nixos/modules/services/misc/sourcehut/git.nix

   1 { config, lib, pkgs, ... }:
   2
   3 with lib;
   4 let
   5   cfg = config.services.sourcehut;
   6   scfg = cfg.git;
   7   iniKey = "git.sr.ht";
   8   statePath = "/var/lib/sourcehut/gitsrht";
   9
  10   rcfg = config.services.redis;
  11   drv = pkgs.sourcehut.gitsrht;
  12 in
  13 {
  14   options.services.sourcehut.git = {
  15     enable = mkEnableOption "git service";
  16
  17     user = mkOption {
  18       type = types.str;
  19       visible = false;
  20       internal = true;
  21       readOnly = true;
  22       default = "git";
  23       description = ''
  24         User for git.sr.ht.
  25       '';
  26     };
  27
  28     port = mkOption {
  29       type = types.port;
  30       default = 5001;
  31       description = ''
  32         Port on which the "git" module should listen.
  33       '';
  34     };
  35
  36     database = mkOption {
  37       type = types.str;
  38       default = "git.sr.ht";
  39       description = ''
  40         PostgreSQL database name for git.sr.ht.
  41       '';
  42     };
  43
  44     package = mkOption {
  45       type = types.package;
  46       default = pkgs.git;
  47       example = literalExample "pkgs.gitFull";
  48       description = ''
  49         Git package for git.sr.ht. This can help silence collisions.
  50       '';
  51     };
  52   };
  53
  54   config = with scfg; lib.mkIf (cfg.enable && scfg.enable) {
  55     # sshd refuses to run with `Unsafe AuthorizedKeysCommand ... bad ownership or modes for directory /nix/store`
  56     environment.etc."ssh/gitsrht-dispatch" = {
  57       mode = "0755";
  58       text = ''
  59         #! ${pkgs.stdenv.shell}
  60         ${cfg.python}/bin/gitsrht-dispatch "$@"
  61       '';
  62     };
  63
  64     # Needs this in the $PATH when sshing into the server
  65     environment.systemPackages = [ cfg.git.package ];
  66
  67     users = {
  68       users = {
  69         "${user}" = {
  70           isSystemUser = true;
  71           group = user;
  72           # https://stackoverflow.com/questions/22314298/git-push-results-in-fatal-protocol-error-bad-line-length-character-this
  73           # Probably could use gitsrht-shell if output is restricted to just parameters...
  74           shell = pkgs.bash;
  75           description = "git.sr.ht user";
  76         };
  77       };
  78
  79       groups = {
  80         "${user}" = { };
  81       };
  82     };
  83
  84     services = {
  85       fcgiwrap.enable = true;
  86
  87       openssh.authorizedKeysCommand = ''/etc/ssh/gitsrht-dispatch "%u" "%h" "%t" "%k"'';
  88       openssh.authorizedKeysCommandUser = "root";
  89       openssh.extraConfig = ''
  90         PermitUserEnvironment SRHT_*
  91       '';
  92
  93       postgresql = {
  94         authentication = ''
  95           local ${database} ${user} trust
  96         '';
  97         ensureDatabases = [ database ];
  98         ensureUsers = [
  99           {
 100             name = user;
 101             ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; };
 102           }
 103         ];
 104       };
 105     };
 106
 107     systemd = {
 108       tmpfiles.rules = [
 109         # /var/log is owned by root
 110         "f /var/log/git-srht-shell 0644 ${user} ${user} -"
 111
 112         "d ${cfg.settings."${iniKey}".repos} 2755 ${user} ${user} -"
 113       ];
 114
 115       services = {
 116         gitsrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey {
 117           after = [ "redis.service" "postgresql.service" "network.target" ];
 118           requires = [ "redis.service" "postgresql.service" ];
 119           wantedBy = [ "gitsrht.target" ];
 120
 121           # Needs internally to create repos at the very least
 122           path = [ pkgs.git ];
 123           description = "git.sr.ht website service";
 124
 125           serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}";
 126         };
 127
 128         gitsrht-periodic = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey {
 129           after = [ "gitsrht.service" ];
 130           requires = [ "gitsrht.service" ];
 131
 132           description = "git.sr.ht periodic service";
 133
 134           serviceConfig.Type = mkForce "oneshot";
 135           serviceConfig.Restart = mkForce "no";
 136           serviceConfig.ExecStart = "${cfg.python}/bin/gitsrht-periodic";
 137         };
 138
 139         gitsrht-webhooks = {
 140           after = [ "postgresql.service" "network.target" ];
 141           requires = [ "postgresql.service" ];
 142           wantedBy = [ "multi-user.target" ];
 143
 144           description = "git.sr.ht webhooks service";
 145           serviceConfig = {
 146             Type = "simple";
 147             User = user;
 148             Restart = "always";
 149           };
 150
 151           serviceConfig.ExecStart = "${cfg.python}/bin/celery -A ${drv.pname}.webhooks worker --loglevel INFO --pool eventlet";
 152         };
 153       };
 154     };
 155
 156     systemd.timers = {
 157       gitsrht-periodic = {
 158         description = "gitsrht periodic timer";
 159         wantedBy = [ "timers.target" ];
 160         timerConfig = {
 161           OnCalendar = "20min";
 162           Persistent = true;
 163         };
 164       };
 165     };
 166
 167     services.sourcehut.settings = {
 168       # The authorized keys hook uses this to dispatch to various handlers
 169       # The format is a program to exec into as the key, and the user to match as the
 170       # value. When someone tries to log in as this user, this program is executed
 171       # and is expected to omit an AuthorizedKeys file.
 172       #
 173       # Discard of the string context is in order to allow derivation-derived strings.
 174       # This is safe if the relevant package is installed which will be the case if the setting is utilized.
 175       "git.sr.ht::dispatch".${builtins.unsafeDiscardStringContext "${pkgs.sourcehut.gitsrht}/bin/gitsrht-keys"} = mkDefault "${user}:${user}";
 176     };
 177
 178     services.nginx.virtualHosts."git.${cfg.originBase}" = {
 179       forceSSL = true;
 180       locations."/".proxyPass = "http://${cfg.address}:${toString port}";
 181       locations."/query".proxyPass = cfgIni."meta.sr.ht".api-origin;
 182       locations."/static".root = "${pkgs.sourcehut.gitsrht}/${pkgs.sourcehut.python.sitePackages}/gitsrht";
 183       extraConfig = ''
 184             location = /authorize {
 185             proxy_pass http://${cfg.address}:${toString port};
 186             proxy_pass_request_body off;
 187             proxy_set_header Content-Length "";
 188             proxy_set_header X-Original-URI $request_uri;
 189         }
 190             location ~ ^/([^/]+)/([^/]+)/(HEAD|info/refs|objects/info/.*|git-upload-pack).*$ {
 191                 auth_request /authorize;
 192                 root /var/lib/git;
 193                 fastcgi_pass unix:/run/fcgiwrap.sock;
 194                 fastcgi_param SCRIPT_FILENAME ${pkgs.git}/bin/git-http-backend;
 195                 fastcgi_param PATH_INFO $uri;
 196                 fastcgi_param GIT_PROJECT_ROOT $document_root;
 197                 fastcgi_read_timeout 500s;
 198                 include ${pkgs.nginx}/conf/fastcgi_params;
 199                 gzip off;
 200             }
 201       '';
 202
 203     };
 204   };
 205 }