From 3dd76a1f15cc38156db4bb0bd62131d054900f0f Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Thu, 24 Feb 2022 04:44:59 +0100 Subject: [PATCH 01/16] carotte: linux: enable WiFi dongle --- nixos/profiles/hardware/cubieboard2.nix | 12 ++++++++++++ nixos/profiles/systems/crossCompilation.nix | 8 -------- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/nixos/profiles/hardware/cubieboard2.nix b/nixos/profiles/hardware/cubieboard2.nix index d8c0f80..0560f99 100644 --- a/nixos/profiles/hardware/cubieboard2.nix +++ b/nixos/profiles/hardware/cubieboard2.nix @@ -74,6 +74,7 @@ nixpkgs.overlays = [ USB_SERIAL_PL2303 = module; REGULATOR = lib.mkForce no; MFD_CORE = no; + PCI = yes; # # File systems @@ -102,6 +103,16 @@ nixpkgs.overlays = [ LIB80211_CRYPT_CCMP = module; MAC80211 = module; MAC80211_HWSIM = module; + NETDEVICES = yes; + WLAN = yes; + WLAN_VENDOR_REALTEK = yes; + NET_VENDOR_REALTEK = yes; + REALTEK_PHY = yes; + RTL_CARDS = module; + RTL8188EE = module; # For 7392:7811 Edimax Technology Co., Ltd EW-7811Un 802.11n Wireless Adapter [Realtek RTL8188CUS] + RTLWIFI = module; + RTLWIFI_PCI = module; + RTLWIFI_DEBUG = yes; # Sound options SND_SOC_ADI = no; @@ -693,6 +704,7 @@ nixpkgs.overlays = [ MPI = no; RAID6 = no; STAGING = lib.mkForce no; + ATH11K_PCI = no; "6LOWPAN" = no; ARCNET = no; diff --git a/nixos/profiles/systems/crossCompilation.nix b/nixos/profiles/systems/crossCompilation.nix index 0899a0e..2c1cf57 100644 --- a/nixos/profiles/systems/crossCompilation.nix +++ b/nixos/profiles/systems/crossCompilation.nix 
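Review bot: The comment on `RTL8188EE = module; # For 7392:7811 Edimax ... [Realtek RTL8188CUS]` names a USB dongle, but `RTL8188EE` together with `RTLWIFI_PCI` and the new `PCI = yes;` is the PCIe driver path; as far as I know the RTL8188CUS is handled by the USB driver (`RTL8192CU`, which needs `RTLWIFI_USB`), so this hunk may not actually bring the adapter up — worth confirming against the driver the running kernel binds to the device. If the USB driver turns out to be the right one, `PCI = yes;` here and `ATH11K_PCI = no;` in the `@@ -693` hunk are probably only there to satisfy the PCIe driver's dependencies and could go. `RTLWIFI_DEBUG = yes;` compiles verbose driver debugging into a production kernel; consider flipping it to `no` once the dongle works, with a comment such as `# debug tracing only needed while bringing the dongle up`.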
@@ -2,14 +2,6 @@ { nixpkgs.overlays = [ (final: super: { - # TODO: remove after liburing-2.1 - liburing = super.liburing.overrideAttrs (old: { - src = super.fetchgit { - url = "http://git.kernel.dk/${old.pname}"; - rev = "cb350a8989adbd65db574325d9a86d5437d800da"; - sha256 = "sha256-ZMev2RjiswuR9seVwHbnVUtnpaPW/XJbelBgvIuYiGg="; - }; - }); gnupg = super.gnupg.override { # Wants polkit which wants spidermonkey (slow to compile) pcsclite = null; -- 2.47.0 From 01970428b414dd65eadce669842dec0bd89025b8 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Thu, 24 Feb 2022 04:54:59 +0100 Subject: [PATCH 02/16] gpg: set default-key --- shell.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/shell.nix b/shell.nix index 5621ffb..24d0a83 100644 --- a/shell.nix +++ b/shell.nix @@ -18,6 +18,7 @@ let gpgExtraConf = '' # julm@sourcephile.fr trusted-key 0xB2450D97085B7B8C + default-key 0x4FE467034C11017B429BAC53A58CD81C3863926F ''; gpgAgentExtraConf = '' #pretend-request-origin remote -- 2.47.0 From 6dfdc99216d028eb29b80762823c651fb6700deb Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Fri, 25 Feb 2022 13:13:59 +0100 Subject: [PATCH 03/16] mermet: dovecot: try to fix list.sieve --- hosts/mermet/dovecot.nix | 3 ++ hosts/mermet/dovecot/sieve/global/list.sieve | 32 ++++++++------------ 2 files changed, 15 insertions(+), 20 deletions(-) diff --git a/hosts/mermet/dovecot.nix b/hosts/mermet/dovecot.nix index 9337be8..f471f2c 100644 --- a/hosts/mermet/dovecot.nix +++ b/hosts/mermet/dovecot.nix @@ -63,6 +63,9 @@ imports = [ dovecot/sourcephile.fr.nix dovecot/autogeree.net.nix ]; +environment.systemPackages = [ + pkgs.dovecot_pigeonhole +]; users.groups.acme.members = [ dovecot2.user ]; systemd.services.dovecot2 = { after = [ diff --git a/hosts/mermet/dovecot/sieve/global/list.sieve b/hosts/mermet/dovecot/sieve/global/list.sieve index a543d1b..3b57cd4 100644 --- a/hosts/mermet/dovecot/sieve/global/list.sieve +++ b/hosts/mermet/dovecot/sieve/global/list.sieve 
@@ -14,29 +14,21 @@ if exists "X-MC-User" { } } elsif exists "List-Id" { - if header :matches "List-Id" "*<*/*.*.lists.sr.ht>*" { - if allof (not string :is "${2}" "", not string :is "${3}" "", not string :is "${4}" "") { - fileinto :create "Listes+sr-ht+${2}+${3}+${4}"; - stop; - } + if allof (header :matches "List-Id" "*<*/*.*.lists.sr.ht>*", not string :is "${2}" "", not string :is "${3}" "", not string :is "${4}" "") { + fileinto :create "Listes+sr-ht+${2}+${3}+${4}"; + stop; } - elsif header :matches "List-Id" "*<*/*.lists.sr.ht>*" { - if allof (not string :is "${2}" "", not string :is "${3}" "") { - fileinto :create "Listes+sr.ht+${2}+${3}"; - stop; - } + elsif allof (header :matches "List-Id" "*<*/*.lists.sr.ht>*", not string :is "${2}" "", not string :is "${3}" "") { + fileinto :create "Listes+sr-ht+${2}+${3}"; + stop; } - elsif header :matches "List-Id" "*<*.*.*.*>*" { - if allof (not string :is "${2}" "", not string :is "${3}" "", not string :is "${4}" "") { - fileinto :create "Listes+${4}+${3}+${2}"; - stop; - } + elsif allof (header :matches "List-Id" "*<*.*.*.*>*", not string :is "${2}" "", not string :is "${3}" "", not string :is "${4}" "") { + fileinto :create "Listes+${4}+${3}+${2}"; + stop; } - elsif header :matches "List-Id" "*<*.*.*>*" { - if allof (not string :is "${2}" "", not string :is "${3}" "") { - fileinto :create "Listes+${3}+${2}"; - stop; - } + elsif allof (header :matches "List-Id" "*<*.*.*>*", not string :is "${2}" "", not string :is "${3}" "") { + fileinto :create "Listes+${3}+${2}"; + stop; } } -- 2.47.0 From f7698f5a18fcf5576bd40514133bcc901178eeae Mon Sep 17 00:00:00 2001 
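Review bot: The second branch's target folder quietly changes from `Listes+sr.ht+${2}+${3}` to `Listes+sr-ht+${2}+${3}` while the rest of the hunk reads as a pure restructuring; if aligning it with the first branch is intended, say so in the commit message, since mail already filed under the old folder name will not be merged. Flattening the nested `if` into `elsif allof (header :matches ..., not string :is ...)` also means a failed emptiness check now falls through to the later `List-Id` patterns instead of ending the chain, which is presumably the fix the subject refers to and deserves a one-line comment above the first `allof`, e.g. `# keep the match and the emptiness checks in one test so a failed check falls through to the next pattern`.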
From: Julien Moutinho Date: Sun, 27 Mar 2022 07:19:53 +0200 Subject: [PATCH 04/16] nix: update nixpkgs --- flake.lock | 35 +++++++++++++++++------------------ flake.nix | 2 +- hosts/carotte/security.nix | 5 ----- hosts/losurdo/security.nix | 3 --- hosts/mermet/security.nix | 3 --- nixpkgs/patches.nix | 4 ++-- shell.nix | 2 +- 7 files changed, 21 insertions(+), 33 deletions(-) diff --git a/flake.lock b/flake.lock index ec69913..3479870 100644 --- a/flake.lock +++ b/flake.lock @@ -3,11 +3,11 @@ "doom-emacs": { "flake": false, "locked": { - "lastModified": 1643252771, - "narHash": "sha256-T1H4uXm0dwDBxa+3aYE+xl/6hiW4VXX0ax6DEGvy25Y=", + "lastModified": 1647913749, + "narHash": "sha256-JlPq+PAJW00rDFOSdLYCdd+nnQzNkjztK2zXAS2S2zY=", "owner": "hlissner", "repo": "doom-emacs", - "rev": "ff4609835a4c47312b3d685e09330034d6f4c8a4", + "rev": "aed2972d7400834210759727117c50de34826db9", "type": "github" }, "original": { @@ -51,11 +51,11 @@ }, "emacs-overlay": { "locked": { - "lastModified": 1643252190, - "narHash": "sha256-V774e49jTUgdsHRfkPDNsH4BHT4hxbhCYkayLEwOHdM=", + "lastModified": 1648290468, + "narHash": "sha256-Mibv/7lr2QxNwydU0WP1VDC0GMu6Xn0E5Yez73xDjQE=", "owner": "nix-community", "repo": "emacs-overlay", - "rev": "8e5d094f0a82b37c24e77577c46f1787887f5af8", + "rev": "adf05412cca0a492c2465ac5de719954834c449e", "type": "github" }, "original": { @@ -168,17 +168,16 @@ ] }, "locked": { - "lastModified": 1639329010, - "narHash": "sha256-k9OXwR06419/s0FAnRalUs24+8EI6GepGaatAXhBc+0=", + "lastModified": 1648283590, + "narHash": "sha256-OjoAiY2XWr2ah73rY+kvEYLF+q40S/X61tUC0JPuCKw=", "owner": "nix-community", "repo": "home-manager", - "rev": "3d46c011d2cc2c9ca24d9b803e9daf156d9429ea", + "rev": "8afee75d0d1cb054cfeddfdc9f7193adc7741c95", "type": "github" }, "original": { "owner": "nix-community", "repo": "home-manager", - "rev": "3d46c011d2cc2c9ca24d9b803e9daf156d9429ea", "type": "github" } }, 
@@ -196,11 +195,11 @@ ] }, "locked": { - "lastModified": 1645673937, - "narHash": "sha256-GsuQdhO/ImvqsL5aFi3f/XV7n79s4DXCiK1lsQMtAlY=", + "lastModified": 1648339732, + "narHash": "sha256-RFPWIdtuMhWNiZ91bci/8AkD2me7uB851XEwQN0ONoY=", "ref": "main", - "rev": "5814f328f41d08fa566c4f556c4fb72617dd8609", - "revCount": 404, + "rev": "fc82f153463773e0c2558ca9984fafd30fac12f6", + "revCount": 425, "type": "git", "url": "file:///home/julm/work/sourcephile/nix/julm-nix" }, @@ -274,17 +273,17 @@ }, "nixpkgs": { "locked": { - "lastModified": 1645334861, - "narHash": "sha256-We9ECiMglthzbZ5S6Myqqf+RHzBFZPoM2qL5/jDkUjs=", + "lastModified": 1646497237, + "narHash": "sha256-Ccpot1h/rV8MgcngDp5OrdmLTMaUTbStZTR5/sI7zW0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d5f237872975e6fb6f76eef1368b5634ffcd266f", + "rev": "062a0c5437b68f950b081bbfc8a699d57a4ee026", "type": "github" }, "original": { "owner": "NixOS", "repo": "nixpkgs", - "rev": "d5f237872975e6fb6f76eef1368b5634ffcd266f", + "rev": "062a0c5437b68f950b081bbfc8a699d57a4ee026", "type": "github" } }, diff --git a/flake.nix b/flake.nix index c9d90d0..b45df28 100644 --- a/flake.nix +++ b/flake.nix @@ -1,6 +1,6 @@ { # Pin down nixpkgs from github, instead of using global, system or user registries. -inputs.nixpkgs.url = "github:NixOS/nixpkgs/d5f237872975e6fb6f76eef1368b5634ffcd266f"; +inputs.nixpkgs.url = "github:NixOS/nixpkgs/062a0c5437b68f950b081bbfc8a699d57a4ee026"; #inputs.nixpkgs.url = "flake:nixpkgs"; inputs.flake-utils.url = "github:numtide/flake-utils"; inputs.home-manager.follows = "julm-nix/home-manager"; diff --git a/hosts/carotte/security.nix b/hosts/carotte/security.nix index 0d766d7..6d64833 100644 --- a/hosts/carotte/security.nix +++ b/hosts/carotte/security.nix @@ -12,9 +12,4 @@ services.openssh.extraConfig = '' # This is for removing remote gpg-agent's socket StreamLocalBindUnlink yes ''; -/* -environment.systemPackages = [ - pkgs.tshark -]; -*/ } 
diff --git a/hosts/losurdo/security.nix b/hosts/losurdo/security.nix index ec10f9c..5fb302e 100644 --- a/hosts/losurdo/security.nix +++ b/hosts/losurdo/security.nix @@ -10,7 +10,4 @@ services.openssh.extraConfig = '' # This is for removing remote gpg-agent's socket StreamLocalBindUnlink yes ''; -environment.systemPackages = [ - pkgs.tshark -]; } diff --git a/hosts/mermet/security.nix b/hosts/mermet/security.nix index 959204f..bc67471 100644 --- a/hosts/mermet/security.nix +++ b/hosts/mermet/security.nix @@ -9,7 +9,4 @@ services.openssh.extraConfig = '' # This is for removing remote gpg-agent's socket StreamLocalBindUnlink yes ''; -environment.systemPackages = [ - pkgs.tshark -]; } diff --git a/nixpkgs/patches.nix b/nixpkgs/patches.nix index 945a5a2..f558cb6 100644 --- a/nixpkgs/patches.nix +++ b/nixpkgs/patches.nix @@ -14,7 +14,7 @@ { meta.description = "Update public-inbox to 1.7.0 and add systemd services"; url = "https://github.com/NixOS/nixpkgs/pull/104457.diff"; - sha256 = "sha256-ACscGu6ABe15DrCxT9f0BTeg/0xWdx+VaeiUFGyB8Yo="; + sha256 = "sha256-E4rSzICzJ+vK/rdu2Te3cyZhRV6Wod5bDiBbDC+V4cc="; } { meta.description = "nixos/openvpn: add network namespace support"; @@ -31,6 +31,6 @@ { meta.description = "nixos/syncoid: enable N:N dataset mappings"; url = "https://github.com/NixOS/nixpkgs/pull/147559.diff"; - sha256 = "sha256-QwA0ivFsGCB9vy93kNud4ZeiSdDoBk+9s4U1V2H3JH4="; + sha256 = "sha256-6sOCmG5UM9cuqzEPnjaQOcN+jMhsPGI8oE4hLonL4mA="; } ] diff --git a/shell.nix b/shell.nix index 24d0a83..efd1ead 100644 --- a/shell.nix +++ b/shell.nix @@ -137,7 +137,7 @@ pkgs.mkShell { #pkgs.zfstools pkgs.linuxPackages.perf #pkgs.go2nix - pkgs.wireguard + pkgs.wireguard-tools pkgs.stun pkgs.mkpasswd #pkgs.ubootTools -- 2.47.0 From 1adcabb4b9729eff487b75392c08fd9de0232499 Mon Sep 17 00:00:00 2001 
From: Julien Moutinho Date: Sun, 27 Mar 2022 07:20:50 +0200 Subject: [PATCH 05/16] mermet: enable miniflux --- flake.lock | 2 +- hosts/mermet.nix | 1 + hosts/mermet/knot/sourcephile.fr.nix | 1 + hosts/mermet/miniflux.nix | 89 ++++++++++++++++++++++++++++ 4 files changed, 92 insertions(+), 1 deletion(-) create mode 100644 hosts/mermet/miniflux.nix diff --git a/flake.lock b/flake.lock index 3479870..9a49954 100644 --- a/flake.lock +++ b/flake.lock @@ -370,7 +370,7 @@ "pass": { "flake": false, "locked": { - "narHash": "sha256-tuh9RcCovyUu4a9J1q2YVZQH8kgS0fGEbyo84yAXb1U=", + "narHash": "sha256-9wS8Q/NInoCpR4PClm0kiU3078L53iX1hTxLnze/kAI=", "path": "/home/julm/work/sourcephile/nix/pass", "type": "path" }, diff --git a/hosts/mermet.nix b/hosts/mermet.nix index cad1e8f..fac7561 100644 --- a/hosts/mermet.nix +++ b/hosts/mermet.nix @@ -21,6 +21,7 @@ modules = [ mermet/gitolite.nix mermet/hardware.nix mermet/knot.nix + mermet/miniflux.nix #mermet/mlmmj.nix mermet/murmur.nix mermet/networking.nix diff --git a/hosts/mermet/knot/sourcephile.fr.nix b/hosts/mermet/knot/sourcephile.fr.nix index ad55976..c816ea4 100644 --- a/hosts/mermet/knot/sourcephile.fr.nix +++ b/hosts/mermet/knot/sourcephile.fr.nix @@ -115,6 +115,7 @@ services.knot.zones."${domain}" = { pages.code A ${hosts.mermet._module.args.ipv4} paste.code A ${hosts.mermet._module.args.ipv4} todo.code A ${hosts.mermet._module.args.ipv4} + miniflux A ${hosts.mermet._module.args.ipv4} ; CNAME (Canonical Name) losurdo CNAME bureau1 diff --git a/hosts/mermet/miniflux.nix b/hosts/mermet/miniflux.nix new file mode 100644 index 0000000..2835fac --- /dev/null +++ b/hosts/mermet/miniflux.nix 
@@ -0,0 +1,89 @@ +{ pkgs, lib, config, hostName, ... }: +let + inherit (config.networking) domain; + inherit (config.security) gnupg; + inherit (config.services) nginx postgresql; + inherit (config.users) users groups; + srv = "miniflux"; +in +{ +systemd.sockets.miniflux = { + listenStreams = [ "/run/miniflux.sock" ]; + wantedBy = [ "sockets.target" ]; + socketConfig.SocketMode = "600"; + socketConfig.SocketUser = nginx.user; +}; +services.miniflux = { + enable = true; + config = { + BASE_URL = "https://${srv}.${domain}"; # Base URL to generate HTML links and base path for cookies. + BATCH_SIZE = "3"; # Number of feeds to send to the queue for each interval. + CLEANUP_ARCHIVE_UNREAD_DAYS = "60"; + CLEANUP_ARCHIVE_READ_DAYS = "30"; + #DEBUG = "on"; + LISTEN_ADDR = ""; + #METRICS_COLLECTOR = "1"; + POLLING_FREQUENCY = "180"; + POLLING_SCHEDULER = "entry_frequency"; + SCHEDULER_ENTRY_FREQUENCY_MAX_INTERVAL = "10080"; # 7*24*60 = 7d + WATCHDOG = "1"; + WORKER_POOL_SIZE = "2"; + }; + adminCredentialsFile = gnupg.secrets."miniflux/credentials".path; +}; +security.gnupg.secrets."miniflux/credentials" = {}; +systemd.services.miniflux = { + after = [ gnupg.secrets."miniflux/credentials".service ]; + wants = [ gnupg.secrets."miniflux/credentials".service ]; + # For the socket-activation + wantedBy = lib.mkForce [ ]; + unitConfig = { + RefuseManualStart = true; + }; + serviceConfig = { + # For postgres auth + User = users."miniflux".name; + Group = groups."postgres".name; + # For the confinement + BindReadOnlyPaths = [ + "/run/systemd/journal/socket" + "/run/postgresql" + "/etc/pki/tls/certs/ca-bundle.crt" + "/etc/hosts" + ]; + Type = "notify"; + DynamicUser = lib.mkForce false; + UMask = lib.mkForce "0022"; + # For the hardening + NoNewPrivileges = true; + PrivateTmp = true; + RemoveIPC = true; + #ProtectSystem = true; + }; + confinement = { + enable = true; + binSh = null; + mode = "chroot-only"; + }; +}; +services.postgresql.identMap = '' + # MAPNAME SYSTEM-USERNAME 
PG-USERNAME + user ${users.miniflux.name} ${users.miniflux.name} +''; +users.users."miniflux" = { + isSystemUser = true; + group = groups."postgres".name; +}; +services.nginx.virtualHosts."${srv}.${domain}" = { + forceSSL = true; + useACMEHost = domain; + extraConfig = '' + access_log /var/log/nginx/${domain}/${srv}/access.log json buffer=32k; + error_log /var/log/nginx/${domain}/${srv}/error.log warn; + ''; + locations."/" = { + proxyPass = "http://unix:/run/miniflux.sock:/"; + }; +}; +systemd.services.nginx.serviceConfig.LogsDirectory = lib.mkForce ["nginx/${domain}/${srv}"]; +} -- 2.47.0 From efd1ae0a5adcb64f3f19f02fffb3c5008fa32cda Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Sun, 3 Apr 2022 20:17:00 +0200 Subject: [PATCH 06/16] logrotate: rotate nginx access.json --- nixos/profiles/services/nginx.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/nixos/profiles/services/nginx.nix b/nixos/profiles/services/nginx.nix index 5e15a3b..9d125ac 100644 --- a/nixos/profiles/services/nginx.nix +++ b/nixos/profiles/services/nginx.nix @@ -42,6 +42,12 @@ services.logrotate = { "/var/log/nginx/*/*.log" "/var/log/nginx/*/*/*.log" "/var/log/nginx/*/*/*/*.log" + "/var/log/nginx/*/*/*/*/*.log" + "/var/log/nginx/*.json" + "/var/log/nginx/*/*.json" + "/var/log/nginx/*/*/*.json" + "/var/log/nginx/*/*/*/*.json" + "/var/log/nginx/*/*/*/*/*.json" ]; frequency = "weekly"; keep = 26; -- 2.47.0 From ce0e583ce1338b3d78cb3aa7c21df70a332c6deb Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Sat, 9 Apr 2022 04:27:59 +0200 Subject: [PATCH 07/16] prosody: restarting is needed to reload TLS certificates --- hosts/mermet/prosody.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/mermet/prosody.nix b/hosts/mermet/prosody.nix index 7b496dd..41b3068 100644 --- a/hosts/mermet/prosody.nix +++ b/hosts/mermet/prosody.nix 
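Review bot: `Group = groups."postgres".name;` in `serviceConfig` and `group = groups."postgres".name;` on `users.users."miniflux"` run the service with postgres as its primary group, so it inherits read access to anything that group can read; presumably the `identMap` entry `user ${users.miniflux.name} ${users.miniflux.name}` already covers peer authentication over the bind-mounted `/run/postgresql` without any group membership (verify against the socket directory's mode), in which case a dedicated group keeps least privilege: `users.groups.miniflux = {};` and `group = groups.miniflux.name;` on both. `#ProtectSystem = true;` is left commented without explanation; if the `mode = "chroot-only"` confinement is why, a comment like `# ProtectSystem is redundant under chroot-only confinement` would save the next reader from re-enabling it blindly. `UMask = lib.mkForce "0022";` loosens whatever the upstream module sets and sits under the `# For the confinement` comment, which does not explain it; a short why-comment would help.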
@@ -48,7 +48,7 @@ services.tor.relay.hiddenServices."${domain}/xmpp".map = [ 5222 5269 5000 ] ++ p */ users.groups.acme.members = [ prosody.user ]; security.acme.certs."${domain}" = { - postRun = "systemctl reload prosody"; + postRun = "systemctl restart prosody"; }; fileSystems."/var/lib/prosody" = { device = "rpool/var/prosody"; -- 2.47.0 From 17e0499da141194e7f49a24932030b3646e19fd7 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Sun, 17 Apr 2022 22:55:55 +0200 Subject: [PATCH 08/16] nix: update inputs --- flake.lock | 22 +++++++++++----------- flake.nix | 2 +- nixos/profiles/services/nginx.nix | 16 +++++++--------- 3 files changed, 19 insertions(+), 21 deletions(-) diff --git a/flake.lock b/flake.lock index 9a49954..025557b 100644 --- a/flake.lock +++ b/flake.lock @@ -168,11 +168,11 @@ ] }, "locked": { - "lastModified": 1648283590, - "narHash": "sha256-OjoAiY2XWr2ah73rY+kvEYLF+q40S/X61tUC0JPuCKw=", + "lastModified": 1650190514, + "narHash": "sha256-BoBvGT71yOfrNDTZQs7+FX0zb4yjMBETgIjtTsdJw+o=", "owner": "nix-community", "repo": "home-manager", - "rev": "8afee75d0d1cb054cfeddfdc9f7193adc7741c95", + "rev": "620ed197f3624dafa5f42e61d5c043f39b8df366", "type": "github" }, "original": { @@ -195,11 +195,11 @@ ] }, "locked": { - "lastModified": 1648339732, - "narHash": "sha256-RFPWIdtuMhWNiZ91bci/8AkD2me7uB851XEwQN0ONoY=", + "lastModified": 1650231401, + "narHash": "sha256-I69JoSaTxQqDn78andUGwObM0xuQoA0NzXIwukdum3Q=", "ref": "main", - "rev": "fc82f153463773e0c2558ca9984fafd30fac12f6", - "revCount": 425, + "rev": "5916c378e9bef85adccc08a803dab072a8bb69ea", + "revCount": 437, "type": "git", "url": "file:///home/julm/work/sourcephile/nix/julm-nix" }, 
@@ -273,17 +273,17 @@ }, "nixpkgs": { "locked": { - "lastModified": 1646497237, - "narHash": "sha256-Ccpot1h/rV8MgcngDp5OrdmLTMaUTbStZTR5/sI7zW0=", + "lastModified": 1650076401, + "narHash": "sha256-QGxadqKWICchuuLIF2QwmHPVaUk+qO33ml5p1wW4IyA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "062a0c5437b68f950b081bbfc8a699d57a4ee026", + "rev": "75ad56bdc927f3a9f9e05e3c3614c4c1fcd99fcb", "type": "github" }, "original": { "owner": "NixOS", "repo": "nixpkgs", - "rev": "062a0c5437b68f950b081bbfc8a699d57a4ee026", + "rev": "75ad56bdc927f3a9f9e05e3c3614c4c1fcd99fcb", "type": "github" } }, diff --git a/flake.nix b/flake.nix index b45df28..79b3a78 100644 --- a/flake.nix +++ b/flake.nix @@ -1,6 +1,6 @@ { # Pin down nixpkgs from github, instead of using global, system or user registries. -inputs.nixpkgs.url = "github:NixOS/nixpkgs/062a0c5437b68f950b081bbfc8a699d57a4ee026"; +inputs.nixpkgs.url = "github:NixOS/nixpkgs/75ad56bdc927f3a9f9e05e3c3614c4c1fcd99fcb"; #inputs.nixpkgs.url = "flake:nixpkgs"; inputs.flake-utils.url = "github:numtide/flake-utils"; inputs.home-manager.follows = "julm-nix/home-manager"; diff --git a/nixos/profiles/services/nginx.nix b/nixos/profiles/services/nginx.nix index 9d125ac..bb7b1f2 100644 --- a/nixos/profiles/services/nginx.nix +++ b/nixos/profiles/services/nginx.nix @@ -36,8 +36,8 @@ systemd.services.nginx = { }; services.logrotate = { enable = true; - paths.nginx = { - path = [ + settings.nginx = { + files = [ "/var/log/nginx/*.log" "/var/log/nginx/*/*.log" "/var/log/nginx/*/*/*.log" @@ -50,13 +50,11 @@ services.logrotate = { "/var/log/nginx/*/*/*/*/*.json" ]; frequency = "weekly"; - keep = 26; - extraConfig = '' - compress - delaycompress - postrotate - [ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid` - endscript + rotate = 26; + compress = true; + delaycompress = true; + postrotate = '' + [ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid` ''; }; }; -- 2.47.0 
From c552fd4025adf8d53c75fd46119ba60c72050dc3 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Mon, 18 Apr 2022 18:29:09 +0200 Subject: [PATCH 09/16] public-inbox: update PR --- nixpkgs/patches.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixpkgs/patches.nix b/nixpkgs/patches.nix index f558cb6..4232c4e 100644 --- a/nixpkgs/patches.nix +++ b/nixpkgs/patches.nix @@ -14,7 +14,7 @@ { meta.description = "Update public-inbox to 1.7.0 and add systemd services"; url = "https://github.com/NixOS/nixpkgs/pull/104457.diff"; - sha256 = "sha256-E4rSzICzJ+vK/rdu2Te3cyZhRV6Wod5bDiBbDC+V4cc="; + sha256 = "sha256-vkWhVVJDaw2nVSELl0+SEald1k9gEn+My4hJ7WxZDIs="; } { meta.description = "nixos/openvpn: add network namespace support"; -- 2.47.0 From 8fb00254652e89ad82c5a37785b65affc66e9736 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Mon, 18 Apr 2022 18:29:33 +0200 Subject: [PATCH 10/16] hostapd: try to fix the network --- hosts/losurdo/networking/wireless.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/losurdo/networking/wireless.nix b/hosts/losurdo/networking/wireless.nix index 58e6f1b..e6fd02a 100644 --- a/hosts/losurdo/networking/wireless.nix +++ b/hosts/losurdo/networking/wireless.nix @@ -10,8 +10,8 @@ networking.interfaces.${iface} = { }; # Fix to set the address before starting dhcpd4.service systemd.services."network-addresses-${iface}" = { - before = ["network.target"]; - wantedBy = ["network.target"]; + before = ["network.target" "hostapd.service"]; + wantedBy = ["network.target" "hostapd.service"]; }; boot.kernel.sysctl."net.ipv6.conf.${iface}.addr_gen_mode" = 1; networking.nftables.ruleset = '' -- 2.47.0 From 96de496bdda45a33b400fab51bb874b0acd8a2b0 Mon Sep 17 00:00:00 2001 
From: Julien Moutinho Date: Fri, 22 Apr 2022 01:53:25 +0200 Subject: [PATCH 11/16] prosody: update to 0.12 --- hosts/losurdo/networking/wireless.nix | 4 ++-- hosts/mermet/prosody.nix | 12 ++++++++++++ 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/hosts/losurdo/networking/wireless.nix b/hosts/losurdo/networking/wireless.nix index e6fd02a..0c96250 100644 --- a/hosts/losurdo/networking/wireless.nix +++ b/hosts/losurdo/networking/wireless.nix @@ -10,8 +10,8 @@ networking.interfaces.${iface} = { }; # Fix to set the address before starting dhcpd4.service systemd.services."network-addresses-${iface}" = { - before = ["network.target" "hostapd.service"]; - wantedBy = ["network.target" "hostapd.service"]; + bindsTo = [ "hostapd.service"]; + wantedBy = ["network.target"]; }; boot.kernel.sysctl."net.ipv6.conf.${iface}.addr_gen_mode" = 1; networking.nftables.ruleset = '' diff --git a/hosts/mermet/prosody.nix b/hosts/mermet/prosody.nix index 41b3068..d8db93a 100644 --- a/hosts/mermet/prosody.nix +++ b/hosts/mermet/prosody.nix @@ -82,6 +82,7 @@ services.prosody = { proxy65 = false; }; extraModules = [ + "turn_external" "turncredentials" #"net_multiplex" #"extdisco" @@ -109,6 +110,12 @@ services.prosody = { turncredentials_host = "turn.${domain}" turncredentials_port = 3478 turncredentials_secret = "${lib.removeSuffix "\n" (builtins.readFile (inputs.secrets + "/coturn/static-auth-secret"))}"; + + turn_external_secret = "${lib.removeSuffix "\n" (builtins.readFile (inputs.secrets + "/coturn/static-auth-secret"))}" + turn_external_host = ""turn.${domain}" + turn_external_port = 3478 + turn_external_ttl = 86400 + smacks_enabled_s2s = true; smacks_s2s_resend = true; 
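Review bot: `bindsTo = [ "hostapd.service"];` adds a requirement and stop-propagation dependency but no ordering, so with `before = [... "hostapd.service"]` removed nothing fixes whether the address is configured before or after hostapd starts; systemd documents BindsTo= as strongest together with After=, so if the intent is to configure the address once hostapd has set up the interface, add `after = [ "hostapd.service" ];`. The comment above the hunk, `# Fix to set the address before starting dhcpd4.service`, no longer describes the resulting dependency set and should be updated to state the hostapd relationship instead.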
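Review bot: The new `turn_external_secret = "${lib.removeSuffix "\n" (builtins.readFile (inputs.secrets + "/coturn/static-auth-secret"))}"` line reads the TURN shared secret at Nix evaluation time and interpolates it into the generated prosody configuration, which ends up in the world-readable Nix store; the existing `turncredentials_secret` line above it has the same exposure, and this hunk doubles it. Consider providing the secret at runtime instead — this series already uses `security.gnupg.secrets` for the miniflux credentials — and documenting the remaining build-time read with a comment if it must stay. Separately, `turn_external_host = ""turn.${domain}"` has a stray leading quote that makes the Lua line invalid; PATCH 12 in this series corrects it. The enclosing `extraConfig` string starts and ends outside this hunk.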
@@ -125,6 +132,11 @@ services.prosody = { Component "biboumi.${domain}" component_secret = "useless-secret-on-loopback" + + Component "tmp.${domain}" "http_file_share" + http_file_share_size_limit = 16*1024*1024 -- 16 MiB + http_file_share_daily_quota = 100*1024*1024 -- 100 MiB per day per user + http_file_share_global_quota = 1024*1024*1024 -- 1 GiB total ''; #ports = {80}; #ssl_ports = {443}; -- 2.47.0 From 4c0efa07a56b4016c280a5f5ffdced8c704ce168 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Tue, 26 Apr 2022 10:40:43 +0200 Subject: [PATCH 12/16] prosody: update to 0.12 --- hosts/mermet/prosody.nix | 32 +- nixos/modules.nix | 2 + nixos/modules/services/networking/prosody.nix | 921 ++++++++++++++++++ 3 files changed, 936 insertions(+), 19 deletions(-) create mode 100644 nixos/modules/services/networking/prosody.nix diff --git a/hosts/mermet/prosody.nix b/hosts/mermet/prosody.nix index d8db93a..29d593a 100644 --- a/hosts/mermet/prosody.nix +++ b/hosts/mermet/prosody.nix @@ -71,7 +71,8 @@ services.prosody = { modules = { announce = true; blocklist = true; - cloud_notify = true; + cloud_notify = false; # not encrypted even with OMEMO + #cloud_notify_encrypted = true; groups = true; limits = false; motd = true; @@ -83,7 +84,7 @@ services.prosody = { }; extraModules = [ "turn_external" - "turncredentials" + #"turncredentials" #"net_multiplex" #"extdisco" ]; 
@@ -107,12 +108,12 @@ services.prosody = { } legacy_ssl_ports = { 5222 } - turncredentials_host = "turn.${domain}" - turncredentials_port = 3478 - turncredentials_secret = "${lib.removeSuffix "\n" (builtins.readFile (inputs.secrets + "/coturn/static-auth-secret"))}"; + -- turncredentials_host = "turn.${domain}" + -- turncredentials_port = 3478 + -- turncredentials_secret = "${lib.removeSuffix "\n" (builtins.readFile (inputs.secrets + "/coturn/static-auth-secret"))}"; turn_external_secret = "${lib.removeSuffix "\n" (builtins.readFile (inputs.secrets + "/coturn/static-auth-secret"))}" - turn_external_host = ""turn.${domain}" + turn_external_host = "turn.${domain}" turn_external_port = 3478 turn_external_ttl = 86400 @@ -132,25 +133,18 @@ services.prosody = { Component "biboumi.${domain}" component_secret = "useless-secret-on-loopback" - - Component "tmp.${domain}" "http_file_share" - http_file_share_size_limit = 16*1024*1024 -- 16 MiB - http_file_share_daily_quota = 100*1024*1024 -- 100 MiB per day per user - http_file_share_global_quota = 1024*1024*1024 -- 1 GiB total ''; + httpFileShare = { + domain = "tmp.${domain}"; + size_limit = 16*1024*1024; # 16 MiB + daily_quota = 100*1024*1024; # 100 MiB per day per user + global_quota = 1024*1024*1024; # 1 GiB total + }; #ports = {80}; #ssl_ports = {443}; c2sRequireEncryption = true; s2sRequireEncryption = true; s2sSecureAuth = true; - uploadHttp = { - domain = "tmp.${domain}"; - # Prosody's HTTP parser limit on body size - uploadFileSizeLimit = "10485760"; - userQuota = 100 * 1024 * 1024; - uploadExpireAfter = "60 * 60 * 24 * 7"; - httpUploadPath = "/var/lib/prosody/upload"; - }; muc = [ { domain = "salons.${domain}"; diff --git a/nixos/modules.nix b/nixos/modules.nix index c53b175..07389fc 100644 --- a/nixos/modules.nix +++ b/nixos/modules.nix 
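Review bot: Commenting out `-- turncredentials_secret = "${lib.removeSuffix "\n" (builtins.readFile (inputs.secrets + "/coturn/static-auth-secret"))}";` with a Lua `--` does not stop the Nix interpolation: the secret file is still read at evaluation time and written into the generated config as a Lua comment, so it still lands in the world-readable Nix store. Either delete the three `-- turncredentials_*` lines or comment them at the Nix level; the `turn_external_secret` line just below keeps the same build-time exposure and would be better served by a runtime-read secret. The enclosing `extraConfig` string starts and ends outside this hunk.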
@@ -28,6 +28,7 @@ imports = [ #modules/security/wrappers/default.nix #modules/config/console.nix #modules/services/x11/display-managers/default.nix + modules/services/networking/prosody.nix ]; disabledModules = [ #"config/console.nix" @@ -61,5 +62,6 @@ disabledModules = [ #"services.misc/sourcehut/dispatch.nix" #"services/logging/logrotate.nix" #"security/wrappers/default.nix" + "services/networking/prosody.nix" ]; } diff --git a/nixos/modules/services/networking/prosody.nix b/nixos/modules/services/networking/prosody.nix new file mode 100644 index 0000000..184726b --- /dev/null +++ b/nixos/modules/services/networking/prosody.nix 
@@ -0,0 +1,921 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.services.prosody; + + sslOpts = { ... }: { + + options = { + + key = mkOption { + type = types.path; + description = "Path to the key file."; + }; + + # TODO: rename to certificate to match the prosody config + cert = mkOption { + type = types.path; + description = "Path to the certificate file."; + }; + + extraOptions = mkOption { + type = types.attrs; + default = {}; + description = "Extra SSL configuration options."; + }; + + }; + }; + + discoOpts = { + options = { + url = mkOption { + type = types.str; + description = "URL of the endpoint you want to make discoverable"; + }; + description = mkOption { + type = types.str; + description = "A short description of the endpoint you want to advertise"; + }; + }; + }; + + moduleOpts = { + # Required for compliance with https://compliance.conversations.im/about/ + roster = mkOption { + type = types.bool; + default = true; + description = "Allow users to have a roster"; + }; + + saslauth = mkOption { + type = types.bool; + default = true; + description = "Authentication for clients and servers. 
Recommended if you want to log in."; + }; + + tls = mkOption { + type = types.bool; + default = true; + description = "Add support for secure TLS on c2s/s2s connections"; + }; + + dialback = mkOption { + type = types.bool; + default = true; + description = "s2s dialback support"; + }; + + disco = mkOption { + type = types.bool; + default = true; + description = "Service discovery"; + }; + + # Not essential, but recommended + carbons = mkOption { + type = types.bool; + default = true; + description = "Keep multiple clients in sync"; + }; + + csi = mkOption { + type = types.bool; + default = true; + description = "Implements the CSI protocol that allows clients to report their active/inactive state to the server"; + }; + + cloud_notify = mkOption { + type = types.bool; + default = true; + description = "Push notifications to inform users of new messages or other pertinent information even when they have no XMPP clients online"; + }; + + pep = mkOption { + type = types.bool; + default = true; + description = "Enables users to publish their mood, activity, playing music and more"; + }; + + private = mkOption { + type = types.bool; + default = true; + description = "Private XML storage (for room bookmarks, etc.)"; + }; + + blocklist = mkOption { + type = types.bool; + default = true; + description = "Allow users to block communications with other users"; + }; + + vcard = mkOption { + type = types.bool; + default = false; + description = "Allow users to set vCards"; + }; + + vcard_legacy = mkOption { + type = types.bool; + default = true; + description = "Converts users profiles and Avatars between old and new formats"; + }; + + bookmarks = mkOption { + type = types.bool; + default = true; + description = "Allows interop between older clients that use XEP-0048: Bookmarks in its 1.0 version and recent clients which use it in PEP"; + }; + + # Nice to have + version = mkOption { + type = types.bool; + default = true; + description = "Replies to server version requests"; + 
}; + + uptime = mkOption { + type = types.bool; + default = true; + description = "Report how long server has been running"; + }; + + time = mkOption { + type = types.bool; + default = true; + description = "Let others know the time here on this server"; + }; + + ping = mkOption { + type = types.bool; + default = true; + description = "Replies to XMPP pings with pongs"; + }; + + register = mkOption { + type = types.bool; + default = true; + description = "Allow users to register on this server using a client and change passwords"; + }; + + mam = mkOption { + type = types.bool; + default = true; + description = "Store messages in an archive and allow users to access it"; + }; + + smacks = mkOption { + type = types.bool; + default = true; + description = "Allow a client to resume a disconnected session, and prevent message loss"; + }; + + # Admin interfaces + admin_adhoc = mkOption { + type = types.bool; + default = true; + description = "Allows administration via an XMPP client that supports ad-hoc commands"; + }; + + http_files = mkOption { + type = types.bool; + default = true; + description = "Serve static files from a directory over HTTP"; + }; + + proxy65 = mkOption { + type = types.bool; + default = true; + description = "Enables a file transfer proxy service which clients behind NAT can use"; + }; + + admin_telnet = mkOption { + type = types.bool; + default = false; + description = "Opens telnet console interface on localhost port 5582"; + }; + + # HTTP modules + bosh = mkOption { + type = types.bool; + default = false; + description = "Enable BOSH clients, aka 'Jabber over HTTP'"; + }; + + websocket = mkOption { + type = types.bool; + default = false; + description = "Enable WebSocket support"; + }; + + # Other specific functionality + limits = mkOption { + type = types.bool; + default = false; + description = "Enable bandwidth limiting for XMPP connections"; + }; + + groups = mkOption { + type = types.bool; + default = false; + description = "Shared roster 
support"; + }; + + server_contact_info = mkOption { + type = types.bool; + default = false; + description = "Publish contact information for this service"; + }; + + announce = mkOption { + type = types.bool; + default = false; + description = "Send announcement to all online users"; + }; + + welcome = mkOption { + type = types.bool; + default = false; + description = "Welcome users who register accounts"; + }; + + watchregistrations = mkOption { + type = types.bool; + default = false; + description = "Alert admins of registrations"; + }; + + motd = mkOption { + type = types.bool; + default = false; + description = "Send a message to users when they log in"; + }; + + legacyauth = mkOption { + type = types.bool; + default = false; + description = "Legacy authentication. Only used by some old clients and bots"; + }; + }; + + toLua = x: + if builtins.isString x then ''"${x}"'' + else if builtins.isBool x then boolToString x + else if builtins.isInt x then toString x + else if builtins.isList x then ''{ ${lib.concatStringsSep ", " (map (n: toLua n) x) } }'' + else throw "Invalid Lua value"; + + settingsToLua = prefix: settings: generators.toKeyValue { + listsAsDuplicateKeys = false; + mkKeyValue = k: + generators.mkKeyValueDefault { + mkValueString = toLua; + } " = " (prefix + k); + } + (filterAttrs (k: v: v != null) settings); + + createSSLOptsStr = o: '' + ssl = { + cafile = "/etc/ssl/certs/ca-bundle.crt"; + key = "${o.key}"; + certificate = "${o.cert}"; + ${concatStringsSep "\n" (mapAttrsToList (name: value: "${name} = ${toLua value};") o.extraOptions)} + }; + ''; + + mucOpts = { ... 
}: { + options = { + domain = mkOption { + type = types.str; + description = "Domain name of the MUC"; + }; + name = mkOption { + type = types.str; + description = "The name to return in service discovery responses for the MUC service itself"; + default = "Prosody Chatrooms"; + }; + restrictRoomCreation = mkOption { + type = types.enum [ true false "admin" "local" ]; + default = false; + description = "Restrict room creation to server admins"; + }; + maxHistoryMessages = mkOption { + type = types.int; + default = 20; + description = "Specifies a limit on what each room can be configured to keep"; + }; + roomLocking = mkOption { + type = types.bool; + default = true; + description = '' + Enables room locking, which means that a room must be + configured before it can be used. Locked rooms are invisible + and cannot be entered by anyone but the creator + ''; + }; + roomLockTimeout = mkOption { + type = types.int; + default = 300; + description = '' + Timout after which the room is destroyed or unlocked if not + configured, in seconds + ''; + }; + tombstones = mkOption { + type = types.bool; + default = true; + description = '' + When a room is destroyed, it leaves behind a tombstone which + prevents the room being entered or recreated. It also allows + anyone who was not in the room at the time it was destroyed + to learn about it, and to update their bookmarks. Tombstones + prevents the case where someone could recreate a previously + semi-anonymous room in order to learn the real JIDs of those + who often join there. + ''; + }; + tombstoneExpiry = mkOption { + type = types.int; + default = 2678400; + description = '' + This settings controls how long a tombstone is considered + valid. It defaults to 31 days. After this time, the room in + question can be created again. + ''; + }; + + vcard_muc = mkOption { + type = types.bool; + default = true; + description = "Adds the ability to set vCard for Multi User Chat rooms"; + }; + + # Extra parameters. 
Defaulting to prosody default values. + # Adding them explicitly to make them visible from the options + # documentation. + # + # See https://prosody.im/doc/modules/mod_muc for more details. + roomDefaultPublic = mkOption { + type = types.bool; + default = true; + description = "If set, the MUC rooms will be public by default."; + }; + roomDefaultMembersOnly = mkOption { + type = types.bool; + default = false; + description = "If set, the MUC rooms will only be accessible to the members by default."; + }; + roomDefaultModerated = mkOption { + type = types.bool; + default = false; + description = "If set, the MUC rooms will be moderated by default."; + }; + roomDefaultPublicJids = mkOption { + type = types.bool; + default = false; + description = "If set, the MUC rooms will display the public JIDs by default."; + }; + roomDefaultChangeSubject = mkOption { + type = types.bool; + default = false; + description = "If set, the rooms will display the public JIDs by default."; + }; + roomDefaultHistoryLength = mkOption { + type = types.int; + default = 20; + description = "Number of history message sent to participants by default."; + }; + roomDefaultLanguage = mkOption { + type = types.str; + default = "en"; + description = "Default room language."; + }; + extraConfig = mkOption { + type = types.lines; + default = ""; + description = "Additional MUC specific configuration"; + }; + }; + }; + + uploadHttpOpts = { ... }: { + options = { + domain = mkOption { + type = types.nullOr types.str; + description = "Domain name for the http-upload service"; + }; + uploadFileSizeLimit = mkOption { + type = types.str; + default = "50 * 1024 * 1024"; + description = "Maximum file size, in bytes. 
Defaults to 50MB."; + }; + uploadExpireAfter = mkOption { + type = types.str; + default = "60 * 60 * 24 * 7"; + description = "Max age of a file before it gets deleted, in seconds."; + }; + userQuota = mkOption { + type = types.nullOr types.int; + default = null; + example = 1234; + description = '' + Maximum size of all uploaded files per user, in bytes. There + will be no quota if this option is set to null. + ''; + }; + httpUploadPath = mkOption { + type = types.str; + description = '' + Directory where the uploaded files will be stored + when the http_upload module is used. + By default, uploaded files are put in a sub-directory of the + default Prosody storage path (usually /var/lib/prosody). + ''; + default = "/var/lib/prosody"; + }; + }; + }; + + httpFileShareOpts = { ... }: { + freeformType = with types; + let atom = oneOf [ int bool str (listOf atom) ]; in + attrsOf (nullOr atom); + options.domain = mkOption { + type = with types; nullOr str; + description = "Domain name for a http_file_share service."; + }; + }; + + vHostOpts = { ... }: { + + options = { + + # TODO: require attribute + domain = mkOption { + type = types.str; + description = "Domain name"; + }; + + enabled = mkOption { + type = types.bool; + default = false; + description = "Whether to enable the virtual host"; + }; + + ssl = mkOption { + type = types.nullOr (types.submodule sslOpts); + default = null; + description = "Paths to SSL files"; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = "Additional virtual host specific configuration"; + }; + + }; + + }; + +in + +{ + + ###### interface + + options = { + + services.prosody = { + + enable = mkOption { + type = types.bool; + default = false; + description = "Whether to enable the prosody server"; + }; + + xmppComplianceSuite = mkOption { + type = types.bool; + default = true; + description = '' + The XEP-0423 defines a set of recommended XEPs to implement + for a server. 
It's generally a good idea to implement this + set of extensions if you want to provide your users with a + good XMPP experience. + + This NixOS module aims to provide a "advanced server" + experience as per defined in the XEP-0423[1] specification. + + Setting this option to true will prevent you from building a + NixOS configuration which won't comply with this standard. + You can explicitely decide to ignore this standard if you + know what you are doing by setting this option to false. + + [1] https://xmpp.org/extensions/xep-0423.html + ''; + }; + + package = mkOption { + type = types.package; + description = "Prosody package to use"; + default = pkgs.prosody; + defaultText = literalExpression "pkgs.prosody"; + example = literalExpression '' + pkgs.prosody.override { + withExtraLibs = [ pkgs.luaPackages.lpty ]; + withCommunityModules = [ "auth_external" ]; + }; + ''; + }; + + dataDir = mkOption { + type = types.path; + description = "Directory where Prosody stores its data"; + default = "/var/lib/prosody"; + }; + + disco_items = mkOption { + type = types.listOf (types.submodule discoOpts); + default = []; + description = "List of discoverable items you want to advertise."; + }; + + user = mkOption { + type = types.str; + default = "prosody"; + description = "User account under which prosody runs."; + }; + + group = mkOption { + type = types.str; + default = "prosody"; + description = "Group account under which prosody runs."; + }; + + allowRegistration = mkOption { + type = types.bool; + default = false; + description = "Allow account creation"; + }; + + # HTTP server-related options + httpPorts = mkOption { + type = types.listOf types.int; + description = "Listening HTTP ports list for this service."; + default = [ 5280 ]; + }; + + httpInterfaces = mkOption { + type = types.listOf types.str; + default = [ "*" "::" ]; + description = "Interfaces on which the HTTP server will listen on."; + }; + + httpsPorts = mkOption { + type = types.listOf types.int; + 
description = "Listening HTTPS ports list for this service."; + default = [ 5281 ]; + }; + + httpsInterfaces = mkOption { + type = types.listOf types.str; + default = [ "*" "::" ]; + description = "Interfaces on which the HTTPS server will listen on."; + }; + + c2sRequireEncryption = mkOption { + type = types.bool; + default = true; + description = '' + Force clients to use encrypted connections? This option will + prevent clients from authenticating unless they are using encryption. + ''; + }; + + s2sRequireEncryption = mkOption { + type = types.bool; + default = true; + description = '' + Force servers to use encrypted connections? This option will + prevent servers from authenticating unless they are using encryption. + Note that this is different from authentication. + ''; + }; + + s2sSecureAuth = mkOption { + type = types.bool; + default = false; + description = '' + Force certificate authentication for server-to-server connections? + This provides ideal security, but requires servers you communicate + with to support encryption AND present valid, trusted certificates. + For more information see https://prosody.im/doc/s2s#security + ''; + }; + + s2sInsecureDomains = mkOption { + type = types.listOf types.str; + default = []; + example = [ "insecure.example.com" ]; + description = '' + Some servers have invalid or self-signed certificates. You can list + remote domains here that will not be required to authenticate using + certificates. They will be authenticated using DNS instead, even + when s2s_secure_auth is enabled. + ''; + }; + + s2sSecureDomains = mkOption { + type = types.listOf types.str; + default = []; + example = [ "jabber.org" ]; + description = '' + Even if you leave s2s_secure_auth disabled, you can still require valid + certificates for some domains by specifying a list here. 
+ ''; + }; + + + modules = moduleOpts; + + extraModules = mkOption { + type = types.listOf types.str; + default = []; + description = "Enable custom modules"; + }; + + extraPluginPaths = mkOption { + type = types.listOf types.path; + default = []; + description = "Addtional path in which to look find plugins/modules"; + }; + + uploadHttp = mkOption { + description = '' + Configures the old Prosody builtin HTTP server to handle user uploads. + ''; + type = types.nullOr (types.submodule uploadHttpOpts); + default = null; + example = { + domain = "uploads.my-xmpp-example-host.org"; + }; + }; + + httpFileShare = mkOption { + description = '' + Configures the http_file_share module to handle user uploads. + ''; + type = types.nullOr (types.submodule httpFileShareOpts); + default = null; + example = { + domain = "uploads.my-xmpp-example-host.org"; + }; + }; + + muc = mkOption { + type = types.listOf (types.submodule mucOpts); + default = [ ]; + example = [ { + domain = "conference.my-xmpp-example-host.org"; + } ]; + description = "Multi User Chat (MUC) configuration"; + }; + + virtualHosts = mkOption { + + description = "Define the virtual hosts"; + + type = with types; attrsOf (submodule vHostOpts); + + example = { + myhost = { + domain = "my-xmpp-example-host.org"; + enabled = true; + }; + }; + + default = { + localhost = { + domain = "localhost"; + enabled = true; + }; + }; + + }; + + ssl = mkOption { + type = types.nullOr (types.submodule sslOpts); + default = null; + description = "Paths to SSL files"; + }; + + admins = mkOption { + type = types.listOf types.str; + default = []; + example = [ "admin1@example.com" "admin2@example.com" ]; + description = "List of administrators of the current host"; + }; + + authentication = mkOption { + type = types.enum [ "internal_plain" "internal_hashed" "cyrus" "anonymous" ]; + default = "internal_hashed"; + example = "internal_plain"; + description = "Authentication mechanism used for logins."; + }; + + extraConfig = mkOption { 
+ type = types.lines; + default = ""; + description = "Additional prosody configuration"; + }; + + }; + }; + + + ###### implementation + + config = mkIf cfg.enable { + + assertions = let + genericErrMsg = '' + + Having a server not XEP-0423-compliant might make your XMPP + experience terrible. See the NixOS manual for further + informations. + + If you know what you're doing, you can disable this warning by + setting config.services.prosody.xmppComplianceSuite to false. + ''; + errors = [ + { assertion = (builtins.length cfg.muc > 0) || !cfg.xmppComplianceSuite; + message = '' + You need to setup at least a MUC domain to comply with + XEP-0423. + '' + genericErrMsg;} + { assertion = cfg.uploadHttp != null || cfg.httpFileShare != null || !cfg.xmppComplianceSuite; + message = '' + You need to setup the http_upload or http_file_share modules through + config.services.prosody.uploadHttp + or config.services.prosody.httpFileShare + to comply with XEP-0423. + '' + genericErrMsg;} + ]; + in errors; + + environment.systemPackages = [ cfg.package ]; + + environment.etc."prosody/prosody.cfg.lua".text = + let + httpDiscoItems = + optional (cfg.uploadHttp != null) + { url = cfg.uploadHttp.domain; description = "HTTP upload endpoint";} ++ + optional (cfg.httpFileShare != null) + { url = cfg.httpFileShare.domain; description = "HTTP file share endpoint";}; + mucDiscoItems = builtins.foldl' + (acc: muc: [{ url = muc.domain; description = "${muc.domain} MUC endpoint";}] ++ acc) + [] + cfg.muc; + discoItems = cfg.disco_items ++ httpDiscoItems ++ mucDiscoItems; + in '' + + pidfile = "/run/prosody/prosody.pid" + + log = "*syslog" + + data_path = "${cfg.dataDir}" + plugin_paths = { + ${lib.concatStringsSep ", " (map (n: "\"${n}\"") cfg.extraPluginPaths) } + } + + ${ optionalString (cfg.ssl != null) (createSSLOptsStr cfg.ssl) } + + admins = ${toLua cfg.admins} + + -- we already build with libevent, so we can just enable it for a more performant server + use_libevent = true + + 
modules_enabled = { + + ${ lib.concatStringsSep "\n " (lib.mapAttrsToList + (name: val: optionalString val "${toLua name};") + cfg.modules) } + ${ lib.concatStringsSep "\n" (map (x: "${toLua x};") cfg.package.communityModules)} + ${ lib.concatStringsSep "\n" (map (x: "${toLua x};") cfg.extraModules)} + }; + + disco_items = { + ${ lib.concatStringsSep "\n" (builtins.map (x: ''{ "${x.url}", "${x.description}"};'') discoItems)} + }; + + allow_registration = ${toLua cfg.allowRegistration} + + c2s_require_encryption = ${toLua cfg.c2sRequireEncryption} + + s2s_require_encryption = ${toLua cfg.s2sRequireEncryption} + + s2s_secure_auth = ${toLua cfg.s2sSecureAuth} + + s2s_insecure_domains = ${toLua cfg.s2sInsecureDomains} + + s2s_secure_domains = ${toLua cfg.s2sSecureDomains} + + authentication = ${toLua cfg.authentication} + + http_interfaces = ${toLua cfg.httpInterfaces} + + https_interfaces = ${toLua cfg.httpsInterfaces} + + http_ports = ${toLua cfg.httpPorts} + + https_ports = ${toLua cfg.httpsPorts} + + ${ cfg.extraConfig } + + ${lib.concatMapStrings (muc: '' + Component ${toLua muc.domain} "muc" + modules_enabled = { "muc_mam"; ${optionalString muc.vcard_muc ''"vcard_muc";'' } } + name = ${toLua muc.name} + restrict_room_creation = ${toLua muc.restrictRoomCreation} + max_history_messages = ${toLua muc.maxHistoryMessages} + muc_room_locking = ${toLua muc.roomLocking} + muc_room_lock_timeout = ${toLua muc.roomLockTimeout} + muc_tombstones = ${toLua muc.tombstones} + muc_tombstone_expiry = ${toLua muc.tombstoneExpiry} + muc_room_default_public = ${toLua muc.roomDefaultPublic} + muc_room_default_members_only = ${toLua muc.roomDefaultMembersOnly} + muc_room_default_moderated = ${toLua muc.roomDefaultModerated} + muc_room_default_public_jids = ${toLua muc.roomDefaultPublicJids} + muc_room_default_change_subject = ${toLua muc.roomDefaultChangeSubject} + muc_room_default_history_length = ${toLua muc.roomDefaultHistoryLength} + muc_room_default_language = ${toLua 
muc.roomDefaultLanguage} + ${ muc.extraConfig } + '') cfg.muc} + + ${ lib.optionalString (cfg.uploadHttp != null) '' + Component ${toLua cfg.uploadHttp.domain} "http_upload" + http_upload_file_size_limit = ${cfg.uploadHttp.uploadFileSizeLimit} + http_upload_expire_after = ${cfg.uploadHttp.uploadExpireAfter} + ${lib.optionalString (cfg.uploadHttp.userQuota != null) "http_upload_quota = ${toLua cfg.uploadHttp.userQuota}"} + http_upload_path = ${toLua cfg.uploadHttp.httpUploadPath} + ''} + + ${ lib.optionalString (cfg.httpFileShare != null) '' + Component ${toLua cfg.httpFileShare.domain} "http_file_share" + ${settingsToLua " http_file_share_" (cfg.httpFileShare // { domain = null; })} + ''} + + ${ lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: '' + VirtualHost "${v.domain}" + enabled = ${boolToString v.enabled}; + ${ optionalString (v.ssl != null) (createSSLOptsStr v.ssl) } + ${ v.extraConfig } + '') cfg.virtualHosts) } + ''; + + users.users.prosody = mkIf (cfg.user == "prosody") { + uid = config.ids.uids.prosody; + description = "Prosody user"; + createHome = true; + inherit (cfg) group; + home = "${cfg.dataDir}"; + }; + + users.groups.prosody = mkIf (cfg.group == "prosody") { + gid = config.ids.gids.prosody; + }; + + systemd.services.prosody = { + description = "Prosody XMPP server"; + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + restartTriggers = [ config.environment.etc."prosody/prosody.cfg.lua".source ]; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + Type = "forking"; + RuntimeDirectory = [ "prosody" ]; + PIDFile = "/run/prosody/prosody.pid"; + ExecStart = "${cfg.package}/bin/prosodyctl start"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + + MemoryDenyWriteExecute = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateTmp = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelModules = true; + 
ProtectKernelTunables = true; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + }; + }; + + }; + meta.doc = ./prosody.xml; +} -- 2.47.0 From 7a56eed99e42a30acecbf61537b4166c1c59a85d Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Thu, 5 May 2022 23:05:41 +0200 Subject: [PATCH 13/16] nixos: move profile builder --- flake.lock | 8 ++++---- hosts/losurdo.nix | 3 +-- nixos/defaults.nix | 2 +- nixos/profiles/systems/builder.nix | 33 ------------------------------ 4 files changed, 6 insertions(+), 40 deletions(-) delete mode 100644 nixos/profiles/systems/builder.nix diff --git a/flake.lock b/flake.lock index 025557b..ee4a711 100644 --- a/flake.lock +++ b/flake.lock @@ -195,11 +195,11 @@ ] }, "locked": { - "lastModified": 1650231401, - "narHash": "sha256-I69JoSaTxQqDn78andUGwObM0xuQoA0NzXIwukdum3Q=", + "lastModified": 1651784645, + "narHash": "sha256-vaDZnj8FeqCvVq1YoGhH+QgsHiY7XFFdQ2XmM93j0jM=", "ref": "main", - "rev": "5916c378e9bef85adccc08a803dab072a8bb69ea", - "revCount": 437, + "rev": "2fc753ae8a3b893114b34396a2adf67e125a6501", + "revCount": 446, "type": "git", "url": "file:///home/julm/work/sourcephile/nix/julm-nix" }, diff --git a/hosts/losurdo.nix b/hosts/losurdo.nix index e4b6a55..b4e696a 100644 --- a/hosts/losurdo.nix +++ b/hosts/losurdo.nix @@ -12,7 +12,6 @@ pkgs = import nixpkgsPath { import ../nixpkgs/overlays.nix ++ import (inputs.julm-nix + "/nixpkgs/overlays.nix"); }; -#config.allowUnfree = true; modules = [ { config._module.args = { @@ -20,7 +19,7 @@ modules = [ }; } ../nixos/defaults.nix - ../nixos/profiles/systems/builder.nix + (inputs.julm-nix + "/nixos/profiles/builder.nix") ../nixos/profiles/systems/debug.nix losurdo/acme.nix losurdo/apc.nix diff --git a/nixos/defaults.nix b/nixos/defaults.nix index bfa23fe..db52e5b 100644 --- a/nixos/defaults.nix +++ b/nixos/defaults.nix 
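Review bot: `environment.etc."prosody/prosody.cfg.lua".text` renders the entire configuration — `cfg.extraConfig`, every virtual host's `extraConfig`, the `httpFileShare` attribute set and the `key`/`certificate` paths — into a Nix store file, which is world-readable, and nothing in the module keeps secrets (component secrets, TURN shared secrets) out of that file. Either say so in the option descriptions (e.g. on `extraConfig`: "Rendered into the Nix store and therefore world-readable; do not place secrets here") or add an option that emits a Prosody `Include` of a root-owned file outside the store. Separately, `httpFileShareOpts.options.domain` and `uploadHttpOpts.options.domain` are `nullOr str`, yet `Component ${toLua cfg.httpFileShare.domain}` and the `"${x.url}"` interpolation in `discoItems` cannot take null (`toLua` throws "Invalid Lua value" for anything that is not a string, bool, int or list), so the type should be `types.str` or the generation should skip a null domain. The unit's `serviceConfig` also has neither `NoNewPrivileges` nor `ProtectSystem`; if `cfg.dataDir` and `httpUploadPath` are Prosody's only writable paths, `NoNewPrivileges = true; ProtectSystem = "strict"; ReadWritePaths = [ cfg.dataDir ];` would fit, but confirm the write set before adding it.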
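Review bot: The builder profile is now imported from `inputs.julm-nix`, and the flake.lock hunk in the same patch pins that input to `file:///home/julm/work/sourcephile/nix/julm-nix` (rev 2fc753ae…), i.e. a checkout on one workstation. Any evaluation elsewhere — another host, CI, or this host after the directory moves — cannot fetch the input, and the lock entry's narHash is the only integrity anchor for code that presumably sets the same nix daemon options the deleted `builder.nix` did. Point the input at the public git remote, or at least document the upstream URL next to the import: `(inputs.julm-nix + "/nixos/profiles/builder.nix") # from <remote URL>`. The `modules` list starts before and ends after this hunk.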
@@ -19,7 +19,7 @@ nix = { gc.dates = lib.mkDefault "weekly"; gc.options = lib.mkDefault "--delete-older-than 30d"; # Setting NIX_PATH is useless now that flake.nix are used. - nixPath = lib.mkForce []; + nixPath = []; }; environment.variables.NIXPKGS_CONFIG = lib.mkForce ""; diff --git a/nixos/profiles/systems/builder.nix b/nixos/profiles/systems/builder.nix deleted file mode 100644 index 8862a1b..0000000 --- a/nixos/profiles/systems/builder.nix +++ /dev/null @@ -1,33 +0,0 @@ -{ inputs, pkgs, lib, config, ... }: -{ -nix.extraOptions = '' - experimental-features = nix-command flakes -''; -#nix.registry.self.flake = inputs.self; -# Pin the rev to the revision of the public Nixpkgs that the system was built from. -# This is the version which will be locked by flakes using flake:nixpkgs -nix.registry.nixpkgs = { - from = { id = "nixpkgs"; type = "indirect"; }; - to = { - owner = "NixOS"; - repo = "nixpkgs"; - rev = inputs.nixpkgs.rev; - type = "github"; - }; -}; -/* -# WARNING: this is a hack to avoid copying Nixpkgs -# a second time into the Nix store. -# It makes only sense when Nixpkgs is already in the Nix store, -# and is registered. -environment.etc."nixpkgs".source = pkgs.path; -environment.etc."nixpkgs-overlays".source = - pkgs.writeTextDir "overlays.nix" '' - import ${inputs.self + "/nixpkgs/overlays.nix"} ++ - import ${inputs.julm-nix + "/nixpkgs/overlays.nix"} - ''; -nix.nixPath = [ - "nixpkgs=/etc/nixpkgs:nixpkgs-overlays=/etc/nixpkgs-overlays/overlays.nix" -]; -*/ -} -- 2.47.0 From 34c30d495e44fc38b6a9960fda8dae5de5180167 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Thu, 19 May 2022 11:23:28 +0200 Subject: [PATCH 14/16] sourcehut: update --- flake.nix | 2 +- nixpkgs/patches/sourcehut.diff | 2884 ++++++++++++++++++++++++++++++++ 2 files changed, 2885 insertions(+), 1 deletion(-) create mode 100644 nixpkgs/patches/sourcehut.diff diff --git a/flake.nix b/flake.nix index 79b3a78..ff01b04 100644 --- a/flake.nix +++ b/flake.nix 
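Review bot: Replacing `nixPath = lib.mkForce [];` with `nixPath = [];` changes the semantics: `nix.nixPath` is a list option, so a plain `[]` merges with whatever other modules contribute, while `mkForce` guaranteed the result stayed empty. If the comment above ("Setting NIX_PATH is useless now that flake.nix are used") still reflects the intent, keep `lib.mkForce`; if the intent is to let the new julm-nix builder profile populate it, drop the line entirely rather than leave a no-op `[]` that reads as an enforcement. The `nix = {` attribute set starts before and ends after this hunk.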
@@ -29,7 +29,7 @@ inputs.pass.flake = false; outputs = inputs: let remoteNixpkgsPatches = import nixpkgs/patches.nix; localNixpkgsPatches = [ - #nixpkgs/patches/sourcehut.diff + nixpkgs/patches/sourcehut.diff #nixpkgs/patches/bitmask.diff #nixpkgs/patches/systemd-coredump.diff ]; diff --git a/nixpkgs/patches/sourcehut.diff b/nixpkgs/patches/sourcehut.diff new file mode 100644 index 0000000..4e38456 --- /dev/null +++ b/nixpkgs/patches/sourcehut.diff 
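Review bot: Enabling `nixpkgs/patches/sourcehut.diff` layers a ~2900-line patch onto the pinned nixpkgs (the hunk below shows it deleting `services/misc/sourcehut/builds.nix`, among other changes), but nothing records which upstream PR or commit the patch tracks, so there is no way to tell when it can be dropped or whether it has drifted from what was merged. Add that next to the entry, e.g. `nixpkgs/patches/sourcehut.diff # tracks nixpkgs PR <number>; drop once the pinned nixpkgs contains it`. The `localNixpkgsPatches` list starts before and ends after this hunk.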
@@ -0,0 +1,2884 @@ +diff --git a/nixos/modules/services/misc/sourcehut/builds.nix b/nixos/modules/services/misc/sourcehut/builds.nix +deleted file mode 100644 +index 685a132d350..00000000000 +--- a/nixos/modules/services/misc/sourcehut/builds.nix ++++ /dev/null +@@ -1,236 +0,0 @@ +-{ config, lib, options, pkgs, ... }: +- +-with lib; +-let +- cfg = config.services.sourcehut; +- opt = options.services.sourcehut; +- scfg = cfg.builds; +- rcfg = config.services.redis; +- iniKey = "builds.sr.ht"; +- +- drv = pkgs.sourcehut.buildsrht; +-in +-{ +- options.services.sourcehut.builds = { +- user = mkOption { +- type = types.str; +- default = "buildsrht"; +- description = '' +- User for builds.sr.ht. +- ''; +- }; +- +- port = mkOption { +- type = types.port; +- default = 5002; +- description = '' +- Port on which the "builds" module should listen. +- ''; +- }; +- +- database = mkOption { +- type = types.str; +- default = "builds.sr.ht"; +- description = '' +- PostgreSQL database name for builds.sr.ht. +- ''; +- }; +- +- statePath = mkOption { +- type = types.path; +- default = "${cfg.statePath}/buildsrht"; +- defaultText = literalExpression ''"''${config.${opt.statePath}}/buildsrht"''; +- description = '' +- State path for builds.sr.ht. +- ''; +- }; +- +- enableWorker = mkOption { +- type = types.bool; +- default = false; +- description = '' +- Run workers for builds.sr.ht. +- ''; +- }; +- +- images = mkOption { +- type = types.attrsOf (types.attrsOf (types.attrsOf types.package)); +- default = { }; +- example = lib.literalExpression ''(let +- # Pinning unstable to allow usage with flakes and limit rebuilds. 
+- pkgs_unstable = builtins.fetchGit { +- url = "https://github.com/NixOS/nixpkgs"; +- rev = "ff96a0fa5635770390b184ae74debea75c3fd534"; +- ref = "nixos-unstable"; +- }; +- image_from_nixpkgs = pkgs_unstable: (import ("''${pkgs.sourcehut.buildsrht}/lib/images/nixos/image.nix") { +- pkgs = (import pkgs_unstable {}); +- }); +- in +- { +- nixos.unstable.x86_64 = image_from_nixpkgs pkgs_unstable; +- } +- )''; +- description = '' +- Images for builds.sr.ht. Each package should be distro.release.arch and point to a /nix/store/package/root.img.qcow2. +- ''; +- }; +- +- }; +- +- config = with scfg; let +- image_dirs = lib.lists.flatten ( +- lib.attrsets.mapAttrsToList +- (distro: revs: +- lib.attrsets.mapAttrsToList +- (rev: archs: +- lib.attrsets.mapAttrsToList +- (arch: image: +- pkgs.runCommand "buildsrht-images" { } '' +- mkdir -p $out/${distro}/${rev}/${arch} +- ln -s ${image}/*.qcow2 $out/${distro}/${rev}/${arch}/root.img.qcow2 +- '') +- archs) +- revs) +- scfg.images); +- image_dir_pre = pkgs.symlinkJoin { +- name = "builds.sr.ht-worker-images-pre"; +- paths = image_dirs ++ [ +- "${pkgs.sourcehut.buildsrht}/lib/images" +- ]; +- }; +- image_dir = pkgs.runCommand "builds.sr.ht-worker-images" { } '' +- mkdir -p $out/images +- cp -Lr ${image_dir_pre}/* $out/images +- ''; +- in +- lib.mkIf (cfg.enable && elem "builds" cfg.services) { +- users = { +- users = { +- "${user}" = { +- isSystemUser = true; +- group = user; +- extraGroups = lib.optionals cfg.builds.enableWorker [ "docker" ]; +- description = "builds.sr.ht user"; +- }; +- }; +- +- groups = { +- "${user}" = { }; +- }; +- }; +- +- services.postgresql = { +- authentication = '' +- local ${database} ${user} trust +- ''; +- ensureDatabases = [ database ]; +- ensureUsers = [ +- { +- name = user; +- ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; }; +- } +- ]; +- }; +- +- systemd = { +- tmpfiles.rules = [ +- "d ${statePath} 0755 ${user} ${user} -" +- ] ++ (lib.optionals cfg.builds.enableWorker +- [ 
"d ${statePath}/logs 0775 ${user} ${user} - -" ] +- ); +- +- services = { +- buildsrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey +- { +- after = [ "postgresql.service" "network.target" ]; +- requires = [ "postgresql.service" ]; +- wantedBy = [ "multi-user.target" ]; +- +- description = "builds.sr.ht website service"; +- +- serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}"; +- +- # Hack to bypass this hack: https://git.sr.ht/~sircmpwn/core.sr.ht/tree/master/item/srht-update-profiles#L6 +- } // { preStart = " "; }; +- +- buildsrht-worker = { +- enable = scfg.enableWorker; +- after = [ "postgresql.service" "network.target" ]; +- requires = [ "postgresql.service" ]; +- wantedBy = [ "multi-user.target" ]; +- partOf = [ "buildsrht.service" ]; +- description = "builds.sr.ht worker service"; +- path = [ pkgs.openssh pkgs.docker ]; +- preStart = let qemuPackage = pkgs.qemu_kvm; +- in '' +- if [[ "$(docker images -q qemu:latest 2> /dev/null)" == "" || "$(cat ${statePath}/docker-image-qemu 2> /dev/null || true)" != "${qemuPackage.version}" ]]; then +- # Create and import qemu:latest image for docker +- ${ +- pkgs.dockerTools.streamLayeredImage { +- name = "qemu"; +- tag = "latest"; +- contents = [ qemuPackage ]; +- } +- } | docker load +- # Mark down current package version +- printf "%s" "${qemuPackage.version}" > ${statePath}/docker-image-qemu +- fi +- ''; +- serviceConfig = { +- Type = "simple"; +- User = user; +- Group = "nginx"; +- Restart = "always"; +- }; +- serviceConfig.ExecStart = "${pkgs.sourcehut.buildsrht}/bin/builds.sr.ht-worker"; +- }; +- }; +- }; +- +- services.sourcehut.settings = { +- # URL builds.sr.ht is being served at (protocol://domain) +- "builds.sr.ht".origin = mkDefault "http://builds.${cfg.originBase}"; +- # Address and port to bind the debug server to +- "builds.sr.ht".debug-host = mkDefault "0.0.0.0"; +- "builds.sr.ht".debug-port = mkDefault port; +- # 
Configures the SQLAlchemy connection string for the database. +- "builds.sr.ht".connection-string = mkDefault "postgresql:///${database}?user=${user}&host=/var/run/postgresql"; +- # Set to "yes" to automatically run migrations on package upgrade. +- "builds.sr.ht".migrate-on-upgrade = mkDefault "yes"; +- # builds.sr.ht's OAuth client ID and secret for meta.sr.ht +- # Register your client at meta.example.org/oauth +- "builds.sr.ht".oauth-client-id = mkDefault null; +- "builds.sr.ht".oauth-client-secret = mkDefault null; +- # The redis connection used for the celery worker +- "builds.sr.ht".redis = mkDefault "redis://${rcfg.bind}:${toString rcfg.port}/3"; +- # The shell used for ssh +- "builds.sr.ht".shell = mkDefault "runner-shell"; +- # Register the builds.sr.ht dispatcher +- "git.sr.ht::dispatch".${builtins.unsafeDiscardStringContext "${pkgs.sourcehut.buildsrht}/bin/buildsrht-keys"} = mkDefault "${user}:${user}"; +- +- # Location for build logs, images, and control command +- } // lib.attrsets.optionalAttrs scfg.enableWorker { +- # Default worker stores logs that are accessible via this address:port +- "builds.sr.ht::worker".name = mkDefault "127.0.0.1:5020"; +- "builds.sr.ht::worker".buildlogs = mkDefault "${scfg.statePath}/logs"; +- "builds.sr.ht::worker".images = mkDefault "${image_dir}/images"; +- "builds.sr.ht::worker".controlcmd = mkDefault "${image_dir}/images/control"; +- "builds.sr.ht::worker".timeout = mkDefault "3m"; +- }; +- +- services.nginx.virtualHosts."logs.${cfg.originBase}" = +- if scfg.enableWorker then { +- listen = with builtins; let address = split ":" cfg.settings."builds.sr.ht::worker".name; +- in [{ addr = elemAt address 0; port = lib.toInt (elemAt address 2); }]; +- locations."/logs".root = "${scfg.statePath}"; +- } else { }; +- +- services.nginx.virtualHosts."builds.${cfg.originBase}" = { +- forceSSL = true; +- locations."/".proxyPass = "http://${cfg.address}:${toString port}"; +- locations."/query".proxyPass = 
"http://${cfg.address}:${toString (port + 100)}"; +- locations."/static".root = "${pkgs.sourcehut.buildsrht}/${pkgs.sourcehut.python.sitePackages}/buildsrht"; +- }; +- }; +-} +diff --git a/nixos/modules/services/misc/sourcehut/default.nix b/nixos/modules/services/misc/sourcehut/default.nix +index 5a6d011a729..f5e4742d902 100644 +--- a/nixos/modules/services/misc/sourcehut/default.nix ++++ b/nixos/modules/services/misc/sourcehut/default.nix +@@ -83,7 +83,7 @@ let + python = pkgs.sourcehut.python.withPackages (ps: with ps; [ + gunicorn + eventlet +- # For monitoring Celery: sudo -u listssrht celery --app listssrht.process -b redis+socket:///run/redis-sourcehut/redis.sock?virtual_host=5 flower ++ # For monitoring Celery: sudo -u listssrht celery --app listssrht.process -b redis+socket:///run/redis-sourcehut/redis.sock?virtual_host=1 flower + flower + # Sourcehut services + srht +@@ -905,6 +905,11 @@ in + inherit configIniOfService; + srvsrht = "buildsrht"; + port = 5002; ++ extraServices.buildsrht-api = { ++ serviceConfig.Restart = "always"; ++ serviceConfig.RestartSec = "2s"; ++ serviceConfig.ExecStart = "${pkgs.sourcehut.buildsrht}/bin/buildsrht-api -b ${cfg.listenAddress}:${toString (cfg.builds.port + 100)}"; ++ }; + # TODO: a celery worker on the master and worker are apparently needed + extraServices.buildsrht-worker = let + qemuPackage = pkgs.qemu_kvm; +@@ -928,13 +933,13 @@ in + fi + ''; + serviceConfig = { +- ExecStart = "${pkgs.sourcehut.buildsrht}/bin/builds.sr.ht-worker"; ++ ExecStart = "${pkgs.sourcehut.buildsrht}/bin/buildsrht-worker"; + BindPaths = [ cfg.settings."builds.sr.ht::worker".buildlogs ]; + LogsDirectory = [ "sourcehut/${serviceName}" ]; + RuntimeDirectory = [ "sourcehut/${serviceName}/subdir" ]; + StateDirectory = [ "sourcehut/${serviceName}" ]; + TimeoutStartSec = "1800s"; +- # builds.sr.ht-worker looks up ../config.ini ++ # buildsrht-worker looks up ../config.ini + WorkingDirectory = "-"+"/run/sourcehut/${serviceName}/subdir"; + }; + }; +@@ 
-952,12 +957,12 @@ in + ) cfg.builds.images + ); + image_dir_pre = pkgs.symlinkJoin { +- name = "builds.sr.ht-worker-images-pre"; ++ name = "buildsrht-worker-images-pre"; + paths = image_dirs; + # FIXME: not working, apparently because ubuntu/latest is a broken link + # ++ [ "${pkgs.sourcehut.buildsrht}/lib/images" ]; + }; +- image_dir = pkgs.runCommand "builds.sr.ht-worker-images" { } '' ++ image_dir = pkgs.runCommand "buildsrht-worker-images" { } '' + mkdir -p $out/images + cp -Lr ${image_dir_pre}/* $out/images + ''; +@@ -1081,6 +1086,11 @@ in + }; + }) + ]; ++ extraServices.gitsrht-api = { ++ serviceConfig.Restart = "always"; ++ serviceConfig.RestartSec = "2s"; ++ serviceConfig.ExecStart = "${pkgs.sourcehut.gitsrht}/bin/gitsrht-api -b ${cfg.listenAddress}:${toString (cfg.git.port + 100)}"; ++ }; + extraServices.gitsrht-fcgiwrap = mkIf cfg.nginx.enable { + serviceConfig = { + # Socket is passed by gitsrht-fcgiwrap.socket +@@ -1124,6 +1134,11 @@ in + timerConfig.OnCalendar = ["daily"]; + timerConfig.AccuracySec = "1h"; + }; ++ extraServices.hgsrht-api = { ++ serviceConfig.Restart = "always"; ++ serviceConfig.RestartSec = "2s"; ++ serviceConfig.ExecStart = "${pkgs.sourcehut.hgsrht}/bin/hgsrht-api -b ${cfg.listenAddress}:${toString (cfg.hg.port + 100)}"; ++ }; + extraConfig = mkMerge [ + { + users.users.${cfg.hg.user}.shell = pkgs.bash; +@@ -1184,6 +1199,11 @@ in + inherit configIniOfService; + port = 5006; + webhooks = true; ++ extraServices.listssrht-api = { ++ serviceConfig.Restart = "always"; ++ serviceConfig.RestartSec = "2s"; ++ serviceConfig.ExecStart = "${pkgs.sourcehut.listssrht}/bin/listssrht-api -b ${cfg.listenAddress}:${toString (cfg.lists.port + 100)}"; ++ }; + # Receive the mail from Postfix and enqueue them into Redis and PostgreSQL + extraServices.listssrht-lmtp = { + wants = [ "postfix.service" ]; +@@ -1232,6 +1252,10 @@ in + inherit configIniOfService; + port = 5000; + webhooks = true; ++ extraTimers.metasrht-daily.timerConfig = { ++ OnCalendar = 
["daily"]; ++ AccuracySec = "1h"; ++ }; + extraServices.metasrht-api = { + serviceConfig.Restart = "always"; + serviceConfig.RestartSec = "2s"; +@@ -1248,10 +1272,6 @@ in + ) cfg.settings)); + serviceConfig.ExecStart = "${pkgs.sourcehut.metasrht}/bin/metasrht-api -b ${cfg.listenAddress}:${toString (cfg.meta.port + 100)}"; + }; +- extraTimers.metasrht-daily.timerConfig = { +- OnCalendar = ["daily"]; +- AccuracySec = "1h"; +- }; + extraConfig = mkMerge [ + { + assertions = [ +@@ -1348,6 +1368,11 @@ in + inherit configIniOfService; + port = 5003; + webhooks = true; ++ extraServices.todosrht-api = { ++ serviceConfig.Restart = "always"; ++ serviceConfig.RestartSec = "2s"; ++ serviceConfig.ExecStart = "${pkgs.sourcehut.todosrht}/bin/todosrht-api -b ${cfg.listenAddress}:${toString (cfg.todo.port + 100)}"; ++ }; + extraServices.todosrht-lmtp = { + wants = [ "postfix.service" ]; + unitConfig.JoinsNamespaceOf = optional cfg.postfix.enable "postfix.service"; +diff --git a/nixos/modules/services/misc/sourcehut/dispatch.nix b/nixos/modules/services/misc/sourcehut/dispatch.nix +deleted file mode 100644 +index 292a51d3e1c..00000000000 +--- a/nixos/modules/services/misc/sourcehut/dispatch.nix ++++ /dev/null +@@ -1,127 +0,0 @@ +-{ config, lib, options, pkgs, ... }: +- +-with lib; +-let +- cfg = config.services.sourcehut; +- opt = options.services.sourcehut; +- cfgIni = cfg.settings; +- scfg = cfg.dispatch; +- iniKey = "dispatch.sr.ht"; +- +- drv = pkgs.sourcehut.dispatchsrht; +-in +-{ +- options.services.sourcehut.dispatch = { +- user = mkOption { +- type = types.str; +- default = "dispatchsrht"; +- description = '' +- User for dispatch.sr.ht. +- ''; +- }; +- +- port = mkOption { +- type = types.port; +- default = 5005; +- description = '' +- Port on which the "dispatch" module should listen. +- ''; +- }; +- +- database = mkOption { +- type = types.str; +- default = "dispatch.sr.ht"; +- description = '' +- PostgreSQL database name for dispatch.sr.ht. 
+- ''; +- }; +- +- statePath = mkOption { +- type = types.path; +- default = "${cfg.statePath}/dispatchsrht"; +- defaultText = literalExpression ''"''${config.${opt.statePath}}/dispatchsrht"''; +- description = '' +- State path for dispatch.sr.ht. +- ''; +- }; +- }; +- +- config = with scfg; lib.mkIf (cfg.enable && elem "dispatch" cfg.services) { +- +- users = { +- users = { +- "${user}" = { +- isSystemUser = true; +- group = user; +- description = "dispatch.sr.ht user"; +- }; +- }; +- +- groups = { +- "${user}" = { }; +- }; +- }; +- +- services.postgresql = { +- authentication = '' +- local ${database} ${user} trust +- ''; +- ensureDatabases = [ database ]; +- ensureUsers = [ +- { +- name = user; +- ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; }; +- } +- ]; +- }; +- +- systemd = { +- tmpfiles.rules = [ +- "d ${statePath} 0750 ${user} ${user} -" +- ]; +- +- services.dispatchsrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey { +- after = [ "postgresql.service" "network.target" ]; +- requires = [ "postgresql.service" ]; +- wantedBy = [ "multi-user.target" ]; +- +- description = "dispatch.sr.ht website service"; +- +- serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}"; +- }; +- }; +- +- services.sourcehut.settings = { +- # URL dispatch.sr.ht is being served at (protocol://domain) +- "dispatch.sr.ht".origin = mkDefault "http://dispatch.${cfg.originBase}"; +- # Address and port to bind the debug server to +- "dispatch.sr.ht".debug-host = mkDefault "0.0.0.0"; +- "dispatch.sr.ht".debug-port = mkDefault port; +- # Configures the SQLAlchemy connection string for the database. +- "dispatch.sr.ht".connection-string = mkDefault "postgresql:///${database}?user=${user}&host=/var/run/postgresql"; +- # Set to "yes" to automatically run migrations on package upgrade. 
+- "dispatch.sr.ht".migrate-on-upgrade = mkDefault "yes"; +- # dispatch.sr.ht's OAuth client ID and secret for meta.sr.ht +- # Register your client at meta.example.org/oauth +- "dispatch.sr.ht".oauth-client-id = mkDefault null; +- "dispatch.sr.ht".oauth-client-secret = mkDefault null; +- +- # Github Integration +- "dispatch.sr.ht::github".oauth-client-id = mkDefault null; +- "dispatch.sr.ht::github".oauth-client-secret = mkDefault null; +- +- # Gitlab Integration +- "dispatch.sr.ht::gitlab".enabled = mkDefault null; +- "dispatch.sr.ht::gitlab".canonical-upstream = mkDefault "gitlab.com"; +- "dispatch.sr.ht::gitlab".repo-cache = mkDefault "./repo-cache"; +- # "dispatch.sr.ht::gitlab"."gitlab.com" = mkDefault "GitLab:application id:secret"; +- }; +- +- services.nginx.virtualHosts."dispatch.${cfg.originBase}" = { +- forceSSL = true; +- locations."/".proxyPass = "http://${cfg.address}:${toString port}"; +- locations."/query".proxyPass = "http://${cfg.address}:${toString (port + 100)}"; +- locations."/static".root = "${pkgs.sourcehut.dispatchsrht}/${pkgs.sourcehut.python.sitePackages}/dispatchsrht"; +- }; +- }; +-} +diff --git a/nixos/modules/services/misc/sourcehut/git.nix b/nixos/modules/services/misc/sourcehut/git.nix +deleted file mode 100644 +index ff110905d18..00000000000 +--- a/nixos/modules/services/misc/sourcehut/git.nix ++++ /dev/null +@@ -1,217 +0,0 @@ +-{ config, lib, options, pkgs, ... }: +- +-with lib; +-let +- cfg = config.services.sourcehut; +- opt = options.services.sourcehut; +- scfg = cfg.git; +- iniKey = "git.sr.ht"; +- +- rcfg = config.services.redis; +- drv = pkgs.sourcehut.gitsrht; +-in +-{ +- options.services.sourcehut.git = { +- user = mkOption { +- type = types.str; +- visible = false; +- internal = true; +- readOnly = true; +- default = "git"; +- description = '' +- User for git.sr.ht. +- ''; +- }; +- +- port = mkOption { +- type = types.port; +- default = 5001; +- description = '' +- Port on which the "git" module should listen. 
+- ''; +- }; +- +- database = mkOption { +- type = types.str; +- default = "git.sr.ht"; +- description = '' +- PostgreSQL database name for git.sr.ht. +- ''; +- }; +- +- statePath = mkOption { +- type = types.path; +- default = "${cfg.statePath}/gitsrht"; +- defaultText = literalExpression ''"''${config.${opt.statePath}}/gitsrht"''; +- description = '' +- State path for git.sr.ht. +- ''; +- }; +- +- package = mkOption { +- type = types.package; +- default = pkgs.git; +- defaultText = literalExpression "pkgs.git"; +- example = literalExpression "pkgs.gitFull"; +- description = '' +- Git package for git.sr.ht. This can help silence collisions. +- ''; +- }; +- }; +- +- config = with scfg; lib.mkIf (cfg.enable && elem "git" cfg.services) { +- # sshd refuses to run with `Unsafe AuthorizedKeysCommand ... bad ownership or modes for directory /nix/store` +- environment.etc."ssh/gitsrht-dispatch" = { +- mode = "0755"; +- text = '' +- #! ${pkgs.stdenv.shell} +- ${cfg.python}/bin/gitsrht-dispatch "$@" +- ''; +- }; +- +- # Needs this in the $PATH when sshing into the server +- environment.systemPackages = [ cfg.git.package ]; +- +- users = { +- users = { +- "${user}" = { +- isSystemUser = true; +- group = user; +- # https://stackoverflow.com/questions/22314298/git-push-results-in-fatal-protocol-error-bad-line-length-character-this +- # Probably could use gitsrht-shell if output is restricted to just parameters... 
+- shell = pkgs.bash; +- description = "git.sr.ht user"; +- }; +- }; +- +- groups = { +- "${user}" = { }; +- }; +- }; +- +- services = { +- cron.systemCronJobs = [ "*/20 * * * * ${cfg.python}/bin/gitsrht-periodic" ]; +- fcgiwrap.enable = true; +- +- openssh.authorizedKeysCommand = ''/etc/ssh/gitsrht-dispatch "%u" "%h" "%t" "%k"''; +- openssh.authorizedKeysCommandUser = "root"; +- openssh.extraConfig = '' +- PermitUserEnvironment SRHT_* +- ''; +- +- postgresql = { +- authentication = '' +- local ${database} ${user} trust +- ''; +- ensureDatabases = [ database ]; +- ensureUsers = [ +- { +- name = user; +- ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; }; +- } +- ]; +- }; +- }; +- +- systemd = { +- tmpfiles.rules = [ +- # /var/log is owned by root +- "f /var/log/git-srht-shell 0644 ${user} ${user} -" +- +- "d ${statePath} 0750 ${user} ${user} -" +- "d ${cfg.settings."${iniKey}".repos} 2755 ${user} ${user} -" +- ]; +- +- services = { +- gitsrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey { +- after = [ "redis.service" "postgresql.service" "network.target" ]; +- requires = [ "redis.service" "postgresql.service" ]; +- wantedBy = [ "multi-user.target" ]; +- +- # Needs internally to create repos at the very least +- path = [ pkgs.git ]; +- description = "git.sr.ht website service"; +- +- serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}"; +- }; +- +- gitsrht-webhooks = { +- after = [ "postgresql.service" "network.target" ]; +- requires = [ "postgresql.service" ]; +- wantedBy = [ "multi-user.target" ]; +- +- description = "git.sr.ht webhooks service"; +- serviceConfig = { +- Type = "simple"; +- User = user; +- Restart = "always"; +- }; +- +- serviceConfig.ExecStart = "${cfg.python}/bin/celery -A ${drv.pname}.webhooks worker --loglevel=info"; +- }; +- }; +- }; +- +- services.sourcehut.settings = { +- # URL git.sr.ht is being served at (protocol://domain) +- 
"git.sr.ht".origin = mkDefault "http://git.${cfg.originBase}"; +- # Address and port to bind the debug server to +- "git.sr.ht".debug-host = mkDefault "0.0.0.0"; +- "git.sr.ht".debug-port = mkDefault port; +- # Configures the SQLAlchemy connection string for the database. +- "git.sr.ht".connection-string = mkDefault "postgresql:///${database}?user=${user}&host=/var/run/postgresql"; +- # Set to "yes" to automatically run migrations on package upgrade. +- "git.sr.ht".migrate-on-upgrade = mkDefault "yes"; +- # The redis connection used for the webhooks worker +- "git.sr.ht".webhooks = mkDefault "redis://${rcfg.bind}:${toString rcfg.port}/1"; +- +- # A post-update script which is installed in every git repo. +- "git.sr.ht".post-update-script = mkDefault "${pkgs.sourcehut.gitsrht}/bin/gitsrht-update-hook"; +- +- # git.sr.ht's OAuth client ID and secret for meta.sr.ht +- # Register your client at meta.example.org/oauth +- "git.sr.ht".oauth-client-id = mkDefault null; +- "git.sr.ht".oauth-client-secret = mkDefault null; +- # Path to git repositories on disk +- "git.sr.ht".repos = mkDefault "/var/lib/git"; +- +- "git.sr.ht".outgoing-domain = mkDefault "http://git.${cfg.originBase}"; +- +- # The authorized keys hook uses this to dispatch to various handlers +- # The format is a program to exec into as the key, and the user to match as the +- # value. When someone tries to log in as this user, this program is executed +- # and is expected to omit an AuthorizedKeys file. +- # +- # Discard of the string context is in order to allow derivation-derived strings. +- # This is safe if the relevant package is installed which will be the case if the setting is utilized. 
+- "git.sr.ht::dispatch".${builtins.unsafeDiscardStringContext "${pkgs.sourcehut.gitsrht}/bin/gitsrht-keys"} = mkDefault "${user}:${user}"; +- }; +- +- services.nginx.virtualHosts."git.${cfg.originBase}" = { +- forceSSL = true; +- locations."/".proxyPass = "http://${cfg.address}:${toString port}"; +- locations."/query".proxyPass = "http://${cfg.address}:${toString (port + 100)}"; +- locations."/static".root = "${pkgs.sourcehut.gitsrht}/${pkgs.sourcehut.python.sitePackages}/gitsrht"; +- extraConfig = '' +- location = /authorize { +- proxy_pass http://${cfg.address}:${toString port}; +- proxy_pass_request_body off; +- proxy_set_header Content-Length ""; +- proxy_set_header X-Original-URI $request_uri; +- } +- location ~ ^/([^/]+)/([^/]+)/(HEAD|info/refs|objects/info/.*|git-upload-pack).*$ { +- auth_request /authorize; +- root /var/lib/git; +- fastcgi_pass unix:/run/fcgiwrap.sock; +- fastcgi_param SCRIPT_FILENAME ${pkgs.git}/bin/git-http-backend; +- fastcgi_param PATH_INFO $uri; +- fastcgi_param GIT_PROJECT_ROOT $document_root; +- fastcgi_read_timeout 500s; +- include ${config.services.nginx.package}/conf/fastcgi_params; +- gzip off; +- } +- ''; +- +- }; +- }; +-} +diff --git a/nixos/modules/services/misc/sourcehut/hg.nix b/nixos/modules/services/misc/sourcehut/hg.nix +deleted file mode 100644 +index 6ba1df8b6dd..00000000000 +--- a/nixos/modules/services/misc/sourcehut/hg.nix ++++ /dev/null +@@ -1,175 +0,0 @@ +-{ config, lib, options, pkgs, ... }: +- +-with lib; +-let +- cfg = config.services.sourcehut; +- opt = options.services.sourcehut; +- scfg = cfg.hg; +- iniKey = "hg.sr.ht"; +- +- rcfg = config.services.redis; +- drv = pkgs.sourcehut.hgsrht; +-in +-{ +- options.services.sourcehut.hg = { +- user = mkOption { +- type = types.str; +- internal = true; +- readOnly = true; +- default = "hg"; +- description = '' +- User for hg.sr.ht. 
+- ''; +- }; +- +- port = mkOption { +- type = types.port; +- default = 5010; +- description = '' +- Port on which the "hg" module should listen. +- ''; +- }; +- +- database = mkOption { +- type = types.str; +- default = "hg.sr.ht"; +- description = '' +- PostgreSQL database name for hg.sr.ht. +- ''; +- }; +- +- statePath = mkOption { +- type = types.path; +- default = "${cfg.statePath}/hgsrht"; +- defaultText = literalExpression ''"''${config.${opt.statePath}}/hgsrht"''; +- description = '' +- State path for hg.sr.ht. +- ''; +- }; +- +- cloneBundles = mkOption { +- type = types.bool; +- default = false; +- description = '' +- Generate clonebundles (which require more disk space but dramatically speed up cloning large repositories). +- ''; +- }; +- }; +- +- config = with scfg; lib.mkIf (cfg.enable && elem "hg" cfg.services) { +- # In case it ever comes into being +- environment.etc."ssh/hgsrht-dispatch" = { +- mode = "0755"; +- text = '' +- #! ${pkgs.stdenv.shell} +- ${cfg.python}/bin/gitsrht-dispatch $@ +- ''; +- }; +- +- environment.systemPackages = [ pkgs.mercurial ]; +- +- users = { +- users = { +- "${user}" = { +- isSystemUser = true; +- group = user; +- # Assuming hg.sr.ht needs this too +- shell = pkgs.bash; +- description = "hg.sr.ht user"; +- }; +- }; +- +- groups = { +- "${user}" = { }; +- }; +- }; +- +- services = { +- cron.systemCronJobs = [ "*/20 * * * * ${cfg.python}/bin/hgsrht-periodic" ] +- ++ optional cloneBundles "0 * * * * ${cfg.python}/bin/hgsrht-clonebundles"; +- +- openssh.authorizedKeysCommand = ''/etc/ssh/hgsrht-dispatch "%u" "%h" "%t" "%k"''; +- openssh.authorizedKeysCommandUser = "root"; +- openssh.extraConfig = '' +- PermitUserEnvironment SRHT_* +- ''; +- +- postgresql = { +- authentication = '' +- local ${database} ${user} trust +- ''; +- ensureDatabases = [ database ]; +- ensureUsers = [ +- { +- name = user; +- ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; }; +- } +- ]; +- }; +- }; +- +- systemd = { +- 
tmpfiles.rules = [ +- # /var/log is owned by root +- "f /var/log/hg-srht-shell 0644 ${user} ${user} -" +- +- "d ${statePath} 0750 ${user} ${user} -" +- "d ${cfg.settings."${iniKey}".repos} 2755 ${user} ${user} -" +- ]; +- +- services.hgsrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey { +- after = [ "redis.service" "postgresql.service" "network.target" ]; +- requires = [ "redis.service" "postgresql.service" ]; +- wantedBy = [ "multi-user.target" ]; +- +- path = [ pkgs.mercurial ]; +- description = "hg.sr.ht website service"; +- +- serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}"; +- }; +- }; +- +- services.sourcehut.settings = { +- # URL hg.sr.ht is being served at (protocol://domain) +- "hg.sr.ht".origin = mkDefault "http://hg.${cfg.originBase}"; +- # Address and port to bind the debug server to +- "hg.sr.ht".debug-host = mkDefault "0.0.0.0"; +- "hg.sr.ht".debug-port = mkDefault port; +- # Configures the SQLAlchemy connection string for the database. +- "hg.sr.ht".connection-string = mkDefault "postgresql:///${database}?user=${user}&host=/var/run/postgresql"; +- # The redis connection used for the webhooks worker +- "hg.sr.ht".webhooks = mkDefault "redis://${rcfg.bind}:${toString rcfg.port}/1"; +- # A post-update script which is installed in every mercurial repo. +- "hg.sr.ht".changegroup-script = mkDefault "${cfg.python}/bin/hgsrht-hook-changegroup"; +- # hg.sr.ht's OAuth client ID and secret for meta.sr.ht +- # Register your client at meta.example.org/oauth +- "hg.sr.ht".oauth-client-id = mkDefault null; +- "hg.sr.ht".oauth-client-secret = mkDefault null; +- # Path to mercurial repositories on disk +- "hg.sr.ht".repos = mkDefault "/var/lib/hg"; +- # Path to the srht mercurial extension +- # (defaults to where the hgsrht code is) +- # "hg.sr.ht".srhtext = mkDefault null; +- # .hg/store size (in MB) past which the nightly job generates clone bundles. 
+- # "hg.sr.ht".clone_bundle_threshold = mkDefault 50; +- # Path to hg-ssh (if not in $PATH) +- # "hg.sr.ht".hg_ssh = mkDefault /path/to/hg-ssh; +- +- # The authorized keys hook uses this to dispatch to various handlers +- # The format is a program to exec into as the key, and the user to match as the +- # value. When someone tries to log in as this user, this program is executed +- # and is expected to omit an AuthorizedKeys file. +- # +- # Uncomment the relevant lines to enable the various sr.ht dispatchers. +- "hg.sr.ht::dispatch"."/run/current-system/sw/bin/hgsrht-keys" = mkDefault "${user}:${user}"; +- }; +- +- # TODO: requires testing and addition of hg-specific requirements +- services.nginx.virtualHosts."hg.${cfg.originBase}" = { +- forceSSL = true; +- locations."/".proxyPass = "http://${cfg.address}:${toString port}"; +- locations."/query".proxyPass = "http://${cfg.address}:${toString (port + 100)}"; +- locations."/static".root = "${pkgs.sourcehut.hgsrht}/${pkgs.sourcehut.python.sitePackages}/hgsrht"; +- }; +- }; +-} +diff --git a/nixos/modules/services/misc/sourcehut/hub.nix b/nixos/modules/services/misc/sourcehut/hub.nix +deleted file mode 100644 +index 7d137a76505..00000000000 +--- a/nixos/modules/services/misc/sourcehut/hub.nix ++++ /dev/null +@@ -1,120 +0,0 @@ +-{ config, lib, options, pkgs, ... }: +- +-with lib; +-let +- cfg = config.services.sourcehut; +- opt = options.services.sourcehut; +- cfgIni = cfg.settings; +- scfg = cfg.hub; +- iniKey = "hub.sr.ht"; +- +- drv = pkgs.sourcehut.hubsrht; +-in +-{ +- options.services.sourcehut.hub = { +- user = mkOption { +- type = types.str; +- default = "hubsrht"; +- description = '' +- User for hub.sr.ht. +- ''; +- }; +- +- port = mkOption { +- type = types.port; +- default = 5014; +- description = '' +- Port on which the "hub" module should listen. +- ''; +- }; +- +- database = mkOption { +- type = types.str; +- default = "hub.sr.ht"; +- description = '' +- PostgreSQL database name for hub.sr.ht. 
+- ''; +- }; +- +- statePath = mkOption { +- type = types.path; +- default = "${cfg.statePath}/hubsrht"; +- defaultText = literalExpression ''"''${config.${opt.statePath}}/hubsrht"''; +- description = '' +- State path for hub.sr.ht. +- ''; +- }; +- }; +- +- config = with scfg; lib.mkIf (cfg.enable && elem "hub" cfg.services) { +- users = { +- users = { +- "${user}" = { +- isSystemUser = true; +- group = user; +- description = "hub.sr.ht user"; +- }; +- }; +- +- groups = { +- "${user}" = { }; +- }; +- }; +- +- services.postgresql = { +- authentication = '' +- local ${database} ${user} trust +- ''; +- ensureDatabases = [ database ]; +- ensureUsers = [ +- { +- name = user; +- ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; }; +- } +- ]; +- }; +- +- systemd = { +- tmpfiles.rules = [ +- "d ${statePath} 0750 ${user} ${user} -" +- ]; +- +- services.hubsrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey { +- after = [ "postgresql.service" "network.target" ]; +- requires = [ "postgresql.service" ]; +- wantedBy = [ "multi-user.target" ]; +- +- description = "hub.sr.ht website service"; +- +- serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}"; +- }; +- }; +- +- services.sourcehut.settings = { +- # URL hub.sr.ht is being served at (protocol://domain) +- "hub.sr.ht".origin = mkDefault "http://hub.${cfg.originBase}"; +- # Address and port to bind the debug server to +- "hub.sr.ht".debug-host = mkDefault "0.0.0.0"; +- "hub.sr.ht".debug-port = mkDefault port; +- # Configures the SQLAlchemy connection string for the database. +- "hub.sr.ht".connection-string = mkDefault "postgresql:///${database}?user=${user}&host=/var/run/postgresql"; +- # Set to "yes" to automatically run migrations on package upgrade. 
+- "hub.sr.ht".migrate-on-upgrade = mkDefault "yes";
+- # hub.sr.ht's OAuth client ID and secret for meta.sr.ht
+- # Register your client at meta.example.org/oauth
+- "hub.sr.ht".oauth-client-id = mkDefault null;
+- "hub.sr.ht".oauth-client-secret = mkDefault null;
+- };
+-
+- services.nginx.virtualHosts."${cfg.originBase}" = {
+- forceSSL = true;
+- locations."/".proxyPass = "http://${cfg.address}:${toString port}";
+- locations."/query".proxyPass = "http://${cfg.address}:${toString (port + 100)}";
+- locations."/static".root = "${pkgs.sourcehut.hubsrht}/${pkgs.sourcehut.python.sitePackages}/hubsrht";
+- };
+- services.nginx.virtualHosts."hub.${cfg.originBase}" = {
+- globalRedirect = "${cfg.originBase}";
+- forceSSL = true;
+- };
+- };
+-}
+diff --git a/nixos/modules/services/misc/sourcehut/lists.nix b/nixos/modules/services/misc/sourcehut/lists.nix
+deleted file mode 100644
+index 76f155caa05..00000000000
+--- a/nixos/modules/services/misc/sourcehut/lists.nix
++++ /dev/null
+@@ -1,187 +0,0 @@
+-# Email setup is fairly involved, useful references:
+-# https://drewdevault.com/2018/08/05/Local-mail-server.html
+-
+-{ config, lib, options, pkgs, ... }:
+-
+-with lib;
+-let
+- cfg = config.services.sourcehut;
+- opt = options.services.sourcehut;
+- cfgIni = cfg.settings;
+- scfg = cfg.lists;
+- iniKey = "lists.sr.ht";
+-
+- rcfg = config.services.redis;
+- drv = pkgs.sourcehut.listssrht;
+-in
+-{
+- options.services.sourcehut.lists = {
+- user = mkOption {
+- type = types.str;
+- default = "listssrht";
+- description = ''
+- User for lists.sr.ht.
+- '';
+- };
+-
+- port = mkOption {
+- type = types.port;
+- default = 5006;
+- description = ''
+- Port on which the "lists" module should listen.
+- '';
+- };
+-
+- database = mkOption {
+- type = types.str;
+- default = "lists.sr.ht";
+- description = ''
+- PostgreSQL database name for lists.sr.ht.
+- '';
+- };
+-
+- statePath = mkOption {
+- type = types.path;
+- default = "${cfg.statePath}/listssrht";
+- defaultText = literalExpression ''"''${config.${opt.statePath}}/listssrht"'';
+- description = ''
+- State path for lists.sr.ht.
+- '';
+- };
+- };
+-
+- config = with scfg; lib.mkIf (cfg.enable && elem "lists" cfg.services) {
+- users = {
+- users = {
+- "${user}" = {
+- isSystemUser = true;
+- group = user;
+- extraGroups = [ "postfix" ];
+- description = "lists.sr.ht user";
+- };
+- };
+- groups = {
+- "${user}" = { };
+- };
+- };
+-
+- services.postgresql = {
+- authentication = ''
+- local ${database} ${user} trust
+- '';
+- ensureDatabases = [ database ];
+- ensureUsers = [
+- {
+- name = user;
+- ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; };
+- }
+- ];
+- };
+-
+- systemd = {
+- tmpfiles.rules = [
+- "d ${statePath} 0750 ${user} ${user} -"
+- ];
+-
+- services = {
+- listssrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey {
+- after = [ "postgresql.service" "network.target" ];
+- requires = [ "postgresql.service" ];
+- wantedBy = [ "multi-user.target" ];
+-
+- description = "lists.sr.ht website service";
+-
+- serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}";
+- };
+-
+- listssrht-process = {
+- after = [ "postgresql.service" "network.target" ];
+- requires = [ "postgresql.service" ];
+- wantedBy = [ "multi-user.target" ];
+-
+- description = "lists.sr.ht process service";
+- serviceConfig = {
+- Type = "simple";
+- User = user;
+- Restart = "always";
+- ExecStart = "${cfg.python}/bin/celery -A ${drv.pname}.process worker --loglevel=info";
+- };
+- };
+-
+- listssrht-lmtp = {
+- after = [ "postgresql.service" "network.target" ];
+- requires = [ "postgresql.service" ];
+- wantedBy = [ "multi-user.target" ];
+-
+- description = "lists.sr.ht process service";
+- serviceConfig = {
+- Type = "simple";
+- User = user;
+- Restart = "always";
+- 
ExecStart = "${cfg.python}/bin/listssrht-lmtp";
+- };
+- };
+-
+-
+- listssrht-webhooks = {
+- after = [ "postgresql.service" "network.target" ];
+- requires = [ "postgresql.service" ];
+- wantedBy = [ "multi-user.target" ];
+-
+- description = "lists.sr.ht webhooks service";
+- serviceConfig = {
+- Type = "simple";
+- User = user;
+- Restart = "always";
+- ExecStart = "${cfg.python}/bin/celery -A ${drv.pname}.webhooks worker --loglevel=info";
+- };
+- };
+- };
+- };
+-
+- services.sourcehut.settings = {
+- # URL lists.sr.ht is being served at (protocol://domain)
+- "lists.sr.ht".origin = mkDefault "http://lists.${cfg.originBase}";
+- # Address and port to bind the debug server to
+- "lists.sr.ht".debug-host = mkDefault "0.0.0.0";
+- "lists.sr.ht".debug-port = mkDefault port;
+- # Configures the SQLAlchemy connection string for the database.
+- "lists.sr.ht".connection-string = mkDefault "postgresql:///${database}?user=${user}&host=/var/run/postgresql";
+- # Set to "yes" to automatically run migrations on package upgrade.
+- "lists.sr.ht".migrate-on-upgrade = mkDefault "yes";
+- # lists.sr.ht's OAuth client ID and secret for meta.sr.ht
+- # Register your client at meta.example.org/oauth
+- "lists.sr.ht".oauth-client-id = mkDefault null;
+- "lists.sr.ht".oauth-client-secret = mkDefault null;
+- # Outgoing email for notifications generated by users
+- "lists.sr.ht".notify-from = mkDefault "CHANGEME@example.org";
+- # The redis connection used for the webhooks worker
+- "lists.sr.ht".webhooks = mkDefault "redis://${rcfg.bind}:${toString rcfg.port}/2";
+- # The redis connection used for the celery worker
+- "lists.sr.ht".redis = mkDefault "redis://${rcfg.bind}:${toString rcfg.port}/4";
+- # Network-key
+- "lists.sr.ht".network-key = mkDefault null;
+- # Allow creation
+- "lists.sr.ht".allow-new-lists = mkDefault "no";
+- # Posting Domain
+- "lists.sr.ht".posting-domain = mkDefault "lists.${cfg.originBase}";
+-
+- # Path for the lmtp daemon's unix socket. 
Direct incoming mail to this socket.
+- # Alternatively, specify IP:PORT and an SMTP server will be run instead.
+- "lists.sr.ht::worker".sock = mkDefault "/tmp/lists.sr.ht-lmtp.sock";
+- # The lmtp daemon will make the unix socket group-read/write for users in this
+- # group.
+- "lists.sr.ht::worker".sock-group = mkDefault "postfix";
+- "lists.sr.ht::worker".reject-url = mkDefault "https://man.sr.ht/lists.sr.ht/etiquette.md";
+- "lists.sr.ht::worker".reject-mimetypes = mkDefault "text/html";
+-
+- };
+-
+- services.nginx.virtualHosts."lists.${cfg.originBase}" = {
+- forceSSL = true;
+- locations."/".proxyPass = "http://${cfg.address}:${toString port}";
+- locations."/query".proxyPass = "http://${cfg.address}:${toString (port + 100)}";
+- locations."/static".root = "${pkgs.sourcehut.listssrht}/${pkgs.sourcehut.python.sitePackages}/listssrht";
+- };
+- };
+-}
+diff --git a/nixos/modules/services/misc/sourcehut/man.nix b/nixos/modules/services/misc/sourcehut/man.nix
+deleted file mode 100644
+index 8ca271c32ee..00000000000
+--- a/nixos/modules/services/misc/sourcehut/man.nix
++++ /dev/null
+@@ -1,124 +0,0 @@
+-{ config, lib, options, pkgs, ... }:
+-
+-with lib;
+-let
+- cfg = config.services.sourcehut;
+- opt = options.services.sourcehut;
+- cfgIni = cfg.settings;
+- scfg = cfg.man;
+- iniKey = "man.sr.ht";
+-
+- drv = pkgs.sourcehut.mansrht;
+-in
+-{
+- options.services.sourcehut.man = {
+- user = mkOption {
+- type = types.str;
+- default = "mansrht";
+- description = ''
+- User for man.sr.ht.
+- '';
+- };
+-
+- port = mkOption {
+- type = types.port;
+- default = 5004;
+- description = ''
+- Port on which the "man" module should listen.
+- '';
+- };
+-
+- database = mkOption {
+- type = types.str;
+- default = "man.sr.ht";
+- description = ''
+- PostgreSQL database name for man.sr.ht.
+- '';
+- };
+-
+- statePath = mkOption {
+- type = types.path;
+- default = "${cfg.statePath}/mansrht";
+- defaultText = literalExpression ''"''${config.${opt.statePath}}/mansrht"'';
+- description = ''
+- State path for man.sr.ht.
+- '';
+- };
+- };
+-
+- config = with scfg; lib.mkIf (cfg.enable && elem "man" cfg.services) {
+- assertions =
+- [
+- {
+- assertion = hasAttrByPath [ "git.sr.ht" "oauth-client-id" ] cfgIni;
+- message = "man.sr.ht needs access to git.sr.ht.";
+- }
+- ];
+-
+- users = {
+- users = {
+- "${user}" = {
+- isSystemUser = true;
+- group = user;
+- description = "man.sr.ht user";
+- };
+- };
+-
+- groups = {
+- "${user}" = { };
+- };
+- };
+-
+- services.postgresql = {
+- authentication = ''
+- local ${database} ${user} trust
+- '';
+- ensureDatabases = [ database ];
+- ensureUsers = [
+- {
+- name = user;
+- ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; };
+- }
+- ];
+- };
+-
+- systemd = {
+- tmpfiles.rules = [
+- "d ${statePath} 0750 ${user} ${user} -"
+- ];
+-
+- services.mansrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey {
+- after = [ "postgresql.service" "network.target" ];
+- requires = [ "postgresql.service" ];
+- wantedBy = [ "multi-user.target" ];
+-
+- description = "man.sr.ht website service";
+-
+- serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}";
+- };
+- };
+-
+- services.sourcehut.settings = {
+- # URL man.sr.ht is being served at (protocol://domain)
+- "man.sr.ht".origin = mkDefault "http://man.${cfg.originBase}";
+- # Address and port to bind the debug server to
+- "man.sr.ht".debug-host = mkDefault "0.0.0.0";
+- "man.sr.ht".debug-port = mkDefault port;
+- # Configures the SQLAlchemy connection string for the database.
+- "man.sr.ht".connection-string = mkDefault "postgresql:///${database}?user=${user}&host=/var/run/postgresql";
+- # Set to "yes" to automatically run migrations on package upgrade.
+- "man.sr.ht".migrate-on-upgrade = mkDefault "yes";
+- # man.sr.ht's OAuth client ID and secret for meta.sr.ht
+- # Register your client at meta.example.org/oauth
+- "man.sr.ht".oauth-client-id = mkDefault null;
+- "man.sr.ht".oauth-client-secret = mkDefault null;
+- };
+-
+- services.nginx.virtualHosts."man.${cfg.originBase}" = {
+- forceSSL = true;
+- locations."/".proxyPass = "http://${cfg.address}:${toString port}";
+- locations."/query".proxyPass = "http://${cfg.address}:${toString (port + 100)}";
+- locations."/static".root = "${pkgs.sourcehut.mansrht}/${pkgs.sourcehut.python.sitePackages}/mansrht";
+- };
+- };
+-}
+diff --git a/nixos/modules/services/misc/sourcehut/meta.nix b/nixos/modules/services/misc/sourcehut/meta.nix
+deleted file mode 100644
+index 33e4f2332b5..00000000000
+--- a/nixos/modules/services/misc/sourcehut/meta.nix
++++ /dev/null
+@@ -1,213 +0,0 @@
+-{ config, lib, options, pkgs, ... }:
+-
+-with lib;
+-let
+- cfg = config.services.sourcehut;
+- opt = options.services.sourcehut;
+- cfgIni = cfg.settings;
+- scfg = cfg.meta;
+- iniKey = "meta.sr.ht";
+-
+- rcfg = config.services.redis;
+- drv = pkgs.sourcehut.metasrht;
+-in
+-{
+- options.services.sourcehut.meta = {
+- user = mkOption {
+- type = types.str;
+- default = "metasrht";
+- description = ''
+- User for meta.sr.ht.
+- '';
+- };
+-
+- port = mkOption {
+- type = types.port;
+- default = 5000;
+- description = ''
+- Port on which the "meta" module should listen.
+- '';
+- };
+-
+- database = mkOption {
+- type = types.str;
+- default = "meta.sr.ht";
+- description = ''
+- PostgreSQL database name for meta.sr.ht.
+- '';
+- };
+-
+- statePath = mkOption {
+- type = types.path;
+- default = "${cfg.statePath}/metasrht";
+- defaultText = literalExpression ''"''${config.${opt.statePath}}/metasrht"'';
+- description = ''
+- State path for meta.sr.ht.
+- '';
+- };
+- };
+-
+- config = with scfg; lib.mkIf (cfg.enable && elem "meta" cfg.services) {
+- assertions =
+- [
+- {
+- assertion = with cfgIni."meta.sr.ht::billing"; enabled == "yes" -> (stripe-public-key != null && stripe-secret-key != null);
+- message = "If meta.sr.ht::billing is enabled, the keys should be defined.";
+- }
+- ];
+-
+- users = {
+- users = {
+- ${user} = {
+- isSystemUser = true;
+- group = user;
+- description = "meta.sr.ht user";
+- };
+- };
+-
+- groups = {
+- "${user}" = { };
+- };
+- };
+-
+- services.cron.systemCronJobs = [ "0 0 * * * ${cfg.python}/bin/metasrht-daily" ];
+- services.postgresql = {
+- authentication = ''
+- local ${database} ${user} trust
+- '';
+- ensureDatabases = [ database ];
+- ensureUsers = [
+- {
+- name = user;
+- ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; };
+- }
+- ];
+- };
+-
+- systemd = {
+- tmpfiles.rules = [
+- "d ${statePath} 0750 ${user} ${user} -"
+- ];
+-
+- services = {
+- metasrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey {
+- after = [ "postgresql.service" "network.target" ];
+- requires = [ "postgresql.service" ];
+- wantedBy = [ "multi-user.target" ];
+-
+- description = "meta.sr.ht website service";
+-
+- preStart = ''
+- # Configure client(s) as "preauthorized"
+- ${concatMapStringsSep "\n\n"
+- (attr: ''
+- if ! 
test -e "${statePath}/${attr}.oauth" || [ "$(cat ${statePath}/${attr}.oauth)" != "${cfgIni."${attr}".oauth-client-id}" ]; then
+- # Configure ${attr}'s OAuth client as "preauthorized"
+- psql ${database} \
+- -c "UPDATE oauthclient SET preauthorized = true WHERE client_id = '${cfgIni."${attr}".oauth-client-id}'"
+-
+- printf "%s" "${cfgIni."${attr}".oauth-client-id}" > "${statePath}/${attr}.oauth"
+- fi
+- '')
+- (builtins.attrNames (filterAttrs
+- (k: v: !(hasInfix "::" k) && builtins.hasAttr "oauth-client-id" v && v.oauth-client-id != null)
+- cfg.settings))}
+- '';
+-
+- serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}";
+- };
+-
+- metasrht-api = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey {
+- after = [ "postgresql.service" "network.target" ];
+- requires = [ "postgresql.service" ];
+- wantedBy = [ "multi-user.target" ];
+-
+- description = "meta.sr.ht api service";
+-
+- preStart = ''
+- # Configure client(s) as "preauthorized"
+- ${concatMapStringsSep "\n\n"
+- (attr: ''
+- if ! 
test -e "${statePath}/${attr}.oauth" || [ "$(cat ${statePath}/${attr}.oauth)" != "${cfgIni."${attr}".oauth-client-id}" ]; then
+- # Configure ${attr}'s OAuth client as "preauthorized"
+- psql ${database} \
+- -c "UPDATE oauthclient SET preauthorized = true WHERE client_id = '${cfgIni."${attr}".oauth-client-id}'"
+-
+- printf "%s" "${cfgIni."${attr}".oauth-client-id}" > "${statePath}/${attr}.oauth"
+- fi
+- '')
+- (builtins.attrNames (filterAttrs
+- (k: v: !(hasInfix "::" k) && builtins.hasAttr "oauth-client-id" v && v.oauth-client-id != null)
+- cfg.settings))}
+- '';
+-
+- serviceConfig.ExecStart = "${pkgs.sourcehut.metasrht}/bin/metasrht-api -b :${toString (port + 100)}";
+- };
+-
+- metasrht-webhooks = {
+- after = [ "postgresql.service" "network.target" ];
+- requires = [ "postgresql.service" ];
+- wantedBy = [ "multi-user.target" ];
+-
+- description = "meta.sr.ht webhooks service";
+- serviceConfig = {
+- Type = "simple";
+- User = user;
+- Restart = "always";
+- ExecStart = "${cfg.python}/bin/celery -A ${drv.pname}.webhooks worker --loglevel=info";
+- };
+-
+- };
+- };
+- };
+-
+- services.sourcehut.settings = {
+- # URL meta.sr.ht is being served at (protocol://domain)
+- "meta.sr.ht".origin = mkDefault "https://meta.${cfg.originBase}";
+- # Address and port to bind the debug server to
+- "meta.sr.ht".debug-host = mkDefault "0.0.0.0";
+- "meta.sr.ht".debug-port = mkDefault port;
+- # Configures the SQLAlchemy connection string for the database.
+- "meta.sr.ht".connection-string = mkDefault "postgresql:///${database}?user=${user}&host=/var/run/postgresql";
+- # Set to "yes" to automatically run migrations on package upgrade.
+- "meta.sr.ht".migrate-on-upgrade = mkDefault "yes";
+- # If "yes", the user will be sent the stock sourcehut welcome emails after
+- # signup (requires cron to be configured properly). These are specific to the
+- # sr.ht instance so you probably want to patch these before enabling this.
+- "meta.sr.ht".welcome-emails = mkDefault "no";
+-
+- # The redis connection used for the webhooks worker
+- "meta.sr.ht".webhooks = mkDefault "redis://${rcfg.bind}:${toString rcfg.port}/6";
+-
+- # If "no", public registration will not be permitted.
+- "meta.sr.ht::settings".registration = mkDefault "no";
+- # Where to redirect new users upon registration
+- "meta.sr.ht::settings".onboarding-redirect = mkDefault "https://meta.${cfg.originBase}";
+- # How many invites each user is issued upon registration (only applicable if
+- # open registration is disabled)
+- "meta.sr.ht::settings".user-invites = mkDefault 5;
+-
+- # Origin URL for API, 100 more than web
+- "meta.sr.ht".api-origin = mkDefault "http://localhost:5100";
+-
+- # You can add aliases for the client IDs of commonly used OAuth clients here.
+- #
+- # Example:
+- "meta.sr.ht::aliases" = mkDefault { };
+- # "meta.sr.ht::aliases"."git.sr.ht" = 12345;
+-
+- # "yes" to enable the billing system
+- "meta.sr.ht::billing".enabled = mkDefault "no";
+- # Get your keys at https://dashboard.stripe.com/account/apikeys
+- "meta.sr.ht::billing".stripe-public-key = mkDefault null;
+- "meta.sr.ht::billing".stripe-secret-key = mkDefault null;
+- };
+-
+- services.nginx.virtualHosts."meta.${cfg.originBase}" = {
+- forceSSL = true;
+- locations."/".proxyPass = "http://${cfg.address}:${toString port}";
+- locations."/query".proxyPass = "http://${cfg.address}:${toString (port + 100)}";
+- locations."/static".root = "${pkgs.sourcehut.metasrht}/${pkgs.sourcehut.python.sitePackages}/metasrht";
+- };
+- };
+-}
+diff --git a/nixos/modules/services/misc/sourcehut/paste.nix b/nixos/modules/services/misc/sourcehut/paste.nix
+deleted file mode 100644
+index b481ebaf891..00000000000
+--- a/nixos/modules/services/misc/sourcehut/paste.nix
++++ /dev/null
+@@ -1,135 +0,0 @@
+-{ config, lib, options, pkgs, ... 
}:
+-
+-with lib;
+-let
+- cfg = config.services.sourcehut;
+- opt = options.services.sourcehut;
+- cfgIni = cfg.settings;
+- scfg = cfg.paste;
+- iniKey = "paste.sr.ht";
+-
+- rcfg = config.services.redis;
+- drv = pkgs.sourcehut.pastesrht;
+-in
+-{
+- options.services.sourcehut.paste = {
+- user = mkOption {
+- type = types.str;
+- default = "pastesrht";
+- description = ''
+- User for paste.sr.ht.
+- '';
+- };
+-
+- port = mkOption {
+- type = types.port;
+- default = 5011;
+- description = ''
+- Port on which the "paste" module should listen.
+- '';
+- };
+-
+- database = mkOption {
+- type = types.str;
+- default = "paste.sr.ht";
+- description = ''
+- PostgreSQL database name for paste.sr.ht.
+- '';
+- };
+-
+- statePath = mkOption {
+- type = types.path;
+- default = "${cfg.statePath}/pastesrht";
+- defaultText = literalExpression ''"''${config.${opt.statePath}}/pastesrht"'';
+- description = ''
+- State path for pastesrht.sr.ht.
+- '';
+- };
+- };
+-
+- config = with scfg; lib.mkIf (cfg.enable && elem "paste" cfg.services) {
+- users = {
+- users = {
+- "${user}" = {
+- isSystemUser = true;
+- group = user;
+- description = "paste.sr.ht user";
+- };
+- };
+-
+- groups = {
+- "${user}" = { };
+- };
+- };
+-
+- services.postgresql = {
+- authentication = ''
+- local ${database} ${user} trust
+- '';
+- ensureDatabases = [ database ];
+- ensureUsers = [
+- {
+- name = user;
+- ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; };
+- }
+- ];
+- };
+-
+- systemd = {
+- tmpfiles.rules = [
+- "d ${statePath} 0750 ${user} ${user} -"
+- ];
+-
+- services = {
+- pastesrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey {
+- after = [ "postgresql.service" "network.target" ];
+- requires = [ "postgresql.service" ];
+- wantedBy = [ "multi-user.target" ];
+-
+- description = "paste.sr.ht website service";
+-
+- serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}";
+- };
+-
+- 
pastesrht-webhooks = {
+- after = [ "postgresql.service" "network.target" ];
+- requires = [ "postgresql.service" ];
+- wantedBy = [ "multi-user.target" ];
+-
+- description = "paste.sr.ht webhooks service";
+- serviceConfig = {
+- Type = "simple";
+- User = user;
+- Restart = "always";
+- ExecStart = "${cfg.python}/bin/celery -A ${drv.pname}.webhooks worker --loglevel=info";
+- };
+-
+- };
+- };
+- };
+-
+- services.sourcehut.settings = {
+- # URL paste.sr.ht is being served at (protocol://domain)
+- "paste.sr.ht".origin = mkDefault "http://paste.${cfg.originBase}";
+- # Address and port to bind the debug server to
+- "paste.sr.ht".debug-host = mkDefault "0.0.0.0";
+- "paste.sr.ht".debug-port = mkDefault port;
+- # Configures the SQLAlchemy connection string for the database.
+- "paste.sr.ht".connection-string = mkDefault "postgresql:///${database}?user=${user}&host=/var/run/postgresql";
+- # Set to "yes" to automatically run migrations on package upgrade.
+- "paste.sr.ht".migrate-on-upgrade = mkDefault "yes";
+- # paste.sr.ht's OAuth client ID and secret for meta.sr.ht
+- # Register your client at meta.example.org/oauth
+- "paste.sr.ht".oauth-client-id = mkDefault null;
+- "paste.sr.ht".oauth-client-secret = mkDefault null;
+- "paste.sr.ht".webhooks = mkDefault "redis://${rcfg.bind}:${toString rcfg.port}/5";
+- };
+-
+- services.nginx.virtualHosts."paste.${cfg.originBase}" = {
+- forceSSL = true;
+- locations."/".proxyPass = "http://${cfg.address}:${toString port}";
+- locations."/query".proxyPass = "http://${cfg.address}:${toString (port + 100)}";
+- locations."/static".root = "${pkgs.sourcehut.pastesrht}/${pkgs.sourcehut.python.sitePackages}/pastesrht";
+- };
+- };
+-}
+diff --git a/nixos/modules/services/misc/sourcehut/service.nix b/nixos/modules/services/misc/sourcehut/service.nix
+index f1706ad0a6a..4ecc7a72669 100644
+--- a/nixos/modules/services/misc/sourcehut/service.nix
++++ b/nixos/modules/services/misc/sourcehut/service.nix
+@@ -148,7 +148,7 @@ in
+ 
redis = {
+ host = mkOption {
+ type = types.str;
+- default = "unix:/run/redis-sourcehut-${srvsrht}/redis.sock?db=0";
++ default = "unix:///run/redis-sourcehut-${srvsrht}/redis.sock?db=0";
+ example = "redis://shared.wireguard:6379/0";
+ description = ''
+ The redis host URL. This is used for caching and temporary storage, and must
+diff --git a/nixos/modules/services/misc/sourcehut/todo.nix b/nixos/modules/services/misc/sourcehut/todo.nix
+deleted file mode 100644
+index 262fa48f59d..00000000000
+--- a/nixos/modules/services/misc/sourcehut/todo.nix
++++ /dev/null
+@@ -1,163 +0,0 @@
+-{ config, lib, options, pkgs, ... }:
+-
+-with lib;
+-let
+- cfg = config.services.sourcehut;
+- opt = options.services.sourcehut;
+- cfgIni = cfg.settings;
+- scfg = cfg.todo;
+- iniKey = "todo.sr.ht";
+-
+- rcfg = config.services.redis;
+- drv = pkgs.sourcehut.todosrht;
+-in
+-{
+- options.services.sourcehut.todo = {
+- user = mkOption {
+- type = types.str;
+- default = "todosrht";
+- description = ''
+- User for todo.sr.ht.
+- '';
+- };
+-
+- port = mkOption {
+- type = types.port;
+- default = 5003;
+- description = ''
+- Port on which the "todo" module should listen.
+- '';
+- };
+-
+- database = mkOption {
+- type = types.str;
+- default = "todo.sr.ht";
+- description = ''
+- PostgreSQL database name for todo.sr.ht.
+- '';
+- };
+-
+- statePath = mkOption {
+- type = types.path;
+- default = "${cfg.statePath}/todosrht";
+- defaultText = literalExpression ''"''${config.${opt.statePath}}/todosrht"'';
+- description = ''
+- State path for todo.sr.ht.
+- '';
+- };
+- };
+-
+- config = with scfg; lib.mkIf (cfg.enable && elem "todo" cfg.services) {
+- users = {
+- users = {
+- "${user}" = {
+- isSystemUser = true;
+- group = user;
+- extraGroups = [ "postfix" ];
+- description = "todo.sr.ht user";
+- };
+- };
+- groups = {
+- "${user}" = { };
+- };
+- };
+-
+- services.postgresql = {
+- authentication = ''
+- local ${database} ${user} trust
+- '';
+- ensureDatabases = [ database ];
+- ensureUsers = [
+- {
+- name = user;
+- ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; };
+- }
+- ];
+- };
+-
+- systemd = {
+- tmpfiles.rules = [
+- "d ${statePath} 0750 ${user} ${user} -"
+- ];
+-
+- services = {
+- todosrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey {
+- after = [ "postgresql.service" "network.target" ];
+- requires = [ "postgresql.service" ];
+- wantedBy = [ "multi-user.target" ];
+-
+- description = "todo.sr.ht website service";
+-
+- serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}";
+- };
+-
+- todosrht-lmtp = {
+- after = [ "postgresql.service" "network.target" ];
+- bindsTo = [ "postgresql.service" ];
+- wantedBy = [ "multi-user.target" ];
+-
+- description = "todo.sr.ht process service";
+- serviceConfig = {
+- Type = "simple";
+- User = user;
+- Restart = "always";
+- ExecStart = "${cfg.python}/bin/todosrht-lmtp";
+- };
+- };
+-
+- todosrht-webhooks = {
+- after = [ "postgresql.service" "network.target" ];
+- requires = [ "postgresql.service" ];
+- wantedBy = [ "multi-user.target" ];
+-
+- description = "todo.sr.ht webhooks service";
+- serviceConfig = {
+- Type = "simple";
+- User = user;
+- Restart = "always";
+- ExecStart = "${cfg.python}/bin/celery -A ${drv.pname}.webhooks worker --loglevel=info";
+- };
+-
+- };
+- };
+- };
+-
+- services.sourcehut.settings = {
+- # URL todo.sr.ht is being served at (protocol://domain)
+- "todo.sr.ht".origin = mkDefault "http://todo.${cfg.originBase}";
+- # 
Address and port to bind the debug server to
+- "todo.sr.ht".debug-host = mkDefault "0.0.0.0";
+- "todo.sr.ht".debug-port = mkDefault port;
+- # Configures the SQLAlchemy connection string for the database.
+- "todo.sr.ht".connection-string = mkDefault "postgresql:///${database}?user=${user}&host=/var/run/postgresql";
+- # Set to "yes" to automatically run migrations on package upgrade.
+- "todo.sr.ht".migrate-on-upgrade = mkDefault "yes";
+- # todo.sr.ht's OAuth client ID and secret for meta.sr.ht
+- # Register your client at meta.example.org/oauth
+- "todo.sr.ht".oauth-client-id = mkDefault null;
+- "todo.sr.ht".oauth-client-secret = mkDefault null;
+- # Outgoing email for notifications generated by users
+- "todo.sr.ht".notify-from = mkDefault "CHANGEME@example.org";
+- # The redis connection used for the webhooks worker
+- "todo.sr.ht".webhooks = mkDefault "redis://${rcfg.bind}:${toString rcfg.port}/1";
+- # Network-key
+- "todo.sr.ht".network-key = mkDefault null;
+-
+- # Path for the lmtp daemon's unix socket. Direct incoming mail to this socket.
+- # Alternatively, specify IP:PORT and an SMTP server will be run instead.
+- "todo.sr.ht::mail".sock = mkDefault "/tmp/todo.sr.ht-lmtp.sock";
+- # The lmtp daemon will make the unix socket group-read/write for users in this
+- # group.
+- "todo.sr.ht::mail".sock-group = mkDefault "postfix";
+-
+- "todo.sr.ht::mail".posting-domain = mkDefault "todo.${cfg.originBase}";
+- };
+-
+- services.nginx.virtualHosts."todo.${cfg.originBase}" = {
+- forceSSL = true;
+- locations."/".proxyPass = "http://${cfg.address}:${toString port}";
+- locations."/query".proxyPass = "http://${cfg.address}:${toString (port + 100)}";
+- locations."/static".root = "${pkgs.sourcehut.todosrht}/${pkgs.sourcehut.python.sitePackages}/todosrht";
+- };
+- };
+-}
+diff --git a/nixos/tests/sourcehut.nix b/nixos/tests/sourcehut.nix
+index 34a60247e00..6998f4f0c10 100644
+--- a/nixos/tests/sourcehut.nix
++++ b/nixos/tests/sourcehut.nix
+@@ -195,6 +195,7 @@ in
+ # Testing metasrht
+ machine.wait_for_unit("metasrht-api.service")
+ machine.wait_for_unit("metasrht.service")
++ machine.wait_for_unit("metasrht-webhooks.service")
+ machine.wait_for_open_port(5000)
+ machine.succeed("curl -sL http://localhost:5000 | grep meta.${domain}")
+ machine.succeed("curl -sL http://meta.${domain} | grep meta.${domain}")
+diff --git a/pkgs/applications/version-management/sourcehut/builds.nix b/pkgs/applications/version-management/sourcehut/builds.nix
+index 350afd07fe1..99d6a05c4eb 100644
+--- a/pkgs/applications/version-management/sourcehut/builds.nix
++++ b/pkgs/applications/version-management/sourcehut/builds.nix
+@@ -1,7 +1,7 @@
+ { lib
+ , fetchFromSourcehut
+-, buildPythonPackage
+ , buildGoModule
++, buildPythonPackage
+ , srht
+ , redis
+ , celery
+@@ -9,21 +9,29 @@
+ , markdown
+ , ansi2html
+ , python
++, unzip
+ }:
+ let
+- version = "0.75.2";
++ version = "0.80.0";
+ 
+ src = fetchFromSourcehut {
+ owner = "~sircmpwn";
+ repo = "builds.sr.ht";
+ rev = version;
+- sha256 = "sha256-SwyxMzmp9baRQ0vceuEn/OpfIv7z7jwq/l67hdOHXjM=";
++ sha256 = "sha256-SzA9bOXiXULRD4Eq9xBbbmMUpXT8egOtooZFF4p79ms=";
+ };
+ 
+- buildWorker = src: buildGoModule {
++ buildsrht-api = buildGoModule ({
+ inherit src version;
+- pname = "builds-sr-ht-worker";
++ pname = 
"buildsrht-api";
++ modRoot = "api";
++ vendorSha256 = "sha256-roTwqtg4Y846PNtLdRN/LV3Jd0LVElqjFy3DJcrwoaI=";
++ } // import ./fix-gqlgen-trimpath.nix {inherit unzip;});
+ 
++ buildsrht-worker = buildGoModule {
++ inherit src version;
++ sourceRoot = "source/worker";
++ pname = "buildsrht-worker";
+ vendorSha256 = "sha256-Pf1M9a43eK4jr6QMi6kRHA8DodXQU0pqq9ua5VC3ER0=";
+ };
+ in
+@@ -31,10 +39,10 @@ buildPythonPackage rec {
+ inherit src version;
+ pname = "buildsrht";
+ 
+- patches = [
+- # Revert change breaking Unix socket support for Redis
+- patches/redis-socket/build/0001-Revert-Add-build-submission-and-queue-monitoring.patch
+- ];
++ postPatch = ''
++ substituteInPlace Makefile \
++ --replace "all: api worker" ""
++ '';
+ 
+ nativeBuildInputs = srht.nativeBuildInputs;
+ 
+@@ -58,7 +66,8 @@ buildPythonPackage rec {
+ 
+ cp -r images $out/lib
+ cp contrib/submit_image_build $out/bin/builds.sr.ht
+- cp ${buildWorker "${src}/worker"}/bin/worker $out/bin/builds.sr.ht-worker
++ ln -s ${buildsrht-api}/bin/api $out/bin/buildsrht-api
++ ln -s ${buildsrht-worker}/bin/worker $out/bin/buildsrht-worker
+ '';
+ 
+ pythonImportsCheck = [ "buildsrht" ];
+diff --git a/pkgs/applications/version-management/sourcehut/core.nix b/pkgs/applications/version-management/sourcehut/core.nix
+index 805da8c3282..0648f21910f 100644
+--- a/pkgs/applications/version-management/sourcehut/core.nix
++++ b/pkgs/applications/version-management/sourcehut/core.nix
+@@ -1,5 +1,5 @@
+ { lib
+-, fetchgit
++, fetchFromSourcehut
+ , fetchNodeModules
+ , buildPythonPackage
+ , pgpy
+@@ -29,12 +29,13 @@
+ 
+ buildPythonPackage rec {
+ pname = "srht";
+- version = "0.68.14";
++ version = "0.68.24";
+ 
+- src = fetchgit {
+- url = "https://git.sr.ht/~sircmpwn/core.sr.ht";
++ src = fetchFromSourcehut {
++ owner = "~sircmpwn";
++ repo = "core.sr.ht";
+ rev = version;
+- sha256 = "sha256-BY3W2rwrg0mhH3CltgUqg6Xv8Ve5VZNY/lI1cfbAjYM=";
++ sha256 = "sha256-ipukga6vfBgDIXOQCejCkU/iTmBt5egIjB+NlJyL2yo=";
+ fetchSubmodules 
= true;
+ };
+ 
+@@ -47,6 +48,8 @@ buildPythonPackage rec {
+ patches = [
+ # Disable check for npm
+ ./disable-npm-install.patch
++ # Fix Unix socket support in RedisQueueCollector
++ patches/redis-socket/core/0001-Fix-Unix-socket-support-in-RedisQueueCollector.patch
+ ];
+ 
+ nativeBuildInputs = [
+diff --git a/pkgs/applications/version-management/sourcehut/default.nix b/pkgs/applications/version-management/sourcehut/default.nix
+index 00810f208cc..aee65dee3bb 100644
+--- a/pkgs/applications/version-management/sourcehut/default.nix
++++ b/pkgs/applications/version-management/sourcehut/default.nix
+@@ -2,6 +2,7 @@
+ , openssl
+ , callPackage
+ , recurseIntoAttrs
++, nixosTests
+ }:
+ 
+ # To expose the *srht modules, they have to be a python module so we use `buildPythonModule`
+@@ -44,4 +45,7 @@ with python.pkgs; recurseIntoAttrs {
+ pagessrht = pagessrht;
+ pastesrht = toPythonApplication pastesrht;
+ todosrht = toPythonApplication todosrht;
++ passthru.tests = {
++ nixos-sourcehut = nixosTests.sourcehut;
++ };
+ }
+diff --git a/pkgs/applications/version-management/sourcehut/fix-gqlgen-trimpath.nix b/pkgs/applications/version-management/sourcehut/fix-gqlgen-trimpath.nix
+new file mode 100644
+index 00000000000..1f94913292e
+--- /dev/null
++++ b/pkgs/applications/version-management/sourcehut/fix-gqlgen-trimpath.nix
+@@ -0,0 +1,32 @@
++{ unzip }:
++{
++ overrideModAttrs = (_: {
++ # No need to workaround -trimpath: it's not used in go-modules,
++ # but do download `go generate`'s dependencies nonetheless.
++ preBuild = '' ++ set -x ++ go generate ./loaders ++ go generate ./graph ++ set +x ++ ''; ++ }); ++ ++ # Workaround: ++ # go: git.sr.ht/~emersion/go-emailthreads@v0.0.0-20220412093310-4fd792e343ba: module lookup disabled by GOPROXY=off ++ # tidy failed: go mod tidy failed: exit status 1 ++ # graph/generate.go:10: running "go": exit status 1 ++ proxyVendor = true; ++ ++ # Workaround -trimpath in the package derivation: ++ # https://github.com/99designs/gqlgen/issues/1537 ++ # This is to give `go generate ./graph` access to gqlgen's *.gotpl files ++ # If it fails, the gqlgenVersion may have to be updated. ++ preBuild = let gqlgenVersion = "0.17.2"; in '' ++ set -x ++ ${unzip}/bin/unzip ''${GOPROXY#"file://"}/github.com/99designs/gqlgen/@v/v${gqlgenVersion}.zip ++ go generate ./loaders ++ go generate ./graph ++ rm -rf github.com ++ set +x ++ ''; ++} +diff --git a/pkgs/applications/version-management/sourcehut/git.nix b/pkgs/applications/version-management/sourcehut/git.nix +index 318bee4cf51..a721da0ecd3 100644 +--- a/pkgs/applications/version-management/sourcehut/git.nix ++++ b/pkgs/applications/version-management/sourcehut/git.nix +@@ -1,57 +1,67 @@ + { lib + , fetchFromSourcehut +-, buildPythonPackage + , buildGoModule ++, buildPythonPackage + , python + , srht + , pygit2 + , scmsrht ++, unzip + }: + let +- version = "0.77.3"; ++ version = "0.78.18"; + + src = fetchFromSourcehut { + owner = "~sircmpwn"; + repo = "git.sr.ht"; + rev = version; +- sha256 = "sha256-eJvXCcmdiUzTK0EqNJkLEZsAfr6toD/378HObnMbOWM="; ++ sha256 = "sha256-pGWphdFKaOIBIKWMxfNAFqXZQx/qHcrwb5Ylj9uag7s="; + }; + +- buildShell = src: buildGoModule { ++ gitApi = buildGoModule ({ + inherit src version; +- pname = "gitsrht-shell"; +- vendorSha256 = "sha256-aqUFICp0C2reqb2p6JCPAUIRsxzSv0t9BHoNWrTYfqk="; +- }; ++ pname = "gitsrht-api"; ++ modRoot = "api"; ++ vendorSha256 = "sha256-0YI20liP0X1McfiSUy29zJk2UqqAPBIfIfPLoJOE1uI="; ++ } // import ./fix-gqlgen-trimpath.nix {inherit unzip;}); + +- 
buildDispatcher = src: buildGoModule { ++ gitDispatch = buildGoModule { + inherit src version; +- pname = "gitsrht-dispatcher"; ++ pname = "gitsrht-dispatch"; ++ modRoot = "gitsrht-dispatch"; + vendorSha256 = "sha256-qWXPHo86s6iuRBhRMtmD5jxnAWKdrWHtA/iSUkdw89M="; + }; + +- buildKeys = src: buildGoModule { ++ gitKeys = buildGoModule { + inherit src version; + pname = "gitsrht-keys"; ++ modRoot = "gitsrht-keys"; + vendorSha256 = "sha256-9pojS69HCKVHUceyOpGtv9ewcxFD4WsOVsEzkmWJkF4="; + }; + +- buildUpdateHook = src: buildGoModule { ++ gitShell = buildGoModule { + inherit src version; +- pname = "gitsrht-update-hook"; +- vendorSha256 = "sha256-sBlG7EFqdDm7CkAHVX50Mf4N3sl1rPNmWExG/bfbfGA="; ++ pname = "gitsrht-shell"; ++ modRoot = "gitsrht-shell"; ++ vendorSha256 = "sha256-WqfvSPuVsOHA//86u33atMfeA11+DJhjLmWy8Ivq0NI="; + }; + +- updateHook = buildUpdateHook "${src}/gitsrht-update-hook"; ++ gitUpdateHook = buildGoModule { ++ inherit src version; ++ pname = "gitsrht-update-hook"; ++ modRoot = "gitsrht-update-hook"; ++ vendorSha256 = "sha256-Bc3yPabS2S+qiroHFKrtkII/CfzBDYQ6xWxKHAME+Tc="; ++ }; + + in + buildPythonPackage rec { + inherit src version; + pname = "gitsrht"; + +- patches = [ +- # Revert change breaking Unix socket support for Redis +- patches/redis-socket/git/0001-Revert-Add-webhook-queue-monitoring.patch +- ]; ++ postPatch = '' ++ substituteInPlace Makefile \ ++ --replace "all: api gitsrht-dispatch gitsrht-keys gitsrht-shell gitsrht-update-hook" "" ++ ''; + + nativeBuildInputs = srht.nativeBuildInputs; + +@@ -68,14 +78,12 @@ buildPythonPackage rec { + + postInstall = '' + mkdir -p $out/bin +- cp ${buildShell "${src}/gitsrht-shell"}/bin/gitsrht-shell $out/bin/gitsrht-shell +- cp ${buildDispatcher "${src}/gitsrht-dispatch"}/bin/gitsrht-dispatch $out/bin/gitsrht-dispatch +- cp ${buildKeys "${src}/gitsrht-keys"}/bin/gitsrht-keys $out/bin/gitsrht-keys +- cp ${updateHook}/bin/gitsrht-update-hook $out/bin/gitsrht-update-hook ++ ln -s ${gitApi}/bin/api 
$out/bin/gitsrht-api ++ ln -s ${gitDispatch}/bin/gitsrht-dispatch $out/bin/gitsrht-dispatch ++ ln -s ${gitKeys}/bin/gitsrht-keys $out/bin/gitsrht-keys ++ ln -s ${gitShell}/bin/gitsrht-shell $out/bin/gitsrht-shell ++ ln -s ${gitUpdateHook}/bin/gitsrht-update-hook $out/bin/gitsrht-update-hook + ''; +- passthru = { +- inherit updateHook; +- }; + + pythonImportsCheck = [ "gitsrht" ]; + +diff --git a/pkgs/applications/version-management/sourcehut/hg.nix b/pkgs/applications/version-management/sourcehut/hg.nix +index f3e778b2f31..2aa4cc2c505 100644 +--- a/pkgs/applications/version-management/sourcehut/hg.nix ++++ b/pkgs/applications/version-management/sourcehut/hg.nix +@@ -1,21 +1,41 @@ + { lib + , fetchhg ++, buildGoModule + , buildPythonPackage + , srht + , hglib + , scmsrht + , unidiff + , python ++, unzip + }: + + buildPythonPackage rec { + pname = "hgsrht"; +- version = "0.29.4"; ++ version = "0.31.2"; + + src = fetchhg { + url = "https://hg.sr.ht/~sircmpwn/hg.sr.ht"; + rev = version; +- sha256 = "Jn9M/R5tJK/GeJDWGo3LWCK2nwsfI9zh+/yo2M+X6Sk="; ++ sha256 = "F0dBykSSrlis+mumULLxvKNxD75DWR9+IDTYbmhkMDI="; ++ }; ++ postPatch = '' ++ substituteInPlace Makefile \ ++ --replace "all: api hgsrht-keys" "" ++ ''; ++ ++ hgsrht-api = buildGoModule ({ ++ inherit src version; ++ pname = "hgsrht-api"; ++ modRoot = "api"; ++ vendorSha256 = "sha256-W7A22qSIgJgcfS7xYNrmbYKaZBXbDtPilM9I6DxmTeU="; ++ } // import ./fix-gqlgen-trimpath.nix {inherit unzip;}); ++ ++ hgsrht-keys = buildGoModule { ++ inherit src version; ++ pname = "hgsrht-keys"; ++ modRoot = "hgsrht-keys"; ++ vendorSha256 = "sha256-7ti8xCjSrxsslF7/1X/GY4FDl+69hPL4UwCDfjxmJLU="; + }; + + nativeBuildInputs = srht.nativeBuildInputs; +@@ -32,6 +52,11 @@ buildPythonPackage rec { + export SRHT_PATH=${srht}/${python.sitePackages}/srht + ''; + ++ postInstall = '' ++ ln -s ${hgsrht-api}/bin/api $out/bin/hgsrht-api ++ ln -s ${hgsrht-keys}/bin/hgsrht-keys $out/bin/hgsrht-keys ++ ''; ++ + pythonImportsCheck = [ "hgsrht" ]; + + meta = 
with lib; { +diff --git a/pkgs/applications/version-management/sourcehut/hub.nix b/pkgs/applications/version-management/sourcehut/hub.nix +index 511ec359fc4..75d9efe5bd9 100644 +--- a/pkgs/applications/version-management/sourcehut/hub.nix ++++ b/pkgs/applications/version-management/sourcehut/hub.nix +@@ -6,13 +6,13 @@ + + buildPythonPackage rec { + pname = "hubsrht"; +- version = "0.14.4"; ++ version = "0.14.14"; + + src = fetchFromSourcehut { + owner = "~sircmpwn"; + repo = "hub.sr.ht"; + rev = version; +- sha256 = "sha256-7HF+jykWGqzPWA0YtJZQZU7pnID1yexcqLkEf2HpnSs="; ++ sha256 = "sha256-4n6oQ+AAvdJY/5KflxAp62chjyrlSUkmt319DKZk33w="; + }; + + nativeBuildInputs = srht.nativeBuildInputs; +diff --git a/pkgs/applications/version-management/sourcehut/lists.nix b/pkgs/applications/version-management/sourcehut/lists.nix +index 3ba6375a913..b9a00ffd213 100644 +--- a/pkgs/applications/version-management/sourcehut/lists.nix ++++ b/pkgs/applications/version-management/sourcehut/lists.nix +@@ -1,5 +1,6 @@ + { lib + , fetchFromSourcehut ++, buildGoModule + , buildPythonPackage + , srht + , asyncpg +@@ -8,23 +9,31 @@ + , emailthreads + , redis + , python ++, unzip + }: + + buildPythonPackage rec { + pname = "listssrht"; +- version = "0.51.7"; ++ version = "0.51.10"; + + src = fetchFromSourcehut { + owner = "~sircmpwn"; + repo = "lists.sr.ht"; + rev = version; +- sha256 = "sha256-oNY5A98oVoL2JKO0fU/8YVl8u7ywmHb/RHD8A6z9yIM="; ++ sha256 = "sha256-f8KvMctDva31W5c6uAIDDZ0eUrRL5ha10ew2pLEnJtw="; + }; + +- patches = [ +- # Revert change breaking Unix socket support for Redis +- patches/redis-socket/lists/0001-Revert-Add-webhook-queue-monitoring.patch +- ]; ++ listssrht-api = buildGoModule ({ ++ inherit src version; ++ pname = "listssrht-api"; ++ modRoot = "api"; ++ vendorSha256 = "sha256-xnmMkRSokbhWD+kz0XQ9AinYdm6/50FRBISURPvlzD0="; ++ } // import ./fix-gqlgen-trimpath.nix {inherit unzip;}); ++ ++ postPatch = '' ++ substituteInPlace Makefile \ ++ --replace "all: api" "" ++ ''; + + 
nativeBuildInputs = srht.nativeBuildInputs; + +@@ -42,6 +51,10 @@ buildPythonPackage rec { + export SRHT_PATH=${srht}/${python.sitePackages}/srht + ''; + ++ postInstall = '' ++ ln -s ${listssrht-api}/bin/api $out/bin/listssrht-api ++ ''; ++ + pythonImportsCheck = [ "listssrht" ]; + + meta = with lib; { +diff --git a/pkgs/applications/version-management/sourcehut/man.nix b/pkgs/applications/version-management/sourcehut/man.nix +index 8d43f297a4f..ccee76defde 100644 +--- a/pkgs/applications/version-management/sourcehut/man.nix ++++ b/pkgs/applications/version-management/sourcehut/man.nix +@@ -8,13 +8,13 @@ + + buildPythonPackage rec { + pname = "mansrht"; +- version = "0.15.23"; ++ version = "0.15.25"; + + src = fetchFromSourcehut { + owner = "~sircmpwn"; + repo = "man.sr.ht"; + rev = version; +- sha256 = "sha256-xrBptXdwMee+YkPup/BYL/iXBhCzSUQ5htSHIw/1Ncc="; ++ sha256 = "sha256-Mq3IHsqSkFHVdmy3g0E+9oLnKORthgv3lqvWyrKMIuU="; + }; + + nativeBuildInputs = srht.nativeBuildInputs; +diff --git a/pkgs/applications/version-management/sourcehut/meta.nix b/pkgs/applications/version-management/sourcehut/meta.nix +index ab19cc88d25..896279addd3 100644 +--- a/pkgs/applications/version-management/sourcehut/meta.nix ++++ b/pkgs/applications/version-management/sourcehut/meta.nix +@@ -16,32 +16,34 @@ + , weasyprint + , prometheus-client + , python ++, unzip + }: + let +- version = "0.57.5"; ++ version = "0.58.8"; + + src = fetchFromSourcehut { + owner = "~sircmpwn"; + repo = "meta.sr.ht"; + rev = version; +- sha256 = "sha256-qsCwZaCiqvY445U053OCWD98jlIUi9NB2jWVP2oW3Vk="; ++ sha256 = "sha256-lnEt5UoQBd5qlkD+nE6KL5DP4jf1FrAjgA06/mgRxTs="; + }; + +- buildApi = src: buildGoModule { ++ metasrht-api = buildGoModule ({ + inherit src version; + pname = "metasrht-api"; +- vendorSha256 = "sha256-8Ubrr9qRlgW2wsLHrPHwulSWLz+gp4VPcTvOZpg8TYM="; +- }; ++ modRoot = "api"; ++ vendorSha256 = "sha256-3s9PYUy4qS06zyTIRDvnAmhfrjVLBa/03Nu3tMcIReI="; ++ } // import ./fix-gqlgen-trimpath.nix {inherit 
unzip;}); + + in + buildPythonPackage rec { + pname = "metasrht"; + inherit version src; + +- patches = [ +- # Revert change breaking Unix socket support for Redis +- patches/redis-socket/meta/0001-Revert-Add-webhook-queue-monitoring.patch +- ]; ++ postPatch = '' ++ substituteInPlace Makefile \ ++ --replace "all: api" "" ++ ''; + + nativeBuildInputs = srht.nativeBuildInputs; + +@@ -68,7 +70,7 @@ buildPythonPackage rec { + + postInstall = '' + mkdir -p $out/bin +- cp ${buildApi "${src}/api/"}/bin/api $out/bin/metasrht-api ++ ln -s ${metasrht-api}/bin/api $out/bin/metasrht-api + ''; + + pythonImportsCheck = [ "metasrht" ]; +diff --git a/pkgs/applications/version-management/sourcehut/pages.nix b/pkgs/applications/version-management/sourcehut/pages.nix +index b6a18b5bda7..faa6dbb4d49 100644 +--- a/pkgs/applications/version-management/sourcehut/pages.nix ++++ b/pkgs/applications/version-management/sourcehut/pages.nix +@@ -1,20 +1,21 @@ + { lib + , fetchFromSourcehut + , buildGoModule ++, unzip + }: + +-buildGoModule rec { ++buildGoModule (rec { + pname = "pagessrht"; +- version = "0.6.2"; ++ version = "0.7.3"; + + src = fetchFromSourcehut { + owner = "~sircmpwn"; + repo = "pages.sr.ht"; + rev = version; +- sha256 = "sha256-ob0+t9V2o8lhVC6fXbi1rNm0Mnbs+GoyAmhBqVZ13PA="; ++ sha256 = "sha256-fHhf4VQ82/k4g8pzyuN9Pr2f8mxT8zw+2Nq0nw1Msks="; + }; + +- vendorSha256 = "sha256-b0sHSH0jkKoIVq045N96wszuLJDegkkj0v50nuDFleU="; ++ vendorSha256 = "sha256-/+XVl6PZUMOZIiuO6vEu0dacefz2hDSObaP8JsItSTw="; + + postInstall = '' + mkdir -p $out/share/sql/ +@@ -27,4 +28,6 @@ buildGoModule rec { + license = licenses.agpl3Only; + maintainers = with maintainers; [ eadwu ]; + }; +-} ++ # There is no ./loaders but this does not cause troubles ++ # to go generate ++} // import ./fix-gqlgen-trimpath.nix {inherit unzip;}) +diff --git a/pkgs/applications/version-management/sourcehut/paste.nix b/pkgs/applications/version-management/sourcehut/paste.nix +index c411f8e8c95..fbbc5fcd6a9 100644 +--- 
a/pkgs/applications/version-management/sourcehut/paste.nix ++++ b/pkgs/applications/version-management/sourcehut/paste.nix +@@ -8,13 +8,13 @@ + + buildPythonPackage rec { + pname = "pastesrht"; +- version = "0.13.6"; ++ version = "0.13.7"; + + src = fetchFromSourcehut { + owner = "~sircmpwn"; + repo = "paste.sr.ht"; + rev = version; +- sha256 = "sha256-Khcqk86iD9nxiKXN3+8mSLNoDau2qXNFOrLdkVu+rH8="; ++ sha256 = "sha256-EzcS6Zbh+wJinC/GKJOSWUPORODpKEA3tLpLGqoVGBU="; + }; + + nativeBuildInputs = srht.nativeBuildInputs; +diff --git a/pkgs/applications/version-management/sourcehut/patches/redis-socket/build/0001-Revert-Add-build-submission-and-queue-monitoring.patch b/pkgs/applications/version-management/sourcehut/patches/redis-socket/build/0001-Revert-Add-build-submission-and-queue-monitoring.patch +deleted file mode 100644 +index ae8e95ddc0c..00000000000 +--- a/pkgs/applications/version-management/sourcehut/patches/redis-socket/build/0001-Revert-Add-build-submission-and-queue-monitoring.patch ++++ /dev/null +@@ -1,69 +0,0 @@ +-From 069b03f85847ed4a9223183b62ee53f420838911 Mon Sep 17 00:00:00 2001 +-From: Julien Moutinho +-Date: Thu, 16 Dec 2021 04:54:24 +0100 +-Subject: [PATCH builds.sr.ht] Revert "Add build submission and queue +- monitoring" +- +-This reverts commit 690f1aa16c77e418dc40109cd5e8fdf4a7ed947a. 
+- +-This has broken Unix socket support for Redis +-See https://lists.sr.ht/~sircmpwn/sr.ht-dev/%3C20211208082636.65665-1-me%40ignaskiela.eu%3E#%3C20211216033723.wefibfulfjhqnhem@sourcephile.fr%3E +---- +- buildsrht/app.py | 3 --- +- buildsrht/runner.py | 9 +-------- +- 2 files changed, 1 insertion(+), 11 deletions(-) +- +-diff --git a/buildsrht/app.py b/buildsrht/app.py +-index e5321a2..7c9977c 100644 +---- a/buildsrht/app.py +-+++ b/buildsrht/app.py +-@@ -36,9 +36,6 @@ class BuildApp(SrhtFlask): +- self.register_blueprint(secrets) +- self.register_blueprint(gql_blueprint) +- +-- from buildsrht.runner import builds_queue_metrics_collector +-- self.metrics_registry.register(builds_queue_metrics_collector) +-- +- @self.context_processor +- def inject(): +- return { +-diff --git a/buildsrht/runner.py b/buildsrht/runner.py +-index 7773452..0389c8e 100644 +---- a/buildsrht/runner.py +-+++ b/buildsrht/runner.py +-@@ -5,13 +5,10 @@ from srht.config import cfg +- from srht.database import db +- from srht.email import send_email +- from srht.oauth import UserType +--from srht.metrics import RedisQueueCollector +--from prometheus_client import Counter +- +- allow_free = cfg("builds.sr.ht", "allow-free", default="no") == "yes" +- +--builds_broker = cfg("builds.sr.ht", "redis") +--runner = Celery('builds', broker=builds_broker, config_source={ +-+runner = Celery('builds', broker=cfg("builds.sr.ht", "redis"), config_source={ +- "CELERY_TASK_SERIALIZER": "json", +- "CELERY_ACCEPT_CONTENT": ["json"], +- "CELERY_RESULT_SERIALIZER": "json", +-@@ -19,9 +16,6 @@ runner = Celery('builds', broker=builds_broker, config_source={ +- "CELERY_TASK_PROTOCOL": 1 +- }) +- +--builds_queue_metrics_collector = RedisQueueCollector(builds_broker, "buildsrht_builds", "Number of builds currently in queue") +--builds_submitted = Counter("buildsrht_builds_submited", "Number of builds submitted") +-- +- def queue_build(job, manifest): +- from buildsrht.types import JobStatus +- job.status = 
JobStatus.queued +-@@ -34,7 +28,6 @@ def queue_build(job, manifest): +- cfg("sr.ht", "owner-email"), +- "Cryptocurrency mining attempt on builds.sr.ht") +- else: +-- builds_submitted.inc() +- run_build.delay(job.id, manifest.to_dict()) +- +- def requires_payment(user): +--- +-2.34.0 +- +diff --git a/pkgs/applications/version-management/sourcehut/patches/redis-socket/core/0001-Fix-Unix-socket-support-in-RedisQueueCollector.patch b/pkgs/applications/version-management/sourcehut/patches/redis-socket/core/0001-Fix-Unix-socket-support-in-RedisQueueCollector.patch +new file mode 100644 +index 00000000000..889331f3e07 +--- /dev/null ++++ b/pkgs/applications/version-management/sourcehut/patches/redis-socket/core/0001-Fix-Unix-socket-support-in-RedisQueueCollector.patch +@@ -0,0 +1,42 @@ ++From 76dd636151735671be74ba9d55f773e190e22827 Mon Sep 17 00:00:00 2001 ++From: Julien Moutinho ++Date: Fri, 13 May 2022 22:40:46 +0200 ++Subject: [PATCH core.sr.ht] Fix Unix socket support in RedisQueueCollector ++ ++The broker URL is not necessarily in the format expected by Redis.from_url ++ ++Especially, Redis.from_url supports this format for Unix sockets: ++ unix:///run/redis-sourcehut-metasrht/redis.sock?db=0 ++See https://redis-py.readthedocs.io/en/stable/#redis.ConnectionPool.from_url ++ ++Whereas Celery+Kombu support Redis but also other transports ++and thus expect another scheme: ++ redis+socket:///run/redis-sourcehut-metasrht/redis.sock?virtual_host=1 ++See https://docs.celeryproject.org/en/stable/userguide/configuration.html#redis-backend-settings ++and https://github.com/celery/celery/blob/e5d99801e4b56a02af4a2e183879c767228d2817/celery/backends/redis.py#L299-L352 ++and https://github.com/celery/kombu/blob/master/kombu/utils/url.py ++--- ++ srht/metrics.py | 3 ++- ++ 1 file changed, 2 insertions(+), 1 deletion(-) ++ ++diff --git a/srht/metrics.py b/srht/metrics.py ++index 68caf8e..2df5777 100644 ++--- a/srht/metrics.py +++++ b/srht/metrics.py ++@@ -1,11 +1,12 @@ ++ import 
time +++from celery import Celery ++ from prometheus_client.metrics_core import GaugeMetricFamily ++ from redis import Redis, ResponseError ++ ++ ++ class RedisQueueCollector: ++ def __init__(self, broker, name, documentation, queue_name="celery"): ++- self.redis = Redis.from_url(broker) +++ self.redis = Celery("collector", broker=broker).connection_for_read().channel().client ++ self.queue_name = queue_name ++ self.name = name ++ self.documentation = documentation ++-- ++2.35.1 ++ +diff --git a/pkgs/applications/version-management/sourcehut/patches/redis-socket/git/0001-Revert-Add-webhook-queue-monitoring.patch b/pkgs/applications/version-management/sourcehut/patches/redis-socket/git/0001-Revert-Add-webhook-queue-monitoring.patch +deleted file mode 100644 +index 4c526dd23e1..00000000000 +--- a/pkgs/applications/version-management/sourcehut/patches/redis-socket/git/0001-Revert-Add-webhook-queue-monitoring.patch ++++ /dev/null +@@ -1,50 +0,0 @@ +-From 5ccb5386304c26f25b0a9eb10ce9edb6da32f91a Mon Sep 17 00:00:00 2001 +-From: Julien Moutinho +-Date: Sat, 12 Feb 2022 00:11:59 +0100 +-Subject: [PATCH git.sr.ht] Revert "Add webhook queue monitoring" +- +-This reverts commit 7ea630b776947ab82438d0ffa263b0f9d33ebff3. +- +-Which has broken Unix socket support for Redis. 
+-See https://lists.sr.ht/~sircmpwn/sr.ht-dev/%3C20211208082636.65665-1-me%40ignaskiela.eu%3E#%3C20211216033723.wefibfulfjhqnhem@sourcephile.fr%3E +---- +- gitsrht/app.py | 3 --- +- gitsrht/webhooks.py | 5 +---- +- 2 files changed, 1 insertion(+), 7 deletions(-) +- +-diff --git a/gitsrht/app.py b/gitsrht/app.py +-index e9ccb56..4928851 100644 +---- a/gitsrht/app.py +-+++ b/gitsrht/app.py +-@@ -48,9 +48,6 @@ class GitApp(ScmSrhtFlask): +- self.add_template_filter(url_quote) +- self.add_template_filter(commit_links) +- +-- from gitsrht.webhooks import webhook_metrics_collector +-- self.metrics_registry.register(webhook_metrics_collector) +-- +- @self.context_processor +- def inject(): +- notice = session.get("notice") +-diff --git a/gitsrht/webhooks.py b/gitsrht/webhooks.py +-index 8a203fe..6240d50 100644 +---- a/gitsrht/webhooks.py +-+++ b/gitsrht/webhooks.py +-@@ -7,13 +7,10 @@ if not hasattr(db, "session"): +- db.init() +- from srht.webhook import Event +- from srht.webhook.celery import CeleryWebhook, make_worker +--from srht.metrics import RedisQueueCollector +- from scmsrht.webhooks import UserWebhook +- import sqlalchemy as sa +- +--webhook_broker = cfg("git.sr.ht", "webhooks") +--worker = make_worker(broker=webhook_broker) +--webhook_metrics_collector = RedisQueueCollector(webhook_broker, "srht_webhooks", "Webhook queue length") +-+worker = make_worker(broker=cfg("git.sr.ht", "webhooks")) +- +- class RepoWebhook(CeleryWebhook): +- events = [ +--- +-2.34.1 +- +diff --git a/pkgs/applications/version-management/sourcehut/patches/redis-socket/lists/0001-Revert-Add-webhook-queue-monitoring.patch b/pkgs/applications/version-management/sourcehut/patches/redis-socket/lists/0001-Revert-Add-webhook-queue-monitoring.patch +deleted file mode 100644 +index 872d285b9bb..00000000000 +--- a/pkgs/applications/version-management/sourcehut/patches/redis-socket/lists/0001-Revert-Add-webhook-queue-monitoring.patch ++++ /dev/null +@@ -1,48 +0,0 @@ +-From 
730e090f31b150d42be4b4722751f8e4610835b0 Mon Sep 17 00:00:00 2001 +-From: Julien Moutinho +-Date: Sat, 12 Feb 2022 00:38:12 +0100 +-Subject: [PATCH lists.sr.ht] Revert "Add webhook queue monitoring" +- +-This reverts commit e74e344808e8d523a9786cefcbf64c9a247d7a0e. +- +-Which has broken Unix socket support for Redis. +-See https://lists.sr.ht/~sircmpwn/sr.ht-dev/%3C20211208082636.65665-1-me%40ignaskiela.eu%3E#%3C20211216033723.wefibfulfjhqnhem@sourcephile.fr%3E +---- +- listssrht/app.py | 3 --- +- listssrht/webhooks.py | 5 +---- +- 2 files changed, 1 insertion(+), 7 deletions(-) +- +-diff --git a/listssrht/app.py b/listssrht/app.py +-index aec59f3..83a355d 100644 +---- a/listssrht/app.py +-+++ b/listssrht/app.py +-@@ -29,9 +29,6 @@ class ListsApp(SrhtFlask): +- self.register_blueprint(user) +- self.register_blueprint(gql_blueprint) +- +-- from listssrht.webhooks import webhook_metrics_collector +-- self.metrics_registry.register(webhook_metrics_collector) +-- +- @self.context_processor +- def inject(): +- from listssrht.types import ListAccess +-diff --git a/listssrht/webhooks.py b/listssrht/webhooks.py +-index ae5b1cb..86421ba 100644 +---- a/listssrht/webhooks.py +-+++ b/listssrht/webhooks.py +-@@ -8,11 +8,8 @@ if not hasattr(db, "session"): +- db.init() +- from srht.webhook import Event +- from srht.webhook.celery import CeleryWebhook, make_worker +--from srht.metrics import RedisQueueCollector +- +--webhook_broker = cfg("lists.sr.ht", "webhooks") +--worker = make_worker(broker=webhook_broker) +--webhook_metrics_collector = RedisQueueCollector(webhook_broker, "srht_webhooks", "Webhook queue length") +-+worker = make_worker(broker=cfg("lists.sr.ht", "webhooks")) +- +- class ListWebhook(CeleryWebhook): +- events = [ +--- +-2.34.1 +- +diff --git a/pkgs/applications/version-management/sourcehut/patches/redis-socket/meta/0001-Revert-Add-webhook-queue-monitoring.patch 
b/pkgs/applications/version-management/sourcehut/patches/redis-socket/meta/0001-Revert-Add-webhook-queue-monitoring.patch +deleted file mode 100644 +index 9ec37670b06..00000000000 +--- a/pkgs/applications/version-management/sourcehut/patches/redis-socket/meta/0001-Revert-Add-webhook-queue-monitoring.patch ++++ /dev/null +@@ -1,48 +0,0 @@ +-From d88bee195797c6c294320617ff14798da94cd0f3 Mon Sep 17 00:00:00 2001 +-From: Julien Moutinho +-Date: Thu, 16 Dec 2021 04:52:08 +0100 +-Subject: [PATCH meta.sr.ht] Revert "Add webhook queue monitoring" +- +-This reverts commit 9931df3c23094af5179df9ef019ca732b8125dac. +- +-This has broken Unix socket support for Redis. +-See https://lists.sr.ht/~sircmpwn/sr.ht-dev/%3C20211208082636.65665-1-me%40ignaskiela.eu%3E#%3C20211216033723.wefibfulfjhqnhem@sourcephile.fr%3E +---- +- metasrht/app.py | 3 --- +- metasrht/webhooks.py | 5 +---- +- 2 files changed, 1 insertion(+), 7 deletions(-) +- +-diff --git a/metasrht/app.py b/metasrht/app.py +-index b190875..89c59bc 100644 +---- a/metasrht/app.py +-+++ b/metasrht/app.py +-@@ -49,9 +49,6 @@ class MetaApp(SrhtFlask): +- from metasrht.blueprints.billing import billing +- self.register_blueprint(billing) +- +-- from metasrht.webhooks import webhook_metrics_collector +-- self.metrics_registry.register(webhook_metrics_collector) +-- +- @self.context_processor +- def inject(): +- return { +-diff --git a/metasrht/webhooks.py b/metasrht/webhooks.py +-index 3e1149e..3f0ba01 100644 +---- a/metasrht/webhooks.py +-+++ b/metasrht/webhooks.py +-@@ -7,11 +7,8 @@ if not hasattr(db, "session"): +- db.init() +- from srht.webhook import Event +- from srht.webhook.celery import CeleryWebhook, make_worker +--from srht.metrics import RedisQueueCollector +- +--webhook_broker = cfg("meta.sr.ht", "webhooks", "redis://") +--worker = make_worker(broker=webhook_broker) +--webhook_metrics_collector = RedisQueueCollector(webhook_broker, "srht_webhooks", "Webhook queue length") +-+worker = 
make_worker(broker=cfg("meta.sr.ht", "webhooks", "redis://")) +- +- class UserWebhook(CeleryWebhook): +- events = [ +--- +-2.34.0 +- +diff --git a/pkgs/applications/version-management/sourcehut/patches/redis-socket/todo/0001-Revert-Add-webhook-queue-monitoring.patch b/pkgs/applications/version-management/sourcehut/patches/redis-socket/todo/0001-Revert-Add-webhook-queue-monitoring.patch +deleted file mode 100644 +index 861608c1184..00000000000 +--- a/pkgs/applications/version-management/sourcehut/patches/redis-socket/todo/0001-Revert-Add-webhook-queue-monitoring.patch ++++ /dev/null +@@ -1,50 +0,0 @@ +-From 42a27ea60d8454552d54e1f51f1b976d1067fc32 Mon Sep 17 00:00:00 2001 +-From: Julien Moutinho +-Date: Sat, 12 Feb 2022 00:30:29 +0100 +-Subject: [PATCH todo.sr.ht] Revert "Add webhook queue monitoring" +- +-This reverts commit 320a5e8f7cd16ca43928c36f0320593f84d986fa. +- +-Which has broken Unix socket support for Redis. +-See https://lists.sr.ht/~sircmpwn/sr.ht-dev/%3C20211208082636.65665-1-me%40ignaskiela.eu%3E#%3C20211216033723.wefibfulfjhqnhem@sourcephile.fr%3E +---- +- todosrht/flask.py | 3 --- +- todosrht/webhooks.py | 6 +----- +- 2 files changed, 1 insertion(+), 8 deletions(-) +- +-diff --git a/todosrht/flask.py b/todosrht/flask.py +-index 5e8ac66..9d0fd27 100644 +---- a/todosrht/flask.py +-+++ b/todosrht/flask.py +-@@ -43,9 +43,6 @@ class TodoApp(SrhtFlask): +- self.add_template_filter(urls.tracker_url) +- self.add_template_filter(urls.user_url) +- +-- from todosrht.webhooks import webhook_metrics_collector +-- self.metrics_registry.register(webhook_metrics_collector) +-- +- @self.context_processor +- def inject(): +- return { +-diff --git a/todosrht/webhooks.py b/todosrht/webhooks.py +-index eb8e08a..950047f 100644 +---- a/todosrht/webhooks.py +-+++ b/todosrht/webhooks.py +-@@ -7,13 +7,9 @@ if not hasattr(db, "session"): +- db.init() +- from srht.webhook import Event +- from srht.webhook.celery import CeleryWebhook, make_worker +--from srht.metrics import 
RedisQueueCollector +- import sqlalchemy as sa +- +-- +--webhooks_broker = cfg("todo.sr.ht", "webhooks") +--worker = make_worker(broker=webhooks_broker) +--webhook_metrics_collector = RedisQueueCollector(webhooks_broker, "srht_webhooks", "Webhook queue length") +-+worker = make_worker(broker=cfg("todo.sr.ht", "webhooks")) +- +- import todosrht.tracker_import +- +--- +-2.34.1 +- +diff --git a/pkgs/applications/version-management/sourcehut/scm.nix b/pkgs/applications/version-management/sourcehut/scm.nix +index 10da3018843..49eea05a7a7 100644 +--- a/pkgs/applications/version-management/sourcehut/scm.nix ++++ b/pkgs/applications/version-management/sourcehut/scm.nix +@@ -9,13 +9,13 @@ + + buildPythonPackage rec { + pname = "scmsrht"; +- version = "0.22.19"; # Untagged version ++ version = "0.22.22"; + + src = fetchFromSourcehut { + owner = "~sircmpwn"; + repo = "scm.sr.ht"; + rev = version; +- sha256 = "sha256-/QryPjWJ2S0Ov9DTdrwbM81HYucHiYcLh0oKacflywI="; ++ sha256 = "sha256-iSzzyI8HZOpOb4dyt520MV/wds14fNag2+UOF09KS7w="; + }; + + nativeBuildInputs = srht.nativeBuildInputs; +diff --git a/pkgs/applications/version-management/sourcehut/todo.nix b/pkgs/applications/version-management/sourcehut/todo.nix +index 1446e68fa69..67367b71ff9 100644 +--- a/pkgs/applications/version-management/sourcehut/todo.nix ++++ b/pkgs/applications/version-management/sourcehut/todo.nix +@@ -1,5 +1,6 @@ + { lib + , fetchFromSourcehut ++, buildGoModule + , buildPythonPackage + , srht + , redis +@@ -8,23 +9,31 @@ + , pytest + , factory_boy + , python ++, unzip + }: + + buildPythonPackage rec { + pname = "todosrht"; +- version = "0.67.2"; ++ version = "0.71.2"; + + src = fetchFromSourcehut { + owner = "~sircmpwn"; + repo = "todo.sr.ht"; + rev = version; +- sha256 = "sha256-/QHsMlhzyah85ubZyx8j4GDUoITuWcLDJKosbZGeOZU="; ++ sha256 = "sha256-m7FY+jXpwPnK1+b1iQiDGe8JPfAFQp65BzGH6WvNwhM="; + }; + +- patches = [ +- # Revert change breaking Unix socket support for Redis +- 
patches/redis-socket/todo/0001-Revert-Add-webhook-queue-monitoring.patch
+- ];
++ postPatch = ''
++ substituteInPlace Makefile \
++ --replace "all: api" ""
++ '';
++
++ todosrht-api = buildGoModule ({
++ inherit src version;
++ pname = "todosrht-api";
++ modRoot = "api";
++ vendorSha256 = "sha256-ttGT7lUh8O+9KvbaEGWUsthefXQ2ATeli0tnlXCjZFk=";
++ } // import ./fix-gqlgen-trimpath.nix {inherit unzip;});
+
+ nativeBuildInputs = srht.nativeBuildInputs;
+
+@@ -40,6 +49,10 @@ buildPythonPackage rec {
+ export SRHT_PATH=${srht}/${python.sitePackages}/srht
+ '';
+
++ postInstall = ''
++ ln -s ${todosrht-api}/bin/api $out/bin/todosrht-api
++ '';
++
+ # pytest tests fail
+ checkInputs = [
+ pytest
-- 
2.47.0
From b71f19df668dbcebe5796cfc6ae52f44fb1206c0 Mon Sep 17 00:00:00 2001
From: Julien Moutinho
Date: Thu, 19 May 2022 11:23:50 +0200
Subject: [PATCH 15/16] openvpn: fix tls-cipher
---
 hosts/losurdo/networking/openvpn/calyx.nix | 2 +-
 hosts/losurdo/networking/openvpn/riseup.nix | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/hosts/losurdo/networking/openvpn/calyx.nix b/hosts/losurdo/networking/openvpn/calyx.nix
index 7b34b59..efa58f7 100644
--- a/hosts/losurdo/networking/openvpn/calyx.nix
+++ b/hosts/losurdo/networking/openvpn/calyx.nix
@@ -36,7 +36,7 @@ services.openvpn.servers.${netns} = {
 remote-cert-tls = "server";
 reneg-sec = 0;
 script-security = 2;
- tls-cipher = "DHE-RSA-AES128-SHA";
+ tls-cipher = "TLS-DHE-RSA-WITH-AES-128-CBC-SHA";
 tls-client = true;
 tun-ipv6 = true;
 up-restart = true;
diff --git a/hosts/losurdo/networking/openvpn/riseup.nix b/hosts/losurdo/networking/openvpn/riseup.nix
index 13d024e..7e7e6ca 100644
--- a/hosts/losurdo/networking/openvpn/riseup.nix
+++ b/hosts/losurdo/networking/openvpn/riseup.nix
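Review bot: The new `tls-cipher` value pins the OpenVPN control channel to a single TLS 1.2 suite using AES-128-CBC with an HMAC-SHA1 MAC (no AEAD suite can be negotiated), and nothing in the hunk records why that restriction exists; the same line is changed in the riseup.nix hunk that follows. A one-line comment naming the constraint, e.g. `# Suite required by the provider's server; tls-cipher only governs TLS <= 1.2, TLS 1.3 suites are set via tls-ciphersuites`, would let a later reader tell a provider requirement from an oversight. If the provider also accepts an ECDHE/GCM suite, listing it first in the same option keeps the fallback while preferring forward-secret AEAD. The renamed value is the OpenVPN (IANA-style) spelling of the old OpenSSL name, so the change itself looks correct.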
@@ -46,7 +46,7 @@ services.openvpn.servers.${netns} = {
 remote-cert-tls = "server";
 reneg-sec = 0;
 script-security = 2;
- tls-cipher = "DHE-RSA-AES128-SHA";
+ tls-cipher = "TLS-DHE-RSA-WITH-AES-128-CBC-SHA";
 tls-client = true;
 tun-ipv6 = true;
 up-restart = true;
-- 
2.47.0
From 28deb9c5c901478a26687bbd3cc2f9bc84ca264b Mon Sep 17 00:00:00 2001
From: Julien Moutinho
Date: Thu, 19 May 2022 11:25:59 +0200
Subject: [PATCH 16/16] public-inbox: update
---
 hosts/mermet/public-inbox.nix | 8 +++++++-
 nixpkgs/patches.nix | 4 ++--
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/hosts/mermet/public-inbox.nix b/hosts/mermet/public-inbox.nix
index 20625b3..d167489 100644
--- a/hosts/mermet/public-inbox.nix
+++ b/hosts/mermet/public-inbox.nix
@@ -36,12 +36,14 @@ fileSystems."/var/lib/public-inbox" = {
 };
 systemd.services = {
 public-inbox-httpd = {
+ confinement.enable = true;
 serviceConfig = {
 SupplementaryGroups = [ groups."git-daemon".name ];
- BindReadOnlyPaths = [ "/var/lib/acme/${domain}" ];
+ #BindReadOnlyPaths = [ "/var/lib/acme/${domain}" ];
 };
 };
 public-inbox-imapd = {
+ confinement.enable = true;
 wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service"];
 after = [ "acme-selfsigned-${domain}.service" ];
 serviceConfig = {
@@ -49,7 +51,11 @@ systemd.services = {
 BindReadOnlyPaths = [ "/var/lib/acme/${domain}" ];
 };
 };
+ public-inbox-init = {
+ confinement.enable = true;
+ };
 public-inbox-nntpd = {
+ confinement.enable = true;
 wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service"];
 after = [ "acme-selfsigned-${domain}.service" ];
 serviceConfig = {
diff --git a/nixpkgs/patches.nix b/nixpkgs/patches.nix
index 4232c4e..10d80e5 100644
--- a/nixpkgs/patches.nix
+++ b/nixpkgs/patches.nix
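Review bot: In the public-inbox.nix hunk, `BindReadOnlyPaths` for public-inbox-httpd is commented out in the same change that turns on `confinement.enable`, so a reader cannot tell whether httpd stopped needing the ACME directory or whether the bind was dropped to get the confined service to start. Either delete the line with a reason, e.g. `# httpd does not read the ACME certificate; imapd/nntpd keep their bind below`, or keep the bind, since a confined service only sees what is explicitly bound in. The second hunk confines `public-inbox-init` with no `serviceConfig` at all; if that unit writes to the inbox state directory, the confinement chroot will presumably need that path bound read-write, which is worth verifying on first boot rather than assuming. The remaining `confinement.enable = true;` additions for imapd and nntpd keep their ACME binds and look consistent.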
@@ -12,9 +12,9 @@
 sha256 = "sha256-rHf6TRd2O6SBdk7B4FGUm3upFJavrRSxko0iQti+xzs=";
 }
 {
- meta.description = "Update public-inbox to 1.7.0 and add systemd services";
+ meta.description = "Update public-inbox to 1.8.0 and add systemd services";
 url = "https://github.com/NixOS/nixpkgs/pull/104457.diff";
- sha256 = "sha256-vkWhVVJDaw2nVSELl0+SEald1k9gEn+My4hJ7WxZDIs=";
+ sha256 = "sha256-5XXYy62Wm0zubl42axLJ5mPwBgMs5g50lOvAfCCrqHc=";
 }
 {
 meta.description = "nixos/openvpn: add network namespace support";
-- 
2.47.0
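Review bot: The re-pinned `sha256` is for a `pull/104457.diff` URL whose content changes every time the pull request is updated, so the hash will keep breaking and, more importantly, the new hash alone does not tell a reviewer which revision of the PR was audited before being applied to nixpkgs. Recording the PR head commit next to the hash, e.g. `# PR head <commit id of the PR revision this hash was taken from>`, or pointing `url` at a commit-range `.diff` instead of the moving `pull/N.diff`, would make each hash change attributable to a specific upstream revision. The description bump to 1.8.0 is otherwise consistent with the hash change.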