fix(sourcehut): try using patched cacert using a module?

Let's see if this works
2024-08-12 13:07:43 +02:00 · 2024-08-12 13:07:43 +02:00 · 57dacc328b
commit 57dacc328b
parent 38b50dd127
3 changed files with 122 additions and 117 deletions
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@ -2,15 +2,12 @@
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).

-{ pkgs, ... }:
-
-let
-  sourcehut-fqdn = "sourcehut.nixos.local";
-in
+{ pkgs, nixpkgsWithPatchedCACert, ... }:
 {
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
+      (import ./sourcehut.nix { pkgs = nixpkgsWithPatchedCACert; })
    ];

  # Bootloader.
@ -127,10 +124,6 @@ in

  # Allow unfree packages
  nixpkgs.config.allowUnfree = true;
-  # configure overlays
-  nixpkgs.overlays = [
-    #(import ./overlays/cacert.nix)
-  ];

  # List packages installed in system profile. To search, run:
  # $ nix search wget
@ -227,113 +220,6 @@ in
    wantedBy = [ "graphical-session.target" ];
  };

-  # enable selfhosted sourcehut instance
-  services.sourcehut = {
-    enable = true;
-    meta = {
-      enable = true;
-      gunicorn.extraArgs = [
-        "--timeout 120"
-        "--workers 1"
-        "--log-level=info"
-        "--bind [::1]:5000"
-      ];
-    };
-    git = {
-      enable = true;
-      gunicorn.extraArgs = [
-        "--timeout 120"
-        "--workers 1"
-        "--log-level=info"
-        "--bind [::1]:5001"
-      ];
-    };
-    man = {
-      enable = true;
-      gunicorn.extraArgs = [
-        "--timeout 120"
-        "--workers 1"
-        "--log-level=info"
-        "--bind [::1]:5004"
-      ];
-    };
-    nginx.enable = true;
-    postgresql.enable = true;
-    redis.enable = true;
-    settings = {
-      "sr.ht" = {
-        environment = "production";
-        global-domain = "${sourcehut-fqdn}";
-        origin = "http://${sourcehut-fqdn}";
-        network-key = "/etc/nixos/secrets/sourcehut/network.key";
-        service-key = "/etc/nixos/secrets/sourcehut/service.key";
-      };
-      "git.sr.ht" = {
-        oauth-client-id = "7f2819091157584f";
-        oauth-client-secret = "/etc/nixos/secrets/sourcehut/git.oauth";
-        origin = "http://git.${sourcehut-fqdn}";
-      };
-      "man.sr.ht" = {
-        oauth-client-id = "man.sr.ht";
-        oauth-client-secret = "/etc/nixos/secrets/sourcehut/man.oauth";
-        origin = "http://man.${sourcehut-fqdn}";
-      };
-      "meta.sr.ht" = {
-        origin = "http://meta.${sourcehut-fqdn}";
-        onboarding-redirect = "http://meta.${sourcehut-fqdn}";
-      };
-      mail = {
-        pgp-key-id = "/etc/nixos/secrets/sourcehut/mail.key.id";
-        pgp-privkey = "/etc/nixos/secrets/sourcehut/mail.key";
-        pgp-pubkey = "/etc/nixos/secrets/sourcehut/mail.key.pub";
-        smtp-from = "mail@${sourcehut-fqdn}";
-      };
-      webhooks.private-key = "/etc/nixos/secrets/sourcehut/webhook.key";
-    };
-  };
-
-  # security.acme = {
-  #   certs."${sourcehut-fqdn}".extraDomainNames = [
-  #     "meta.${sourcehut-fqdn}"
-  #     "man.${sourcehut-fqdn}"
-  #     "git.${sourcehut-fqdn}"
-  #   ];
-  #   acceptTerms = true;
-  #   defaults.email = "khais.colin+letsencrypt@gmail.com";
-  # };
-
-  security.pki.certificateFiles = [
-    /etc/nixos/secrets/certs/myCA.pem
-  ];
-
-  services.nginx = {
-    enable = true;
-    recommendedTlsSettings = false;
-    recommendedOptimisation = true;
-    recommendedGzipSettings = true;
-    recommendedProxySettings = true;
-    virtualHosts = {
-      "${sourcehut-fqdn}" = {
-        sslCertificate = "/etc/nixos/secrets/certs/sourcehut.nixos.local.crt";
-        sslCertificateKey = "/etc/nixos/secrets/certs/sourcehut.nixos.local.key";
-      };
-      "meta.${sourcehut-fqdn}" = {
-        sslCertificate = "/etc/nixos/secrets/certs/sourcehut.nixos.local.crt";
-        sslCertificateKey = "/etc/nixos/secrets/certs/sourcehut.nixos.local.key";
-      };
-      "man.${sourcehut-fqdn}" = {
-        sslCertificate = "/etc/nixos/secrets/certs/sourcehut.nixos.local.crt";
-        sslCertificateKey = "/etc/nixos/secrets/certs/sourcehut.nixos.local.key";
-      };
-      "git.${sourcehut-fqdn}" = {
-        sslCertificate = "/etc/nixos/secrets/certs/sourcehut.nixos.local.crt";
-        sslCertificateKey = "/etc/nixos/secrets/certs/sourcehut.nixos.local.key";
-      };
-    };
-  };
-
-  services.postgresql.enable = true;
-
  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;