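# NixOS module: a single-host sourcehut (meta.sr.ht + git.sr.ht) deployment
# fronted by nginx, with all secret material referenced by file path.
{ config, ... }:
let
  # Secrets live outside the world-readable Nix store; every value below that
  # points here is a *file path*, never the secret itself. Ownership and mode
  # of these files are managed outside this module — TODO confirm the
  # sourcehut service users can read them.
  secretsPath = "/var/secrets/sourcehut";
  fqdn = "srht.c8h4.io";
in {
  services.sourcehut = {
    enable = true;
    redis.enable = true;
    postgresql.enable = true;

    meta = {
      enable = true;
      # Bind gunicorn to the IPv6 loopback only; nginx (enabled below) is the
      # only listener that should be reachable from outside.
      # NOTE(review): gunicorn accumulates `--bind` flags rather than replacing
      # them, and setting extraArgs replaces the option's default list — confirm
      # the generated ExecStart does not also carry a second, wider bind.
      gunicorn.extraArgs = [ "--bind [::1]:${toString config.services.sourcehut.meta.port}" ];
    };

    git = {
      enable = true;
      # The SSH account git.sr.ht serves; see the openssh/users settings below.
      user = "git";
      # Same loopback-only bind as meta; same caveat about gunicorn's `--bind`.
      gunicorn.extraArgs = [ "--bind [::1]:${toString config.services.sourcehut.git.port}" ];
    };

    nginx = {
      enable = true;
      # Reuse the single ACME certificate declared under security.acme below.
      virtualHost.useACMEHost = fqdn;
    };

    settings = {
      "sr.ht" = {
        environment = "production";
        global-domain = fqdn;
        owner-name = "Christoph Heiss";
        owner-email = "christoph@c8h4.io";
        # Paths, not key material.
        network-key = "${secretsPath}/network-key";
        service-key = "${secretsPath}/service-key";
      };

      "meta.sr.ht".origin = "https://meta.${fqdn}";
      # Closed instance: no self-service registration and zero invites per user.
      "meta.sr.ht::settings" = {
        user-invites = 0;
        registration = false;
      };

      "git.sr.ht" = {
        oauth-client-id = fqdn;
        oauth-client-secret = "${secretsPath}/oauth-client-secret";
        outgoing-domain = "https://git.${fqdn}";
        origin = "https://git.${fqdn}";
      };

      mail = {
        smtp-from = "srht@c8h4.io";
        # Fingerprint is public; the key pair itself is read from secretsPath.
        pgp-key-id = "6C28803321A0F6C53B78A2AF3D84AB70408524DD";
        pgp-pubkey = "${secretsPath}/pgp-pubkey";
        pgp-privkey = "${secretsPath}/pgp-privkey";
      };

      webhooks.private-key = "${secretsPath}/webhooks-private-key";
    };
  };

  # One certificate for the apex plus a wildcard covering the meta./git.
  # subdomains. With Let's Encrypt a wildcard name requires the DNS-01
  # challenge; the DNS provider credentials are configured outside this file —
  # TODO confirm. `group = "nginx"` lets the nginx workers read the key.
  security.acme.certs.${fqdn} = {
    extraDomainNames = [ "*.srht.c8h4.io" ];
    group = "nginx";
  };

  # Bind the secrets directory read-only into every sourcehut unit that has to
  # read from it (the units are sandboxed, so the path is otherwise invisible).
  # NOTE(review): only the metasrht*/gitsrht* units are listed — confirm no
  # other unit (e.g. SSH helper hooks) also reads from secretsPath.
  systemd.services =
    let
      units = [
        "metasrht"
        "metasrht-api"
        "metasrht-daily"
        "metasrht-webhooks"
        "gitsrht"
        "gitsrht-api"
        "gitsrht-periodic"
        "gitsrht-webhooks"
      ];
      bindSecrets = name: {
        inherit name;
        value.serviceConfig.BindReadOnlyPaths = [ secretsPath ];
      };
    in
    builtins.listToAttrs (map bindSecrets units);

  # Only the `git` user may log in over SSH (a list option, so another module
  # can still append an admin account).
  # NOTE(review): NixOS leaves PasswordAuthentication enabled by default;
  # consider `services.openssh.settings.PasswordAuthentication = false` if
  # git.sr.ht access is key-based only (presumably via its
  # AuthorizedKeysCommand — verify).
  services.openssh.settings.AllowUsers = [ "git" ];

  # Disable password login for the `git` account.
  # `users.users.<name>.password` is the *clear-text* password (NixOS hashes it
  # on activation), so the previous `password = "*"` set a one-character
  # password instead of disabling login. `hashedPassword = "*"` is not a valid
  # crypt hash, so no password can match it.
  users.users.git.hashedPassword = "*";
}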