nixos-config/services/sourcehut.nix

{ config, my, pkgs, ... }:

let
  secretsPath = "/var/secrets/sourcehut";
  acmeHost = "c8h4.io";
  fqdn = "srht.${acmeHost}";
in {
  services.sourcehut = {
    enable = true;
    redis.enable = true;
    postgresql.enable = true;
    meta = {
      enable = true;
      gunicorn.extraArgs =
        [ "--bind [::1]:${toString config.services.sourcehut.meta.port}" ];
    };
    git = {
      enable = true;
      user = "git";
      gunicorn.extraArgs =
        [ "--bind [::1]:${toString config.services.sourcehut.git.port}" ];
    };

    nginx = {
      enable = true;
      virtualHost.useACMEHost = acmeHost;
    };

    settings = {
      "sr.ht" = {
        environment = "production";
        global-domain = fqdn;
        owner-name = "Christoph Heiss";
        owner-email = "christoph@c8h4.io";
        network-key = "${secretsPath}/network-key";
        service-key = "${secretsPath}/service-key";
      };

      "meta.sr.ht".origin = "https://meta.${fqdn}";

      "meta.sr.ht::settings" = {
        user-invites = 0;
        registration = false;
      };

      "git.sr.ht" = {
        oauth-client-id = fqdn;
        oauth-client-secret = "${secretsPath}/oauth-client-secret";
        outgoing-domain = "https://git.${fqdn}";
        origin = "https://git.${fqdn}";
      };

      mail = {
        smtp-from = "srht@c8h4.io";
        pgp-key-id = "6C28803321A0F6C53B78A2AF3D84AB70408524DD";
        pgp-pubkey = "${secretsPath}/pgp-pubkey";
        pgp-privkey = "${secretsPath}/pgp-privkey";
      };

      webhooks.private-key = "${secretsPath}/webhooks-private-key";
    };
  };

  security.acme.certs."c8h4.io".extraDomainNames = [ "*.${fqdn}" ];

  # Binds the sourcehut secrets path read-only into services that require them
  systemd.services = let
    services = [
      "metasrht"
      "metasrht-api"
      "metasrht-daily"
      "metasrht-webhooks"
      "gitsrht"
      "gitsrht-api"
      "gitsrht-periodic"
      "gitsrht-webhooks"
    ];
  in builtins.listToAttrs (map (name: {
    inherit name;
    value.serviceConfig.BindReadOnlyPaths = [ secretsPath ];
  }) services);

  services.openssh.settings.AllowUsers = [ "git" ];

  users.users = {
    git = {
      # Disable login for `git` user
      password = "*";
      extraGroups = [ "restic-backup" ];
    };
  };

  services.restic.backups.gitsrht = let resticCfg = my.homelab.services.restic;
  in {
    inherit (resticCfg) environmentFile;
    initialize = true;
    repository = "${resticCfg.repositoryBase}/${config.networking.hostName}";
    passwordFile = "/var/secrets/restic/repo/${config.networking.hostName}";
    user = "git";
    paths = [ "/var/lib/sourcehut/gitsrht" ];
    timerConfig.OnCalendar = "*-*-* 4:15:00"; # daily at 04:15
    backupCleanupCommand = my.mkResticBackupNotificationCmd {
      name = "gitsrht";
      inherit pkgs;
      inherit (my.notifications.backup-bot) environmentFile;
    };
  };
}
services: add restic backup job notifications Signed-off-by: Christoph Heiss <christoph@c8h4.io> 2023-12-03 21:42:58 +01:00			`{ config, my, pkgs, ... }:`
machines: Add `srht` Signed-off-by: Christoph Heiss <christoph@c8h4.io> 2023-04-22 15:00:19 +02:00
			`let`
			`secretsPath = "/var/secrets/sourcehut";`
secrets: shuffle them around a bit, enforce some better pratices Signed-off-by: Christoph Heiss <christoph@c8h4.io> 2024-01-31 00:13:42 +01:00			`acmeHost = "c8h4.io";`
			`fqdn = "srht.${acmeHost}";`
machines: Add `srht` Signed-off-by: Christoph Heiss <christoph@c8h4.io> 2023-04-22 15:00:19 +02:00			`in {`
			`services.sourcehut = {`
			`enable = true;`
			`redis.enable = true;`
			`postgresql.enable = true;`
			`meta = {`
			`enable = true;`
			`gunicorn.extraArgs =`
			`[ "--bind [::1]:${toString config.services.sourcehut.meta.port}" ];`
			`};`
			`git = {`
			`enable = true;`
			`user = "git";`
			`gunicorn.extraArgs =`
			`[ "--bind [::1]:${toString config.services.sourcehut.git.port}" ];`
			`};`

			`nginx = {`
			`enable = true;`
secrets: shuffle them around a bit, enforce some better pratices Signed-off-by: Christoph Heiss <christoph@c8h4.io> 2024-01-31 00:13:42 +01:00			`virtualHost.useACMEHost = acmeHost;`
machines: Add `srht` Signed-off-by: Christoph Heiss <christoph@c8h4.io> 2023-04-22 15:00:19 +02:00			`};`

			`settings = {`
			`"sr.ht" = {`
			`environment = "production";`
			`global-domain = fqdn;`
			`owner-name = "Christoph Heiss";`
			`owner-email = "christoph@c8h4.io";`
			`network-key = "${secretsPath}/network-key";`
			`service-key = "${secretsPath}/service-key";`
			`};`

			`"meta.sr.ht".origin = "https://meta.${fqdn}";`

			`"meta.sr.ht::settings" = {`
			`user-invites = 0;`
			`registration = false;`
			`};`

			`"git.sr.ht" = {`
			`oauth-client-id = fqdn;`
			`oauth-client-secret = "${secretsPath}/oauth-client-secret";`
			`outgoing-domain = "https://git.${fqdn}";`
			`origin = "https://git.${fqdn}";`
			`};`

			`mail = {`
			`smtp-from = "srht@c8h4.io";`
			`pgp-key-id = "6C28803321A0F6C53B78A2AF3D84AB70408524DD";`
			`pgp-pubkey = "${secretsPath}/pgp-pubkey";`
			`pgp-privkey = "${secretsPath}/pgp-privkey";`
			`};`

			`webhooks.private-key = "${secretsPath}/webhooks-private-key";`
			`};`
			`};`

secrets: shuffle them around a bit, enforce some better pratices Signed-off-by: Christoph Heiss <christoph@c8h4.io> 2024-01-31 00:13:42 +01:00			`security.acme.certs."c8h4.io".extraDomainNames = [ "*.${fqdn}" ];`
machines: Add `srht` Signed-off-by: Christoph Heiss <christoph@c8h4.io> 2023-04-22 15:00:19 +02:00
services: sourcehut: Clean up a bit Signed-off-by: Christoph Heiss <christoph@c8h4.io> 2023-05-02 22:56:16 +02:00			`# Binds the sourcehut secrets path read-only into services that require them`
			`systemd.services = let`
			`services = [`
			`"metasrht"`
			`"metasrht-api"`
services: sourcehut: Bind secrets path into `metasrht-daily` service too Signed-off-by: Christoph Heiss <christoph@c8h4.io> 2023-05-08 16:43:44 +02:00			`"metasrht-daily"`
services: sourcehut: Clean up a bit Signed-off-by: Christoph Heiss <christoph@c8h4.io> 2023-05-02 22:56:16 +02:00			`"metasrht-webhooks"`
			`"gitsrht"`
			`"gitsrht-api"`
			`"gitsrht-periodic"`
			`"gitsrht-webhooks"`
			`];`
			`in builtins.listToAttrs (map (name: {`
			`inherit name;`
			`value.serviceConfig.BindReadOnlyPaths = [ secretsPath ];`
			`}) services);`
machines: Add `srht` Signed-off-by: Christoph Heiss <christoph@c8h4.io> 2023-04-22 15:00:19 +02:00
flake, sources: update nixpkgs to 29-11-2023, home-manager to 30-11-2023 Signed-off-by: Christoph Heiss <christoph@c8h4.io> 2023-12-02 19:39:28 +01:00			`services.openssh.settings.AllowUsers = [ "git" ];`
machines: Add `srht` Signed-off-by: Christoph Heiss <christoph@c8h4.io> 2023-04-22 15:00:19 +02:00
services: sourcehut: add restic backup job for gitsrht Signed-off-by: Christoph Heiss <christoph@c8h4.io> 2023-12-02 23:48:32 +01:00			`users.users = {`
			`git = {`
			# Disable login for `git` user
			`password = "*";`
			`extraGroups = [ "restic-backup" ];`
			`};`
			`};`

			`services.restic.backups.gitsrht = let resticCfg = my.homelab.services.restic;`
			`in {`
			`inherit (resticCfg) environmentFile;`
			`initialize = true;`
			`repository = "${resticCfg.repositoryBase}/${config.networking.hostName}";`
			`passwordFile = "/var/secrets/restic/repo/${config.networking.hostName}";`
			`user = "git";`
			`paths = [ "/var/lib/sourcehut/gitsrht" ];`
services: spread out restic backups a bit to avoid server lock contention Signed-off-by: Christoph Heiss <christoph@c8h4.io> 2023-12-03 21:41:32 +01:00			`timerConfig.OnCalendar = "--* 4:15:00"; # daily at 04:15`
services: add restic backup job notifications Signed-off-by: Christoph Heiss <christoph@c8h4.io> 2023-12-03 21:42:58 +01:00			`backupCleanupCommand = my.mkResticBackupNotificationCmd {`
			`name = "gitsrht";`
			`inherit pkgs;`
			`inherit (my.notifications.backup-bot) environmentFile;`
			`};`
services: sourcehut: add restic backup job for gitsrht Signed-off-by: Christoph Heiss <christoph@c8h4.io> 2023-12-02 23:48:32 +01:00			`};`
machines: Add `srht` Signed-off-by: Christoph Heiss <christoph@c8h4.io> 2023-04-22 15:00:19 +02:00			`}`