nixos-config/services/sourcehut.nix

{ config, lib, ... }:

let
  secretsPath = "/var/secrets/sourcehut";
  fqdn = "srht.c8h4.io";
in {
  services.sourcehut = {
    enable = true;
    redis.enable = true;
    postgresql.enable = true;
    meta = {
      enable = true;
      gunicorn.extraArgs =
        [ "--bind [::1]:${toString config.services.sourcehut.meta.port}" ];
    };
    git = {
      enable = true;
      user = "git";
      gunicorn.extraArgs =
        [ "--bind [::1]:${toString config.services.sourcehut.git.port}" ];
    };

    nginx = {
      enable = true;
      virtualHost.useACMEHost = fqdn;
    };

    settings = {
      "sr.ht" = {
        environment = "production";
        global-domain = fqdn;
        owner-name = "Christoph Heiss";
        owner-email = "christoph@c8h4.io";
        network-key = "${secretsPath}/network-key";
        service-key = "${secretsPath}/service-key";
      };

      "meta.sr.ht".origin = "https://meta.${fqdn}";

      "meta.sr.ht::settings" = {
        user-invites = 0;
        registration = false;
      };

      "git.sr.ht" = {
        oauth-client-id = fqdn;
        oauth-client-secret = "${secretsPath}/oauth-client-secret";
        outgoing-domain = "https://git.${fqdn}";
        origin = "https://git.${fqdn}";
      };

      mail = {
        smtp-from = "srht@c8h4.io";
        pgp-key-id = "6C28803321A0F6C53B78A2AF3D84AB70408524DD";
        pgp-pubkey = "${secretsPath}/pgp-pubkey";
        pgp-privkey = "${secretsPath}/pgp-privkey";
      };

      webhooks.private-key = "${secretsPath}/webhooks-private-key";
    };
  };

  security.acme.certs.${fqdn} = {
    extraDomainNames = [ "*.srht.c8h4.io" ];
    group = "nginx";
  };

  # Binds the sourcehut secrets path read-only into services that require them
  systemd.services = let
    services = [
      "metasrht"
      "metasrht-api"
      "metasrht-daily"
      "metasrht-webhooks"
      "gitsrht"
      "gitsrht-api"
      "gitsrht-periodic"
      "gitsrht-webhooks"
    ];
  in builtins.listToAttrs (map (name: {
    inherit name;
    value.serviceConfig.BindReadOnlyPaths = [ secretsPath ];
  }) services);

  # TODO: Do properly once https://github.com/NixOS/nixpkgs/pull/227442 is merged
  services.openssh.settings.AllowUsers = lib.mkForce "christoph git";

  # Disable login for `git` user
  users.users.git.password = "*";
}
machines: Add `srht` Signed-off-by: Christoph Heiss <christoph@c8h4.io> 2023-04-22 15:00:19 +02:00			`{ config, lib, ... }:`

			`let`
			`secretsPath = "/var/secrets/sourcehut";`
			`fqdn = "srht.c8h4.io";`
			`in {`
			`services.sourcehut = {`
			`enable = true;`
			`redis.enable = true;`
			`postgresql.enable = true;`
			`meta = {`
			`enable = true;`
			`gunicorn.extraArgs =`
			`[ "--bind [::1]:${toString config.services.sourcehut.meta.port}" ];`
			`};`
			`git = {`
			`enable = true;`
			`user = "git";`
			`gunicorn.extraArgs =`
			`[ "--bind [::1]:${toString config.services.sourcehut.git.port}" ];`
			`};`

			`nginx = {`
			`enable = true;`
			`virtualHost.useACMEHost = fqdn;`
			`};`

			`settings = {`
			`"sr.ht" = {`
			`environment = "production";`
			`global-domain = fqdn;`
			`owner-name = "Christoph Heiss";`
			`owner-email = "christoph@c8h4.io";`
			`network-key = "${secretsPath}/network-key";`
			`service-key = "${secretsPath}/service-key";`
			`};`

			`"meta.sr.ht".origin = "https://meta.${fqdn}";`

			`"meta.sr.ht::settings" = {`
			`user-invites = 0;`
			`registration = false;`
			`};`

			`"git.sr.ht" = {`
			`oauth-client-id = fqdn;`
			`oauth-client-secret = "${secretsPath}/oauth-client-secret";`
			`outgoing-domain = "https://git.${fqdn}";`
			`origin = "https://git.${fqdn}";`
			`};`

			`mail = {`
			`smtp-from = "srht@c8h4.io";`
			`pgp-key-id = "6C28803321A0F6C53B78A2AF3D84AB70408524DD";`
			`pgp-pubkey = "${secretsPath}/pgp-pubkey";`
			`pgp-privkey = "${secretsPath}/pgp-privkey";`
			`};`

			`webhooks.private-key = "${secretsPath}/webhooks-private-key";`
			`};`
			`};`

			`security.acme.certs.${fqdn} = {`
			`extraDomainNames = [ "*.srht.c8h4.io" ];`
			`group = "nginx";`
			`};`

services: sourcehut: Clean up a bit Signed-off-by: Christoph Heiss <christoph@c8h4.io> 2023-05-02 22:56:16 +02:00			`# Binds the sourcehut secrets path read-only into services that require them`
			`systemd.services = let`
			`services = [`
			`"metasrht"`
			`"metasrht-api"`
services: sourcehut: Bind secrets path into `metasrht-daily` service too Signed-off-by: Christoph Heiss <christoph@c8h4.io> 2023-05-08 16:43:44 +02:00			`"metasrht-daily"`
services: sourcehut: Clean up a bit Signed-off-by: Christoph Heiss <christoph@c8h4.io> 2023-05-02 22:56:16 +02:00			`"metasrht-webhooks"`
			`"gitsrht"`
			`"gitsrht-api"`
			`"gitsrht-periodic"`
			`"gitsrht-webhooks"`
			`];`
			`in builtins.listToAttrs (map (name: {`
			`inherit name;`
			`value.serviceConfig.BindReadOnlyPaths = [ secretsPath ];`
			`}) services);`
machines: Add `srht` Signed-off-by: Christoph Heiss <christoph@c8h4.io> 2023-04-22 15:00:19 +02:00
services: sourcehut: Clean up a bit Signed-off-by: Christoph Heiss <christoph@c8h4.io> 2023-05-02 22:56:16 +02:00			`# TODO: Do properly once https://github.com/NixOS/nixpkgs/pull/227442 is merged`
			`services.openssh.settings.AllowUsers = lib.mkForce "christoph git";`
machines: Add `srht` Signed-off-by: Christoph Heiss <christoph@c8h4.io> 2023-04-22 15:00:19 +02:00
services: sourcehut: Clean up a bit Signed-off-by: Christoph Heiss <christoph@c8h4.io> 2023-05-02 22:56:16 +02:00			# Disable login for `git` user
machines: Add `srht` Signed-off-by: Christoph Heiss <christoph@c8h4.io> 2023-04-22 15:00:19 +02:00			`users.users.git.password = "*";`
			`}`