knot: sourcephile.fr: setup lebureau as a secondary NS
[sourcephile-nix.git] / hosts / losurdo / sourcehut.nix
index c06e92e16116aaeac06f6e2fdffbab8353e30ec4..c2645663667596c3d58a1d95673094a962974e2c 100644 (file)
@@ -1,7 +1,7 @@
 { pkgs, lib, config, ... }:
 let
   inherit (config.services) sourcehut;
-  inherit (config.users) users groups;
+  inherit (config.users) users;
   inherit (config.security) gnupg;
   domain = "sourcephile.wg";
   sourcehut-services = [
@@ -14,206 +14,333 @@ let
     "meta"
     "man"
     "paste"
+    "pages"
     "todo"
   ];
 in
 {
-#boot.isContainer = true;
-#networking.firewall.allowedTCPPorts = [ 80 ];
-networking.hosts = {
-  "192.168.42.2" = [domain] ++ map (d: "${d}.${domain}") sourcehut-services;
-};
-networking.nftables.ruleset = ''
-  add rule inet filter fw2net meta skuid ${sourcehut.meta.user} tcp dport 25 counter accept comment "SMTP"
-'';
-security.gnupg.secrets = lib.genAttrs [
+  #boot.isContainer = true;
+  #networking.firewall.allowedTCPPorts = [ 80 ];
+  networking.hosts = {
+    "192.168.42.2" = [ domain ] ++ map (d: "${d}.${domain}") sourcehut-services;
+  };
+  networking.nftables.ruleset = ''
+    table inet filter {
+      chain output-net {
+        skuid ${sourcehut.meta.user} \
+          tcp dport smtp counter \
+          accept comment "sourcehut: SMTP"
+      }
+    }
+  '';
+  security.gnupg.secrets = lib.genAttrs [
     "sourcehut/network-key"
     "sourcehut/service-key"
     "sourcehut/webhook-key"
     "sourcehut/oauth-client-secret"
-  ] (p: {
-  systemdConfig.before = [ "metasrht.service" ];
-  systemdConfig.wantedBy = [ "metasrht.service" ];
-});
-services.sourcehut = {
-  enable = true;
-  listenAddress = domain;
-  /*
-  builds = {
-    enableWorker = true;
+  ]
+    (_p: {
+      systemdConfig.before = [ "metasrht.service" "gitsrht.service" ];
+      systemdConfig.wantedBy = [ "metasrht.service" "gitsrht.service" ];
+    });
+  services.minio = {
+    enable = true;
+    accessKey = "12345";
+    secretKey = "12345678";
+    #region = "";
+    browser = true;
   };
-  */
-  #dispatch.enable = true;
-  git.enable = true;
-  #hub.enable = true;
-  meta.enable = true;
-  #man.enable = true;
-  #pages.enable = true;
-  #paste.enable = true;
-  #todo.enable = true;
-  #lists.enable = true;
+  environment.systemPackages = [ pkgs.minio-client ];
+  services.sourcehut = {
+    enable = true;
+    listenAddress = "localhost";
+    builds = {
+      #enable = true;
+      enableWorker = true;
+      images.nixos.unstable.x86_64 =
+        let
+          systemConfig = { pkgs, ... }: {
+            # passwordless ssh server
+            services.openssh = {
+              enable = true;
+              permitRootLogin = "yes";
+              extraConfig = "PermitEmptyPasswords yes";
+            };
 
-  postgresql.enable = true;
-  postfix.enable = true;
-  redis.enable = true;
-  #redis.firstDatabase = 0;
-  nginx.enable = true;
-  settings = {
-    "sr.ht" = {
-      environment = "production";
-      global-domain = domain;
-      origin = "http://${domain}";
-      owner-email = "julm+srht@sourcephile.fr";
-      owner-name = "Sourcephile";
-      site-blurb = "software forge";
-      site-info = "http://${domain}";
-      site-name = "Sourcephile";
-      # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen network
-      network-key = gnupg.secrets."sourcehut/network-key".path;
-      # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen service
-      service-key = gnupg.secrets."sourcehut/service-key".path;
-    };
-    # nix shell nixpkgs#sourcehut.metasrht -c metasrht-manageuser -t admin -e mymail@gmail.com misuzu
-    "builds.sr.ht" = {
-      origin = "http://builds.${domain}";
-      oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
-      oauth-client-id = "299db9f9c2013170";
-    };
-    "dispatch.sr.ht" = {
-      origin = "http://dispatch.${domain}";
-      oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
-      oauth-client-id = "299db9f9c2013170";
-    };
-    /*
-    "pages.sr.ht" = {
-      origin = "http://pages.${domain}";
-      oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
-      oauth-client-id = "299db9f9c2013170";
-    };
-    */
-    "paste.sr.ht" = {
-      origin = "http://paste.${domain}";
-      oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
-      oauth-client-id = "299db9f9c2013170";
-    };
-    "man.sr.ht" = {
-      origin = "http://man.${domain}";
-      oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
-      oauth-client-id = "299db9f9c2013170";
-    };
-    "meta.sr.ht" = {
-      origin = "http://meta.${domain}";
-      api-origin = "http://meta.${domain}:5100";
-    };
-    "meta.sr.ht::settings" = {
-      onboarding-redirect = "http://meta.${domain}";
-      registration = true;
-      internal-ipnet = "127.0.0.0/8,192.168.42.0/24";
-    };
-    "meta.sr.ht::api" = {
-      internal-ipnet= [ "127.0.0.0/8" "::1/128" "192.168.0.0/16" "10.0.0.0/8"];
-    };
-    "todo.sr.ht" = {
-      origin = "http://todo.${domain}";
-      oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
-      oauth-client-id = "299db9f9c2013170";
-    };
-    "git.sr.ht" = {
-      origin = "http://git.${domain}";
-      outgoing-domain = "http://git.${domain}";
-      oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
-      oauth-client-id = "299db9f9c2013170";
-    };
-    "hub.sr.ht" = {
-      origin = "http://hub.${domain}";
-      oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
-      oauth-client-id = "299db9f9c2013170";
-    };
-    "lists.sr.ht" = {
-      origin = "http://lists.${domain}";
-      oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
-      oauth-client-id = "299db9f9c2013170";
-    };
-    "lists.sr.ht::worker" = {
-      #sock = "/var/lib/postfix/queue/private/srht-lmtp";
+            users = {
+              mutableUsers = false;
+              # build user
+              extraUsers."build" = {
+                isNormalUser = true;
+                uid = 1000;
+                extraGroups = [ "wheel" ];
+                password = "";
+              };
+              users.root.password = "";
+            };
+
+            security.sudo.wheelNeedsPassword = false;
+            nix.settings.trusted-users = [ "root" "build" ];
+            documentation.nixos.enable = false;
+
+            # builds.sr.ht-image-specific network settings
+            networking = {
+              hostName = "build";
+              dhcpcd.enable = false;
+              defaultGateway.address = "10.0.2.2";
+              usePredictableInterfaceNames = false; # so that we just get eth0 and not some weird id
+              interfaces."eth0".ipv4.addresses = [{
+                address = "10.0.2.15";
+                prefixLength = 25;
+              }];
+              enableIPv6 = false;
+              nameservers = [
+                # OpenNIC anycast
+                "185.121.177.177"
+                "169.239.202.202"
+                # Google as a fallback :(
+                "8.8.8.8"
+              ];
+              firewall.allowedTCPPorts = [ 22 ]; # allow ssh
+            };
+
+            environment.systemPackages = [
+              pkgs.gitMinimal
+              #pkgs.mercurial
+              pkgs.curl
+              pkgs.gnupg
+            ];
+          };
+          qemuConfig = { ... }: {
+            imports = [ systemConfig ];
+            fileSystems."/".device = "/dev/disk/by-label/nixos";
+            boot.initrd.availableKernelModules = [
+              "ahci"
+              "ehci_pci"
+              "sd_mod"
+              "usb_storage"
+              "usbhid"
+              "virtio_balloon"
+              "virtio_blk"
+              "virtio_pci"
+              "virtio_ring"
+              "xhci_pci"
+            ];
+            boot.loader = {
+              grub = {
+                device = "/dev/vda";
+              };
+              timeout = 0;
+            };
+          };
+          config = (import (pkgs.path + "/nixos/lib/eval-config.nix") {
+            inherit pkgs; modules = [ qemuConfig ];
+            system = "x86_64-linux";
+          }).config;
+        in
+        import (pkgs.path + "/nixos/lib/make-disk-image.nix") {
+          inherit pkgs lib config;
+          diskSize = 16000;
+          format = "qcow2-compressed";
+          contents = [
+            {
+              source = pkgs.writeText "gitconfig" ''
+                [user]
+                  name = builds.sr.ht
+                  email = build@sr.ht
+              '';
+              target = "/home/build/.gitconfig";
+              user = "build";
+              group = "users";
+              mode = "644";
+            }
+          ];
+        };
     };
-    # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen webhook
-    #webhooks.private-key= "U7yd/8mGs/v0O3kId4jpeSghUCa9tqP1fYQwSV8UOqo=";
-    webhooks.private-key = gnupg.secrets."sourcehut/webhook-key".path;
-    mail = {
-      smtp-host = "localhost";
-      smtp-port = 25;
-      smtp-user = null;
-      smtp-password = null;
-      smtp-from = "sourcehut@sourcephile.fr";
-      error-to = "julm+sourcehut+error@sourcephile.fr";
-      error-from = "sourcehut+error@sourcephile.fr";
-      pgp-privkey = null;
-      pgp-pubkey = null;
-      pgp-key-id = null;
+
+    #dispatch.enable = true;
+    git.enable = true;
+    #hub.enable = true;
+    meta.enable = true;
+    meta.port = 4999;
+    #man.enable = true;
+    #pages.enable = true;
+    #paste.enable = true;
+    #todo.enable = true;
+    #lists.enable = true;
+
+    postgresql.enable = true;
+    postfix.enable = true;
+    redis.enable = true;
+    nginx.enable = true;
+    settings = {
+      "sr.ht" = {
+        environment = "production";
+        global-domain = domain;
+        origin = "http://${domain}";
+        owner-email = "julm+srht@sourcephile.fr";
+        owner-name = "Sourcephile";
+        site-blurb = "software forge";
+        site-info = "http://${domain}";
+        site-name = "Sourcephile";
+        # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen network
+        network-key = gnupg.secrets."sourcehut/network-key".path;
+        # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen service
+        service-key = gnupg.secrets."sourcehut/service-key".path;
+      };
+      objects = {
+        s3-upstream = "localhost";
+        s3-access-key = "12345";
+        s3-secret-key = pkgs.writeText "s3-secret-key" "12345678";
+      };
+      # nix shell nixpkgs#sourcehut.metasrht -c metasrht-manageuser -t admin -e mymail@gmail.com misuzu
+      "builds.sr.ht" = {
+        origin = "http://builds.${domain}";
+        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
+        oauth-client-id = "299db9f9c2013170";
+        allow-free = true;
+      };
+      "dispatch.sr.ht" = {
+        origin = "http://dispatch.${domain}";
+        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
+        oauth-client-id = "299db9f9c2013170";
+      };
+      "pages.sr.ht" = {
+        origin = "http://pages.${domain}";
+        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
+        oauth-client-id = "299db9f9c2013170";
+        s3-bucket = "pagesbuck";
+      };
+      "paste.sr.ht" = {
+        origin = "http://paste.${domain}";
+        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
+        oauth-client-id = "299db9f9c2013170";
+      };
+      "man.sr.ht" = {
+        origin = "http://man.${domain}";
+        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
+        oauth-client-id = "299db9f9c2013170";
+      };
+      "meta.sr.ht" = {
+        origin = "http://meta.${domain}";
+        api-origin = "http://localhost:5099";
+      };
+      "meta.sr.ht::settings" = {
+        onboarding-redirect = "http://meta.${domain}";
+        registration = true;
+      };
+      "meta.sr.ht::api" = {
+        # This is a temporary workaround
+        #
+        internal-ipnet = [ "127.0.0.0/8" "::1/128" "192.168.0.0/16" "10.0.0.0/8" ];
+      };
+      "todo.sr.ht" = {
+        origin = "http://todo.${domain}";
+        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
+        oauth-client-id = "299db9f9c2013170";
+      };
+      "git.sr.ht" = {
+        origin = "http://git.${domain}";
+        outgoing-domain = "http://git.${domain}";
+        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
+        oauth-client-id = "299db9f9c2013170";
+        #repos = "/var/lib/git";
+      };
+      "hub.sr.ht" = {
+        origin = "http://hub.${domain}";
+        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
+        oauth-client-id = "299db9f9c2013170";
+      };
+      "lists.sr.ht" = {
+        origin = "http://lists.${domain}";
+        oauth-client-secret = gnupg.secrets."sourcehut/oauth-client-secret".path;
+        oauth-client-id = "299db9f9c2013170";
+      };
+      "lists.sr.ht::worker" = {
+        #sock = "/var/lib/postfix/queue/private/srht-lmtp";
+      };
+      # nix shell nixpkgs#sourcehut.coresrht -c srht-keygen webhook
+      #webhooks.private-key= "U7yd/8mGs/v0O3kId4jpeSghUCa9tqP1fYQwSV8UOqo=";
+      webhooks.private-key = gnupg.secrets."sourcehut/webhook-key".path;
+      mail = {
+        smtp-host = "localhost";
+        smtp-port = 25;
+        smtp-user = null;
+        smtp-password = null;
+        smtp-from = "sourcehut@sourcephile.fr";
+        error-to = "julm+sourcehut+error@sourcephile.fr";
+        error-from = "sourcehut+error@sourcephile.fr";
+        pgp-privkey = null;
+        pgp-pubkey = null;
+        pgp-key-id = null;
+      };
     };
   };
-};
-services.nginx.virtualHosts = {
-  #"builds.${domain}".forceSSL = lib.mkForce false;
-  "dispatch.${domain}".forceSSL = lib.mkForce false;
-  "git.${domain}".forceSSL = lib.mkForce false;
-  "hub.${domain}".forceSSL = lib.mkForce false;
-  "lists.${domain}".forceSSL = lib.mkForce false;
-  "logs.${domain}".forceSSL = lib.mkForce false;
-  "man.${domain}".forceSSL = lib.mkForce false;
-  "paste.${domain}".forceSSL = lib.mkForce false;
-  "todo.${domain}".forceSSL = lib.mkForce false;
-  "meta.${domain}" = {
-    forceSSL = lib.mkForce false;
-    /*
-    extraConfig = ''
+  services.nginx.virtualHosts = {
+    "builds.${domain}".forceSSL = lib.mkForce false;
+    "dispatch.${domain}".forceSSL = lib.mkForce false;
+    "git.${domain}".forceSSL = lib.mkForce false;
+    "hub.${domain}".forceSSL = lib.mkForce false;
+    "lists.${domain}".forceSSL = lib.mkForce false;
+    "logs.${domain}".forceSSL = lib.mkForce false;
+    "man.${domain}".forceSSL = lib.mkForce false;
+    "paste.${domain}".forceSSL = lib.mkForce false;
+    "pages.${domain}".forceSSL = lib.mkForce false;
+    "todo.${domain}".forceSSL = lib.mkForce false;
+    "meta.${domain}" = {
+      forceSSL = lib.mkForce false;
+      /*
+        extraConfig = ''
       access_log /var/log/nginx/${domain}/meta/access.log json;
       error_log /var/log/nginx/${domain}/meta/error.log warn;
-    '';
-    */
+        '';
+      */
+    };
+    "${domain}".forceSSL = lib.mkForce false;
   };
-  "${domain}".forceSSL = lib.mkForce false;
-};
-systemd.services.nginx.serviceConfig.LogsDirectory =
-  lib.mkForce ["/var/log/nginx/${domain}/meta"];
-systemd.services.postgresql = {
-  /*
-    connection_limit=64 \
-    encoding=UTF8 \
-    lc_collate=fr_FR.UTF-8 \
-    lc_type=fr_FR.UTF-8 \
-    owner="${sourcehut.git.database}" \
-    pg_createdb "${sourcehut.git.database}" >/dev/null </dev/null
+  systemd.services.postgresql = {
+    /*
+      connection_limit=64 \
+      encoding=UTF8 \
+      lc_collate=fr_FR.UTF-8 \
+      lc_type=fr_FR.UTF-8 \
+      owner="${sourcehut.git.postgresql.database}" \
+      pg_createdb "${sourcehut.git.postgresql.database}" >/dev/null </dev/null
 
-    pg_adduser "${sourcehut.git.database}" "${sourcehut.git.database}" >/dev/null
-  */
-  postStart = lib.mkAfter ''
-    $PSQL -d "${sourcehut.dispatch.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
+      pg_adduser "${sourcehut.git.postgresql.database}" "${sourcehut.git.postgresql.database}" >/dev/null
+      postStart = lib.mkAfter ''
+      $PSQL -d "${sourcehut.builds.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
+      GRANT USAGE,CREATE ON schema public TO "${sourcehut.builds.user}";
+      EOF
+      $PSQL -d "${sourcehut.dispatch.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
       GRANT USAGE,CREATE ON schema public TO "${sourcehut.dispatch.user}";
-    EOF
-    $PSQL -d "${sourcehut.git.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
+      EOF
+      $PSQL -d "${sourcehut.git.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
       GRANT USAGE,CREATE ON schema public TO "${sourcehut.git.user}";
-    EOF
-    $PSQL -d "${sourcehut.hub.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
+      EOF
+      $PSQL -d "${sourcehut.hub.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
       GRANT USAGE,CREATE ON schema public TO "${sourcehut.hub.user}";
-    EOF
-    $PSQL -d "${sourcehut.man.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
+      EOF
+      $PSQL -d "${sourcehut.man.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
       GRANT USAGE,CREATE ON schema public TO "${sourcehut.man.user}";
-    EOF
-    $PSQL -d "${sourcehut.meta.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
+      EOF
+      $PSQL -d "${sourcehut.meta.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
       GRANT USAGE,CREATE ON schema public TO "${sourcehut.meta.user}";
       GRANT USAGE,CREATE ON schema public TO "${users.sshsrht.name}";
-    EOF
-    $PSQL -d "${sourcehut.paste.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
+      EOF
+      $PSQL -d "${sourcehut.pages.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
+      GRANT USAGE,CREATE ON schema public TO "${sourcehut.pages.user}";
+      EOF
+      $PSQL -d "${sourcehut.paste.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
       GRANT USAGE,CREATE ON schema public TO "${sourcehut.paste.user}";
-    EOF
-    $PSQL -d "${sourcehut.todo.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
+      EOF
+      $PSQL -d "${sourcehut.todo.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
       GRANT USAGE,CREATE ON schema public TO "${sourcehut.todo.user}";
-    EOF
-    $PSQL -d "${sourcehut.lists.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
+      EOF
+      $PSQL -d "${sourcehut.lists.postgresql.database}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
       GRANT USAGE,CREATE ON schema public TO "${sourcehut.lists.user}";
-    EOF
-  '';
-};
+      EOF
+      '';
+    */
+  };
 }
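Review bot: `s3-secret-key = pkgs.writeText "s3-secret-key" "12345678"` in the new `objects` section, together with `services.minio.secretKey = "12345678"` a few lines above, writes the object-store secret into the world-readable Nix store, whereas every other secret in this hunk is taken from `gnupg.secrets."sourcehut/…".path`. The consistent fix is to add `"sourcehut/s3-secret-key"` to the `security.gnupg.secrets` list and set `s3-secret-key = gnupg.secrets."sourcehut/s3-secret-key".path;`, and, if the nixpkgs revision in use offers a file-based minio credentials option (`rootCredentialsFile` in recent nixpkgs), to feed minio from the same file instead of `accessKey`/`secretKey`. The literal `"12345"`/`"12345678"` values read as placeholders and deserve at least a `# TODO: replace placeholder credentials` comment if they are meant to be rotated before use. Separately, the `/*` opened at the top of the new `systemd.services.postgresql` body is only closed after the `postStart = lib.mkAfter ''…''` block, so every `GRANT USAGE,CREATE ON schema public` statement that was live before this change is now comment text and the attrset is empty; if that is intended, a one-line comment such as `# postStart grants disabled: TODO state why` would keep a later reader from silently re-enabling it, and if not, `*/` belongs back above `postStart`.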