commit 2382d423f427a2dc30ea6cee8b0b4c615c6f5cb3 · pyrox.dev/nixpkgs

+107

nixos/tests/sourcehut/nodes/common.nix

···

       1
       1
       +
       { config, pkgs, nodes, ... }:

     

       2
       2
       +
       let

     

       3
       3
       +
         domain = config.networking.domain;

     

       4
       4
       +
       

     

       5
       5
       +
         # Note that wildcard certificates just under the TLD (eg. *.com)

     

       6
       6
       +
         # would be rejected by clients like curl.

     

       7
       7
       +
         tls-cert = pkgs.runCommand "selfSignedCerts" { buildInputs = [ pkgs.openssl ]; } ''

     

       8
       8
       +
           openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -days 36500 \

     

       9
       9
       +
             -subj '/CN=${domain}' -extensions v3_req \

     

       10
       10
       +
             -addext 'subjectAltName = DNS:*.${domain}'

     

       11
       11
       +
           install -D -t $out key.pem cert.pem

     

       12
       12
       +
         '';

     

       13
       13
       +
       in

     

       14
       14
       +
       {

     

       15
       15
       +
         # buildsrht needs space

     

       16
       16
       +
         virtualisation.diskSize = 4 * 1024;

     

       17
       17
       +
         virtualisation.memorySize = 2 * 1024;

     

       18
       18
       +
         networking.enableIPv6 = false;

     

       19
       19
       +
       

     

       20
       20
       +
         services.sourcehut = {

     

       21
       21
       +
           enable = true;

     

       22
       22
       +
           nginx.enable = true;

     

       23
       23
       +
           nginx.virtualHost = {

     

       24
       24
       +
             forceSSL = true;

     

       25
       25
       +
             sslCertificate = "${tls-cert}/cert.pem";

     

       26
       26
       +
             sslCertificateKey = "${tls-cert}/key.pem";

     

       27
       27
       +
           };

     

       28
       28
       +
           postgresql.enable = true;

     

       29
       29
       +
           redis.enable = true;

     

       30
       30
       +
       

     

       31
       31
       +
           meta.enable = true;

     

       32
       32
       +
       

     

       33
       33
       +
           settings."sr.ht" = {

     

       34
       34
       +
             environment = "production";

     

       35
       35
       +
             global-domain = config.networking.domain;

     

       36
       36
       +
             service-key = pkgs.writeText "service-key" "8b327279b77e32a3620e2fc9aabce491cc46e7d821fd6713b2a2e650ce114d01";

     

       37
       37
       +
             network-key = pkgs.writeText "network-key" "cEEmc30BRBGkgQZcHFksiG7hjc6_dK1XR2Oo5Jb9_nQ=";

     

       38
       38
       +
           };

     

       39
       39
       +
           settings.webhooks.private-key = pkgs.writeText "webhook-key" "Ra3IjxgFiwG9jxgp4WALQIZw/BMYt30xWiOsqD0J7EA=";

     

       40
       40
       +
           settings.mail = {

     

       41
       41
       +
             smtp-from = "root+hut@${domain}";

     

       42
       42
       +
             # WARNING: take care to keep pgp-privkey outside the Nix store in production,

     

       43
       43
       +
             # or use LoadCredentialEncrypted=

     

       44
       44
       +
             pgp-privkey = toString (pkgs.writeText "sourcehut.pgp-privkey" ''

     

       45
       45
       +
               -----BEGIN PGP PRIVATE KEY BLOCK-----

     

       46
       46
       +
       

     

       47
       47
       +
               lFgEYqDRORYJKwYBBAHaRw8BAQdAehGoy36FUx2OesYm07be2rtLyvR5Pb/ltstd

     

       48
       48
       +
               Gk7hYQoAAP9X4oPmxxrHN8LewBpWITdBomNqlHoiP7mI0nz/BOPJHxEktDZuaXhv

     

       49
       49
       +
               cy90ZXN0cy9zb3VyY2VodXQgPHJvb3QraHV0QHNvdXJjZWh1dC5sb2NhbGRvbWFp

     

       50
       50
       +
               bj6IlwQTFgoAPxYhBPqjgjnL8RHN4JnADNicgXaYm0jJBQJioNE5AhsDBQkDwmcA

     

       51
       51
       +
               BgsJCAcDCgUVCgkICwUWAwIBAAIeBQIXgAAKCRDYnIF2mJtIySVCAP9e2nHsVHSi

     

       52
       52
       +
               2B1YGZpVG7Xf36vxljmMkbroQy+0gBPwRwEAq+jaiQqlbGhQ7R/HMFcAxBIVsq8h

     

       53
       53
       +
               Aw1rngsUd0o3dAicXQRioNE5EgorBgEEAZdVAQUBAQdAXZV2Sd5ZNBVTBbTGavMv

     

       54
       54
       +
               D6ORrUh8z7TI/3CsxCE7+yADAQgHAAD/c1RU9xH+V/uI1fE7HIn/zL0LUPpsuce2

     

       55
       55
       +
               cH++g4u3kBgTOYh+BBgWCgAmFiEE+qOCOcvxEc3gmcAM2JyBdpibSMkFAmKg0TkC

     

       56
       56
       +
               GwwFCQPCZwAACgkQ2JyBdpibSMlKagD/cTre6p1m8QuJ7kwmCFRSz5tBzIuYMMgN

     

       57
       57
       +
               xtT7dmS91csA/35fWsOykSiFRojQ7ccCSUTHL7ApF2EbL968tP/D2hIG

     

       58
       58
       +
               =Hjoc

     

       59
       59
       +
               -----END PGP PRIVATE KEY BLOCK-----

     

       60
       60
       +
             '');

     

       61
       61
       +
             pgp-pubkey = pkgs.writeText "sourcehut.pgp-pubkey" ''

     

       62
       62
       +
               -----BEGIN PGP PUBLIC KEY BLOCK-----

     

       63
       63
       +
       

     

       64
       64
       +
               mDMEYqDRORYJKwYBBAHaRw8BAQdAehGoy36FUx2OesYm07be2rtLyvR5Pb/ltstd

     

       65
       65
       +
               Gk7hYQq0Nm5peG9zL3Rlc3RzL3NvdXJjZWh1dCA8cm9vdCtodXRAc291cmNlaHV0

     

       66
       66
       +
               LmxvY2FsZG9tYWluPoiXBBMWCgA/FiEE+qOCOcvxEc3gmcAM2JyBdpibSMkFAmKg

     

       67
       67
       +
               0TkCGwMFCQPCZwAGCwkIBwMKBRUKCQgLBRYDAgEAAh4FAheAAAoJENicgXaYm0jJ

     

       68
       68
       +
               JUIA/17acexUdKLYHVgZmlUbtd/fq/GWOYyRuuhDL7SAE/BHAQCr6NqJCqVsaFDt

     

       69
       69
       +
               H8cwVwDEEhWyryEDDWueCxR3Sjd0CLg4BGKg0TkSCisGAQQBl1UBBQEBB0BdlXZJ

     

       70
       70
       +
               3lk0FVMFtMZq8y8Po5GtSHzPtMj/cKzEITv7IAMBCAeIfgQYFgoAJhYhBPqjgjnL

     

       71
       71
       +
               8RHN4JnADNicgXaYm0jJBQJioNE5AhsMBQkDwmcAAAoJENicgXaYm0jJSmoA/3E6

     

       72
       72
       +
               3uqdZvELie5MJghUUs+bQcyLmDDIDcbU+3ZkvdXLAP9+X1rDspEohUaI0O3HAklE

     

       73
       73
       +
               xy+wKRdhGy/evLT/w9oSBg==

     

       74
       74
       +
               =pJD7

     

       75
       75
       +
               -----END PGP PUBLIC KEY BLOCK-----

     

       76
       76
       +
             '';

     

       77
       77
       +
             pgp-key-id = "0xFAA38239CBF111CDE099C00CD89C8176989B48C9";

     

       78
       78
       +
           };

     

       79
       79
       +
         };

     

       80
       80
       +
       

     

       81
       81
       +
         networking.firewall.allowedTCPPorts = [ 80 443 ];

     

       82
       82
       +
         security.pki.certificateFiles = [ "${tls-cert}/cert.pem" ];

     

       83
       83
       +
         services.nginx = {

     

       84
       84
       +
           enable = true;

     

       85
       85
       +
           recommendedGzipSettings = true;

     

       86
       86
       +
           recommendedOptimisation = true;

     

       87
       87
       +
           recommendedTlsSettings = true;

     

       88
       88
       +
           recommendedProxySettings = true;

     

       89
       89
       +
         };

     

       90
       90
       +
       

     

       91
       91
       +
         services.postgresql = {

     

       92
       92
       +
           enable = true;

     

       93
       93
       +
           enableTCPIP = false;

     

       94
       94
       +
           settings.unix_socket_permissions = "0770";

     

       95
       95
       +
         };

     

       96
       96
       +
       

     

       97
       97
       +
         services.openssh = {

     

       98
       98
       +
           enable = true;

     

       99
       99
       +
           settings.PasswordAuthentication = false;

     

       100
       100
       +
           settings.PermitRootLogin = "no";

     

       101
       101
       +
         };

     

       102
       102
       +
       

     

       103
       103
       +
         environment.systemPackages = with pkgs; [

     

       104
       104
       +
           hut # For interacting with the Sourcehut APIs via CLI

     

       105
       105
       +
           (callPackage ../srht-gen-oauth-tok.nix { }) # To automatically generate OAuth tokens

     

       106
       106
       +
         ];

     

       107
       107
       +
       }

+4 -94

nixos/tests/sourcehut/sourcehut.nix

···

       1
       1
        
       import ../make-test-python.nix ({ pkgs, lib, ... }:

     

       2
       2
        
       let

     

       3
       3
        
         domain = "sourcehut.localdomain";

     

       4
       4
       -
       

     

       5
       5
       -
         # Note that wildcard certificates just under the TLD (eg. *.com)

     

       6
       6
       -
         # would be rejected by clients like curl.

     

       7
       7
       -
         tls-cert = pkgs.runCommand "selfSignedCerts" { buildInputs = [ pkgs.openssl ]; } ''

     

       8
       8
       -
           openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -days 36500 \

     

       9
       9
       -
             -subj '/CN=${domain}' -extensions v3_req \

     

       10
       10
       -
             -addext 'subjectAltName = DNS:*.${domain}'

     

       11
       11
       -
           install -D -t $out key.pem cert.pem

     

       12
       12
       -
         '';

     

       13
       4
        
       in

     

       14
       5
        
       {

     

       15
       6
        
         name = "sourcehut";

     
···

       17
       8
        
         meta.maintainers = with pkgs.lib.maintainers; [ tomberek nessdoor ];

     

       18
       9
        
       

     

       19
       10
        
         nodes.machine = { config, pkgs, nodes, ... }: {

     

       20
       20
       -
           # buildsrht needs space

     

       21
       21
       -
           virtualisation.diskSize = 4 * 1024;

     

       22
       22
       -
           virtualisation.memorySize = 2 * 1024;

     

       11
       11
       +
           imports = [

     

       12
       12
       +
             ./nodes/common.nix

     

       13
       13
       +
           ];

     

       14
       14
       +
       

     

       23
       15
        
           networking.domain = domain;

     

       24
       24
       -
           networking.enableIPv6 = false;

     

       25
       16
        
           networking.extraHosts = ''

     

       26
       17
        
             ${config.networking.primaryIPAddress} builds.${domain}

     

       27
       18
        
             ${config.networking.primaryIPAddress} git.${domain}

     
···

       29
       20
        
           '';

     

       30
       21
        
       

     

       31
       22
        
           services.sourcehut = {

     

       32
       32
       -
             enable = true;

     

       33
       33
       -
             nginx.enable = true;

     

       34
       34
       -
             nginx.virtualHost = {

     

       35
       35
       -
               forceSSL = true;

     

       36
       36
       -
               sslCertificate = "${tls-cert}/cert.pem";

     

       37
       37
       -
               sslCertificateKey = "${tls-cert}/key.pem";

     

       38
       38
       -
             };

     

       39
       39
       -
             postgresql.enable = true;

     

       40
       40
       -
             redis.enable = true;

     

       41
       41
       -
       

     

       42
       42
       -
             meta.enable = true;

     

       43
       23
        
             builds = {

     

       44
       24
        
               enable = true;

     

       45
       25
        
               # FIXME: see why it does not seem to activate fully.

     
···

       48
       28
        
             };

     

       49
       29
        
             git.enable = true;

     

       50
       30
        
       

     

       51
       51
       -
             settings."sr.ht" = {

     

       52
       52
       -
               environment = "production";

     

       53
       53
       -
               global-domain = config.networking.domain;

     

       54
       54
       -
               service-key = pkgs.writeText "service-key" "8b327279b77e32a3620e2fc9aabce491cc46e7d821fd6713b2a2e650ce114d01";

     

       55
       55
       -
               network-key = pkgs.writeText "network-key" "cEEmc30BRBGkgQZcHFksiG7hjc6_dK1XR2Oo5Jb9_nQ=";

     

       56
       56
       -
             };

     

       57
       31
        
             settings."builds.sr.ht" = {

     

       58
       32
        
               oauth-client-secret = pkgs.writeText "buildsrht-oauth-client-secret" "2260e9c4d9b8dcedcef642860e0504bc";

     

       59
       33
        
               oauth-client-id = "299db9f9c2013170";

     
···

       62
       36
        
               oauth-client-secret = pkgs.writeText "gitsrht-oauth-client-secret" "3597288dc2c716e567db5384f493b09d";

     

       63
       37
        
               oauth-client-id = "d07cb713d920702e";

     

       64
       38
        
             };

     

       65
       65
       -
             settings.webhooks.private-key = pkgs.writeText "webhook-key" "Ra3IjxgFiwG9jxgp4WALQIZw/BMYt30xWiOsqD0J7EA=";

     

       66
       66
       -
             settings.mail = {

     

       67
       67
       -
               smtp-from = "root+hut@${domain}";

     

       68
       68
       -
               # WARNING: take care to keep pgp-privkey outside the Nix store in production,

     

       69
       69
       -
               # or use LoadCredentialEncrypted=

     

       70
       70
       -
               pgp-privkey = toString (pkgs.writeText "sourcehut.pgp-privkey" ''

     

       71
       71
       -
                 -----BEGIN PGP PRIVATE KEY BLOCK-----

     

       72
       72
       -
       

     

       73
       73
       -
                 lFgEYqDRORYJKwYBBAHaRw8BAQdAehGoy36FUx2OesYm07be2rtLyvR5Pb/ltstd

     

       74
       74
       -
                 Gk7hYQoAAP9X4oPmxxrHN8LewBpWITdBomNqlHoiP7mI0nz/BOPJHxEktDZuaXhv

     

       75
       75
       -
                 cy90ZXN0cy9zb3VyY2VodXQgPHJvb3QraHV0QHNvdXJjZWh1dC5sb2NhbGRvbWFp

     

       76
       76
       -
                 bj6IlwQTFgoAPxYhBPqjgjnL8RHN4JnADNicgXaYm0jJBQJioNE5AhsDBQkDwmcA

     

       77
       77
       -
                 BgsJCAcDCgUVCgkICwUWAwIBAAIeBQIXgAAKCRDYnIF2mJtIySVCAP9e2nHsVHSi

     

       78
       78
       -
                 2B1YGZpVG7Xf36vxljmMkbroQy+0gBPwRwEAq+jaiQqlbGhQ7R/HMFcAxBIVsq8h

     

       79
       79
       -
                 Aw1rngsUd0o3dAicXQRioNE5EgorBgEEAZdVAQUBAQdAXZV2Sd5ZNBVTBbTGavMv

     

       80
       80
       -
                 D6ORrUh8z7TI/3CsxCE7+yADAQgHAAD/c1RU9xH+V/uI1fE7HIn/zL0LUPpsuce2

     

       81
       81
       -
                 cH++g4u3kBgTOYh+BBgWCgAmFiEE+qOCOcvxEc3gmcAM2JyBdpibSMkFAmKg0TkC

     

       82
       82
       -
                 GwwFCQPCZwAACgkQ2JyBdpibSMlKagD/cTre6p1m8QuJ7kwmCFRSz5tBzIuYMMgN

     

       83
       83
       -
                 xtT7dmS91csA/35fWsOykSiFRojQ7ccCSUTHL7ApF2EbL968tP/D2hIG

     

       84
       84
       -
                 =Hjoc

     

       85
       85
       -
                 -----END PGP PRIVATE KEY BLOCK-----

     

       86
       86
       -
               '');

     

       87
       87
       -
               pgp-pubkey = pkgs.writeText "sourcehut.pgp-pubkey" ''

     

       88
       88
       -
                 -----BEGIN PGP PUBLIC KEY BLOCK-----

     

       89
       89
       -
       

     

       90
       90
       -
                 mDMEYqDRORYJKwYBBAHaRw8BAQdAehGoy36FUx2OesYm07be2rtLyvR5Pb/ltstd

     

       91
       91
       -
                 Gk7hYQq0Nm5peG9zL3Rlc3RzL3NvdXJjZWh1dCA8cm9vdCtodXRAc291cmNlaHV0

     

       92
       92
       -
                 LmxvY2FsZG9tYWluPoiXBBMWCgA/FiEE+qOCOcvxEc3gmcAM2JyBdpibSMkFAmKg

     

       93
       93
       -
                 0TkCGwMFCQPCZwAGCwkIBwMKBRUKCQgLBRYDAgEAAh4FAheAAAoJENicgXaYm0jJ

     

       94
       94
       -
                 JUIA/17acexUdKLYHVgZmlUbtd/fq/GWOYyRuuhDL7SAE/BHAQCr6NqJCqVsaFDt

     

       95
       95
       -
                 H8cwVwDEEhWyryEDDWueCxR3Sjd0CLg4BGKg0TkSCisGAQQBl1UBBQEBB0BdlXZJ

     

       96
       96
       -
                 3lk0FVMFtMZq8y8Po5GtSHzPtMj/cKzEITv7IAMBCAeIfgQYFgoAJhYhBPqjgjnL

     

       97
       97
       -
                 8RHN4JnADNicgXaYm0jJBQJioNE5AhsMBQkDwmcAAAoJENicgXaYm0jJSmoA/3E6

     

       98
       98
       -
                 3uqdZvELie5MJghUUs+bQcyLmDDIDcbU+3ZkvdXLAP9+X1rDspEohUaI0O3HAklE

     

       99
       99
       -
                 xy+wKRdhGy/evLT/w9oSBg==

     

       100
       100
       -
                 =pJD7

     

       101
       101
       -
                 -----END PGP PUBLIC KEY BLOCK-----

     

       102
       102
       -
               '';

     

       103
       103
       -
               pgp-key-id = "0xFAA38239CBF111CDE099C00CD89C8176989B48C9";

     

       104
       104
       -
             };

     

       105
       105
       -
           };

     

       106
       106
       -
       

     

       107
       107
       -
           networking.firewall.allowedTCPPorts = [ 80 443 ];

     

       108
       108
       -
           security.pki.certificateFiles = [ "${tls-cert}/cert.pem" ];

     

       109
       109
       -
           services.nginx = {

     

       110
       110
       -
             enable = true;

     

       111
       111
       -
             recommendedGzipSettings = true;

     

       112
       112
       -
             recommendedOptimisation = true;

     

       113
       113
       -
             recommendedTlsSettings = true;

     

       114
       114
       -
             recommendedProxySettings = true;

     

       115
       115
       -
           };

     

       116
       116
       -
       

     

       117
       117
       -
           services.postgresql = {

     

       118
       118
       -
             enable = true;

     

       119
       119
       -
             enableTCPIP = false;

     

       120
       120
       -
             settings.unix_socket_permissions = "0770";

     

       121
       121
       -
           };

     

       122
       122
       -
       

     

       123
       123
       -
           services.openssh = {

     

       124
       124
       -
             enable = true;

     

       125
       125
       -
             settings.PasswordAuthentication = false;

     

       126
       126
       -
             settings.PermitRootLogin = "no";

     

       127
       39
        
           };

     

       128
       40
        
       

     

       129
       41
        
           environment.systemPackages = with pkgs; [

     

       130
       42
        
             git

     

       131
       131
       -
             hut # For interacting with the Sourcehut APIs via CLI

     

       132
       132
       -
             (callPackage ./srht-gen-oauth-tok.nix { }) # To automatically generate OAuth tokens

     

       133
       43
        
           ];

     

       134
       44
        
         };

     

       135
       45