hosts/mermet/sourcehut.nix

   1 { pkgs, lib, config, ... }:
   2 let
   3   inherit (config) networking;
   4   inherit (config.services) sourcehut;
   5   inherit (config.users) users groups;
   6   inherit (config.security) gnupg;
   7   domain = "hut.${networking.domain}";
   8 in
   9 {
  10 security.gnupg.secrets = lib.genAttrs [
  11     "sourcehut/network-key"
  12     "sourcehut/service-key"
  13     "sourcehut/webhook-key"
  14     "sourcehut/oauth-client-secret"
  15   ] (p: {
  16   systemdConfig.before = [ "metasrht.service" ];
  17   systemdConfig.wantedBy = [ "metasrht.service" ];
  18 });
  19 services.minio = {
  20   #enable = true;
  21   accessKey = "12345";
  22   secretKey = "12345678";
  23   #region = "";
  24   browser = true;
  25 };
  26 #environment.systemPackages = [ pkgs.minio-client ];
  27 services.sourcehut = {
  28   enable = true;
  29   listenAddress = "localhost";
  30   builds = {
  31     #enable = true;
  32     #enableWorker = true;
  33     images.nixos.unstable.x86_64 =
  34       import sourcehut/builds/nixos-unstable.nix
  35         "x86_64-linux" { inherit pkgs lib config; };
  36   };
  37
  38   #dispatch.enable = true;
  39   git.enable = true;
  40   #hub.enable = true;
  41   meta.enable = true;
  42   meta.port = 4999;
  43   #man.enable = true;
  44   #pages.enable = true;
  45   #paste.enable = true;
  46   #todo.enable = true;
  47   lists.enable = true;
  48
  49   postgresql.enable = true;
  50   postfix.enable = true;
  51   redis.enable = true;
  52   #redis.url = "redis+socket:///run/redis-sourcehut/redis.sock?virtual_host=";
  53   nginx.enable = true;
  54   nginx.virtualHost = {
  55     useACMEHost = networking.domain;
  56   };
  57   settings = {
  58     "sr.ht" = {
  59       environment = "production";
  60       global-domain = domain;
  61       owner-email = "julm+srht@sourcephile.fr";
  62       owner-name = "Sourcephile";
  63       site-blurb = "a simple free software forge";
  64       site-info = "https://${domain}";
  65       site-name = "Sourcephile";
  66       # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen network
  67       network-key = gnupg.secrets."sourcehut/network-key".path;
  68       # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen service
  69       service-key = gnupg.secrets."sourcehut/service-key".path;
  70       #redis-host = "redis://localhost:6379/";
  71     };
  72     objects = {
  73       s3-upstream = "localhost";
  74       s3-access-key = "12345";
  75       s3-secret-key = pkgs.writeText "s3-secret-key" "12345678";
  76     };
  77     # nix shell nixpkgs#sourcehut.metasrht -c metasrht-manageuser -t admin -e mymail@gmail.com misuzu
  78     "builds.sr.ht" = {
  79       oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
  80       oauth-client-id = "299db9f9c2013170";
  81       allow-free = true;
  82     };
  83     "dispatch.sr.ht" = {
  84       oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
  85       oauth-client-id = "299db9f9c2013170";
  86     };
  87     "pages.sr.ht" = {
  88       oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
  89       oauth-client-id = "299db9f9c2013170";
  90       s3-bucket = "pagesbuck";
  91     };
  92     "paste.sr.ht" = {
  93       oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
  94       oauth-client-id = "299db9f9c2013170";
  95     };
  96     "man.sr.ht" = {
  97       oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
  98       oauth-client-id = "299db9f9c2013170";
  99     };
 100     "meta.sr.ht" = {
 101     };
 102     "meta.sr.ht::settings" = {
 103       onboarding-redirect = "https://meta.${domain}";
 104       registration = false;
 105     };
 106     "meta.sr.ht::api" = {
 107       #internal-ipnet= [ "127.0.0.0/8" "::1/128" "192.168.0.0/16" "10.0.0.0/8"];
 108     };
 109     "todo.sr.ht" = {
 110       oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
 111       oauth-client-id = "299db9f9c2013170";
 112     };
 113     "git.sr.ht" = {
 114       outgoing-domain = "https://git.${domain}";
 115       oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
 116       oauth-client-id = "gitsrht";
 117     };
 118     "hub.sr.ht" = {
 119       oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
 120       oauth-client-id = "299db9f9c2013170";
 121     };
 122     "lists.sr.ht" = {
 123       oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
 124       oauth-client-id = "299db9f9c2013170";
 125     };
 126     "lists.sr.ht::worker" = {
 127       #sock = "/var/lib/postfix/queue/private/srht-lmtp";
 128     };
 129     # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen webhook
 130     #webhooks.private-key= "U7yd/8mGs/v0O3kId4jpeSghUCa9tqP1fYQwSV8UOqo=";
 131     webhooks.private-key = gnupg.secrets."sourcehut/webhook-key".path;
 132     mail = {
 133       smtp-host = "localhost";
 134       smtp-port = 25;
 135       smtp-user = null;
 136       smtp-password = null;
 137       smtp-from = "julm+hut@${networking.domain}";
 138       error-to = "julm+hut+error@${networking.domain}";
 139       error-from = "julm+hut+error@${networking.domain}";
 140       pgp-privkey = null;
 141       pgp-pubkey = null;
 142       pgp-key-id = null;
 143     };
 144   };
 145 };
 146 fileSystems."/var/lib/sourcehut" = {
 147   device = "rpool/var/sourcehut";
 148   fsType = "zfs";
 149 };
 150 services.sanoid.datasets = {
 151   "rpool/var/sourcehut" = {
 152     use_template = [ "snap" ];
 153     daily = 31;
 154   };
 155 };
 156 }