nixos/tests/sourcehut/nodes/common.nix at 25.11-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / tests / sourcehut / nodes / common.nix
at 25.11-pre 4.3 kB view raw
  1{
  2  config,
  3  pkgs,
  4  nodes,
  5  ...
  6}:
  7let
  8  domain = config.networking.domain;
  9
 10  # Note that wildcard certificates just under the TLD (eg. *.com)
 11  # would be rejected by clients like curl.
 12  tls-cert = pkgs.runCommand "selfSignedCerts" { buildInputs = [ pkgs.openssl ]; } ''
 13    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -days 36500 \
 14      -subj '/CN=${domain}' -extensions v3_req \
 15      -addext 'subjectAltName = DNS:*.${domain}'
 16    install -D -t $out key.pem cert.pem
 17  '';
 18in
 19{
 20  # buildsrht needs space
 21  virtualisation.diskSize = 4 * 1024;
 22  virtualisation.memorySize = 2 * 1024;
 23  networking.enableIPv6 = false;
 24
 25  services.sourcehut = {
 26    enable = true;
 27    nginx.enable = true;
 28    nginx.virtualHost = {
 29      forceSSL = true;
 30      sslCertificate = "${tls-cert}/cert.pem";
 31      sslCertificateKey = "${tls-cert}/key.pem";
 32    };
 33    postgresql.enable = true;
 34    redis.enable = true;
 35
 36    meta.enable = true;
 37
 38    settings."sr.ht" = {
 39      environment = "production";
 40      global-domain = config.networking.domain;
 41      service-key = pkgs.writeText "service-key" "8b327279b77e32a3620e2fc9aabce491cc46e7d821fd6713b2a2e650ce114d01";
 42      network-key = pkgs.writeText "network-key" "cEEmc30BRBGkgQZcHFksiG7hjc6_dK1XR2Oo5Jb9_nQ=";
 43    };
 44    settings.webhooks.private-key = pkgs.writeText "webhook-key" "Ra3IjxgFiwG9jxgp4WALQIZw/BMYt30xWiOsqD0J7EA=";
 45    settings.mail = {
 46      smtp-from = "root+hut@${domain}";
 47      # WARNING: take care to keep pgp-privkey outside the Nix store in production,
 48      # or use LoadCredentialEncrypted=
 49      pgp-privkey = toString (
 50        pkgs.writeText "sourcehut.pgp-privkey" ''
 51          -----BEGIN PGP PRIVATE KEY BLOCK-----
 52
 53          lFgEZrFBKRYJKwYBBAHaRw8BAQdAS1Ffiytk0h0z0jfaT3qyiDUV/plVIUwOg1Yr
 54          AXP2YmsAAP0W6QMC3G2G41rzCGLeSHeGibor1+XuxvcwUpVdW7ge+BH/tDZuaXhv
 55          cy90ZXN0cy9zb3VyY2VodXQgPHJvb3QraHV0QHNvdXJjZWh1dC5sb2NhbGRvbWFp
 56          bj6IkwQTFgoAOxYhBMISh2Z08FCi969cq9R2wSP9QF2bBQJmsUEpAhsDBQsJCAcC
 57          AiICBhUKCQgLAgQWAgMBAh4HAheAAAoJENR2wSP9QF2b4JMA+wQLdxVcod/ppyvH
 58          QguGqqhkpk8KquCddOuFnQVAfHFWAQCK5putVk4mGzsoLTbOJCSGRC4pjEktZawQ
 59          MTqJmnOuC5xdBGaxQSkSCisGAQQBl1UBBQEBB0Aed6UYJyighTY+KuPNQ439st3x
 60          x04T1j58sx3AnKgYewMBCAcAAP9WLB79HO1zFRqTCnk7GIEWWogMFKVpazeBUNu9
 61          h9rzCA2+iHgEGBYKACAWIQTCEodmdPBQovevXKvUdsEj/UBdmwUCZrFBKQIbDAAK
 62          CRDUdsEj/UBdmwgJAQDVk/px/pSzqreSeDLzxlb6dOo+N1KcicsJ0akhSJUcvwD9
 63          EPhpEDZu/UBKchAutOhWwz+y6pyoF4Vt7XG+jbJQtA4=
 64          =KaQc
 65          -----END PGP PRIVATE KEY BLOCK-----
 66        ''
 67      );
 68      pgp-pubkey = pkgs.writeText "sourcehut.pgp-pubkey" ''
 69        -----BEGIN PGP PUBLIC KEY BLOCK-----
 70
 71        mDMEZrFBKRYJKwYBBAHaRw8BAQdAS1Ffiytk0h0z0jfaT3qyiDUV/plVIUwOg1Yr
 72        AXP2Ymu0Nm5peG9zL3Rlc3RzL3NvdXJjZWh1dCA8cm9vdCtodXRAc291cmNlaHV0
 73        LmxvY2FsZG9tYWluPoiTBBMWCgA7FiEEwhKHZnTwUKL3r1yr1HbBI/1AXZsFAmax
 74        QSkCGwMFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQ1HbBI/1AXZvgkwD7
 75        BAt3FVyh3+mnK8dCC4aqqGSmTwqq4J1064WdBUB8cVYBAIrmm61WTiYbOygtNs4k
 76        JIZELimMSS1lrBAxOomac64LuDgEZrFBKRIKKwYBBAGXVQEFAQEHQB53pRgnKKCF
 77        Nj4q481Djf2y3fHHThPWPnyzHcCcqBh7AwEIB4h4BBgWCgAgFiEEwhKHZnTwUKL3
 78        r1yr1HbBI/1AXZsFAmaxQSkCGwwACgkQ1HbBI/1AXZsICQEA1ZP6cf6Us6q3kngy
 79        88ZW+nTqPjdSnInLCdGpIUiVHL8A/RD4aRA2bv1ASnIQLrToVsM/suqcqBeFbe1x
 80        vo2yULQO
 81        =luxZ
 82        -----END PGP PUBLIC KEY BLOCK-----
 83      '';
 84      pgp-key-id = "0xC212876674F050A2F7AF5CABD476C123FD405D9B";
 85    };
 86  };
 87
 88  networking.firewall.allowedTCPPorts = [
 89    80
 90    443
 91  ];
 92  security.pki.certificateFiles = [ "${tls-cert}/cert.pem" ];
 93  services.nginx = {
 94    enable = true;
 95    recommendedGzipSettings = true;
 96    recommendedOptimisation = true;
 97    recommendedTlsSettings = true;
 98    recommendedProxySettings = true;
 99  };
100
101  services.postgresql = {
102    enable = true;
103    enableTCPIP = false;
104    settings.unix_socket_permissions = "0770";
105  };
106
107  services.openssh = {
108    enable = true;
109    settings.PasswordAuthentication = false;
110    settings.PermitRootLogin = "no";
111  };
112
113  environment.systemPackages = with pkgs; [
114    hut # For interacting with the Sourcehut APIs via CLI
115    srht-gen-oauth-tok # To automatically generate user OAuth tokens
116  ];
117}