{ pkgs, lib, config, ... }:
let
  inherit (config.services) sourcehut;
  inherit (config.users) users groups;
  inherit (config.security) gnupg;

  # Every sourcehut component is served under a sub-domain of this name;
  # the name is only resolvable through networking.hosts below.
  domain = "sourcephile.wg";

  # Sub-domains that must resolve to the sourcehut host.
  sourcehut-services = [
    "builds"
    "dispatch"
    "git"
    "hg"
    "hub"
    "lists"
    "meta"
    "man"
    "paste"
    "pages"
    "todo"
  ];

  # Units that read the gnupg-managed sourcehut secrets and therefore have
  # to be ordered after (and pull in) the secret-provisioning units.
  secretConsumers = [ "metasrht.service" "gitsrht.service" ];

  # OAuth client credentials shared by every component that talks to
  # meta.sr.ht.  The secret is read from a gnupg-managed file at runtime
  # rather than being written into this (committed) file.
  oauthClient = {
    oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
    oauth-client-id = "299db9f9c2013170";
  };

  # nginx virtual hosts handled here.  "logs" is served although it is not
  # part of sourcehut-services, and "hg" is not served by nginx at all.
  nginxVhosts = map (sub: "${sub}.${domain}") [
    "builds"
    "dispatch"
    "git"
    "hub"
    "lists"
    "logs"
    "man"
    "paste"
    "pages"
    "todo"
    "meta"
  ] ++ [ domain ];
in
{
  #boot.isContainer = true;
  #networking.firewall.allowedTCPPorts = [ 80 ];

  # Static resolution of the forge domain and all its sub-domains.
  networking.hosts = {
    "192.168.42.2" = [ domain ] ++ map (sub: "${sub}.${domain}") sourcehut-services;
  };

  # Only the meta.sr.ht service user is allowed to open outgoing SMTP
  # connections; everything else stays subject to the default fw2net policy.
  networking.nftables.ruleset = ''
    add rule inet filter fw2net meta skuid ${sourcehut.meta.user} tcp dport 25 counter accept comment "SMTP"
  '';

  # Secrets are decrypted by the gnupg secret machinery and exposed as files;
  # the settings below reference their paths, never their contents.
  security.gnupg.secrets = lib.genAttrs [
    "sourcehut/network-key"
    "sourcehut/service-key"
    "sourcehut/webhook-key"
    "sourcehut/oauth-client-secret"
  ] (_: {
    systemdConfig = {
      before = secretConsumers;
      wantedBy = secretConsumers;
    };
  });

  # Object storage backing pages.sr.ht (see settings.objects below).
  services.minio = {
    enable = true;
    # NOTE(review): literal placeholder credentials, committed to the
    # repository.  They must match objects.s3-access-key / s3-secret-key
    # below, and the secret key additionally lands in the world-readable
    # Nix store through pkgs.writeText there.  `browser = true` also serves
    # the MinIO web console with these same credentials.
    accessKey = "12345";
    secretKey = "12345678";
    #region = "";
    browser = true;
  };
  environment.systemPackages = [ pkgs.minio-client ];

  services.sourcehut = {
    enable = true;
    # Services bind locally; nginx (below) is the only public entry point.
    listenAddress = "localhost";

    builds = {
      #enable = true;
      enableWorker = true;

      # Guest image for the builds.sr.ht worker.  The guest is deliberately
      # wide open (empty root/build passwords, passwordless sudo, root ssh):
      # presumably it is only ever reachable from the worker on the
      # 10.0.2.0/25 guest network configured below — confirm that the
      # worker never exposes port 22 of a guest beyond that network.
      images.nixos.unstable.x86_64 =
        let
          guestModule = { pkgs, ... }: {
            # ssh server accepting root with an empty password
            services.openssh = {
              enable = true;
              permitRootLogin = "yes";
              extraConfig = "PermitEmptyPasswords yes";
            };

            users = {
              mutableUsers = false;
              # unprivileged user the build scripts run as; wheel gives it sudo
              extraUsers."build" = {
                isNormalUser = true;
                uid = 1000;
                extraGroups = [ "wheel" ];
                password = "";
              };
              users.root.password = "";
            };

            security.sudo.wheelNeedsPassword = false;
            nix.trustedUsers = [ "root" "build" ];
            documentation.nixos.enable = false;

            # Network layout expected by builds.sr.ht guest images.
            networking = {
              hostName = "build";
              dhcpcd.enable = false;
              defaultGateway.address = "10.0.2.2";
              # keep the classic eth0 name instead of a predictable one
              usePredictableInterfaceNames = false;
              interfaces."eth0".ipv4.addresses = [{
                address = "10.0.2.15";
                prefixLength = 25;
              }];
              enableIPv6 = false;
              nameservers = [
                # OpenNIC anycast resolvers
                "185.121.177.177"
                "169.239.202.202"
                # last-resort fallback
                "8.8.8.8"
              ];
              # ssh is the only inbound service the worker needs
              firewall.allowedTCPPorts = [ 22 ];
            };

            environment.systemPackages = [
              pkgs.gitMinimal
              #pkgs.mercurial
              pkgs.curl
              pkgs.gnupg
            ];
          };

          vmModule = { ... }: {
            imports = [ guestModule ];
            fileSystems."/".device = "/dev/disk/by-label/nixos";
            boot.initrd.availableKernelModules = [
              "ahci"
              "ehci_pci"
              "sd_mod"
              "usb_storage"
              "usbhid"
              "virtio_balloon"
              "virtio_blk"
              "virtio_pci"
              "virtio_ring"
              "xhci_pci"
            ];
            boot.loader = {
              grub = {
                version = 2;
                device = "/dev/vda";
              };
              timeout = 0;
            };
          };

          evaluated = (import (pkgs.path + "/nixos/lib/eval-config.nix") {
            inherit pkgs;
            modules = [ vmModule ];
            system = "x86_64-linux";
          }).config;
        in
        import (pkgs.path + "/nixos/lib/make-disk-image.nix") {
          inherit pkgs lib;
          config = evaluated;
          diskSize = 16000;
          format = "qcow2-compressed";
          contents = [
            {
              source = pkgs.writeText "gitconfig" ''
                [user]
                  name = builds.sr.ht
                  email = build@sr.ht
              '';
              target = "/home/build/.gitconfig";
              user = "build";
              group = "users";
              mode = "644";
            }
          ];
        };
    };

    #dispatch.enable = true;
    git.enable = true;
    #hub.enable = true;
    meta.enable = true;
    meta.port = 4999;
    #man.enable = true;
    #pages.enable = true;
    #paste.enable = true;
    #todo.enable = true;
    #lists.enable = true;

    postgresql.enable = true;
    postfix.enable = true;
    redis.enable = true;
    nginx.enable = true;

    settings = {
      "sr.ht" = {
        environment = "production";
        global-domain = domain;
        origin = "http://${domain}";
        owner-email = "julm+srht@sourcephile.fr";
        owner-name = "Sourcephile";
        site-blurb = "software forge";
        site-info = "http://${domain}";
        site-name = "Sourcephile";
        # generated with: nix shell nixpkgs#sourcehut.coresrht -c srht-keygen network
        network-key = gnupg.secrets."sourcehut/network-key".path;
        # generated with: nix shell nixpkgs#sourcehut.coresrht -c srht-keygen service
        service-key = gnupg.secrets."sourcehut/service-key".path;
      };

      objects = {
        s3-upstream = "localhost";
        # NOTE(review): must match services.minio above; writeText stores the
        # secret in the Nix store, where every local user can read it.
        s3-access-key = "12345";
        s3-secret-key = pkgs.writeText "s3-secret-key" "12345678";
      };

      # admin bootstrap: nix shell nixpkgs#sourcehut.metasrht -c metasrht-manageuser -t admin -e mymail@gmail.com misuzu
      "builds.sr.ht" = oauthClient // {
        origin = "http://builds.${domain}";
        # anyone with an account may submit builds without payment
        allow-free = true;
      };
      "dispatch.sr.ht" = oauthClient // {
        origin = "http://dispatch.${domain}";
      };
      "pages.sr.ht" = oauthClient // {
        origin = "http://pages.${domain}";
        s3-bucket = "pagesbuck";
      };
      "paste.sr.ht" = oauthClient // {
        origin = "http://paste.${domain}";
      };
      "man.sr.ht" = oauthClient // {
        origin = "http://man.${domain}";
      };
      "meta.sr.ht" = {
        origin = "http://meta.${domain}";
        api-origin = "http://localhost:5099";
      };
      "meta.sr.ht::settings" = {
        onboarding-redirect = "http://meta.${domain}";
        # NOTE(review): self-registration is open to anyone who can reach
        # meta.${domain}; combined with allow-free above, any registered
        # account can run builds in the worker.
        registration = true;
      };
      "meta.sr.ht::api" = {
        # Temporary workaround: treats every RFC 1918 / loopback source as an
        # internal API client, which is much wider than the host itself.
        internal-ipnet = [ "127.0.0.0/8" "::1/128" "192.168.0.0/16" "10.0.0.0/8" ];
      };
      "todo.sr.ht" = oauthClient // {
        origin = "http://todo.${domain}";
      };
      "git.sr.ht" = oauthClient // {
        origin = "http://git.${domain}";
        outgoing-domain = "http://git.${domain}";
        #repos = "/var/lib/git";
      };
      "hub.sr.ht" = oauthClient // {
        origin = "http://hub.${domain}";
      };
      "lists.sr.ht" = oauthClient // {
        origin = "http://lists.${domain}";
      };
      "lists.sr.ht::worker" = {
        #sock = "/var/lib/postfix/queue/private/srht-lmtp";
      };

      # generated with: nix shell nixpkgs#sourcehut.coresrht -c srht-keygen webhook
      # (kept only in the gnupg secret store; never inline the key here)
      webhooks.private-key = gnupg.secrets."sourcehut/webhook-key".path;

      mail = {
        smtp-host = "localhost";
        smtp-port = 25;
        smtp-user = null;
        smtp-password = null;
        smtp-from = "sourcehut@sourcephile.fr";
        error-to = "julm+sourcehut+error@sourcephile.fr";
        error-from = "sourcehut+error@sourcephile.fr";
        pgp-privkey = null;
        pgp-pubkey = null;
        pgp-key-id = null;
      };
    };
  };

  # Plain HTTP on every vhost.  Presumably acceptable because the ".wg"
  # domain is only reachable over the WireGuard overlay — confirm before
  # exposing any of these names on another interface.  A JSON access/error
  # log extraConfig for meta.${domain} used to live here and is disabled.
  services.nginx.virtualHosts = lib.genAttrs nginxVhosts (_: {
    forceSSL = lib.mkForce false;
  });

  # Disabled schema grants for the per-service databases; kept for reference.
  systemd.services.postgresql = {
    /*
    connection_limit=64 \
    encoding=UTF8 \
    lc_collate=fr_FR.UTF-8 \
    lc_type=fr_FR.UTF-8 \
    owner="${sourcehut.git.postgresql.database}" \
    pg_createdb "${sourcehut.git.postgresql.database}" >/dev/null </dev/null

    pg_adduser "${sourcehut.git.postgresql.database}" "${sourcehut.git.postgresql.database}" >/dev/null
    postStart = lib.mkAfter ''
      $PSQL -d "${sourcehut.builds.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.builds.user}";
      EOF
      $PSQL -d "${sourcehut.dispatch.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.dispatch.user}";
      EOF
      $PSQL -d "${sourcehut.git.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.git.user}";
      EOF
      $PSQL -d "${sourcehut.hub.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.hub.user}";
      EOF
      $PSQL -d "${sourcehut.man.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.man.user}";
      EOF
      $PSQL -d "${sourcehut.meta.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.meta.user}";
      GRANT USAGE,CREATE ON schema public TO "${users.sshsrht.name}";
      EOF
      $PSQL -d "${sourcehut.pages.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.pages.user}";
      EOF
      $PSQL -d "${sourcehut.paste.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.paste.user}";
      EOF
      $PSQL -d "${sourcehut.todo.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.todo.user}";
      EOF
      $PSQL -d "${sourcehut.lists.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.lists.user}";
      EOF
    '';
    */
  };
}