{ pkgs, lib, config, ... }:
let
inherit (config) networking;
- inherit (config.services) sourcehut;
- inherit (config.users) users groups;
+ inherit (config.services) nginx sourcehut;
inherit (config.security) gnupg;
- domain = "hut.${networking.domain}";
+ domain = "code.${networking.domain}";
in
{
-security.gnupg.secrets = lib.genAttrs [
+ security.gnupg.secrets = lib.genAttrs [
"sourcehut/network-key"
"sourcehut/service-key"
"sourcehut/webhook-key"
"sourcehut/oauth-client-secret"
- ] (p: {
- systemdConfig.before = [ "metasrht.service" ];
- systemdConfig.wantedBy = [ "metasrht.service" ];
-});
-services.minio = {
- #enable = true;
- accessKey = "12345";
- secretKey = "12345678";
- #region = "";
- browser = true;
-};
-#environment.systemPackages = [ pkgs.minio-client ];
-services.sourcehut = {
- enable = true;
- listenAddress = "localhost";
- builds = {
+ ]
+ (_p:
+ let
+ srhts = [
+ "metasrht.service"
+ "metasrht-api.service"
+ "gitsrht.service"
+ "listsrht.service"
+ "todosrht.service"
+ "todosrht-lmtp.service"
+ ];
+ in
+ {
+ systemdConfig.before = srhts;
+ systemdConfig.wantedBy = srhts;
+ });
+ services.minio = {
#enable = true;
- #enableWorker = true;
- images.nixos.unstable.x86_64 =
- import sourcehut/builds/nixos-unstable.nix
- "x86_64-linux" { inherit pkgs lib config; };
+ accessKey = "12345";
+ secretKey = "12345678";
+ #region = "";
+ browser = true;
};
+ #environment.systemPackages = [ pkgs.minio-client ];
+ services.sourcehut = {
+ enable = true;
+ listenAddress = "localhost";
+ builds = {
+ #enable = true;
+ #enableWorker = true;
+ images.nixos.unstable.x86_64 =
+ import sourcehut/builds/nixos-unstable.nix
+ "x86_64-linux"
+ { inherit pkgs lib config; };
+ };
- #dispatch.enable = true;
- git.enable = true;
- #hub.enable = true;
- meta.enable = true;
- meta.port = 4999;
- #man.enable = true;
- #pages.enable = true;
- #paste.enable = true;
- #todo.enable = true;
- lists.enable = true;
+ #dispatch.enable = true;
+ #git.enable = true;
+ #hub.enable = true;
+ meta.enable = true;
+ meta.port = 4999;
+ #man.enable = true;
+ #pages.enable = true;
+ #paste.enable = true;
+ todo.enable = true;
+ #lists.enable = true;
- postgresql.enable = true;
- postfix.enable = true;
- redis.enable = true;
- #redis.url = "redis+socket:///run/redis-sourcehut/redis.sock?virtual_host=";
- nginx.enable = true;
- nginx.virtualHost = {
- useACMEHost = networking.domain;
- };
- settings = {
- "sr.ht" = {
- environment = "production";
- global-domain = domain;
- owner-email = "julm+srht@sourcephile.fr";
- owner-name = "Sourcephile";
- site-blurb = "a simple free software forge";
- site-info = "https://${domain}";
- site-name = "Sourcephile";
- # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen network
- network-key = gnupg.secrets."sourcehut/network-key".path;
- # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen service
- service-key = gnupg.secrets."sourcehut/service-key".path;
- #redis-host = "redis://localhost:6379/";
- };
- objects = {
- s3-upstream = "localhost";
- s3-access-key = "12345";
- s3-secret-key = pkgs.writeText "s3-secret-key" "12345678";
- };
- # nix shell nixpkgs#sourcehut.metasrht -c metasrht-manageuser -t admin -e mymail@gmail.com misuzu
- "builds.sr.ht" = {
- oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
- oauth-client-id = "299db9f9c2013170";
- allow-free = true;
- };
- "dispatch.sr.ht" = {
- oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
- oauth-client-id = "299db9f9c2013170";
- };
- "pages.sr.ht" = {
- oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
- oauth-client-id = "299db9f9c2013170";
- s3-bucket = "pagesbuck";
- };
- "paste.sr.ht" = {
- oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
- oauth-client-id = "299db9f9c2013170";
- };
- "man.sr.ht" = {
- oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
- oauth-client-id = "299db9f9c2013170";
- };
- "meta.sr.ht" = {
- };
- "meta.sr.ht::settings" = {
- onboarding-redirect = "https://meta.${domain}";
- registration = false;
+ postgresql.enable = true;
+ postfix.enable = true;
+ redis.enable = true;
+ nginx.enable = true;
+ nginx.virtualHost = {
+ useACMEHost = networking.domain;
+ };
+ settings = {
+ "sr.ht" = {
+ environment = "production";
+ global-domain = domain;
+ owner-email = "julm+srht@sourcephile.fr";
+ owner-name = "Sourcephile";
+ site-blurb = "a simple free software forge";
+ site-info = "https://${domain}";
+ site-name = "Sourcephile";
+ # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen network
+ network-key = gnupg.secrets."sourcehut/network-key".path;
+ # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen service
+ service-key = gnupg.secrets."sourcehut/service-key".path;
+ #redis-host = "redis://localhost:6379/";
+ };
+ objects = {
+ s3-upstream = "localhost";
+ s3-access-key = "12345";
+ s3-secret-key = pkgs.writeText "s3-secret-key" "12345678";
+ };
+ # nix shell nixpkgs#sourcehut.metasrht -c metasrht-manageuser -t admin -e mymail@gmail.com misuzu
+ "builds.sr.ht" = {
+ oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
+ oauth-client-id = "299db9f9c2013170";
+ allow-free = true;
+ };
+ "dispatch.sr.ht" = {
+ oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
+ oauth-client-id = "299db9f9c2013170";
+ };
+ "pages.sr.ht" = {
+ oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
+ oauth-client-id = "299db9f9c2013170";
+ s3-bucket = "pagesbuck";
+ };
+ "paste.sr.ht" = {
+ oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
+ oauth-client-id = "299db9f9c2013170";
+ };
+ "man.sr.ht" = {
+ oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
+ oauth-client-id = "299db9f9c2013170";
+ };
+ "meta.sr.ht" = { };
+ "meta.sr.ht::settings" = {
+ onboarding-redirect = "https://meta.${domain}";
+ registration = false;
+ };
+ "meta.sr.ht::api" = {
+ #internal-ipnet= [ "127.0.0.0/8" "::1/128" "192.168.0.0/16" "10.0.0.0/8"];
+ };
+ "todo.sr.ht" = {
+ oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
+ oauth-client-id = "299db9f9c2013170";
+ };
+ "git.sr.ht" = {
+ outgoing-domain = "https://git.${domain}";
+ oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
+ oauth-client-id = "gitsrht";
+ };
+ "hub.sr.ht" = {
+ oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
+ oauth-client-id = "299db9f9c2013170";
+ };
+ "lists.sr.ht" = {
+ oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
+ oauth-client-id = "299db9f9c2013170";
+ };
+ "lists.sr.ht::worker" = {
+ #sock = "/var/lib/postfix/queue/private/srht-lmtp";
+ };
+ # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen webhook
+ #webhooks.private-key= "U7yd/8mGs/v0O3kId4jpeSghUCa9tqP1fYQwSV8UOqo=";
+ webhooks.private-key = gnupg.secrets."sourcehut/webhook-key".path;
+ mail = {
+ smtp-host = "localhost";
+ smtp-port = 25;
+ smtp-user = null;
+ smtp-password = null;
+ smtp-from = "julm+hut@${networking.domain}";
+ error-to = "julm+hut+error@${networking.domain}";
+ error-from = "julm+hut+error@${networking.domain}";
+ pgp-privkey = null;
+ pgp-pubkey = null;
+ pgp-key-id = null;
+ };
};
- "meta.sr.ht::api" = {
- #internal-ipnet= [ "127.0.0.0/8" "::1/128" "192.168.0.0/16" "10.0.0.0/8"];
- };
- "todo.sr.ht" = {
- oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
- oauth-client-id = "299db9f9c2013170";
- };
- "git.sr.ht" = {
- outgoing-domain = "https://git.${domain}";
- oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
- oauth-client-id = "gitsrht";
- };
- "hub.sr.ht" = {
- oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
- oauth-client-id = "299db9f9c2013170";
- };
- "lists.sr.ht" = {
- oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
- oauth-client-id = "299db9f9c2013170";
- };
- "lists.sr.ht::worker" = {
- #sock = "/var/lib/postfix/queue/private/srht-lmtp";
- };
- # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen webhook
- #webhooks.private-key= "U7yd/8mGs/v0O3kId4jpeSghUCa9tqP1fYQwSV8UOqo=";
- webhooks.private-key = gnupg.secrets."sourcehut/webhook-key".path;
- mail = {
- smtp-host = "localhost";
- smtp-port = 25;
- smtp-user = null;
- smtp-password = null;
- smtp-from = "julm+hut@${networking.domain}";
- error-to = "julm+hut+error@${networking.domain}";
- error-from = "julm+hut+error@${networking.domain}";
- pgp-privkey = null;
- pgp-pubkey = null;
- pgp-key-id = null;
+ };
+ fileSystems."/var/lib/sourcehut" = {
+ device = "rpool/var/sourcehut";
+ fsType = "zfs";
+ };
+ services.sanoid.datasets = {
+ "rpool/var/sourcehut" = {
+ use_template = [ "snap" ];
+ daily = 31;
};
};
-};
-fileSystems."/var/lib/sourcehut" = {
- device = "rpool/var/sourcehut";
- fsType = "zfs";
-};
-services.sanoid.datasets = {
- "rpool/var/sourcehut" = {
- use_template = [ "snap" ];
- daily = 31;
+ services.nginx = {
+ virtualHosts."~^(?<subdomain>[^.]+).hut.${networking.domain}" = {
+ forceSSL = true;
+ useACMEHost = networking.domain;
+ globalRedirect = "$subdomain.code.${networking.domain}";
+ };
+ virtualHosts."meta.${domain}" = {
+ locations."/query".extraConfig = lib.mkForce ''
+ if ($request_method = 'OPTIONS') {
+ ${nginx.configs.https_add_headers}
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Content-Type' 'text/plain; charset=utf-8';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+
+ ${nginx.configs.https_add_headers}
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+ add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
+ '';
+ };
};
-};
}
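Review bot: The new `locations."/query".extraConfig` under `virtualHosts."meta.${domain}"` answers every origin with `Access-Control-Allow-Origin '*'`, which lets any website read the meta GraphQL endpoint cross-origin; since `*` cannot be combined with credentials, browsers will not attach session cookies, so the exposure is limited to what an unauthenticated caller can already query, but if a specific front-end is the intended consumer an explicit origin allowlist plus `add_header 'Vary' 'Origin';` is the tighter form. `lib.mkForce` on that `extraConfig` also replaces whatever the sourcehut module sets for the same location, so it is worth confirming nothing security-relevant is dropped there. Separately, `s3-secret-key = pkgs.writeText "s3-secret-key" "12345678";` writes the credential into the world-readable Nix store, inconsistent with the other keys in this file which go through `gnupg.secrets.*.path`, and the same hard-coded value appears as `services.minio.secretKey`. The redirect vhost name `"~^(?<subdomain>[^.]+).hut.${networking.domain}"` has unescaped dots, so it also matches hosts like `fooXhutX<domain>`; escaping them (`\\.hut\\.`) pins the match to the intended subdomain.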