1 { pkgs, lib, config, ... }:
3 inherit (config) networking;
4 inherit (config.services) nginx sourcehut;
5 inherit (config.users) users groups;
6 inherit (config.security) gnupg;
7 domain = "code.${networking.domain}";
10 security.gnupg.secrets = lib.genAttrs [
11 "sourcehut/network-key"
12 "sourcehut/service-key"
13 "sourcehut/webhook-key"
14 "sourcehut/oauth-client-secret"
20 systemdConfig.before = srhts;
21 systemdConfig.wantedBy = srhts;
26 secretKey = "12345678";
30 #environment.systemPackages = [ pkgs.minio-client ];
31 services.sourcehut = {
33 listenAddress = "localhost";
37 images.nixos.unstable.x86_64 =
38 import sourcehut/builds/nixos-unstable.nix
39 "x86_64-linux" { inherit pkgs lib config; };
42 #dispatch.enable = true;
53 postgresql.enable = true;
54 postfix.enable = true;
58 useACMEHost = networking.domain;
62 environment = "production";
63 global-domain = domain;
64 owner-email = "julm+srht@sourcephile.fr";
65 owner-name = "Sourcephile";
66 site-blurb = "a simple free software forge";
67 site-info = "https://${domain}";
68 site-name = "Sourcephile";
69 # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen network
70 network-key = gnupg.secrets."sourcehut/network-key".path;
71 # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen service
72 service-key = gnupg.secrets."sourcehut/service-key".path;
73 #redis-host = "redis://localhost:6379/";
76 s3-upstream = "localhost";
77 s3-access-key = "12345";
78 s3-secret-key = pkgs.writeText "s3-secret-key" "12345678";
80 # nix shell nixpkgs#sourcehut.metasrht -c metasrht-manageuser -t admin -e mymail@gmail.com misuzu
82 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
83 oauth-client-id = "299db9f9c2013170";
87 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
88 oauth-client-id = "299db9f9c2013170";
91 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
92 oauth-client-id = "299db9f9c2013170";
93 s3-bucket = "pagesbuck";
96 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
97 oauth-client-id = "299db9f9c2013170";
100 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
101 oauth-client-id = "299db9f9c2013170";
105 "meta.sr.ht::settings" = {
106 onboarding-redirect = "https://meta.${domain}";
107 registration = false;
109 "meta.sr.ht::api" = {
110 #internal-ipnet= [ "127.0.0.0/8" "::1/128" "192.168.0.0/16" "10.0.0.0/8"];
113 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
114 oauth-client-id = "299db9f9c2013170";
117 outgoing-domain = "https://git.${domain}";
118 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
119 oauth-client-id = "gitsrht";
122 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
123 oauth-client-id = "299db9f9c2013170";
126 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
127 oauth-client-id = "299db9f9c2013170";
129 "lists.sr.ht::worker" = {
130 #sock = "/var/lib/postfix/queue/private/srht-lmtp";
132 # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen webhook
133 #webhooks.private-key= "U7yd/8mGs/v0O3kId4jpeSghUCa9tqP1fYQwSV8UOqo=";
134 webhooks.private-key = gnupg.secrets."sourcehut/webhook-key".path;
136 smtp-host = "localhost";
139 smtp-password = null;
140 smtp-from = "julm+hut@${networking.domain}";
141 error-to = "julm+hut+error@${networking.domain}";
142 error-from = "julm+hut+error@${networking.domain}";
149 fileSystems."/var/lib/sourcehut" = {
150 device = "rpool/var/sourcehut";
153 services.sanoid.datasets = {
154 "rpool/var/sourcehut" = {
155 use_template = [ "snap" ];
160 virtualHosts."~^(?<subdomain>[^.]+).hut.${networking.domain}" = {
162 useACMEHost = networking.domain;
163 globalRedirect = "$subdomain.code.${networking.domain}";
165 virtualHosts."meta.${domain}" = {
166 locations."/query".extraConfig = lib.mkForce ''
167 if ($request_method = 'OPTIONS') {
168 ${nginx.configs.https_add_headers}
169 add_header 'Access-Control-Allow-Origin' '*';
170 add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
171 add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
172 add_header 'Access-Control-Max-Age' 1728000;
173 add_header 'Content-Type' 'text/plain; charset=utf-8';
174 add_header 'Content-Length' 0;
178 ${nginx.configs.https_add_headers}
179 add_header 'Access-Control-Allow-Origin' '*';
180 add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
181 add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
182 add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';