losurdo: sourcehut: sync config with module changes
# NixOS host module for the `losurdo` host: enables a self-hosted sourcehut
# (sr.ht) instance served over plain HTTP on an internal domain, plus the
# PostgreSQL, Redis, Postfix and nginx pieces the sourcehut module drives.
#
# Security notes for reviewers of this file:
#   * `network-key`, `service-key`, `webhooks.private-key` and every
#     `oauth-client-secret` below are literal values in a file that is
#     committed to the repository; values evaluated into NixOS configuration
#     are also likely to end up in the world-readable Nix store (confirm how
#     this version of the sourcehut module materialises config.ini). Treat
#     them as disclosed and prefer a secrets mechanism that keeps them out
#     of the repo and the store.
#   * One oauth client id/secret pair is reused by every service, so a leak
#     from any one service is a leak for all of them.
#   * `forceSSL` is forced off and every `origin` is `http://`, so sessions
#     and tokens travel in cleartext unless the underlying network is
#     already encrypted — the `.wg` domain suggests a WireGuard link, but
#     that is not visible here; confirm.
{ pkgs, lib, config, ... }:
let
  inherit (config.services) sourcehut;
  # `groups` is not referenced anywhere in this file — TODO confirm it is
  # still needed or drop the inherit.
  inherit (config.users) groups;
  # Internal-only domain; every service is reached as `<service>.<domain>`.
  domain = "sourcephile.wg";
  # Services that get a `<service>.<domain>` entry in /etc/hosts below.
  # NOTE(review): this list includes "builds", "hg" and "lists", which are
  # not enabled in `services.sourcehut` below, while nginx also gets a
  # "logs." vhost that is not listed here — confirm the two lists are
  # intentionally different.
  sourcehut-services = [
    "builds"
    "dispatch"
    "git"
    "hg"
    "hub"
    "lists"
    "meta"
    "man"
    "paste"
    "todo"
  ];
in
{
  #boot.isContainer = true;
  #networking.firewall.allowedTCPPorts = [ 80 ];
  # Pin the domain and all service subdomains to one internal address so
  # name resolution does not depend on external DNS.
  networking.hosts = {
    "192.168.42.2" = [domain] ++ map (d: "${d}.${domain}") sourcehut-services;
  };
  # Let only the meta service's user open outbound SMTP (TCP/25) through the
  # `fw2net` chain; `meta skuid` matches on the socket owner's uid, so other
  # local users stay blocked by whatever that chain does by default.
  networking.nftables.ruleset = ''
    add rule inet filter fw2net meta skuid ${sourcehut.meta.user} tcp dport 25 counter accept comment "SMTP"
  '';
  services.sourcehut = {
    enable = true;
    listenAddress = domain;
    /*
    builds = {
      enableWorker = true;
    };
    */
    dispatch.enable = true;
    git = {
      enable = true;
    };
    hub.enable = true;
    meta = {
      enable = true;
      port = 5000;
    };
    postgresql.enable = true;
    # Local Postfix is what `settings.mail` below points at (localhost:25).
    postfix.enable = true;
    redis.enable = true;
    redis.firstDatabase = 1;
    nginx.enable = true;
    man.enable = true;
    paste.enable = true;
    # todo is disabled, yet it still has a `todo.sr.ht` settings block, a
    # hosts entry, an nginx vhost and a database GRANT below — see the
    # note on postStart.
    todo.enable = false;
    settings = {
      "sr.ht" = {
        environment = "production";
        global-domain = domain;
        origin = "http://${domain}";
        owner-email = "julm+srht@sourcephile.fr";
        owner-name = "Sourcephile";
        site-blurb = "software forge";
        site-info = "http://${domain}";
        site-name = "Sourcephile";
        # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen network
        # Committed in plaintext — consider this key disclosed; rotate it and
        # move it out of the repository.
        network-key = "OeXzQ6A8Vcgt5QJkXScuxeXCtfdKzKev99BRNb3_CWQ=";
        # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen service
        # Same remark as for network-key.
        service-key = "62427596fed00fa48c19f95bc85c14d0c618a5f8c130b53ba9a6a6b403bf1507";
      };
      # Admin bootstrap command. The e-mail and username below look like the
      # example values from the upstream documentation — substitute the real
      # admin address and username when running it.
      # nix shell nixpkgs#sourcehut.metasrht -c metasrht-manageuser -t admin -e mymail@gmail.com misuzu
      # The same oauth-client-secret / oauth-client-id pair is repeated for
      # every service below. Each service is normally registered as its own
      # OAuth client with meta.sr.ht; sharing one pair means one compromised
      # service credential covers all of them — TODO confirm this is intended.
      "builds.sr.ht" = {
        origin = "http://builds.${domain}";
        oauth-client-secret = "8f5fc39b5948907e62c737f6b48462dc";
        oauth-client-id = "299db9f9c2013170";
      };
      "dispatch.sr.ht" = {
        origin = "http://dispatch.${domain}";
        oauth-client-secret = "8f5fc39b5948907e62c737f6b48462dc";
        oauth-client-id = "299db9f9c2013170";
      };
      "paste.sr.ht" = {
        origin = "http://paste.${domain}";
        oauth-client-secret = "8f5fc39b5948907e62c737f6b48462dc";
        oauth-client-id = "299db9f9c2013170";
      };
      "man.sr.ht" = {
        origin = "http://man.${domain}";
        oauth-client-secret = "8f5fc39b5948907e62c737f6b48462dc";
        oauth-client-id = "299db9f9c2013170";
      };
      "meta.sr.ht" = {
        origin = "http://meta.${domain}";
        api-origin = "http://meta.${domain}:5100";
      };
      "meta.sr.ht::settings" = {
        onboarding-redirect = "http://meta.${domain}";
        # Open self-registration. Acceptable only while the domain is reachable
        # solely from the internal network — revisit if it is ever exposed.
        registration = true;
        # Networks treated as "internal" by meta (comma-separated string).
        internal-ipnet = "127.0.0.0/8,192.168.42.0/24";
      };
      "meta.sr.ht::api" = {
        # NOTE(review): given as a Nix list here but as a string above, and
        # the API list is much broader (all of 192.168.0.0/16 and 10.0.0.0/8)
        # than the 192.168.42.0/24 used for the settings section — confirm
        # both the value type the module expects and that the wider range
        # is intended.
        internal-ipnet= [ "127.0.0.0/8" "::1/128" "192.168.0.0/16" "10.0.0.0/8"];
      };
      "todo.sr.ht" = {
        origin = "http://todo.${domain}";
        oauth-client-secret = "8f5fc39b5948907e62c737f6b48462dc";
        oauth-client-id = "299db9f9c2013170";
      };
      "git.sr.ht" = {
        origin = "http://git.${domain}";
        oauth-client-secret = "8f5fc39b5948907e62c737f6b48462dc";
        oauth-client-id = "299db9f9c2013170";
      };
      "hub.sr.ht" = {
        origin = "http://hub.${domain}";
        oauth-client-secret = "8f5fc39b5948907e62c737f6b48462dc";
        oauth-client-id = "299db9f9c2013170";
      };
      "lists.sr.ht::worker" = {
        #sock = "/var/lib/postfix/queue/private/srht-lmtp";
      };
      "lists.sr.ht" = {
        origin = "http://lists.${domain}";
        oauth-client-secret = "8f5fc39b5948907e62c737f6b48462dc";
        oauth-client-id = "299db9f9c2013170";
      };
      # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen webhook
      # Signs outgoing webhooks; committed in plaintext, same remark as above.
      webhooks.private-key= "U7yd/8mGs/v0O3kId4jpeSghUCa9tqP1fYQwSV8UOqo=";
      mail = {
        # Unauthenticated relay through the local Postfix enabled above.
        smtp-host = "localhost";
        smtp-port = 25;
        smtp-user = null;
        smtp-password = null;
        smtp-from = "sourcehut@sourcephile.fr";
        error-to = "julm+sourcehut+error@sourcephile.fr";
        error-from = "sourcehut+error@sourcephile.fr";
        # No PGP signing of outgoing mail.
        pgp-privkey = null;
        pgp-pubkey = null;
        pgp-key-id = null;
      };
    };
  };
  # The sourcehut module appears to default these vhosts to forceSSL; it is
  # forced off here to match the `http://` origins above. Plain HTTP is only
  # safe if the transport underneath is already protected.
  services.nginx.virtualHosts = {
    #"builds.${domain}".forceSSL = lib.mkForce false;
    "dispatch.${domain}".forceSSL = lib.mkForce false;
    "git.${domain}".forceSSL = lib.mkForce false;
    "hub.${domain}".forceSSL = lib.mkForce false;
    "lists.${domain}".forceSSL = lib.mkForce false;
    "logs.${domain}".forceSSL = lib.mkForce false;
    "man.${domain}".forceSSL = lib.mkForce false;
    "paste.${domain}".forceSSL = lib.mkForce false;
    "todo.${domain}".forceSSL = lib.mkForce false;
    "meta.${domain}" = {
      forceSSL = lib.mkForce false;
      /*
      extraConfig = ''
        access_log /var/log/nginx/${domain}/meta/access.log json;
        error_log /var/log/nginx/${domain}/meta/error.log warn;
      '';
      */
    };
    "${domain}".forceSSL = lib.mkForce false;
  };
  # NOTE(review): mkForce *replaces* whatever LogsDirectory the nginx module
  # sets rather than extending it; confirm nginx's own log directory is
  # still created/writable, especially since the extraConfig that would use
  # this directory is commented out above.
  systemd.services.nginx.serviceConfig.LogsDirectory =
    lib.mkForce ["/var/log/nginx/${domain}/meta"];
  systemd.services.postgresql = {
    /*
    connection_limit=64 \
    encoding=UTF8 \
    lc_collate=fr_FR.UTF-8 \
    lc_type=fr_FR.UTF-8 \
    owner="${sourcehut.git.database}" \
    pg_createdb "${sourcehut.git.database}" >/dev/null </dev/null

    pg_adduser "${sourcehut.git.database}" "${sourcehut.git.database}" >/dev/null
    */
    # Runs after the module's own postStart (lib.mkAfter) and grants each
    # service user USAGE,CREATE on the `public` schema of its own database.
    # Presumably needed because newer PostgreSQL releases no longer grant
    # CREATE on `public` to every role — confirm against the server version.
    # `$PSQL` is expected to be provided by the NixOS postgresql module's
    # postStart script — confirm. `--set ON_ERROR_STOP=1` makes any failing
    # statement abort the script, so a missing database or user fails the
    # unit's start-up.
    # NOTE(review): a GRANT is issued for the todo database although
    # `todo.enable = false` above; if that database is not created when the
    # service is disabled, this psql call fails and aborts postStart — confirm.
    postStart = lib.mkAfter ''
      $PSQL -d "${sourcehut.dispatch.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.dispatch.user}";
      EOF
      $PSQL -d "${sourcehut.git.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.git.user}";
      EOF
      $PSQL -d "${sourcehut.hub.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.hub.user}";
      EOF
      $PSQL -d "${sourcehut.man.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.man.user}";
      EOF
      $PSQL -d "${sourcehut.meta.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.meta.user}";
      EOF
      $PSQL -d "${sourcehut.paste.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.paste.user}";
      EOF
      $PSQL -d "${sourcehut.todo.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.todo.user}";
      EOF
      $PSQL -d "${sourcehut.lists.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.lists.user}";
      EOF
    '';
  };
}