diff --git a/nixos/configuration.nix b/nixos/configuration.nix index e8d8a7a..9e799ce 100644 --- a/nixos/configuration.nix +++ b/nixos/configuration.nix @@ -2,15 +2,12 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ pkgs, ... }: - -let - sourcehut-fqdn = "sourcehut.nixos.local"; -in +{ pkgs, nixpkgsWithPatchedCACert, ... }: { imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix + (import ./sourcehut.nix { pkgs = nixpkgsWithPatchedCACert; }) ]; # Bootloader. @@ -127,10 +124,6 @@ in # Allow unfree packages nixpkgs.config.allowUnfree = true; - # configure overlays - nixpkgs.overlays = [ - #(import ./overlays/cacert.nix) - ]; # List packages installed in system profile. To search, run: # $ nix search wget 
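Review bot: The `pkgs = nixpkgsWithPatchedCACert` argument passed in the new `imports` entry has no effect, because the sourcehut.nix added by this commit declares `{ pkgs, ... }:` but never references `pkgs`, so the sourcehut, nginx and postgresql packages still come from the system package set and whatever the cacert overlay patches never reaches these services. If the goal is to make the instance trust the private CA, `security.pki.certificateFiles` in sourcehut.nix is already the supported mechanism (it rebuilds the system CA bundle the services read); if the overlay really is needed, the removed `nixpkgs.overlays = [ (import ./overlays/cacert.nix) ];` from the second hunk is the right place for it, not a per-module `pkgs` override. Values supplied via `extraArgs` end up in `_module.args`, which, as far as I recall, cannot be consumed inside `imports` (that needs `specialArgs`) without an infinite-recursion error at evaluation, so a plain `./sourcehut.nix` entry is also safer. The `imports` list continues unchanged past the hunk.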
@@ -227,113 +220,6 @@ in wantedBy = [ "graphical-session.target" ]; }; - # enable selfhosted sourcehut instance - services.sourcehut = { - enable = true; - meta = { - enable = true; - gunicorn.extraArgs = [ - "--timeout 120" - "--workers 1" - "--log-level=info" - "--bind [::1]:5000" - ]; - }; - git = { - enable = true; - gunicorn.extraArgs = [ - "--timeout 120" - "--workers 1" - "--log-level=info" - "--bind [::1]:5001" - ]; - }; - man = { - enable = true; - gunicorn.extraArgs = [ - "--timeout 120" - "--workers 1" - "--log-level=info" - "--bind [::1]:5004" - ]; - }; - nginx.enable = true; - postgresql.enable = true; - redis.enable = true; - settings = { - "sr.ht" = { - environment = "production"; - global-domain = "${sourcehut-fqdn}"; - origin = "http://${sourcehut-fqdn}"; - network-key = "/etc/nixos/secrets/sourcehut/network.key"; - service-key = "/etc/nixos/secrets/sourcehut/service.key"; - }; - "git.sr.ht" = { - oauth-client-id = "7f2819091157584f"; - oauth-client-secret = "/etc/nixos/secrets/sourcehut/git.oauth"; - origin = "http://git.${sourcehut-fqdn}"; - }; - "man.sr.ht" = { - oauth-client-id = "man.sr.ht"; - oauth-client-secret = "/etc/nixos/secrets/sourcehut/man.oauth"; - origin = "http://man.${sourcehut-fqdn}"; - }; - "meta.sr.ht" = { - origin = "http://meta.${sourcehut-fqdn}"; - onboarding-redirect = "http://meta.${sourcehut-fqdn}"; - }; - mail = { - pgp-key-id = "/etc/nixos/secrets/sourcehut/mail.key.id"; - pgp-privkey = "/etc/nixos/secrets/sourcehut/mail.key"; - pgp-pubkey = "/etc/nixos/secrets/sourcehut/mail.key.pub"; - smtp-from = "mail@${sourcehut-fqdn}"; - }; - webhooks.private-key = "/etc/nixos/secrets/sourcehut/webhook.key"; - }; - }; - - # security.acme = { - # certs."${sourcehut-fqdn}".extraDomainNames = [ - # "meta.${sourcehut-fqdn}" - # "man.${sourcehut-fqdn}" - # "git.${sourcehut-fqdn}" - # ]; - # acceptTerms = true; - # defaults.email = "khais.colin+letsencrypt@gmail.com"; - # }; - - security.pki.certificateFiles = [ - 
/etc/nixos/secrets/certs/myCA.pem - ]; - - services.nginx = { - enable = true; - recommendedTlsSettings = false; - recommendedOptimisation = true; - recommendedGzipSettings = true; - recommendedProxySettings = true; - virtualHosts = { - "${sourcehut-fqdn}" = { - sslCertificate = "/etc/nixos/secrets/certs/sourcehut.nixos.local.crt"; - sslCertificateKey = "/etc/nixos/secrets/certs/sourcehut.nixos.local.key"; - }; - "meta.${sourcehut-fqdn}" = { - sslCertificate = "/etc/nixos/secrets/certs/sourcehut.nixos.local.crt"; - sslCertificateKey = "/etc/nixos/secrets/certs/sourcehut.nixos.local.key"; - }; - "man.${sourcehut-fqdn}" = { - sslCertificate = "/etc/nixos/secrets/certs/sourcehut.nixos.local.crt"; - sslCertificateKey = "/etc/nixos/secrets/certs/sourcehut.nixos.local.key"; - }; - "git.${sourcehut-fqdn}" = { - sslCertificate = "/etc/nixos/secrets/certs/sourcehut.nixos.local.crt"; - sslCertificateKey = "/etc/nixos/secrets/certs/sourcehut.nixos.local.key"; - }; - }; - }; - - services.postgresql.enable = true; - programs.gnupg.agent = { enable = true; enableSSHSupport = true; diff --git a/nixos/flake.nix b/nixos/flake.nix index c54e3a9..fec1d3c 100644 --- a/nixos/flake.nix +++ b/nixos/flake.nix @@ -6,14 +6,21 @@ url = "github:ahbnr/nixos-06cb-009a-fingerprint-sensor"; }; }; - outputs = { nixpkgs, nixos-06cb-009a-fingerprint-sensor, ... }: { + outputs = { nixpkgs, nixos-06cb-009a-fingerprint-sensor, ... }: + let + nixpkgsWithPatchedCACert = nixpkgs.override (import ./overlays/cacert.nix); + in + { nixosConfigurations.nixos = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; modules = [ ./configuration.nix + #(let nixpkgs = nixpkgsWithPatchedCACert; in ./sourcehut.nix) + #(import ./sourcehut.nix { nixpkgs = nixpkgsWithPatchedCACert; }) nixos-06cb-009a-fingerprint-sensor.nixosModules.open-fprintd nixos-06cb-009a-fingerprint-sensor.nixosModules.python-validity ]; + extraArgs = { inherit nixpkgsWithPatchedCACert; }; }; }; } 
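Review bot: `nixpkgs.override (import ./overlays/cacert.nix)` on the new `let` line is applied to the flake input, which is the nixpkgs repository itself (an attrset with `lib`, `legacyPackages`, `outPath`, ...) rather than an instantiated package set, so there is most likely no `override` attribute to call and evaluation will fail before the overlay is applied. An instantiated set carrying the overlay is `import nixpkgs { system = "x86_64-linux"; overlays = [ (import ./overlays/cacert.nix) ]; }`, or, simpler and consistent with the existing `nixpkgs.config.allowUnfree` setting, the `nixpkgs.overlays` module option inside the NixOS configuration. `extraArgs` feeds `_module.args`; because configuration.nix consumes the value inside `imports`, it presumably needs `specialArgs = { inherit nixpkgsWithPatchedCACert; };` instead. The two commented-out `#(… sourcehut.nix …)` lines are leftover experiments and should be dropped before merge.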
diff --git a/nixos/sourcehut.nix b/nixos/sourcehut.nix new file mode 100644 index 0000000..ed28183 --- /dev/null +++ b/nixos/sourcehut.nix 
@@ -0,0 +1,112 @@
+{ pkgs, ... }:
+let
+ sourcehut-fqdn = "sourcehut.nixos.local";
+in
+{
+ # enable selfhosted sourcehut instance
+ services.sourcehut = {
+ enable = true;
+ meta = {
+ enable = true;
+ gunicorn.extraArgs = [
+ "--timeout 120"
+ "--workers 1"
+ "--log-level=info"
+ "--bind [::1]:5000"
+ ];
+ };
+ git = {
+ enable = true;
+ gunicorn.extraArgs = [
+ "--timeout 120"
+ "--workers 1"
+ "--log-level=info"
+ "--bind [::1]:5001"
+ ];
+ };
+ man = {
+ enable = true;
+ gunicorn.extraArgs = [
+ "--timeout 120"
+ "--workers 1"
+ "--log-level=info"
+ "--bind [::1]:5004"
+ ];
+ };
+ nginx.enable = true;
+ postgresql.enable = true;
+ redis.enable = true;
+ settings = {
+ "sr.ht" = {
+ environment = "production";
+ global-domain = "${sourcehut-fqdn}";
+ origin = "http://${sourcehut-fqdn}";
+ network-key = "/etc/nixos/secrets/sourcehut/network.key";
+ service-key = "/etc/nixos/secrets/sourcehut/service.key";
+ };
+ "git.sr.ht" = {
+ oauth-client-id = "7f2819091157584f";
+ oauth-client-secret = "/etc/nixos/secrets/sourcehut/git.oauth";
+ origin = "http://git.${sourcehut-fqdn}";
+ };
+ "man.sr.ht" = {
+ oauth-client-id = "man.sr.ht";
+ oauth-client-secret = "/etc/nixos/secrets/sourcehut/man.oauth";
+ origin = "http://man.${sourcehut-fqdn}";
+ };
+ "meta.sr.ht" = {
+ origin = "http://meta.${sourcehut-fqdn}";
+ onboarding-redirect = "http://meta.${sourcehut-fqdn}";
+ };
+ mail = {
+ pgp-key-id = "/etc/nixos/secrets/sourcehut/mail.key.id";
+ pgp-privkey = "/etc/nixos/secrets/sourcehut/mail.key";
+ pgp-pubkey = "/etc/nixos/secrets/sourcehut/mail.key.pub";
+ smtp-from = "mail@${sourcehut-fqdn}";
+ };
+ webhooks.private-key = "/etc/nixos/secrets/sourcehut/webhook.key";
+ };
+ };
+
+ # security.acme = {
+ # certs."${sourcehut-fqdn}".extraDomainNames = [
+ # "meta.${sourcehut-fqdn}"
+ # "man.${sourcehut-fqdn}"
+ # "git.${sourcehut-fqdn}"
+ # ];
+ # acceptTerms = true;
+ # defaults.email = "khais.colin+letsencrypt@gmail.com";
+ # };
+
+ security.pki.certificateFiles = [
+ 
/etc/nixos/secrets/certs/myCA.pem
+ ];
+
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = false;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ virtualHosts = {
+ "${sourcehut-fqdn}" = {
+ sslCertificate = "/etc/nixos/secrets/certs/sourcehut.nixos.local.crt";
+ sslCertificateKey = "/etc/nixos/secrets/certs/sourcehut.nixos.local.key";
+ };
+ "meta.${sourcehut-fqdn}" = {
+ sslCertificate = "/etc/nixos/secrets/certs/sourcehut.nixos.local.crt";
+ sslCertificateKey = "/etc/nixos/secrets/certs/sourcehut.nixos.local.key";
+ };
+ "man.${sourcehut-fqdn}" = {
+ sslCertificate = "/etc/nixos/secrets/certs/sourcehut.nixos.local.crt";
+ sslCertificateKey = "/etc/nixos/secrets/certs/sourcehut.nixos.local.key";
+ };
+ "git.${sourcehut-fqdn}" = {
+ sslCertificate = "/etc/nixos/secrets/certs/sourcehut.nixos.local.crt";
+ sslCertificateKey = "/etc/nixos/secrets/certs/sourcehut.nixos.local.key";
+ };
+ };
+ };
+
+ services.postgresql.enable = true;
+}
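Review bot: Every service `origin` (and `onboarding-redirect`) under `settings` is `http://…` while the four nginx vhosts below are given a certificate and key, so sr.ht will build its absolute links, OAuth redirect URIs and session cookies for plaintext URLs even though the intended transport is TLS; set `origin = "https://${sourcehut-fqdn}"` and the `git.`/`man.`/`meta.` equivalents so the login flow is neither downgraded nor rejected on a redirect-URI mismatch. With `recommendedTlsSettings = false` nginx also runs on its stock protocol and cipher defaults with no HSTS; for a private-CA lab that may be deliberate, but a comment such as `# lab instance behind a private CA — stock nginx TLS defaults are acceptable here` would stop it being copied into a public deployment. `security.pki.certificateFiles = [ /etc/nixos/secrets/certs/myCA.pem ]` is a path literal, so the CA certificate is copied into the world-readable store (fine for a public cert), but because this is evaluated through a flake an absolute path outside the flake is likely to be rejected in pure-eval mode — keeping the public CA cert in the repo as `./certs/myCA.pem` avoids that while keeping the build-time copy the CA bundle needs. The key, secret and OAuth-secret settings are plain strings and so are not copied into the store, which is the right pattern for those files.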