]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/mermet/sourcehut.nix
carotte: avoid compiling zfs-kernel, and enable gpg-agent
[sourcephile-nix.git] / hosts / mermet / sourcehut.nix
1 { pkgs, lib, config, ... }:
2 let
3 inherit (config) networking;
4 inherit (config.services) sourcehut;
5 inherit (config.users) users groups;
6 inherit (config.security) gnupg;
7 domain = "code.${networking.domain}";
8 in
9 {
10 security.gnupg.secrets = lib.genAttrs [
11 "sourcehut/network-key"
12 "sourcehut/service-key"
13 "sourcehut/webhook-key"
14 "sourcehut/oauth-client-secret"
15 ] (p: let srhts = [
16 "metasrht.service"
17 "gitsrht.service"
18 "listsrht.service"
19 ]; in {
20 systemdConfig.before = srhts;
21 systemdConfig.wantedBy = srhts;
22 });
23 services.minio = {
24 #enable = true;
25 accessKey = "12345";
26 secretKey = "12345678";
27 #region = "";
28 browser = true;
29 };
30 #environment.systemPackages = [ pkgs.minio-client ];
31 services.sourcehut = {
32 enable = true;
33 listenAddress = "localhost";
34 builds = {
35 #enable = true;
36 #enableWorker = true;
37 images.nixos.unstable.x86_64 =
38 import sourcehut/builds/nixos-unstable.nix
39 "x86_64-linux" { inherit pkgs lib config; };
40 };
41
42 #dispatch.enable = true;
43 git.enable = true;
44 hub.enable = true;
45 meta.enable = true;
46 meta.port = 4999;
47 #man.enable = true;
48 #pages.enable = true;
49 #paste.enable = true;
50 todo.enable = true;
51 #lists.enable = true;
52
53 postgresql.enable = true;
54 postfix.enable = true;
55 redis.enable = true;
56 nginx.enable = true;
57 nginx.virtualHost = {
58 useACMEHost = networking.domain;
59 };
60 settings = {
61 "sr.ht" = {
62 environment = "production";
63 global-domain = domain;
64 owner-email = "julm+srht@sourcephile.fr";
65 owner-name = "Sourcephile";
66 site-blurb = "a simple free software forge";
67 site-info = "https://${domain}";
68 site-name = "Sourcephile";
69 # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen network
70 network-key = gnupg.secrets."sourcehut/network-key".path;
71 # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen service
72 service-key = gnupg.secrets."sourcehut/service-key".path;
73 #redis-host = "redis://localhost:6379/";
74 };
75 objects = {
76 s3-upstream = "localhost";
77 s3-access-key = "12345";
78 s3-secret-key = pkgs.writeText "s3-secret-key" "12345678";
79 };
80 # nix shell nixpkgs#sourcehut.metasrht -c metasrht-manageuser -t admin -e mymail@gmail.com misuzu
81 "builds.sr.ht" = {
82 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
83 oauth-client-id = "299db9f9c2013170";
84 allow-free = true;
85 };
86 "dispatch.sr.ht" = {
87 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
88 oauth-client-id = "299db9f9c2013170";
89 };
90 "pages.sr.ht" = {
91 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
92 oauth-client-id = "299db9f9c2013170";
93 s3-bucket = "pagesbuck";
94 };
95 "paste.sr.ht" = {
96 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
97 oauth-client-id = "299db9f9c2013170";
98 };
99 "man.sr.ht" = {
100 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
101 oauth-client-id = "299db9f9c2013170";
102 };
103 "meta.sr.ht" = {
104 };
105 "meta.sr.ht::settings" = {
106 onboarding-redirect = "https://meta.${domain}";
107 registration = false;
108 };
109 "meta.sr.ht::api" = {
110 #internal-ipnet= [ "127.0.0.0/8" "::1/128" "192.168.0.0/16" "10.0.0.0/8"];
111 };
112 "todo.sr.ht" = {
113 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
114 oauth-client-id = "299db9f9c2013170";
115 };
116 "git.sr.ht" = {
117 outgoing-domain = "https://git.${domain}";
118 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
119 oauth-client-id = "gitsrht";
120 };
121 "hub.sr.ht" = {
122 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
123 oauth-client-id = "299db9f9c2013170";
124 };
125 "lists.sr.ht" = {
126 oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
127 oauth-client-id = "299db9f9c2013170";
128 };
129 "lists.sr.ht::worker" = {
130 #sock = "/var/lib/postfix/queue/private/srht-lmtp";
131 };
132 # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen webhook
133 #webhooks.private-key= "U7yd/8mGs/v0O3kId4jpeSghUCa9tqP1fYQwSV8UOqo=";
134 webhooks.private-key = gnupg.secrets."sourcehut/webhook-key".path;
135 mail = {
136 smtp-host = "localhost";
137 smtp-port = 25;
138 smtp-user = null;
139 smtp-password = null;
140 smtp-from = "julm+hut@${networking.domain}";
141 error-to = "julm+hut+error@${networking.domain}";
142 error-from = "julm+hut+error@${networking.domain}";
143 pgp-privkey = null;
144 pgp-pubkey = null;
145 pgp-key-id = null;
146 };
147 };
148 };
149 fileSystems."/var/lib/sourcehut" = {
150 device = "rpool/var/sourcehut";
151 fsType = "zfs";
152 };
153 services.sanoid.datasets = {
154 "rpool/var/sourcehut" = {
155 use_template = [ "snap" ];
156 daily = 31;
157 };
158 };
159 services.nginx = {
160 virtualHosts."~^(?<subdomain>[^.]+).hut.${networking.domain}" = {
161 forceSSL = true;
162 useACMEHost = networking.domain;
163 globalRedirect = "$subdomain.code.${networking.domain}";
164 };
165 };
166 }