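{ config, lib, ... }:

# SourceHut (meta.sr.ht + git.sr.ht) behind nginx. Every secret is referenced
# by file path under `secretsPath` so that nothing sensitive is written into
# the world-readable Nix store.
let
  # Directory holding the secret files referenced below. It is bind-mounted
  # read-only into the sandboxed sourcehut units further down.
  secretsPath = "/var/secrets/sourcehut";

  # Public domain of this instance. The per-service hosts are subdomains of it
  # and are covered by the wildcard ACME certificate requested below.
  fqdn = "srht.c8h4.io";
in {
  services.sourcehut = {
    enable = true;
    redis.enable = true;
    postgresql.enable = true;

    meta = {
      enable = true;
      # Listen on IPv6 loopback only, so the app server is never reachable
      # directly from the network; nginx sits in front of it.
      # NOTE(review): the module's own listen address / nginx upstream is not
      # visible here -- confirm the vhost actually proxies to [::1].
      gunicorn.extraArgs =
        [ "--bind [::1]:${toString config.services.sourcehut.meta.port}" ];
    };

    git = {
      enable = true;
      # System user that receives SSH pushes. It is allowed through sshd below
      # and its password login is disabled at the bottom of this file.
      user = "git";
      gunicorn.extraArgs =
        [ "--bind [::1]:${toString config.services.sourcehut.git.port}" ];
    };

    nginx = {
      enable = true;
      # Reuse the single wildcard certificate issued for `fqdn` for every
      # vhost instead of requesting one certificate per subdomain.
      virtualHost.useACMEHost = fqdn;
    };

    settings = {
      "sr.ht" = {
        environment = "production";
        global-domain = fqdn;
        owner-name = "Christoph Heiss";
        owner-email = "christoph@c8h4.io";
        # Paths to secret files, not the secrets themselves.
        network-key = "${secretsPath}/network-key";
        service-key = "${secretsPath}/service-key";
      };

      "meta.sr.ht".origin = "https://meta.${fqdn}";

      # Closed instance: self-service registration is off and users get no
      # invite quota.
      "meta.sr.ht::settings" = {
        user-invites = 0;
        registration = false;
      };

      "git.sr.ht" = {
        # NOTE(review): the OAuth client ID is normally the identifier issued
        # by meta.sr.ht when the client is registered; confirm that reusing
        # the domain name here matches the registered client.
        oauth-client-id = fqdn;
        oauth-client-secret = "${secretsPath}/oauth-client-secret";
        outgoing-domain = "https://git.${fqdn}";
        origin = "https://git.${fqdn}";
      };

      mail = {
        smtp-from = "srht@c8h4.io";
        # Fingerprint of the key pair below; only the private half is secret,
        # but both are kept out of the store for simplicity.
        pgp-key-id = "6C28803321A0F6C53B78A2AF3D84AB70408524DD";
        pgp-pubkey = "${secretsPath}/pgp-pubkey";
        pgp-privkey = "${secretsPath}/pgp-privkey";
      };

      webhooks.private-key = "${secretsPath}/webhooks-private-key";
    };
  };

  # Wildcard certificate covering `fqdn` and every `<service>.<fqdn>` vhost.
  # A wildcard name can only be validated via a DNS-01 challenge; no DNS
  # provider is configured in this file, so it must come from
  # `security.acme.defaults` elsewhere -- TODO confirm.
  security.acme.certs.${fqdn} = {
    # Derived from `fqdn` rather than repeating the literal domain.
    extraDomainNames = [ "*.${fqdn}" ];
    # Makes the certificate files readable by nginx.
    group = "nginx";
  };

  # Bind the secrets directory read-only into every sourcehut unit that needs
  # it; the units are sandboxed and would otherwise not see `secretsPath`.
  # NOTE(review): this exposes *every* file in the directory (including the
  # PGP and webhook private keys) to each listed unit. If the module version
  # in use supports per-unit credentials (e.g. systemd LoadCredential), that
  # would be the least-privilege alternative -- confirm before relying on it.
  systemd.services = let
    secretUsers = [
      "metasrht"
      "metasrht-api"
      "metasrht-daily"
      "metasrht-webhooks"
      "gitsrht"
      "gitsrht-api"
      "gitsrht-periodic"
      "gitsrht-webhooks"
    ];
  in lib.genAttrs secretUsers
    (_: { serviceConfig.BindReadOnlyPaths = [ secretsPath ]; });

  # Restrict SSH logins to the admin user and the git user (needed for pushes).
  # `mkForce` overrides whatever another module sets for this option; the
  # string form is a stop-gap until the option takes a list.
  # TODO: Do properly once https://github.com/NixOS/nixpkgs/pull/227442 is merged
  services.openssh.settings.AllowUsers = lib.mkForce "christoph git";

  # Disable password login for the `git` user: `*` is not a valid password
  # hash, so no password can ever match it. Key-based SSH access (how pushes
  # arrive) is unaffected.
  # This used to be `users.users.git.password = "*"`, which is the *clear-text*
  # password option: NixOS would hash the string "*" and install it as a
  # working password instead of locking the account.
  users.users.git.hashedPassword = "*";
}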