135 lines
3.4 KiB
Nix
135 lines
3.4 KiB
Nix
{ config, my, pkgs, secrets, ... }:
|
|
|
|
let
|
|
inherit (my) domain;
|
|
fqdn = "srht.${domain}";
|
|
srhtServices = [
|
|
"metasrht"
|
|
"metasrht-api"
|
|
"metasrht-daily"
|
|
"metasrht-webhooks"
|
|
"gitsrht"
|
|
"gitsrht-api"
|
|
"gitsrht-periodic"
|
|
"gitsrht-webhooks"
|
|
];
|
|
secretNames = [
|
|
"network-key"
|
|
"service-key"
|
|
"oauth-client-secret"
|
|
"webhooks-privkey"
|
|
"pgp-pubkey"
|
|
"pgp-privkey"
|
|
];
|
|
in {
|
|
sops.secrets = builtins.listToAttrs (map (n: {
|
|
name = "sourcehut/${n}";
|
|
value = {
|
|
sopsFile = ../secrets/sops/sourcehut.yaml;
|
|
owner = "root";
|
|
group = "sourcehut";
|
|
mode = "0440";
|
|
restartUnits = map (srv: "${srv}.service") srhtServices;
|
|
};
|
|
}) secretNames);
|
|
|
|
services.sourcehut = {
|
|
enable = true;
|
|
redis.enable = true;
|
|
postgresql.enable = true;
|
|
|
|
listenAddress = "[::1]";
|
|
|
|
meta.enable = true;
|
|
|
|
git = {
|
|
enable = true;
|
|
user = "git";
|
|
};
|
|
|
|
nginx = {
|
|
enable = true;
|
|
virtualHost.useACMEHost = domain;
|
|
};
|
|
|
|
settings = {
|
|
"sr.ht" = {
|
|
environment = "production";
|
|
global-domain = fqdn;
|
|
owner-name = "Christoph Heiss";
|
|
owner-email = "christoph@c8h4.io";
|
|
network-key = secrets."sourcehut/network-key".path;
|
|
service-key = secrets."sourcehut/service-key".path;
|
|
};
|
|
|
|
"meta.sr.ht".origin = "https://meta.${fqdn}";
|
|
|
|
"meta.sr.ht::settings" = {
|
|
user-invites = 0;
|
|
registration = false;
|
|
};
|
|
|
|
"git.sr.ht" = {
|
|
oauth-client-id = fqdn;
|
|
oauth-client-secret = secrets."sourcehut/oauth-client-secret".path;
|
|
outgoing-domain = "https://git.${fqdn}";
|
|
origin = "https://git.${fqdn}";
|
|
};
|
|
|
|
mail = {
|
|
smtp-from = "srht@c8h4.io";
|
|
pgp-key-id = "6C28803321A0F6C53B78A2AF3D84AB70408524DD";
|
|
pgp-pubkey = secrets."sourcehut/pgp-pubkey".path;
|
|
pgp-privkey = secrets."sourcehut/pgp-privkey".path;
|
|
};
|
|
|
|
webhooks.private-key = secrets."sourcehut/webhooks-privkey".path;
|
|
};
|
|
};
|
|
|
|
security.acme.certs."c8h4.io".extraDomainNames = [ "*.${fqdn}" ];
|
|
|
|
# Binds the sourcehut secrets path read-only into services that require them
|
|
systemd.services = builtins.listToAttrs (map (name: {
|
|
inherit name;
|
|
value.serviceConfig.BindReadOnlyPaths =
|
|
map (n: secrets."sourcehut/${n}".path) secretNames;
|
|
}) srhtServices);
|
|
|
|
services.openssh.settings.AllowUsers = [ "git" ];
|
|
|
|
users.groups.sourcehut = { };
|
|
|
|
users.users = {
|
|
git = {
|
|
# Disable login for `git` user
|
|
password = "*";
|
|
extraGroups = [ "restic-backup" "sourcehut" ];
|
|
};
|
|
metasrht.extraGroups = [ "sourcehut" ];
|
|
};
|
|
|
|
services.nginx.virtualHosts."git.${domain}" = {
|
|
forceSSL = true;
|
|
useACMEHost = my.domain;
|
|
kTLS = true;
|
|
# `globalRedirect` appends `$request_uri` to the target, which we do not want here
|
|
locations."/".return = "https://git.${fqdn}";
|
|
};
|
|
|
|
services.restic.backups.gitsrht = {
|
|
environmentFile = secrets."restic/rest-env".path;
|
|
initialize = true;
|
|
repository =
|
|
"${my.homelab.services.restic.repositoryBase}/${config.networking.hostName}";
|
|
passwordFile = secrets."restic/repo-password".path;
|
|
user = "git";
|
|
paths = [ "/var/lib/sourcehut/gitsrht" ];
|
|
timerConfig.OnCalendar = "*-*-* 4:15:00"; # daily at 04:15
|
|
backupCleanupCommand = my.mkResticBackupNotificationCmd {
|
|
name = "gitsrht";
|
|
inherit pkgs secrets;
|
|
};
|
|
};
|
|
}
|