nixos/modules/services/misc/sourcehut/hg.nix

   1 { config, lib, pkgs, ... }:
   2
   3 with lib;
   4 let
   5   cfg = config.services.sourcehut;
   6   scfg = cfg.hg;
   7   iniKey = "hg.sr.ht";
   8   statePath = "/var/lib/sourcehut/hgsrht";
   9
  10   rcfg = config.services.redis;
  11   drv = pkgs.sourcehut.hgsrht;
  12 in
  13 {
  14   options.services.sourcehut.hg = {
  15     user = mkOption {
  16       type = types.str;
  17       internal = true;
  18       readOnly = true;
  19       default = "hg";
  20       description = ''
  21         User for hg.sr.ht.
  22       '';
  23     };
  24
  25     port = mkOption {
  26       type = types.port;
  27       default = 5010;
  28       description = ''
  29         Port on which the "hg" module should listen.
  30       '';
  31     };
  32
  33     database = mkOption {
  34       type = types.str;
  35       default = "hg.sr.ht";
  36       description = ''
  37         PostgreSQL database name for hg.sr.ht.
  38       '';
  39     };
  40
  41     cloneBundles = mkOption {
  42       type = types.bool;
  43       default = false;
  44       description = ''
  45         Generate clonebundles (which require more disk space but dramatically speed up cloning large repositories).
  46       '';
  47     };
  48   };
  49
  50   config = with scfg; lib.mkIf (cfg.enable && elem "hg" cfg.services) {
  51     # In case it ever comes into being
  52     environment.etc."ssh/hgsrht-dispatch" = {
  53       mode = "0755";
  54       text = ''
  55         #! ${pkgs.stdenv.shell}
  56         ${cfg.python}/bin/gitsrht-dispatch $@
  57       '';
  58     };
  59
  60     environment.systemPackages = [ pkgs.mercurial ];
  61
  62     users = {
  63       users = {
  64         "${user}" = {
  65           isSystemUser = true;
  66           group = user;
  67           # Assuming hg.sr.ht needs this too
  68           shell = pkgs.bash;
  69           description = "hg.sr.ht user";
  70         };
  71       };
  72
  73       groups = {
  74         "${user}" = { };
  75       };
  76     };
  77
  78     services = {
  79       cron.systemCronJobs = [ "*/20 * * * * ${cfg.python}/bin/hgsrht-periodic" ]
  80         ++ optional cloneBundles "0 * * * * ${cfg.python}/bin/hgsrht-clonebundles";
  81
  82       openssh.authorizedKeysCommand = ''/etc/ssh/hgsrht-dispatch "%u" "%h" "%t" "%k"'';
  83       openssh.authorizedKeysCommandUser = "root";
  84       openssh.extraConfig = ''
  85         PermitUserEnvironment SRHT_*
  86       '';
  87
  88       postgresql = {
  89         authentication = ''
  90           local ${database} ${user} trust
  91         '';
  92         ensureDatabases = [ database ];
  93         ensureUsers = [
  94           {
  95             name = user;
  96             ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; };
  97           }
  98         ];
  99       };
 100     };
 101
 102     systemd = {
 103       tmpfiles.rules = [
 104         # /var/log is owned by root
 105         "f /var/log/hg-srht-shell 0644 ${user} ${user} -"
 106
 107         "d ${cfg.settings."${iniKey}".repos} 2755 ${user} ${user} -"
 108       ];
 109
 110       services.hgsrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey {
 111         after = [ "redis.service" "postgresql.service" "network.target" ];
 112         requires = [ "redis.service" "postgresql.service" ];
 113         wantedBy = [ "multi-user.target" ];
 114
 115         path = [ pkgs.mercurial ];
 116         description = "hg.sr.ht website service";
 117
 118         serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}";
 119       };
 120     };
 121
 122     services.sourcehut.settings = {
 123       # The authorized keys hook uses this to dispatch to various handlers
 124       # The format is a program to exec into as the key, and the user to match as the
 125       # value. When someone tries to log in as this user, this program is executed
 126       # and is expected to omit an AuthorizedKeys file.
 127       #
 128       # Uncomment the relevant lines to enable the various sr.ht dispatchers.
 129       "hg.sr.ht::dispatch"."/run/current-system/sw/bin/hgsrht-keys" = mkDefault "${user}:${user}";
 130     };
 131
 132     # TODO: requires testing and addition of hg-specific requirements
 133     services.nginx.virtualHosts."hg.${cfg.originBase}" = {
 134       forceSSL = true;
 135       locations."/".proxyPass = "http://${cfg.address}:${toString port}";
 136       locations."/query".proxyPass = cfgIni."meta.sr.ht".api-origin;
 137       locations."/static".root = "${pkgs.sourcehut.hgsrht}/${pkgs.sourcehut.python.sitePackages}/hgsrht";
 138     };
 139   };
 140 }