sourcehut: wip
# NixOS host module for the sourcehut forge on losurdo.
# Work in progress: only meta.sr.ht and builds.sr.ht are enabled below, every
# origin is plain http:// and nginx's forceSSL is forced off for all vhosts.
{ pkgs, lib, config, inputs, ... }:
let
  inherit (config.services) sourcehut;
  inherit (config.users) users groups;
  inherit (config.security) gnupg;
  # Domain the instance is served under. The ".wg" suffix suggests a WireGuard
  # network — confirm, since everything below is served without TLS.
  domain = "sourcephile.wg";
  # Service subdomains ("<service>.${domain}") pinned in networking.hosts below.
  sourcehut-services = [
    "builds"
    "dispatch"
    "git"
    "hg"
    "hub"
    "lists"
    "meta"
    "man"
    "paste"
    "todo"
  ];
in
{
  #boot.isContainer = true;
  #networking.firewall.allowedTCPPorts = [ 80 ];
  # Resolve the domain and every listed service subdomain to 192.168.42.2
  # locally. NOTE(review): "pages" and "logs" get nginx vhosts further down
  # but are not in sourcehut-services, so they are not resolved here.
  networking.hosts = {
    "192.168.42.2" = [domain] ++ map (d: "${d}.${domain}") sourcehut-services;
  };
  # Outbound SMTP is allowed only for the meta.sr.ht service user
  # (mail.smtp-host below points at localhost:25).
  networking.nftables.ruleset = ''
    add rule inet filter fw2net meta skuid ${sourcehut.meta.user} tcp dport 25 counter accept comment "SMTP"
  '';
  # Decrypted secret files whose runtime paths are referenced in the settings
  # below. NOTE(review): ordering is only declared against metasrht.service,
  # yet builds.sr.ht is enabled and reads oauth-client-secret too — confirm the
  # builds units cannot start before these files exist.
  security.gnupg.secrets = lib.genAttrs [
    "sourcehut/network-key"
    "sourcehut/service-key"
    "sourcehut/webhook-key"
    "sourcehut/oauth-client-secret"
  ] (p: {
    systemdConfig.before = [ "metasrht.service" ];
    systemdConfig.wantedBy = [ "metasrht.service" ];
  });
  # Local S3-compatible store backing the "objects" settings below.
  # NOTE(review): accessKey/secretKey are placeholder-strength literals kept in
  # this file (and, as plain option values, presumably embedded in the
  # world-readable Nix store — confirm how the minio module passes them);
  # rotate them and move them out of the configuration before the instance is
  # exposed more widely.
  services.minio = {
    enable = true;
    accessKey = "12345";
    secretKey = "12345678";
    #region = "";
    browser = true;
  };
  environment.systemPackages = [ pkgs.minio-client ];
  services.sourcehut = {
    enable = true;
    listenAddress = domain;
    builds = {
      enable = true;
      enableWorker = true;
      # Guest image used by the build worker for "nixos/unstable" jobs.
      # It deliberately has no credentials (empty root/build passwords, ssh
      # PermitEmptyPasswords, passwordless sudo). That is only acceptable
      # because the image is meant to run as a throwaway guest under the
      # worker (the 10.0.2.x addressing below matches qemu user networking) —
      # never boot it anywhere else.
      images.nixos.unstable.x86_64 =
        let
          makeDiskImage = import (inputs.nixpkgs + "/nixos/lib/make-disk-image.nix");
          evalConfig = import (inputs.nixpkgs + "/nixos/lib/eval-config.nix");
          # NixOS configuration of the guest.
          systemConfig = { pkgs, ... }: {
            # passwordless ssh server
            services.openssh = {
              enable = true;
              permitRootLogin = "yes";
              extraConfig = "PermitEmptyPasswords yes";
            };

            users = {
              mutableUsers = false;
              # build user
              extraUsers."build" = {
                isNormalUser = true;
                uid = 1000;
                extraGroups = [ "wheel" ];
                password = "";
              };
              users.root.password = "";
            };

            security.sudo.wheelNeedsPassword = false;
            # "build" may reconfigure the guest's Nix daemon; fine inside the
            # disposable guest only.
            nix.trustedUsers = [ "root" "build" ];
            documentation.nixos.enable = false;

            # builds.sr.ht-image-specific network settings
            networking = {
              hostName = "build";
              dhcpcd.enable = false;
              defaultGateway.address = "10.0.2.2";
              usePredictableInterfaceNames = false; # so that we just get eth0 and not some weird id
              interfaces."eth0".ipv4.addresses = [{
                address = "10.0.2.15";
                prefixLength = 25;
              }];
              enableIPv6 = false;
              nameservers = [
                # OpenNIC anycast
                "185.121.177.177"
                "169.239.202.202"
                # Google as a fallback :(
                "8.8.8.8"
              ];
              firewall.allowedTCPPorts = [ 22 ]; # allow ssh
            };

            # tools available to build jobs
            environment.systemPackages = [
              pkgs.gitMinimal
              #pkgs.mercurial
              pkgs.curl
              pkgs.gnupg
            ];
          };
          # qemu-specific layer on top of systemConfig: virtio/ahci boot
          # modules, grub on /dev/vda, no boot menu delay.
          qemuConfig = { pkgs, ... }: {
            imports = [ systemConfig ];
            fileSystems."/".device = "/dev/disk/by-label/nixos";
            boot.initrd.availableKernelModules = [
              "ahci"
              "ehci_pci"
              "sd_mod"
              "usb_storage"
              "usbhid"
              "virtio_balloon"
              "virtio_blk"
              "virtio_pci"
              "virtio_ring"
              "xhci_pci"
            ];
            boot.loader = {
              grub = {
                version = 2;
                device = "/dev/vda";
              };
              timeout = 0;
            };
          };
          # Evaluated guest configuration handed to make-disk-image.
          config = (evalConfig {
            inherit pkgs; modules = [ qemuConfig ];
            system = "x86_64-linux";
          }).config;
        in
        makeDiskImage {
          inherit pkgs lib config;
          diskSize = 16000;
          format = "qcow2-compressed";
          contents = [
            # git identity used for commits made inside build jobs
            { source = pkgs.writeText "gitconfig" ''
                [user]
                name = builds.sr.ht
                email = build@sr.ht
              '';
              target = "/home/build/.gitconfig";
              user = "build";
              group = "users";
              mode = "644";
            }
          ];
        };
    };

    #dispatch.enable = true;
    #git.enable = true;
    #hub.enable = true;
    meta.enable = true;
    #man.enable = true;
    #pages.enable = true;
    #paste.enable = true;
    #todo.enable = true;
    #lists.enable = true;

    postgresql.enable = true;
    postfix.enable = true;
    redis.enable = true;
    #redis.firstDatabase = 0;
    nginx.enable = true;
    settings = {
      "sr.ht" = {
        environment = "production";
        global-domain = domain;
        origin = "http://${domain}";
        owner-email = "julm+srht@sourcephile.fr";
        owner-name = "Sourcephile";
        site-blurb = "software forge";
        site-info = "http://${domain}";
        site-name = "Sourcephile";
        # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen network
        network-key = gnupg.secrets."sourcehut/network-key".path;
        # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen service
        service-key = gnupg.secrets."sourcehut/service-key".path;
      };
      # Object storage: the local minio instance configured above; the key pair
      # must stay in sync with services.minio.accessKey/secretKey.
      # NOTE(review): s3-secret-key is materialised with pkgs.writeText, so the
      # secret lands in the world-readable Nix store. The other secrets in this
      # file go through security.gnupg.secrets and this one should take the
      # same route.
      objects = {
        s3-upstream = "localhost";
        s3-access-key = "12345";
        s3-secret-key = pkgs.writeText "s3-secret-key" "12345678";
      };
      # nix shell nixpkgs#sourcehut.metasrht -c metasrht-manageuser -t admin -e mymail@gmail.com misuzu
      # NOTE(review): a single oauth client id/secret is shared by every service
      # below; confirm this is intended rather than registering one client per
      # service with meta.sr.ht.
      "builds.sr.ht" = {
        origin = "http://builds.${domain}";
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
        # presumably lets accounts without billing submit jobs — confirm
        allow-free = true;
      };
      "dispatch.sr.ht" = {
        origin = "http://dispatch.${domain}";
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
      };
      "pages.sr.ht" = {
        origin = "http://pages.${domain}";
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
        # bucket on the minio instance above
        s3-bucket = "pagesbuck";
      };
      "paste.sr.ht" = {
        origin = "http://paste.${domain}";
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
      };
      "man.sr.ht" = {
        origin = "http://man.${domain}";
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
      };
      "meta.sr.ht" = {
        origin = "http://meta.${domain}";
        api-origin = "http://meta.${domain}:5100";
      };
      "meta.sr.ht::settings" = {
        onboarding-redirect = "http://meta.${domain}";
        # Self-registration is open to anyone who can reach meta.${domain}.
        registration = true;
        # NOTE(review): given as a comma-separated string here but as a list
        # with wider ranges in "meta.sr.ht::api" below — the two should agree.
        internal-ipnet = "127.0.0.0/8,192.168.42.0/24";
      };
      "meta.sr.ht::api" = {
        internal-ipnet = [ "127.0.0.0/8" "::1/128" "192.168.0.0/16" "10.0.0.0/8"];
      };
      "todo.sr.ht" = {
        origin = "http://todo.${domain}";
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
      };
      "git.sr.ht" = {
        origin = "http://git.${domain}";
        outgoing-domain = "http://git.${domain}";
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
        # on-disk repository root
        repos = "/var/lib/git";
      };
      "hub.sr.ht" = {
        origin = "http://hub.${domain}";
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
      };
      "lists.sr.ht" = {
        origin = "http://lists.${domain}";
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
      };
      "lists.sr.ht::worker" = {
        #sock = "/var/lib/postfix/queue/private/srht-lmtp";
      };
      # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen webhook
      # NOTE(review): the commented-out literal below is a key that was checked
      # into this file; treat it as compromised and never reuse it.
      #webhooks.private-key= "U7yd/8mGs/v0O3kId4jpeSghUCa9tqP1fYQwSV8UOqo=";
      webhooks.private-key = gnupg.secrets."sourcehut/webhook-key".path;
      # Outgoing mail is handed unauthenticated to the local postfix
      # (smtp-user/smtp-password null; see the nftables rule above).
      # PGP signing of notifications is not configured (pgp-* null).
      mail = {
        smtp-host = "localhost";
        smtp-port = 25;
        smtp-user = null;
        smtp-password = null;
        smtp-from = "sourcehut@sourcephile.fr";
        error-to = "julm+sourcehut+error@sourcephile.fr";
        error-from = "sourcehut+error@sourcephile.fr";
        pgp-privkey = null;
        pgp-pubkey = null;
        pgp-key-id = null;
      };
    };
  };
  # TLS is forced off on every vhost, matching the http:// origins above.
  # Re-enable forceSSL (and switch the origins to https://) once certificates
  # for ${domain} are in place.
  services.nginx.virtualHosts = {
    "builds.${domain}".forceSSL = lib.mkForce false;
    "dispatch.${domain}".forceSSL = lib.mkForce false;
    "git.${domain}".forceSSL = lib.mkForce false;
    "hub.${domain}".forceSSL = lib.mkForce false;
    "lists.${domain}".forceSSL = lib.mkForce false;
    "logs.${domain}".forceSSL = lib.mkForce false;
    "man.${domain}".forceSSL = lib.mkForce false;
    "paste.${domain}".forceSSL = lib.mkForce false;
    "pages.${domain}".forceSSL = lib.mkForce false;
    "todo.${domain}".forceSSL = lib.mkForce false;
    "meta.${domain}" = {
      forceSSL = lib.mkForce false;
      /*
      extraConfig = ''
        access_log /var/log/nginx/${domain}/meta/access.log json;
        error_log /var/log/nginx/${domain}/meta/error.log warn;
      '';
      */
    };
    "${domain}".forceSSL = lib.mkForce false;
  };
  systemd.services.postgresql = {
    /*
    connection_limit=64 \
    encoding=UTF8 \
    lc_collate=fr_FR.UTF-8 \
    lc_type=fr_FR.UTF-8 \
    owner="${sourcehut.git.database}" \
    pg_createdb "${sourcehut.git.database}" >/dev/null </dev/null

    pg_adduser "${sourcehut.git.database}" "${sourcehut.git.database}" >/dev/null
    */
    # Once postgres is up, give each service role CREATE on schema "public" so
    # its migrations can create tables there even where that privilege is not
    # granted by default. The sshsrht user is additionally granted on meta's
    # database (presumably for ssh dispatch — confirm).
    # NOTE(review): this runs against every service database, including those
    # whose service is disabled above; a database that does not exist would
    # make psql fail and abort postStart — confirm the sourcehut module
    # creates all of them.
    postStart = lib.mkAfter ''
      $PSQL -d "${sourcehut.builds.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.builds.user}";
      EOF
      $PSQL -d "${sourcehut.dispatch.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.dispatch.user}";
      EOF
      $PSQL -d "${sourcehut.git.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.git.user}";
      EOF
      $PSQL -d "${sourcehut.hub.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.hub.user}";
      EOF
      $PSQL -d "${sourcehut.man.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.man.user}";
      EOF
      $PSQL -d "${sourcehut.meta.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.meta.user}";
      GRANT USAGE,CREATE ON schema public TO "${users.sshsrht.name}";
      EOF
      $PSQL -d "${sourcehut.pages.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.pages.user}";
      EOF
      $PSQL -d "${sourcehut.paste.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.paste.user}";
      EOF
      $PSQL -d "${sourcehut.todo.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.todo.user}";
      EOF
      $PSQL -d "${sourcehut.lists.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      GRANT USAGE,CREATE ON schema public TO "${sourcehut.lists.user}";
      EOF
    '';
  };
}