pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / modules / services / misc / sourcehut / git.nix
at 22.05-pre 7.4 kB view raw
1{ config, lib, pkgs, ... }: 2 3with lib; 4let 5 cfg = config.services.sourcehut; 6 scfg = cfg.git; 7 iniKey = "git.sr.ht"; 8 9 rcfg = config.services.redis; 10 drv = pkgs.sourcehut.gitsrht; 11in 12{ 13 options.services.sourcehut.git = { 14 user = mkOption { 15 type = types.str; 16 visible = false; 17 internal = true; 18 readOnly = true; 19 default = "git"; 20 description = '' 21 User for git.sr.ht. 22 ''; 23 }; 24 25 port = mkOption { 26 type = types.port; 27 default = 5001; 28 description = '' 29 Port on which the "git" module should listen. 30 ''; 31 }; 32 33 database = mkOption { 34 type = types.str; 35 default = "git.sr.ht"; 36 description = '' 37 PostgreSQL database name for git.sr.ht. 38 ''; 39 }; 40 41 statePath = mkOption { 42 type = types.path; 43 default = "${cfg.statePath}/gitsrht"; 44 description = '' 45 State path for git.sr.ht. 46 ''; 47 }; 48 49 package = mkOption { 50 type = types.package; 51 default = pkgs.git; 52 defaultText = literalExpression "pkgs.git"; 53 example = literalExpression "pkgs.gitFull"; 54 description = '' 55 Git package for git.sr.ht. This can help silence collisions. 56 ''; 57 }; 58 }; 59 60 config = with scfg; lib.mkIf (cfg.enable && elem "git" cfg.services) { 61 # sshd refuses to run with `Unsafe AuthorizedKeysCommand ... bad ownership or modes for directory /nix/store` 62 environment.etc."ssh/gitsrht-dispatch" = { 63 mode = "0755"; 64 text = '' 65 #! ${pkgs.stdenv.shell} 66 ${cfg.python}/bin/gitsrht-dispatch "$@" 67 ''; 68 }; 69 70 # Needs this in the $PATH when sshing into the server 71 environment.systemPackages = [ cfg.git.package ]; 72 73 users = { 74 users = { 75 "${user}" = { 76 isSystemUser = true; 77 group = user; 78 # https://stackoverflow.com/questions/22314298/git-push-results-in-fatal-protocol-error-bad-line-length-character-this 79 # Probably could use gitsrht-shell if output is restricted to just parameters... 80 shell = pkgs.bash; 81 description = "git.sr.ht user"; 82 }; 83 }; 84 85 groups = { 86 "${user}" = { }; 87 }; 88 }; 89 90 services = { 91 cron.systemCronJobs = [ "*/20 * * * * ${cfg.python}/bin/gitsrht-periodic" ]; 92 fcgiwrap.enable = true; 93 94 openssh.authorizedKeysCommand = ''/etc/ssh/gitsrht-dispatch "%u" "%h" "%t" "%k"''; 95 openssh.authorizedKeysCommandUser = "root"; 96 openssh.extraConfig = '' 97 PermitUserEnvironment SRHT_* 98 ''; 99 100 postgresql = { 101 authentication = '' 102 local ${database} ${user} trust 103 ''; 104 ensureDatabases = [ database ]; 105 ensureUsers = [ 106 { 107 name = user; 108 ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; }; 109 } 110 ]; 111 }; 112 }; 113 114 systemd = { 115 tmpfiles.rules = [ 116 # /var/log is owned by root 117 "f /var/log/git-srht-shell 0644 ${user} ${user} -" 118 119 "d ${statePath} 0750 ${user} ${user} -" 120 "d ${cfg.settings."${iniKey}".repos} 2755 ${user} ${user} -" 121 ]; 122 123 services = { 124 gitsrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey { 125 after = [ "redis.service" "postgresql.service" "network.target" ]; 126 requires = [ "redis.service" "postgresql.service" ]; 127 wantedBy = [ "multi-user.target" ]; 128 129 # Needs internally to create repos at the very least 130 path = [ pkgs.git ]; 131 description = "git.sr.ht website service"; 132 133 serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}"; 134 }; 135 136 gitsrht-webhooks = { 137 after = [ "postgresql.service" "network.target" ]; 138 requires = [ "postgresql.service" ]; 139 wantedBy = [ "multi-user.target" ]; 140 141 description = "git.sr.ht webhooks service"; 142 serviceConfig = { 143 Type = "simple"; 144 User = user; 145 Restart = "always"; 146 }; 147 148 serviceConfig.ExecStart = "${cfg.python}/bin/celery -A ${drv.pname}.webhooks worker --loglevel=info"; 149 }; 150 }; 151 }; 152 153 services.sourcehut.settings = { 154 # URL git.sr.ht is being served at (protocol://domain) 155 "git.sr.ht".origin = mkDefault "http://git.${cfg.originBase}"; 156 # Address and port to bind the debug server to 157 "git.sr.ht".debug-host = mkDefault "0.0.0.0"; 158 "git.sr.ht".debug-port = mkDefault port; 159 # Configures the SQLAlchemy connection string for the database. 160 "git.sr.ht".connection-string = mkDefault "postgresql:///${database}?user=${user}&host=/var/run/postgresql"; 161 # Set to "yes" to automatically run migrations on package upgrade. 162 "git.sr.ht".migrate-on-upgrade = mkDefault "yes"; 163 # The redis connection used for the webhooks worker 164 "git.sr.ht".webhooks = mkDefault "redis://${rcfg.bind}:${toString rcfg.port}/1"; 165 166 # A post-update script which is installed in every git repo. 167 "git.sr.ht".post-update-script = mkDefault "${pkgs.sourcehut.gitsrht}/bin/gitsrht-update-hook"; 168 169 # git.sr.ht's OAuth client ID and secret for meta.sr.ht 170 # Register your client at meta.example.org/oauth 171 "git.sr.ht".oauth-client-id = mkDefault null; 172 "git.sr.ht".oauth-client-secret = mkDefault null; 173 # Path to git repositories on disk 174 "git.sr.ht".repos = mkDefault "/var/lib/git"; 175 176 "git.sr.ht".outgoing-domain = mkDefault "http://git.${cfg.originBase}"; 177 178 # The authorized keys hook uses this to dispatch to various handlers 179 # The format is a program to exec into as the key, and the user to match as the 180 # value. When someone tries to log in as this user, this program is executed 181 # and is expected to omit an AuthorizedKeys file. 182 # 183 # Discard of the string context is in order to allow derivation-derived strings. 184 # This is safe if the relevant package is installed which will be the case if the setting is utilized. 185 "git.sr.ht::dispatch".${builtins.unsafeDiscardStringContext "${pkgs.sourcehut.gitsrht}/bin/gitsrht-keys"} = mkDefault "${user}:${user}"; 186 }; 187 188 services.nginx.virtualHosts."git.${cfg.originBase}" = { 189 forceSSL = true; 190 locations."/".proxyPass = "http://${cfg.address}:${toString port}"; 191 locations."/query".proxyPass = "http://${cfg.address}:${toString (port + 100)}"; 192 locations."/static".root = "${pkgs.sourcehut.gitsrht}/${pkgs.sourcehut.python.sitePackages}/gitsrht"; 193 extraConfig = '' 194 location = /authorize { 195 proxy_pass http://${cfg.address}:${toString port}; 196 proxy_pass_request_body off; 197 proxy_set_header Content-Length ""; 198 proxy_set_header X-Original-URI $request_uri; 199 } 200 location ~ ^/([^/]+)/([^/]+)/(HEAD|info/refs|objects/info/.*|git-upload-pack).*$ { 201 auth_request /authorize; 202 root /var/lib/git; 203 fastcgi_pass unix:/run/fcgiwrap.sock; 204 fastcgi_param SCRIPT_FILENAME ${pkgs.git}/bin/git-http-backend; 205 fastcgi_param PATH_INFO $uri; 206 fastcgi_param GIT_PROJECT_ROOT $document_root; 207 fastcgi_read_timeout 500s; 208 include ${pkgs.nginx}/conf/fastcgi_params; 209 gzip off; 210 } 211 ''; 212 213 }; 214 }; 215}