nixos/tests/sourcehut/nodes/common.nix at 24.11-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / tests / sourcehut / nodes / common.nix
at 24.11-pre 4.2 kB view raw
  1{ config, pkgs, nodes, ... }:
  2let
  3  domain = config.networking.domain;
  4
  5  # Note that wildcard certificates just under the TLD (eg. *.com)
  6  # would be rejected by clients like curl.
  7  tls-cert = pkgs.runCommand "selfSignedCerts" { buildInputs = [ pkgs.openssl ]; } ''
  8    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -days 36500 \
  9      -subj '/CN=${domain}' -extensions v3_req \
 10      -addext 'subjectAltName = DNS:*.${domain}'
 11    install -D -t $out key.pem cert.pem
 12  '';
 13in
 14{
 15  # buildsrht needs space
 16  virtualisation.diskSize = 4 * 1024;
 17  virtualisation.memorySize = 2 * 1024;
 18  networking.enableIPv6 = false;
 19
 20  services.sourcehut = {
 21    enable = true;
 22    nginx.enable = true;
 23    nginx.virtualHost = {
 24      forceSSL = true;
 25      sslCertificate = "${tls-cert}/cert.pem";
 26      sslCertificateKey = "${tls-cert}/key.pem";
 27    };
 28    postgresql.enable = true;
 29    redis.enable = true;
 30
 31    meta.enable = true;
 32
 33    settings."sr.ht" = {
 34      environment = "production";
 35      global-domain = config.networking.domain;
 36      service-key = pkgs.writeText "service-key" "8b327279b77e32a3620e2fc9aabce491cc46e7d821fd6713b2a2e650ce114d01";
 37      network-key = pkgs.writeText "network-key" "cEEmc30BRBGkgQZcHFksiG7hjc6_dK1XR2Oo5Jb9_nQ=";
 38    };
 39    settings.webhooks.private-key = pkgs.writeText "webhook-key" "Ra3IjxgFiwG9jxgp4WALQIZw/BMYt30xWiOsqD0J7EA=";
 40    settings.mail = {
 41      smtp-from = "root+hut@${domain}";
 42      # WARNING: take care to keep pgp-privkey outside the Nix store in production,
 43      # or use LoadCredentialEncrypted=
 44      pgp-privkey = toString (pkgs.writeText "sourcehut.pgp-privkey" ''
 45        -----BEGIN PGP PRIVATE KEY BLOCK-----
 46
 47        lFgEYqDRORYJKwYBBAHaRw8BAQdAehGoy36FUx2OesYm07be2rtLyvR5Pb/ltstd
 48        Gk7hYQoAAP9X4oPmxxrHN8LewBpWITdBomNqlHoiP7mI0nz/BOPJHxEktDZuaXhv
 49        cy90ZXN0cy9zb3VyY2VodXQgPHJvb3QraHV0QHNvdXJjZWh1dC5sb2NhbGRvbWFp
 50        bj6IlwQTFgoAPxYhBPqjgjnL8RHN4JnADNicgXaYm0jJBQJioNE5AhsDBQkDwmcA
 51        BgsJCAcDCgUVCgkICwUWAwIBAAIeBQIXgAAKCRDYnIF2mJtIySVCAP9e2nHsVHSi
 52        2B1YGZpVG7Xf36vxljmMkbroQy+0gBPwRwEAq+jaiQqlbGhQ7R/HMFcAxBIVsq8h
 53        Aw1rngsUd0o3dAicXQRioNE5EgorBgEEAZdVAQUBAQdAXZV2Sd5ZNBVTBbTGavMv
 54        D6ORrUh8z7TI/3CsxCE7+yADAQgHAAD/c1RU9xH+V/uI1fE7HIn/zL0LUPpsuce2
 55        cH++g4u3kBgTOYh+BBgWCgAmFiEE+qOCOcvxEc3gmcAM2JyBdpibSMkFAmKg0TkC
 56        GwwFCQPCZwAACgkQ2JyBdpibSMlKagD/cTre6p1m8QuJ7kwmCFRSz5tBzIuYMMgN
 57        xtT7dmS91csA/35fWsOykSiFRojQ7ccCSUTHL7ApF2EbL968tP/D2hIG
 58        =Hjoc
 59        -----END PGP PRIVATE KEY BLOCK-----
 60      '');
 61      pgp-pubkey = pkgs.writeText "sourcehut.pgp-pubkey" ''
 62        -----BEGIN PGP PUBLIC KEY BLOCK-----
 63
 64        mDMEYqDRORYJKwYBBAHaRw8BAQdAehGoy36FUx2OesYm07be2rtLyvR5Pb/ltstd
 65        Gk7hYQq0Nm5peG9zL3Rlc3RzL3NvdXJjZWh1dCA8cm9vdCtodXRAc291cmNlaHV0
 66        LmxvY2FsZG9tYWluPoiXBBMWCgA/FiEE+qOCOcvxEc3gmcAM2JyBdpibSMkFAmKg
 67        0TkCGwMFCQPCZwAGCwkIBwMKBRUKCQgLBRYDAgEAAh4FAheAAAoJENicgXaYm0jJ
 68        JUIA/17acexUdKLYHVgZmlUbtd/fq/GWOYyRuuhDL7SAE/BHAQCr6NqJCqVsaFDt
 69        H8cwVwDEEhWyryEDDWueCxR3Sjd0CLg4BGKg0TkSCisGAQQBl1UBBQEBB0BdlXZJ
 70        3lk0FVMFtMZq8y8Po5GtSHzPtMj/cKzEITv7IAMBCAeIfgQYFgoAJhYhBPqjgjnL
 71        8RHN4JnADNicgXaYm0jJBQJioNE5AhsMBQkDwmcAAAoJENicgXaYm0jJSmoA/3E6
 72        3uqdZvELie5MJghUUs+bQcyLmDDIDcbU+3ZkvdXLAP9+X1rDspEohUaI0O3HAklE
 73        xy+wKRdhGy/evLT/w9oSBg==
 74        =pJD7
 75        -----END PGP PUBLIC KEY BLOCK-----
 76      '';
 77      pgp-key-id = "0xFAA38239CBF111CDE099C00CD89C8176989B48C9";
 78    };
 79  };
 80
 81  networking.firewall.allowedTCPPorts = [ 80 443 ];
 82  security.pki.certificateFiles = [ "${tls-cert}/cert.pem" ];
 83  services.nginx = {
 84    enable = true;
 85    recommendedGzipSettings = true;
 86    recommendedOptimisation = true;
 87    recommendedTlsSettings = true;
 88    recommendedProxySettings = true;
 89  };
 90
 91  services.postgresql = {
 92    enable = true;
 93    enableTCPIP = false;
 94    settings.unix_socket_permissions = "0770";
 95  };
 96
 97  services.openssh = {
 98    enable = true;
 99    settings.PasswordAuthentication = false;
100    settings.PermitRootLogin = "no";
101  };
102
103  environment.systemPackages = with pkgs; [
104    hut # For interacting with the Sourcehut APIs via CLI
105    srht-gen-oauth-tok # To automatically generate user OAuth tokens
106  ];
107}