{ pkgs, lib, config, ... }: let inherit (config) networking; inherit (config.services) nginx sourcehut; inherit (config.users) users groups; inherit (config.security) gnupg; domain = "code.${networking.domain}"; in { security.gnupg.secrets = lib.genAttrs [ "sourcehut/network-key" "sourcehut/service-key" "sourcehut/webhook-key" "sourcehut/oauth-client-secret" ] (p: let srhts = [ "metasrht.service" "metasrht-api.service" "gitsrht.service" "listsrht.service" "todosrht.service" "todosrht-lmtp.service" ]; in { systemdConfig.before = srhts; systemdConfig.wantedBy = srhts; }); services.minio = { #enable = true; accessKey = "12345"; secretKey = "12345678"; #region = ""; browser = true; }; #environment.systemPackages = [ pkgs.minio-client ]; services.sourcehut = { enable = true; listenAddress = "localhost"; builds = { #enable = true; #enableWorker = true; images.nixos.unstable.x86_64 = import sourcehut/builds/nixos-unstable.nix "x86_64-linux" { inherit pkgs lib config; }; }; #dispatch.enable = true; #git.enable = true; #hub.enable = true; meta.enable = true; meta.port = 4999; #man.enable = true; #pages.enable = true; #paste.enable = true; todo.enable = true; #lists.enable = true; postgresql.enable = true; postfix.enable = true; redis.enable = true; nginx.enable = true; nginx.virtualHost = { useACMEHost = networking.domain; }; settings = { "sr.ht" = { environment = "production"; global-domain = domain; owner-email = "julm+srht@sourcephile.fr"; owner-name = "Sourcephile"; site-blurb = "a simple free software forge"; site-info = "https://${domain}"; site-name = "Sourcephile"; # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen network network-key = gnupg.secrets."sourcehut/network-key".path; # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen service service-key = gnupg.secrets."sourcehut/service-key".path; #redis-host = "redis://localhost:6379/"; }; objects = { s3-upstream = "localhost"; s3-access-key = "12345"; s3-secret-key = pkgs.writeText "s3-secret-key" "12345678"; }; # nix shell nixpkgs#sourcehut.metasrht -c metasrht-manageuser -t admin -e mymail@gmail.com misuzu "builds.sr.ht" = { oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path; oauth-client-id = "299db9f9c2013170"; allow-free = true; }; "dispatch.sr.ht" = { oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path; oauth-client-id = "299db9f9c2013170"; }; "pages.sr.ht" = { oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path; oauth-client-id = "299db9f9c2013170"; s3-bucket = "pagesbuck"; }; "paste.sr.ht" = { oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path; oauth-client-id = "299db9f9c2013170"; }; "man.sr.ht" = { oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path; oauth-client-id = "299db9f9c2013170"; }; "meta.sr.ht" = { }; "meta.sr.ht::settings" = { onboarding-redirect = "https://meta.${domain}"; registration = false; }; "meta.sr.ht::api" = { #internal-ipnet= [ "127.0.0.0/8" "::1/128" "192.168.0.0/16" "10.0.0.0/8"]; }; "todo.sr.ht" = { oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path; oauth-client-id = "299db9f9c2013170"; }; "git.sr.ht" = { outgoing-domain = "https://git.${domain}"; oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path; oauth-client-id = "gitsrht"; }; "hub.sr.ht" = { oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path; oauth-client-id = "299db9f9c2013170"; }; "lists.sr.ht" = { oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path; oauth-client-id = "299db9f9c2013170"; }; "lists.sr.ht::worker" = { #sock = "/var/lib/postfix/queue/private/srht-lmtp"; }; # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen webhook #webhooks.private-key= "U7yd/8mGs/v0O3kId4jpeSghUCa9tqP1fYQwSV8UOqo="; webhooks.private-key = gnupg.secrets."sourcehut/webhook-key".path; mail = { smtp-host = "localhost"; smtp-port = 25; smtp-user = null; smtp-password = null; smtp-from = "julm+hut@${networking.domain}"; error-to = "julm+hut+error@${networking.domain}"; error-from = "julm+hut+error@${networking.domain}"; pgp-privkey = null; pgp-pubkey = null; pgp-key-id = null; }; }; }; fileSystems."/var/lib/sourcehut" = { device = "rpool/var/sourcehut"; fsType = "zfs"; }; services.sanoid.datasets = { "rpool/var/sourcehut" = { use_template = [ "snap" ]; daily = 31; }; }; services.nginx = { virtualHosts."~^(?[^.]+).hut.${networking.domain}" = { forceSSL = true; useACMEHost = networking.domain; globalRedirect = "$subdomain.code.${networking.domain}"; }; virtualHosts."meta.${domain}" = { locations."/query".extraConfig = lib.mkForce '' if ($request_method = 'OPTIONS') { ${nginx.configs.https_add_headers} add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; add_header 'Access-Control-Max-Age' 1728000; add_header 'Content-Type' 'text/plain; charset=utf-8'; add_header 'Content-Length' 0; return 204; } ${nginx.configs.https_add_headers} add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range'; ''; }; }; }