{ config, lib, pkgs, ... }: with lib; let cfg = config.services.sourcehut; cfgIni = cfg.settings; scfg = cfg.meta; iniKey = "meta.sr.ht"; rcfg = config.services.redis; drv = pkgs.sourcehut.metasrht; in { options.services.sourcehut.meta = { user = mkOption { type = types.str; default = "metasrht"; description = '' User for meta.sr.ht. ''; }; port = mkOption { type = types.port; default = 5000; description = '' Port on which the "meta" module should listen. ''; }; database = mkOption { type = types.str; default = "meta.sr.ht"; description = '' PostgreSQL database name for meta.sr.ht. ''; }; statePath = mkOption { type = types.path; default = "${cfg.statePath}/metasrht"; description = '' State path for meta.sr.ht. ''; }; }; config = with scfg; lib.mkIf (cfg.enable && elem "meta" cfg.services) { assertions = [ { assertion = with cfgIni."meta.sr.ht::billing"; enabled == "yes" -> (stripe-public-key != null && stripe-secret-key != null); message = "If meta.sr.ht::billing is enabled, the keys should be defined."; } ]; users = { users = { ${user} = { isSystemUser = true; group = user; description = "meta.sr.ht user"; }; }; groups = { "${user}" = { }; }; }; services.cron.systemCronJobs = [ "0 0 * * * ${cfg.python}/bin/metasrht-daily" ]; services.postgresql = { authentication = '' local ${database} ${user} trust ''; ensureDatabases = [ database ]; ensureUsers = [ { name = user; ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; }; } ]; }; systemd = { tmpfiles.rules = [ "d ${statePath} 0750 ${user} ${user} -" ]; services = { metasrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey { after = [ "postgresql.service" "network.target" ]; requires = [ "postgresql.service" ]; wantedBy = [ "multi-user.target" ]; description = "meta.sr.ht website service"; preStart = '' # Configure client(s) as "preauthorized" ${concatMapStringsSep "\n\n" (attr: '' if ! test -e "${statePath}/${attr}.oauth" || [ "$(cat ${statePath}/${attr}.oauth)" != "${cfgIni."${attr}".oauth-client-id}" ]; then # Configure ${attr}'s OAuth client as "preauthorized" psql ${database} \ -c "UPDATE oauthclient SET preauthorized = true WHERE client_id = '${cfgIni."${attr}".oauth-client-id}'" printf "%s" "${cfgIni."${attr}".oauth-client-id}" > "${statePath}/${attr}.oauth" fi '') (builtins.attrNames (filterAttrs (k: v: !(hasInfix "::" k) && builtins.hasAttr "oauth-client-id" v && v.oauth-client-id != null) cfg.settings))} ''; serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}"; }; metasrht-api = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey { after = [ "postgresql.service" "network.target" ]; requires = [ "postgresql.service" ]; wantedBy = [ "multi-user.target" ]; description = "meta.sr.ht api service"; preStart = '' # Configure client(s) as "preauthorized" ${concatMapStringsSep "\n\n" (attr: '' if ! test -e "${statePath}/${attr}.oauth" || [ "$(cat ${statePath}/${attr}.oauth)" != "${cfgIni."${attr}".oauth-client-id}" ]; then # Configure ${attr}'s OAuth client as "preauthorized" psql ${database} \ -c "UPDATE oauthclient SET preauthorized = true WHERE client_id = '${cfgIni."${attr}".oauth-client-id}'" printf "%s" "${cfgIni."${attr}".oauth-client-id}" > "${statePath}/${attr}.oauth" fi '') (builtins.attrNames (filterAttrs (k: v: !(hasInfix "::" k) && builtins.hasAttr "oauth-client-id" v && v.oauth-client-id != null) cfg.settings))} ''; serviceConfig.ExecStart = "${pkgs.sourcehut.metasrht}/bin/metasrht-api -b :${toString (port + 100)}"; }; metasrht-webhooks = { after = [ "postgresql.service" "network.target" ]; requires = [ "postgresql.service" ]; wantedBy = [ "multi-user.target" ]; description = "meta.sr.ht webhooks service"; serviceConfig = { Type = "simple"; User = user; Restart = "always"; ExecStart = "${cfg.python}/bin/celery -A ${drv.pname}.webhooks worker --loglevel INFO --pool eventlet"; }; }; }; }; services.sourcehut.settings = { # URL meta.sr.ht is being served at (protocol://domain) "meta.sr.ht".origin = mkDefault "https://meta.${cfg.originBase}"; # Address and port to bind the debug server to "meta.sr.ht".debug-host = mkDefault "0.0.0.0"; "meta.sr.ht".debug-port = mkDefault port; # Configures the SQLAlchemy connection string for the database. "meta.sr.ht".connection-string = mkDefault "postgresql:///${database}?user=${user}&host=/var/run/postgresql"; # If "yes", the user will be sent the stock sourcehut welcome emails after # signup (requires cron to be configured properly). These are specific to the # sr.ht instance so you probably want to patch these before enabling this. "meta.sr.ht".welcome-emails = mkDefault "no"; # The redis connection used for the webhooks worker "meta.sr.ht".webhooks = mkDefault "redis://${rcfg.bind}:${toString rcfg.port}/6"; # If "no", public registration will not be permitted. "meta.sr.ht::settings".registration = mkDefault "no"; # Where to redirect new users upon registration "meta.sr.ht::settings".onboarding-redirect = mkDefault "https://meta.${cfg.originBase}"; # How many invites each user is issued upon registration (only applicable if # open registration is disabled) "meta.sr.ht::settings".user-invites = mkDefault 5; # Origin URL for API, 100 more than web "meta.sr.ht".api-origin = mkDefault "http://localhost:5100"; # You can add aliases for the client IDs of commonly used OAuth clients here. # # Example: "meta.sr.ht::aliases" = mkDefault { }; # "meta.sr.ht::aliases"."git.sr.ht" = 12345; # "yes" to enable the billing system "meta.sr.ht::billing".enabled = mkDefault "no"; # Get your keys at https://dashboard.stripe.com/account/apikeys "meta.sr.ht::billing".stripe-public-key = mkDefault null; "meta.sr.ht::billing".stripe-secret-key = mkDefault null; }; services.nginx.virtualHosts."meta.${cfg.originBase}" = { forceSSL = true; locations."/".proxyPass = "http://${cfg.address}:${toString port}"; locations."/query".proxyPass = "http://${cfg.address}:${toString (port + 100)}"; locations."/static".root = "${pkgs.sourcehut.metasrht}/${pkgs.sourcehut.python.sitePackages}/metasrht"; }; }; }