# NixOS module: a self-hosted sourcehut instance published under the
# "sourcephile.wg" domain.  Every virtual host below is served over plain
# HTTP (forceSSL forced off) and every service origin is an http:// URL, so
# this configuration only makes sense if the domain is reachable solely
# over a private link — NOTE(review): presumably the ".wg" suffix means a
# WireGuard tunnel; confirm, because session cookies and OAuth tokens would
# otherwise cross the network in clear text.
{ pkgs, lib, config, ... }:
let
  inherit (config.services) sourcehut;
  inherit (config.users) users groups;
  inherit (config.security) gnupg;
  domain = "sourcephile.wg";
  # Sub-services that get a "<name>.<domain>" hosts entry.  Only a subset of
  # them is actually enabled further down (git and meta); "hg" and the
  # "logs" vhost declared later are not kept in sync with this list.
  sourcehut-services = [
    "builds"
    "dispatch"
    "git"
    "hg"
    "hub"
    "lists"
    "meta"
    "man"
    "paste"
    "todo"
  ];
in
{
  #boot.isContainer = true;
  #networking.firewall.allowedTCPPorts = [ 80 ];

  # Pin the domain and all per-service sub-domains to one address so the
  # services can reach each other without external DNS.
  networking.hosts = {
    "192.168.42.2" = [domain] ++ map (d: "${d}.${domain}") sourcehut-services;
  };

  # Only the meta.sr.ht service user is allowed to open TCP/25; the rule is
  # keyed on the uid, not the destination.  NOTE(review): "fw2net" is assumed
  # to be the host-to-network (outbound) chain — confirm against the base
  # nftables ruleset, since outbound SMTP from a web service is worth
  # keeping as narrow as this.
  networking.nftables.ruleset = '' add rule inet filter fw2net meta skuid ${sourcehut.meta.user} tcp dport 25 counter accept comment "SMTP" '';

  # Secrets decrypted by the gnupg secrets machinery; only their on-disk
  # paths are referenced from the settings below, never the values.
  # NOTE(review): all four are ordered only relative to metasrht.service,
  # yet "sourcehut/webhook-key" and "sourcehut/oauth-client-secret" are also
  # read by the other *.sr.ht services configured below — confirm those
  # units do not race the decryption on boot.
  security.gnupg.secrets = lib.genAttrs [
    "sourcehut/network-key"
    "sourcehut/service-key"
    "sourcehut/webhook-key"
    "sourcehut/oauth-client-secret"
  ] (p: {
    systemdConfig.before = [ "metasrht.service" ];
    systemdConfig.wantedBy = [ "metasrht.service" ];
  });

  services.sourcehut = {
    enable = true;
    # Resolves to 192.168.42.2 through networking.hosts above.
    listenAddress = domain;
    /* builds = { enableWorker = true; }; */
    #dispatch.enable = true;
    git.enable = true;
    #hub.enable = true;
    meta.enable = true;
    #man.enable = true;
    #pages.enable = true;
    #paste.enable = true;
    #todo.enable = true;
    #lists.enable = true;
    postgresql.enable = true;
    postfix.enable = true;
    redis.enable = true;
    #redis.firstDatabase = 0;
    nginx.enable = true;

    # Rendered into the sourcehut config.ini; section names are the keys.
    settings = {
      "sr.ht" = {
        environment = "production";
        global-domain = domain;
        origin = "http://${domain}";
        owner-email = "julm+srht@sourcephile.fr";
        owner-name = "Sourcephile";
        site-blurb = "software forge";
        site-info = "http://${domain}";
        site-name = "Sourcephile";
        # Both keys are generated once and kept outside the Nix store:
        # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen network
        network-key = gnupg.secrets."sourcehut/network-key".path;
        # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen service
        service-key = gnupg.secrets."sourcehut/service-key".path;
      };

      # Bootstrapping the first admin account:
      # nix shell nixpkgs#sourcehut.metasrht -c metasrht-manageuser -t admin -e mymail@gmail.com misuzu

      # NOTE(review): every service below shares one OAuth client id and one
      # client-secret file.  That keeps the config short, but it also means a
      # leak from any single service discloses the credential used by all of
      # them; confirm this matches how the client was registered in
      # meta.sr.ht and consider one client per service if isolation matters.
      "builds.sr.ht" = {
        origin = "http://builds.${domain}";
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
      };
      "dispatch.sr.ht" = {
        origin = "http://dispatch.${domain}";
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
      };
      /* "pages.sr.ht" = {
        origin = "http://pages.${domain}";
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
      }; */
      "paste.sr.ht" = {
        origin = "http://paste.${domain}";
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
      };
      "man.sr.ht" = {
        origin = "http://man.${domain}";
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
      };
      "meta.sr.ht" = {
        origin = "http://meta.${domain}";
        api-origin = "http://meta.${domain}:5100";
      };
      "meta.sr.ht::settings" = {
        onboarding-redirect = "http://meta.${domain}";
        # Self-registration is open; acceptable only while meta.* is not
        # reachable from outside the private network (see header note).
        registration = true;
        internal-ipnet = "127.0.0.0/8,192.168.42.0/24";
      };
      "meta.sr.ht::api" = {
        # NOTE(review): this trusted-network list is much broader than the
        # "::settings" one just above (whole 192.168.0.0/16 and 10.0.0.0/8
        # versus the single 192.168.42.0/24) — confirm the difference is
        # intentional rather than a copy-paste leftover.
        internal-ipnet= [ "127.0.0.0/8" "::1/128" "192.168.0.0/16" "10.0.0.0/8"];
      };
      "todo.sr.ht" = {
        origin = "http://todo.${domain}";
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
      };
      "git.sr.ht" = {
        origin = "http://git.${domain}";
        outgoing-domain = "http://git.${domain}";
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
      };
      "hub.sr.ht" = {
        origin = "http://hub.${domain}";
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
      };
      "lists.sr.ht" = {
        origin = "http://lists.${domain}";
        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
        oauth-client-id = "299db9f9c2013170";
      };
      "lists.sr.ht::worker" = {
        #sock = "/var/lib/postfix/queue/private/srht-lmtp";
      };

      # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen webhook
      # NOTE(review): an earlier revision carried the webhook private key as
      # an inline string literal on the commented-out line below.  Anything
      # committed that way should be treated as exposed and regenerated; the
      # literal has been replaced by a placeholder here.
      #webhooks.private-key= "<inline-key-literal-removed>";
      webhooks.private-key = gnupg.secrets."sourcehut/webhook-key".path;

      # Outgoing mail goes to the local postfix on :25 without SMTP
      # authentication (user/password are null) and without PGP signing.
      mail = {
        smtp-host = "localhost";
        smtp-port = 25;
        smtp-user = null;
        smtp-password = null;
        smtp-from = "sourcehut@sourcephile.fr";
        error-to = "julm+sourcehut+error@sourcephile.fr";
        error-from = "sourcehut+error@sourcephile.fr";
        pgp-privkey = null;
        pgp-pubkey = null;
        pgp-key-id = null;
      };
    };
  };

  # The sourcehut module enables TLS on its vhosts by default; it is forced
  # off here for every host (see the header note on the private-link
  # assumption).  "logs.${domain}" gets a vhost but is absent from
  # sourcehut-services, so it has no networking.hosts entry — confirm.
  services.nginx.virtualHosts = {
    #"builds.${domain}".forceSSL = lib.mkForce false;
    "dispatch.${domain}".forceSSL = lib.mkForce false;
    "git.${domain}".forceSSL = lib.mkForce false;
    "hub.${domain}".forceSSL = lib.mkForce false;
    "lists.${domain}".forceSSL = lib.mkForce false;
    "logs.${domain}".forceSSL = lib.mkForce false;
    "man.${domain}".forceSSL = lib.mkForce false;
    "paste.${domain}".forceSSL = lib.mkForce false;
    "todo.${domain}".forceSSL = lib.mkForce false;
    "meta.${domain}" = {
      forceSSL = lib.mkForce false;
      /* extraConfig = ''
        access_log /var/log/nginx/${domain}/meta/access.log json;
        error_log /var/log/nginx/${domain}/meta/error.log warn;
      ''; */
    };
    "${domain}".forceSSL = lib.mkForce false;
  };

  # Replaces (mkForce) whatever LogsDirectory the nginx unit declared, so
  # only this one directory is created/owned by systemd for nginx.
  systemd.services.nginx.serviceConfig.LogsDirectory = lib.mkForce ["/var/log/nginx/${domain}/meta"];

  # Extra database setup run after PostgreSQL starts.  The SQL fed on stdin
  # continues past this excerpt.
  systemd.services.postgresql = {
    /* connection_limit=64 \
       encoding=UTF8 \
       lc_collate=fr_FR.UTF-8 \
       lc_type=fr_FR.UTF-8 \
       owner="${sourcehut.git.database}" \
       pg_createdb "${sourcehut.git.database}" >/dev/null /dev/null */
    postStart = lib.mkAfter '' $PSQL -d "${sourcehut.dispatch.database}" -AqtX --set ON_ERROR_STOP=1 -f - <