nixos/modules/services/misc/sourcehut/meta.nix

   1 { config, lib, pkgs, ... }:
   2
   3 with lib;
   4 let
   5   cfg = config.services.sourcehut;
   6   cfgIni = cfg.settings;
   7   scfg = cfg.meta;
   8   iniKey = "meta.sr.ht";
   9
  10   rcfg = config.services.redis;
  11   drv = pkgs.sourcehut.metasrht;
  12 in
  13 {
  14   options.services.sourcehut.meta = {
  15     user = mkOption {
  16       type = types.str;
  17       default = "metasrht";
  18       description = ''
  19         User for meta.sr.ht.
  20       '';
  21     };
  22
  23     port = mkOption {
  24       type = types.port;
  25       default = 5000;
  26       description = ''
  27         Port on which the "meta" module should listen.
  28       '';
  29     };
  30
  31     database = mkOption {
  32       type = types.str;
  33       default = "meta.sr.ht";
  34       description = ''
  35         PostgreSQL database name for meta.sr.ht.
  36       '';
  37     };
  38
  39     statePath = mkOption {
  40       type = types.path;
  41       default = "${cfg.statePath}/metasrht";
  42       description = ''
  43         State path for meta.sr.ht.
  44       '';
  45     };
  46   };
  47
  48   config = with scfg; lib.mkIf (cfg.enable && elem "meta" cfg.services) {
  49     assertions =
  50       [
  51         {
  52           assertion = with cfgIni."meta.sr.ht::billing"; enabled == "yes" -> (stripe-public-key != null && stripe-secret-key != null);
  53           message = "If meta.sr.ht::billing is enabled, the keys should be defined.";
  54         }
  55       ];
  56
  57     users = {
  58       users = {
  59         ${user} = {
  60           isSystemUser = true;
  61           group = user;
  62           description = "meta.sr.ht user";
  63         };
  64       };
  65
  66       groups = {
  67         "${user}" = { };
  68       };
  69     };
  70
  71     services.cron.systemCronJobs = [ "0 0 * * * ${cfg.python}/bin/metasrht-daily" ];
  72     services.postgresql = {
  73       authentication = ''
  74         local ${database} ${user} trust
  75       '';
  76       ensureDatabases = [ database ];
  77       ensureUsers = [
  78         {
  79           name = user;
  80           ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; };
  81         }
  82       ];
  83     };
  84
  85     systemd = {
  86       tmpfiles.rules = [
  87         "d ${statePath} 0750 ${user} ${user} -"
  88       ];
  89
  90       services = let
  91         commonPreStart = ''
  92           # Configure client(s) as "preauthorized"
  93           ${concatMapStringsSep "\n\n"
  94             (attr: ''
  95               if ! test -e "${statePath}/${attr}.oauth" || [ "$(cat ${statePath}/${attr}.oauth)" != "${cfgIni."${attr}".oauth-client-id}" ]; then
  96                 # Configure ${attr}'s OAuth client as "preauthorized"
  97                 psql ${database} \
  98                   -c "UPDATE oauthclient SET preauthorized = true WHERE client_id = '${cfgIni."${attr}".oauth-client-id}'"
  99
 100                 printf "%s" "${cfgIni."${attr}".oauth-client-id}" > "${statePath}/${attr}.oauth"
 101               fi
 102             '')
 103             (builtins.attrNames (filterAttrs
 104               (k: v: !(hasInfix "::" k) && (v.oauth-client-id or null) != null)
 105               cfg.settings))}
 106         '';
 107         in {
 108         metasrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey {
 109           after = [ "postgresql.service" "network.target" ];
 110           requires = [ "postgresql.service" ];
 111           wantedBy = [ "multi-user.target" ];
 112
 113           description = "meta.sr.ht website service";
 114
 115           preStart = commonPreStart;
 116
 117           serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}";
 118         };
 119
 120         metasrht-api = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey {
 121           after = [ "postgresql.service" "network.target" ];
 122           requires = [ "postgresql.service" ];
 123           wantedBy = [ "multi-user.target" ];
 124
 125           description = "meta.sr.ht api service";
 126
 127           preStart = commonPreStart;
 128
 129           serviceConfig.ExecStart = "${pkgs.sourcehut.metasrht}/bin/metasrht-api -b :${toString (port + 100)}";
 130         };
 131
 132         metasrht-webhooks = {
 133           after = [ "postgresql.service" "network.target" ];
 134           requires = [ "postgresql.service" ];
 135           wantedBy = [ "multi-user.target" ];
 136
 137           description = "meta.sr.ht webhooks service";
 138           serviceConfig = {
 139             Type = "simple";
 140             User = user;
 141             Restart = "always";
 142             ExecStart = "${cfg.python}/bin/celery -A ${drv.pname}.webhooks worker --loglevel INFO --pool eventlet";
 143           };
 144
 145         };
 146       };
 147     };
 148
 149     services.sourcehut.settings = {
 150       # URL meta.sr.ht is being served at (protocol://domain)
 151       "meta.sr.ht".origin = mkDefault "https://meta.${cfg.originBase}";
 152       # Address and port to bind the debug server to
 153       "meta.sr.ht".debug-host = mkDefault "0.0.0.0";
 154       "meta.sr.ht".debug-port = mkDefault port;
 155       # Configures the SQLAlchemy connection string for the database.
 156       "meta.sr.ht".connection-string = mkDefault "postgresql:///${database}?user=${user}&host=/var/run/postgresql";
 157       # If "yes", the user will be sent the stock sourcehut welcome emails after
 158       # signup (requires cron to be configured properly). These are specific to the
 159       # sr.ht instance so you probably want to patch these before enabling this.
 160       "meta.sr.ht".welcome-emails = mkDefault "no";
 161
 162       # The redis connection used for the webhooks worker
 163       "meta.sr.ht".webhooks = mkDefault "redis://${rcfg.bind}:${toString rcfg.port}/6";
 164
 165       # If "no", public registration will not be permitted.
 166       "meta.sr.ht::settings".registration = mkDefault "no";
 167       # Where to redirect new users upon registration
 168       "meta.sr.ht::settings".onboarding-redirect = mkDefault "https://meta.${cfg.originBase}";
 169       # How many invites each user is issued upon registration (only applicable if
 170       # open registration is disabled)
 171       "meta.sr.ht::settings".user-invites = mkDefault 5;
 172
 173       # Origin URL for API, 100 more than web
 174       "meta.sr.ht".api-origin = mkDefault "http://localhost:5100";
 175
 176       # You can add aliases for the client IDs of commonly used OAuth clients here.
 177       #
 178       # Example:
 179       "meta.sr.ht::aliases" = mkDefault { };
 180       # "meta.sr.ht::aliases"."git.sr.ht" = 12345;
 181
 182       # "yes" to enable the billing system
 183       "meta.sr.ht::billing".enabled = mkDefault "no";
 184       # Get your keys at https://dashboard.stripe.com/account/apikeys
 185       "meta.sr.ht::billing".stripe-public-key = mkDefault null;
 186       "meta.sr.ht::billing".stripe-secret-key = mkDefault null;
 187     };
 188
 189     services.nginx.virtualHosts."meta.${cfg.originBase}" = {
 190       forceSSL = true;
 191       locations."/".proxyPass = "http://${cfg.address}:${toString port}";
 192       locations."/query".proxyPass = "http://${cfg.address}:${toString (port + 100)}";
 193       locations."/static".root = "${pkgs.sourcehut.metasrht}/${pkgs.sourcehut.python.sitePackages}/metasrht";
 194     };
 195   };
 196 }