1 { pkgs, lib, config, ... }:
3 inherit (config.services) sourcehut;
4 inherit (config.users) groups;
5 domain = "sourcephile.wg";
20 #boot.isContainer = true;
21 #networking.firewall.allowedTCPPorts = [ 80 ];
23 "192.168.42.2" = [domain] ++ map (d: "${d}.${domain}") sourcehut-services;
25 networking.nftables.ruleset = ''
26 add rule inet filter fw2net meta skuid ${sourcehut.meta.user} tcp dport 25 counter accept comment "SMTP"
28 services.sourcehut = {
30 listenAddress = domain;
36 dispatch.enable = true;
45 postgresql.enable = true;
46 postfix.enable = true;
48 redis.firstDatabase = 1;
55 environment = "production";
56 global-domain = domain;
57 origin = "http://${domain}";
58 owner-email = "julm+srht@sourcephile.fr";
59 owner-name = "Sourcephile";
60 site-blurb = "software forge";
61 site-info = "http://${domain}";
62 site-name = "Sourcephile";
63 # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen network
64 network-key = "OeXzQ6A8Vcgt5QJkXScuxeXCtfdKzKev99BRNb3_CWQ=";
65 # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen service
66 service-key = "62427596fed00fa48c19f95bc85c14d0c618a5f8c130b53ba9a6a6b403bf1507";
68 # nix shell nixpkgs#sourcehut.metasrht -c metasrht-manageuser -t admin -e mymail@gmail.com misuzu
70 origin = "http://builds.${domain}";
71 oauth-client-secret = "8f5fc39b5948907e62c737f6b48462dc";
72 oauth-client-id = "299db9f9c2013170";
75 origin = "http://dispatch.${domain}";
76 oauth-client-secret = "8f5fc39b5948907e62c737f6b48462dc";
77 oauth-client-id = "299db9f9c2013170";
80 origin = "http://paste.${domain}";
81 oauth-client-secret = "8f5fc39b5948907e62c737f6b48462dc";
82 oauth-client-id = "299db9f9c2013170";
85 origin = "http://man.${domain}";
86 oauth-client-secret = "8f5fc39b5948907e62c737f6b48462dc";
87 oauth-client-id = "299db9f9c2013170";
90 origin = "http://meta.${domain}";
91 api-origin = "http://meta.${domain}:5100";
93 "meta.sr.ht::settings" = {
94 onboarding-redirect = "http://meta.${domain}";
96 internal-ipnet = "127.0.0.0/8,192.168.42.0/24";
99 internal-ipnet= [ "127.0.0.0/8" "::1/128" "192.168.0.0/16" "10.0.0.0/8"];
102 origin = "http://todo.${domain}";
103 oauth-client-secret = "8f5fc39b5948907e62c737f6b48462dc";
104 oauth-client-id = "299db9f9c2013170";
107 origin = "http://git.${domain}";
108 oauth-client-secret = "8f5fc39b5948907e62c737f6b48462dc";
109 oauth-client-id = "299db9f9c2013170";
112 origin = "http://hub.${domain}";
113 oauth-client-secret = "8f5fc39b5948907e62c737f6b48462dc";
114 oauth-client-id = "299db9f9c2013170";
116 "lists.sr.ht::worker" = {
117 #sock = "/var/lib/postfix/queue/private/srht-lmtp";
120 origin = "http://lists.${domain}";
121 oauth-client-secret = "8f5fc39b5948907e62c737f6b48462dc";
122 oauth-client-id = "299db9f9c2013170";
124 # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen webhook
125 webhooks.private-key= "U7yd/8mGs/v0O3kId4jpeSghUCa9tqP1fYQwSV8UOqo=";
127 smtp-host = "localhost";
130 smtp-password = null;
131 smtp-from = "sourcehut@sourcephile.fr";
132 error-to = "julm+sourcehut+error@sourcephile.fr";
133 error-from = "sourcehut+error@sourcephile.fr";
140 services.nginx.virtualHosts = {
141 #"builds.${domain}".forceSSL = lib.mkForce false;
142 "dispatch.${domain}".forceSSL = lib.mkForce false;
143 "git.${domain}".forceSSL = lib.mkForce false;
144 "hub.${domain}".forceSSL = lib.mkForce false;
145 "lists.${domain}".forceSSL = lib.mkForce false;
146 "logs.${domain}".forceSSL = lib.mkForce false;
147 "man.${domain}".forceSSL = lib.mkForce false;
148 "paste.${domain}".forceSSL = lib.mkForce false;
149 "todo.${domain}".forceSSL = lib.mkForce false;
151 forceSSL = lib.mkForce false;
154 access_log /var/log/nginx/${domain}/meta/access.log json;
155 error_log /var/log/nginx/${domain}/meta/error.log warn;
159 "${domain}".forceSSL = lib.mkForce false;
161 systemd.services.nginx.serviceConfig.LogsDirectory =
162 lib.mkForce ["/var/log/nginx/${domain}/meta"];
163 systemd.services.postgresql = {
165 connection_limit=64 \
167 lc_collate=fr_FR.UTF-8 \
168 lc_type=fr_FR.UTF-8 \
169 owner="${sourcehut.git.database}" \
170 pg_createdb "${sourcehut.git.database}" >/dev/null </dev/null
172 pg_adduser "${sourcehut.git.database}" "${sourcehut.git.database}" >/dev/null
174 postStart = lib.mkAfter ''
175 $PSQL -d "${sourcehut.dispatch.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
176 GRANT USAGE,CREATE ON schema public TO "${sourcehut.dispatch.user}";
178 $PSQL -d "${sourcehut.git.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
179 GRANT USAGE,CREATE ON schema public TO "${sourcehut.git.user}";
181 $PSQL -d "${sourcehut.hub.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
182 GRANT USAGE,CREATE ON schema public TO "${sourcehut.hub.user}";
184 $PSQL -d "${sourcehut.man.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
185 GRANT USAGE,CREATE ON schema public TO "${sourcehut.man.user}";
187 $PSQL -d "${sourcehut.meta.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
188 GRANT USAGE,CREATE ON schema public TO "${sourcehut.meta.user}";
190 $PSQL -d "${sourcehut.paste.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
191 GRANT USAGE,CREATE ON schema public TO "${sourcehut.paste.user}";
193 $PSQL -d "${sourcehut.todo.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
194 GRANT USAGE,CREATE ON schema public TO "${sourcehut.todo.user}";
196 $PSQL -d "${sourcehut.lists.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
197 GRANT USAGE,CREATE ON schema public TO "${sourcehut.lists.user}";