mermet: pleroma: fix restart
[sourcephile-nix.git] / hosts / mermet / sourcehut.nix
index 5b082d3c9b101bd772b587a1444c93557fda8567..d216b94df4f42e9a6e0e222ede65d5273ac39f4e 100644 (file)
 { pkgs, lib, config, ... }:
 let
   inherit (config) networking;
-  inherit (config.services) sourcehut;
-  inherit (config.users) users groups;
+  inherit (config.services) nginx sourcehut;
   inherit (config.security) gnupg;
   domain = "code.${networking.domain}";
 in
 {
-security.gnupg.secrets = lib.genAttrs [
+  security.gnupg.secrets = lib.genAttrs [
     "sourcehut/network-key"
     "sourcehut/service-key"
     "sourcehut/webhook-key"
     "sourcehut/oauth-client-secret"
-  ] (p: let srhts = [
-    "metasrht.service"
-    "gitsrht.service"
-    "listsrht.service"
-  ]; in {
-  systemdConfig.before = srhts;
-  systemdConfig.wantedBy = srhts;
-});
-services.minio = {
-  #enable = true;
-  accessKey = "12345";
-  secretKey = "12345678";
-  #region = "";
-  browser = true;
-};
-#environment.systemPackages = [ pkgs.minio-client ];
-services.sourcehut = {
-  enable = true;
-  listenAddress = "localhost";
-  builds = {
+  ]
+    (_p:
+      let
+        srhts = [
+          "metasrht.service"
+          "metasrht-api.service"
+          "gitsrht.service"
+          "listsrht.service"
+          "todosrht.service"
+          "todosrht-lmtp.service"
+        ];
+      in
+      {
+        systemdConfig.before = srhts;
+        systemdConfig.wantedBy = srhts;
+      });
+  services.minio = {
     #enable = true;
-    #enableWorker = true;
-    images.nixos.unstable.x86_64 =
-      import sourcehut/builds/nixos-unstable.nix
-        "x86_64-linux" { inherit pkgs lib config; };
+    accessKey = "12345";
+    secretKey = "12345678";
+    #region = "";
+    browser = true;
   };
+  #environment.systemPackages = [ pkgs.minio-client ];
+  services.sourcehut = {
+    enable = true;
+    listenAddress = "localhost";
+    builds = {
+      #enable = true;
+      #enableWorker = true;
+      images.nixos.unstable.x86_64 =
+        import sourcehut/builds/nixos-unstable.nix
+          "x86_64-linux"
+          { inherit pkgs lib config; };
+    };
 
-  #dispatch.enable = true;
-  git.enable = true;
-  #hub.enable = true;
-  meta.enable = true;
-  meta.port = 4999;
-  #man.enable = true;
-  #pages.enable = true;
-  #paste.enable = true;
-  todo.enable = true;
-  #lists.enable = true;
+    #dispatch.enable = true;
+    #git.enable = true;
+    #hub.enable = true;
+    meta.enable = true;
+    meta.port = 4999;
+    #man.enable = true;
+    #pages.enable = true;
+    #paste.enable = true;
+    todo.enable = true;
+    #lists.enable = true;
 
-  postgresql.enable = true;
-  postfix.enable = true;
-  redis.enable = true;
-  nginx.enable = true;
-  nginx.virtualHost = {
-    useACMEHost = networking.domain;
-  };
-  settings = {
-    "sr.ht" = {
-      environment = "production";
-      global-domain = domain;
-      owner-email = "julm+srht@sourcephile.fr";
-      owner-name = "Sourcephile";
-      site-blurb = "a simple free software forge";
-      site-info = "https://${domain}";
-      site-name = "Sourcephile";
-      # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen network
-      network-key = gnupg.secrets."sourcehut/network-key".path;
-      # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen service
-      service-key = gnupg.secrets."sourcehut/service-key".path;
-      #redis-host = "redis://localhost:6379/";
-    };
-    objects = {
-      s3-upstream = "localhost";
-      s3-access-key = "12345";
-      s3-secret-key = pkgs.writeText "s3-secret-key" "12345678";
-    };
-    # nix shell nixpkgs#sourcehut.metasrht -c metasrht-manageuser -t admin -e mymail@gmail.com misuzu
-    "builds.sr.ht" = {
-      oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
-      oauth-client-id = "299db9f9c2013170";
-      allow-free = true;
-    };
-    "dispatch.sr.ht" = {
-      oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
-      oauth-client-id = "299db9f9c2013170";
-    };
-    "pages.sr.ht" = {
-      oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
-      oauth-client-id = "299db9f9c2013170";
-      s3-bucket = "pagesbuck";
-    };
-    "paste.sr.ht" = {
-      oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
-      oauth-client-id = "299db9f9c2013170";
-    };
-    "man.sr.ht" = {
-      oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
-      oauth-client-id = "299db9f9c2013170";
-    };
-    "meta.sr.ht" = {
-    };
-    "meta.sr.ht::settings" = {
-      onboarding-redirect = "https://meta.${domain}";
-      registration = false;
-    };
-    "meta.sr.ht::api" = {
-      #internal-ipnet= [ "127.0.0.0/8" "::1/128" "192.168.0.0/16" "10.0.0.0/8"];
-    };
-    "todo.sr.ht" = {
-      oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
-      oauth-client-id = "299db9f9c2013170";
-    };
-    "git.sr.ht" = {
-      outgoing-domain = "https://git.${domain}";
-      oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
-      oauth-client-id = "gitsrht";
-    };
-    "hub.sr.ht" = {
-      oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
-      oauth-client-id = "299db9f9c2013170";
-    };
-    "lists.sr.ht" = {
-      oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
-      oauth-client-id = "299db9f9c2013170";
-    };
-    "lists.sr.ht::worker" = {
-      #sock = "/var/lib/postfix/queue/private/srht-lmtp";
-    };
-    # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen webhook
-    #webhooks.private-key= "U7yd/8mGs/v0O3kId4jpeSghUCa9tqP1fYQwSV8UOqo=";
-    webhooks.private-key = gnupg.secrets."sourcehut/webhook-key".path;
-    mail = {
-      smtp-host = "localhost";
-      smtp-port = 25;
-      smtp-user = null;
-      smtp-password = null;
-      smtp-from = "julm+hut@${networking.domain}";
-      error-to = "julm+hut+error@${networking.domain}";
-      error-from = "julm+hut+error@${networking.domain}";
-      pgp-privkey = null;
-      pgp-pubkey = null;
-      pgp-key-id = null;
+    postgresql.enable = true;
+    postfix.enable = true;
+    redis.enable = true;
+    nginx.enable = true;
+    nginx.virtualHost = {
+      useACMEHost = networking.domain;
+    };
+    settings = {
+      "sr.ht" = {
+        environment = "production";
+        global-domain = domain;
+        owner-email = "julm+srht@sourcephile.fr";
+        owner-name = "Sourcephile";
+        site-blurb = "a simple free software forge";
+        site-info = "https://${domain}";
+        site-name = "Sourcephile";
+        # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen network
+        network-key = gnupg.secrets."sourcehut/network-key".path;
+        # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen service
+        service-key = gnupg.secrets."sourcehut/service-key".path;
+        #redis-host = "redis://localhost:6379/";
+      };
+      objects = {
+        s3-upstream = "localhost";
+        s3-access-key = "12345";
+        s3-secret-key = pkgs.writeText "s3-secret-key" "12345678";
+      };
+      # nix shell nixpkgs#sourcehut.metasrht -c metasrht-manageuser -t admin -e mymail@gmail.com misuzu
+      "builds.sr.ht" = {
+        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
+        oauth-client-id = "299db9f9c2013170";
+        allow-free = true;
+      };
+      "dispatch.sr.ht" = {
+        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
+        oauth-client-id = "299db9f9c2013170";
+      };
+      "pages.sr.ht" = {
+        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
+        oauth-client-id = "299db9f9c2013170";
+        s3-bucket = "pagesbuck";
+      };
+      "paste.sr.ht" = {
+        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
+        oauth-client-id = "299db9f9c2013170";
+      };
+      "man.sr.ht" = {
+        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
+        oauth-client-id = "299db9f9c2013170";
+      };
+      "meta.sr.ht" = { };
+      "meta.sr.ht::settings" = {
+        onboarding-redirect = "https://meta.${domain}";
+        registration = false;
+      };
+      "meta.sr.ht::api" = {
+        #internal-ipnet= [ "127.0.0.0/8" "::1/128" "192.168.0.0/16" "10.0.0.0/8"];
+      };
+      "todo.sr.ht" = {
+        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
+        oauth-client-id = "299db9f9c2013170";
+      };
+      "git.sr.ht" = {
+        outgoing-domain = "https://git.${domain}";
+        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
+        oauth-client-id = "gitsrht";
+      };
+      "hub.sr.ht" = {
+        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
+        oauth-client-id = "299db9f9c2013170";
+      };
+      "lists.sr.ht" = {
+        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
+        oauth-client-id = "299db9f9c2013170";
+      };
+      "lists.sr.ht::worker" = {
+        #sock = "/var/lib/postfix/queue/private/srht-lmtp";
+      };
+      # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen webhook
+      #webhooks.private-key= "U7yd/8mGs/v0O3kId4jpeSghUCa9tqP1fYQwSV8UOqo=";
+      webhooks.private-key = gnupg.secrets."sourcehut/webhook-key".path;
+      mail = {
+        smtp-host = "localhost";
+        smtp-port = 25;
+        smtp-user = null;
+        smtp-password = null;
+        smtp-from = "julm+hut@${networking.domain}";
+        error-to = "julm+hut+error@${networking.domain}";
+        error-from = "julm+hut+error@${networking.domain}";
+        pgp-privkey = null;
+        pgp-pubkey = null;
+        pgp-key-id = null;
+      };
     };
   };
-};
-fileSystems."/var/lib/sourcehut" = {
-  device = "rpool/var/sourcehut";
-  fsType = "zfs";
-};
-services.sanoid.datasets = {
-  "rpool/var/sourcehut" = {
-    use_template = [ "snap" ];
-    daily = 31;
+  fileSystems."/var/lib/sourcehut" = {
+    device = "rpool/var/sourcehut";
+    fsType = "zfs";
+  };
+  services.sanoid.datasets = {
+    "rpool/var/sourcehut" = {
+      use_template = [ "snap" ];
+      daily = 31;
+    };
   };
-};
-services.nginx = {
-  virtualHosts."~^(?<subdomain>[^.]+).hut.${networking.domain}" = {
-    forceSSL = true;
-    useACMEHost = networking.domain;
-    globalRedirect = "$subdomain.code.${networking.domain}";
+  services.nginx = {
+    virtualHosts."~^(?<subdomain>[^.]+).hut.${networking.domain}" = {
+      forceSSL = true;
+      useACMEHost = networking.domain;
+      globalRedirect = "$subdomain.code.${networking.domain}";
+    };
+    virtualHosts."meta.${domain}" = {
+      locations."/query".extraConfig = lib.mkForce ''
+        if ($request_method = 'OPTIONS') {
+          ${nginx.configs.https_add_headers}
+          add_header 'Access-Control-Allow-Origin' '*';
+          add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+          add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+          add_header 'Access-Control-Max-Age' 1728000;
+          add_header 'Content-Type' 'text/plain; charset=utf-8';
+          add_header 'Content-Length' 0;
+          return 204;
+        }
+
+        ${nginx.configs.https_add_headers}
+        add_header 'Access-Control-Allow-Origin' '*';
+        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+        add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
+      '';
+    };
   };
-};
 }
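Review bot: `s3-secret-key = pkgs.writeText "s3-secret-key" "12345678"` in `settings.objects` on the new side writes that value into the world-readable Nix store, and `services.minio.accessKey`/`secretKey` are literal placeholder values in the same file, whereas every other key in this block is read through `gnupg.secrets."…".path`; minio is commented out (`#enable = true`), so the practical exposure is presumably small, but the literal still ends up in the store and in the generated sourcehut config. Suggest the same pattern as the other keys, e.g. `s3-secret-key = gnupg.secrets."<secret-name>".path;` with the entry added to the `security.gnupg.secrets` list at the top, or dropping the `objects` section until minio is actually enabled. Separately, the `lib.mkForce` on `locations."/query".extraConfig` replaces whatever the sourcehut module sets for that location rather than appending to it, which is not obvious from the file; a one-line comment such as `# add_header in a nested block discards inherited headers, so re-add the HTTPS headers next to the CORS ones` would record the reason, and the `Access-Control-Allow-Origin '*'` stays safe only as long as no `Access-Control-Allow-Credentials` is added beside it.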