.sr.ht::settings" = {
109 onboarding-redirect = "http://meta.${domain}";
110 registration = true;
111 internal-ipnet = "127.0.0.0/8,192.168.42.0/24";
112 };
113 "meta.sr.ht::api" = {
114 internal-ipnet= [ "127.0.0.0/8" "::1/128" "192.168.0.0/16" "10.0.0.0/8"];
115 };
116 "todo.sr.ht" = {
117 origin = "http://todo.${domain}";
118 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
119 oauth-client-id = "299db9f9c2013170";
120 };
121 "git.sr.ht" = {
122 origin = "http://git.${domain}";
123 outgoing-domain = "http://git.${domain}";
124 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
125 oauth-client-id = "299db9f9c2013170";
126 };
127 "hub.sr.ht" = {
128 origin = "http://hub.${domain}";
129 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
130 oauth-client-id = "299db9f9c2013170";
131 };
132 "lists.sr.ht" = {
133 origin = "http://lists.${domain}";
134 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
135 oauth-client-id = "299db9f9c2013170";
136 };
137 "lists.sr.ht::worker" = {
138 #sock = "/var/lib/postfix/queue/private/srht-lmtp";
139 };
140 # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen webhook
141 #webhooks.private-key= "U7yd/8mGs/v0O3kId4jpeSghUCa9tqP1fYQwSV8UOqo=";
142 webhooks.private-key = gnupg.secrets."sourcehut/webhook-key".path;
143 mail = {
144 smtp-host = "localhost";
145 smtp-port = 25;
146 smtp-user = null;
147 smtp-password = null;
148 smtp-from = "sourcehut@sourcephile.fr";
149 error-to = "julm+sourcehut+error@sourcephile.fr";
150 error-from = "sourcehut+error@sourcephile.fr";
151 pgp-privkey = null;
152 pgp-pubkey = null;
153 pgp-key-id = null;
154 };
155 };
156 };
157 services.nginx.virtualHosts = {
158 #"builds.${domain}".forceSSL = lib.mkForce false;
159 "dispatch.${domain}".forceSSL = lib.mkForce false;
160 "git.${domain}".forceSSL = lib.mkForce false;
161 "hub.${domain}".forceSSL = lib.mkForce false;
162 "lists.${domain}".forceSSL = lib.mkForce false;
163 "logs.${domain}".forceSSL = lib.mkForce false;
164 "man.${domain}".forceSSL = lib.mkForce false;
165 "paste.${domain}".forceSSL = lib.mkForce false;
166 "todo.${domain}".forceSSL = lib.mkForce false;
167 "meta.${domain}" = {
168 forceSSL = lib.mkForce false;
169 /*
170 extraConfig = ''
171 access_log /var/log/nginx/${domain}/meta/access.log json;
172 error_log /var/log/nginx/${domain}/meta/error.log warn;
173 '';
174 */
175 };
176 "${domain}".forceSSL = lib.mkForce false;
177 };
178 systemd.services.nginx.serviceConfig.LogsDirectory =
179 lib.mkForce ["/var/log/nginx/${domain}/meta"];
180 systemd.services.postgresql = {
181 /*
182 connection_limit=64 \
183 encoding=UTF8 \
184 lc_collate=fr_FR.UTF-8 \
185 lc_type=fr_FR.UTF-8 \
186 owner="${sourcehut.git.database}" \
187 pg_createdb "${sourcehut.git.database}" >/dev/null </dev/null
188
189 pg_adduser "${sourcehut.git.database}" "${sourcehut.git.database}" >/dev/null
190 */
191 postStart = lib.mkAfter ''
192 $PSQL -d "${sourcehut.dispatch.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
193 GRANT USAGE,CREATE ON schema public TO "${sourcehut.dispatch.user}";
194 EOF
195 $PSQL -d "${sourcehut.git.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
196 GRANT USAGE,CREATE ON schema public TO "${sourcehut.git.user}";
197 EOF
198 $PSQL -d "${sourcehut.hub.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
199 GRANT USAGE,CREATE ON schema public TO "${sourcehut.hub.user}";
200 EOF
201 $PSQL -d "${sourcehut.man.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
202 GRANT USAGE,CREATE ON schema public TO "${sourcehut.man.user}";
203 EOF
204 $PSQL -d "${sourcehut.meta.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
205 GRANT USAGE,CREATE ON schema public TO "${sourcehut.meta.user}";
206 GRANT USAGE,CREATE ON schema public TO "${users.sshsrht.name}";
207 EOF
208 $PSQL -d "${sourcehut.paste.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
209 GRANT USAGE,CREATE ON schema public TO "${sourcehut.paste.user}";
210 EOF
211 $PSQL -d "${sourcehut.todo.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
212 GRANT USAGE,CREATE ON schema public TO "${sourcehut.todo.user}";
213 EOF
214 $PSQL -d "${sourcehut.lists.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
215 GRANT USAGE,CREATE ON schema public TO "${sourcehut.lists.user}";
216 EOF
217 '';
218 };
219 }
NixOS configurations for Sourcephile's infrastructure