1 { pkgs, lib, config, ... }:
3 inherit (config.services) sourcehut;
4 inherit (config.users) users groups;
5 inherit (config.security) gnupg;
6 domain = "sourcephile.wg";
21 #boot.isContainer = true;
22 #networking.firewall.allowedTCPPorts = [ 80 ];
24 "192.168.42.2" = [domain] ++ map (d: "${d}.${domain}") sourcehut-services;
26 networking.nftables.ruleset = ''
27 add rule inet filter fw2net meta skuid ${sourcehut.meta.user} tcp dport 25 counter accept comment "SMTP"
29 security.gnupg.secrets = lib.genAttrs [
30 "sourcehut/network-key"
31 "sourcehut/service-key"
32 "sourcehut/webhook-key"
33 "sourcehut/oauth-client-secret"
35 systemdConfig.before = [ "metasrht.service" ];
36 systemdConfig.wantedBy = [ "metasrht.service" ];
41 secretKey = "12345678";
45 environment.systemPackages = [ pkgs.minio-client ];
46 services.sourcehut = {
48 listenAddress = domain;
54 #dispatch.enable = true;
64 postgresql.enable = true;
65 postfix.enable = true;
67 #redis.firstDatabase = 0;
71 environment = "production";
72 global-domain = domain;
73 origin = "http://${domain}";
74 owner-email = "julm+srht@sourcephile.fr";
75 owner-name = "Sourcephile";
76 site-blurb = "software forge";
77 site-info = "http://${domain}";
78 site-name = "Sourcephile";
79 # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen network
80 network-key = gnupg.secrets."sourcehut/network-key".path;
81 # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen service
82 service-key = gnupg.secrets."sourcehut/service-key".path;
85 s3-upstream = "localhost";
86 s3-access-key = "12345";
87 s3-secret-key = pkgs.writeText "s3-secret-key" "12345678";
89 # nix shell nixpkgs#sourcehut.metasrht -c metasrht-manageuser -t admin -e mymail@gmail.com misuzu
91 origin = "http://builds.${domain}";
92 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
93 oauth-client-id = "299db9f9c2013170";
96 origin = "http://dispatch.${domain}";
97 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
98 oauth-client-id = "299db9f9c2013170";
101 origin = "http://pages.${domain}";
102 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
103 oauth-client-id = "299db9f9c2013170";
104 s3-bucket = "pagesbuck";
107 origin = "http://paste.${domain}";
108 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
109 oauth-client-id = "299db9f9c2013170";
112 origin = "http://man.${domain}";
113 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
114 oauth-client-id = "299db9f9c2013170";
117 origin = "http://meta.${domain}";
118 api-origin = "http://meta.${domain}:5100";
120 "meta.sr.ht::settings" = {
121 onboarding-redirect = "http://meta.${domain}";
123 internal-ipnet = "127.0.0.0/8,192.168.42.0/24";
125 "meta.sr.ht::api" = {
126 internal-ipnet= [ "127.0.0.0/8" "::1/128" "192.168.0.0/16" "10.0.0.0/8"];
129 origin = "http://todo.${domain}";
130 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
131 oauth-client-id = "299db9f9c2013170";
134 origin = "http://git.${domain}";
135 outgoing-domain = "http://git.${domain}";
136 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
137 oauth-client-id = "299db9f9c2013170";
140 origin = "http://hub.${domain}";
141 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
142 oauth-client-id = "299db9f9c2013170";
145 origin = "http://lists.${domain}";
146 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
147 oauth-client-id = "299db9f9c2013170";
149 "lists.sr.ht::worker" = {
150 #sock = "/var/lib/postfix/queue/private/srht-lmtp";
152 # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen webhook
153 #webhooks.private-key= "U7yd/8mGs/v0O3kId4jpeSghUCa9tqP1fYQwSV8UOqo=";
154 webhooks.private-key = gnupg.secrets."sourcehut/webhook-key".path;
156 smtp-host = "localhost";
159 smtp-password = null;
160 smtp-from = "sourcehut@sourcephile.fr";
161 error-to = "julm+sourcehut+error@sourcephile.fr";
162 error-from = "sourcehut+error@sourcephile.fr";
169 services.nginx.virtualHosts = {
170 "builds.${domain}".forceSSL = lib.mkForce false;
171 "dispatch.${domain}".forceSSL = lib.mkForce false;
172 "git.${domain}".forceSSL = lib.mkForce false;
173 "hub.${domain}".forceSSL = lib.mkForce false;
174 "lists.${domain}".forceSSL = lib.mkForce false;
175 "logs.${domain}".forceSSL = lib.mkForce false;
176 "man.${domain}".forceSSL = lib.mkForce false;
177 "paste.${domain}".forceSSL = lib.mkForce false;
178 "pages.${domain}".forceSSL = lib.mkForce false;
179 "todo.${domain}".forceSSL = lib.mkForce false;
181 forceSSL = lib.mkForce false;
184 access_log /var/log/nginx/${domain}/meta/access.log json;
185 error_log /var/log/nginx/${domain}/meta/error.log warn;
189 "${domain}".forceSSL = lib.mkForce false;
191 systemd.services.nginx.serviceConfig.LogsDirectory =
192 lib.mkForce ["/var/log/nginx/${domain}/meta"];
193 systemd.services.postgresql = {
195 connection_limit=64 \
197 lc_collate=fr_FR.UTF-8 \
198 lc_type=fr_FR.UTF-8 \
199 owner="${sourcehut.git.database}" \
200 pg_createdb "${sourcehut.git.database}" >/dev/null </dev/null
202 pg_adduser "${sourcehut.git.database}" "${sourcehut.git.database}" >/dev/null
204 postStart = lib.mkAfter ''
205 $PSQL -d "${sourcehut.dispatch.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
206 GRANT USAGE,CREATE ON schema public TO "${sourcehut.dispatch.user}";
208 $PSQL -d "${sourcehut.git.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
209 GRANT USAGE,CREATE ON schema public TO "${sourcehut.git.user}";
211 $PSQL -d "${sourcehut.hub.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
212 GRANT USAGE,CREATE ON schema public TO "${sourcehut.hub.user}";
214 $PSQL -d "${sourcehut.man.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
215 GRANT USAGE,CREATE ON schema public TO "${sourcehut.man.user}";
217 $PSQL -d "${sourcehut.meta.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
218 GRANT USAGE,CREATE ON schema public TO "${sourcehut.meta.user}";
219 GRANT USAGE,CREATE ON schema public TO "${users.sshsrht.name}";
221 $PSQL -d "${sourcehut.pages.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
222 GRANT USAGE,CREATE ON schema public TO "${sourcehut.pages.user}";
224 $PSQL -d "${sourcehut.paste.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
225 GRANT USAGE,CREATE ON schema public TO "${sourcehut.paste.user}";
227 $PSQL -d "${sourcehut.todo.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
228 GRANT USAGE,CREATE ON schema public TO "${sourcehut.todo.user}";
230 $PSQL -d "${sourcehut.lists.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
231 GRANT USAGE,CREATE ON schema public TO "${sourcehut.lists.user}";