nixos/modules/services/misc/sourcehut/hg.nix

   1 { config, lib, pkgs, ... }:
   2
   3 with lib;
   4 let
   5   cfg = config.services.sourcehut;
   6   scfg = cfg.hg;
   7   iniKey = "hg.sr.ht";
   8
   9   rcfg = config.services.redis;
  10   drv = pkgs.sourcehut.hgsrht;
  11 in
  12 {
  13   options.services.sourcehut.hg = {
  14     user = mkOption {
  15       type = types.str;
  16       internal = true;
  17       readOnly = true;
  18       default = "hg";
  19       description = ''
  20         User for hg.sr.ht.
  21       '';
  22     };
  23
  24     port = mkOption {
  25       type = types.port;
  26       default = 5010;
  27       description = ''
  28         Port on which the "hg" module should listen.
  29       '';
  30     };
  31
  32     database = mkOption {
  33       type = types.str;
  34       default = "hg.sr.ht";
  35       description = ''
  36         PostgreSQL database name for hg.sr.ht.
  37       '';
  38     };
  39
  40     statePath = mkOption {
  41       type = types.path;
  42       default = "${cfg.statePath}/hgsrht";
  43       description = ''
  44         State path for hg.sr.ht.
  45       '';
  46     };
  47
  48     cloneBundles = mkOption {
  49       type = types.bool;
  50       default = false;
  51       description = ''
  52         Generate clonebundles (which require more disk space but dramatically speed up cloning large repositories).
  53       '';
  54     };
  55   };
  56
  57   config = with scfg; lib.mkIf (cfg.enable && elem "hg" cfg.services) {
  58     # In case it ever comes into being
  59     environment.etc."ssh/hgsrht-dispatch" = {
  60       mode = "0755";
  61       text = ''
  62         #! ${pkgs.stdenv.shell}
  63         ${cfg.python}/bin/gitsrht-dispatch $@
  64       '';
  65     };
  66
  67     environment.systemPackages = [ pkgs.mercurial ];
  68
  69     users = {
  70       users = {
  71         "${user}" = {
  72           isSystemUser = true;
  73           group = user;
  74           # Assuming hg.sr.ht needs this too
  75           shell = pkgs.bash;
  76           description = "hg.sr.ht user";
  77         };
  78       };
  79
  80       groups = {
  81         "${user}" = { };
  82       };
  83     };
  84
  85     services = {
  86       cron.systemCronJobs = [ "*/20 * * * * ${cfg.python}/bin/hgsrht-periodic" ]
  87         ++ optional cloneBundles "0 * * * * ${cfg.python}/bin/hgsrht-clonebundles";
  88
  89       openssh.authorizedKeysCommand = ''/etc/ssh/hgsrht-dispatch "%u" "%h" "%t" "%k"'';
  90       openssh.authorizedKeysCommandUser = "root";
  91       openssh.extraConfig = ''
  92         PermitUserEnvironment SRHT_*
  93       '';
  94
  95       postgresql = {
  96         authentication = ''
  97           local ${database} ${user} trust
  98         '';
  99         ensureDatabases = [ database ];
 100         ensureUsers = [
 101           {
 102             name = user;
 103             ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; };
 104           }
 105         ];
 106       };
 107     };
 108
 109     systemd = {
 110       tmpfiles.rules = [
 111         # /var/log is owned by root
 112         "f /var/log/hg-srht-shell 0644 ${user} ${user} -"
 113
 114         "d ${statePath} 0750 ${user} ${user} -"
 115         "d ${cfg.settings."${iniKey}".repos} 2755 ${user} ${user} -"
 116       ];
 117
 118       services.hgsrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey {
 119         after = [ "redis.service" "postgresql.service" "network.target" ];
 120         requires = [ "redis.service" "postgresql.service" ];
 121         wantedBy = [ "multi-user.target" ];
 122
 123         path = [ pkgs.mercurial ];
 124         description = "hg.sr.ht website service";
 125
 126         serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}";
 127       };
 128     };
 129
 130     services.sourcehut.settings = {
 131       # The authorized keys hook uses this to dispatch to various handlers
 132       # The format is a program to exec into as the key, and the user to match as the
 133       # value. When someone tries to log in as this user, this program is executed
 134       # and is expected to omit an AuthorizedKeys file.
 135       #
 136       # Uncomment the relevant lines to enable the various sr.ht dispatchers.
 137       "hg.sr.ht::dispatch"."/run/current-system/sw/bin/hgsrht-keys" = mkDefault "${user}:${user}";
 138     };
 139
 140     # TODO: requires testing and addition of hg-specific requirements
 141     services.nginx.virtualHosts."hg.${cfg.originBase}" = {
 142       forceSSL = true;
 143       locations."/".proxyPass = "http://${cfg.address}:${toString port}";
 144       locations."/query".proxyPass = "http://${cfg.address}:${toString (port + 100)}";
 145       locations."/static".root = "${pkgs.sourcehut.hgsrht}/${pkgs.sourcehut.python.sitePackages}/hgsrht";
 146     };
 147   };
 148 }