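# NixOS module: a sourcehut instance served under code.${networking.domain}.
#
# Key material (network/service/webhook keys, the OAuth client secret) is
# never written into this file or the Nix store: every such setting points at
# a decrypted path managed by `security.gnupg.secrets`, and those secrets are
# ordered before the sr.ht units that read them (see `systemdConfig` below).
{ pkgs, lib, config, ... }:
let
  inherit (config) networking;
  inherit (config.services) nginx sourcehut;
  inherit (config.security) gnupg;
  domain = "code.${networking.domain}";
in
{
  # Each secret is decrypted before, and pulled in by, every sr.ht unit, so a
  # unit never starts with a missing key file.
  security.gnupg.secrets = lib.genAttrs [
    "sourcehut/network-key"
    "sourcehut/service-key"
    "sourcehut/webhook-key"
    "sourcehut/oauth-client-secret"
  ]
    (_p:
      let
        srhts = [
          "metasrht.service"
          "metasrht-api.service"
          "gitsrht.service"
          "listsrht.service"
          "todosrht.service"
          "todosrht-lmtp.service"
        ];
      in
      {
        systemdConfig.before = srhts;
        systemdConfig.wantedBy = srhts;
      });
  # MinIO (S3 backend for pages/objects) is currently disabled. The access and
  # secret keys below are throw-away placeholders: as plain option values they
  # end up in the world-readable Nix store, so they must be replaced by real
  # credentials supplied outside the store before `enable` is turned on.
  services.minio = {
    #enable = true;
    accessKey = "12345";
    secretKey = "12345678";
    #region = "";
    browser = true;
  };
  #environment.systemPackages = [ pkgs.minio-client ];
  services.sourcehut = {
    enable = true;
    # The sr.ht daemons only listen on loopback; nginx is the sole public entry.
    listenAddress = "localhost";
    builds = {
      #enable = true;
      #enableWorker = true;
      images.nixos.unstable.x86_64 =
        import sourcehut/builds/nixos-unstable.nix
          "x86_64-linux"
          { inherit pkgs lib config; };
    };

    #dispatch.enable = true;
    #git.enable = true;
    #hub.enable = true;
    meta.enable = true;
    meta.port = 4999;
    #man.enable = true;
    #pages.enable = true;
    #paste.enable = true;
    todo.enable = true;
    #lists.enable = true;

    postgresql.enable = true;
    postfix.enable = true;
    redis.enable = true;
    nginx.enable = true;
    nginx.virtualHost = {
      useACMEHost = networking.domain;
    };
    settings = {
      "sr.ht" = {
        environment = "production";
        global-domain = domain;
        owner-email = "julm+srht@sourcephile.fr";
        owner-name = "Sourcephile";
        site-blurb = "a simple free software forge";
        site-info = "https://${domain}";
        site-name = "Sourcephile";
        # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen network
        network-key = gnupg.secrets."sourcehut/network-key".path;
        # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen service
        service-key = gnupg.secrets."sourcehut/service-key".path;
        #redis-host = "redis://localhost:6379/";
      };
      objects = {
        s3-upstream = "localhost";
        # Placeholders matching the disabled MinIO instance above. Note that
        # `pkgs.writeText` stores the file in /nix/store, which is readable by
        # every local user; a real secret key must be a path outside the store,
        # like the gnupg-managed secrets used elsewhere in this file.
        s3-access-key = "12345";
        s3-secret-key = pkgs.writeText "s3-secret-key" "12345678";
      };
      # nix shell nixpkgs#sourcehut.metasrht -c metasrht-manageuser -t admin -e mymail@gmail.com misuzu
      "builds.sr.ht" = {
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
        allow-free = true;
      };
      "dispatch.sr.ht" = {
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
      };
      "pages.sr.ht" = {
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
        s3-bucket = "pagesbuck";
      };
      "paste.sr.ht" = {
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
      };
      "man.sr.ht" = {
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
      };
      "meta.sr.ht" = { };
      "meta.sr.ht::settings" = {
        onboarding-redirect = "https://meta.${domain}";
        # Closed instance: accounts are created by the admin only.
        registration = false;
      };
      "meta.sr.ht::api" = {
        #internal-ipnet= [ "127.0.0.0/8" "::1/128" "192.168.0.0/16" "10.0.0.0/8"];
      };
      "todo.sr.ht" = {
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
      };
      "git.sr.ht" = {
        outgoing-domain = "https://git.${domain}";
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "gitsrht";
      };
      "hub.sr.ht" = {
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
      };
      "lists.sr.ht" = {
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
      };
      "lists.sr.ht::worker" = {
        #sock = "/var/lib/postfix/queue/private/srht-lmtp";
      };
      # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen webhook
      # An earlier revision kept a literal webhook key in a comment here. A key
      # that has been committed in plain text is compromised: regenerate it with
      # the command above and keep only the gnupg-managed path below.
      webhooks.private-key = gnupg.secrets."sourcehut/webhook-key".path;
      mail = {
        # Local postfix relay; no SMTP authentication and no PGP signing.
        smtp-host = "localhost";
        smtp-port = 25;
        smtp-user = null;
        smtp-password = null;
        smtp-from = "julm+hut@${networking.domain}";
        error-to = "julm+hut+error@${networking.domain}";
        error-from = "julm+hut+error@${networking.domain}";
        pgp-privkey = null;
        pgp-pubkey = null;
        pgp-key-id = null;
      };
    };
  };
  fileSystems."/var/lib/sourcehut" = {
    device = "rpool/var/sourcehut";
    fsType = "zfs";
  };
  services.sanoid.datasets = {
    "rpool/var/sourcehut" = {
      use_template = [ "snap" ];
      daily = 31;
    };
  };
  services.nginx = {
    # Legacy *.hut.<domain> names redirect to *.code.<domain>. The dots are
    # escaped and the pattern is anchored at the end so only the exact legacy
    # host shape matches, rather than any host with a same-length lookalike.
    virtualHosts."~^(?<subdomain>[^.]+)\\.hut\\.${networking.domain}$" = {
      forceSSL = true;
      useACMEHost = networking.domain;
      globalRedirect = "$subdomain.code.${networking.domain}";
    };
    virtualHosts."meta.${domain}" = {
      # Cross-origin access to the meta GraphQL endpoint. The wildcard origin
      # means browsers never attach cookies, and `Authorization` is deliberately
      # absent from Allow-Headers, so only anonymous cross-origin queries are
      # possible; adding either would widen what a foreign page can do with a
      # logged-in user's session. `add_header` inside the `if` block does not
      # inherit the outer headers, hence the repeated https_add_headers.
      locations."/query".extraConfig = lib.mkForce ''
        if ($request_method = 'OPTIONS') {
          ${nginx.configs.https_add_headers}
          add_header 'Access-Control-Allow-Origin' '*';
          add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
          add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
          add_header 'Access-Control-Max-Age' 1728000;
          add_header 'Content-Type' 'text/plain; charset=utf-8';
          add_header 'Content-Length' 0;
          return 204;
        }

        ${nginx.configs.https_add_headers}
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
      '';
    };
  };
}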