logistic-bot/nix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(sourcehut): try using patched cacert using a module?

Browse source 
Let's see if this works
This commit is contained in:
Khaïs COLIN 2024-08-12 13:07:43 +02:00
parent 38b50dd127
commit 57dacc328b
3 changed files with 122 additions and 117 deletions
Download patch file Download diff file Expand all files Collapse all files

118
nixos/configuration.nix
View file

@ -2,15 +2,12 @@
# your system. Help is available in the configuration.nix(5) man page # your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help). # and in the NixOS manual (accessible by running nixos-help).
{ pkgs, ... }: { pkgs, nixpkgsWithPatchedCACert, ... }:
let
sourcehut-fqdn = "sourcehut.nixos.local";
in
{ {
imports = imports =
[ # Include the results of the hardware scan. [ # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
(import ./sourcehut.nix { pkgs = nixpkgsWithPatchedCACert; })
]; ];
# Bootloader. # Bootloader.
@ -127,10 +124,6 @@ in
# Allow unfree packages # Allow unfree packages
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
# configure overlays
nixpkgs.overlays = [
#(import ./overlays/cacert.nix)
];
# List packages installed in system profile. To search, run: # List packages installed in system profile. To search, run:
# $ nix search wget # $ nix search wget
@ -227,113 +220,6 @@ in
wantedBy = [ "graphical-session.target" ]; wantedBy = [ "graphical-session.target" ];
}; };
# enable selfhosted sourcehut instance
services.sourcehut = {
enable = true;
meta = {
enable = true;
gunicorn.extraArgs = [
"--timeout 120"
"--workers 1"
"--log-level=info"
"--bind [::1]:5000"
];
};
git = {
enable = true;
gunicorn.extraArgs = [
"--timeout 120"
"--workers 1"
"--log-level=info"
"--bind [::1]:5001"
];
};
man = {
enable = true;
gunicorn.extraArgs = [
"--timeout 120"
"--workers 1"
"--log-level=info"
"--bind [::1]:5004"
];
};
nginx.enable = true;
postgresql.enable = true;
redis.enable = true;
settings = {
"sr.ht" = {
environment = "production";
global-domain = "${sourcehut-fqdn}";
origin = "http://${sourcehut-fqdn}";
network-key = "/etc/nixos/secrets/sourcehut/network.key";
service-key = "/etc/nixos/secrets/sourcehut/service.key";
};
"git.sr.ht" = {
oauth-client-id = "7f2819091157584f";
oauth-client-secret = "/etc/nixos/secrets/sourcehut/git.oauth";
origin = "http://git.${sourcehut-fqdn}";
};
"man.sr.ht" = {
oauth-client-id = "man.sr.ht";
oauth-client-secret = "/etc/nixos/secrets/sourcehut/man.oauth";
origin = "http://man.${sourcehut-fqdn}";
};
"meta.sr.ht" = {
origin = "http://meta.${sourcehut-fqdn}";
onboarding-redirect = "http://meta.${sourcehut-fqdn}";
};
mail = {
pgp-key-id = "/etc/nixos/secrets/sourcehut/mail.key.id";
pgp-privkey = "/etc/nixos/secrets/sourcehut/mail.key";
pgp-pubkey = "/etc/nixos/secrets/sourcehut/mail.key.pub";
smtp-from = "mail@${sourcehut-fqdn}";
};
webhooks.private-key = "/etc/nixos/secrets/sourcehut/webhook.key";
};
};
# security.acme = {
# certs."${sourcehut-fqdn}".extraDomainNames = [
# "meta.${sourcehut-fqdn}"
# "man.${sourcehut-fqdn}"
# "git.${sourcehut-fqdn}"
# ];
# acceptTerms = true;
# defaults.email = "khais.colin+letsencrypt@gmail.com";
# };
security.pki.certificateFiles = [
/etc/nixos/secrets/certs/myCA.pem
];
services.nginx = {
enable = true;
recommendedTlsSettings = false;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"${sourcehut-fqdn}" = {
sslCertificate = "/etc/nixos/secrets/certs/sourcehut.nixos.local.crt";
sslCertificateKey = "/etc/nixos/secrets/certs/sourcehut.nixos.local.key";
};
"meta.${sourcehut-fqdn}" = {
sslCertificate = "/etc/nixos/secrets/certs/sourcehut.nixos.local.crt";
sslCertificateKey = "/etc/nixos/secrets/certs/sourcehut.nixos.local.key";
};
"man.${sourcehut-fqdn}" = {
sslCertificate = "/etc/nixos/secrets/certs/sourcehut.nixos.local.crt";
sslCertificateKey = "/etc/nixos/secrets/certs/sourcehut.nixos.local.key";
};
"git.${sourcehut-fqdn}" = {
sslCertificate = "/etc/nixos/secrets/certs/sourcehut.nixos.local.crt";
sslCertificateKey = "/etc/nixos/secrets/certs/sourcehut.nixos.local.key";
};
};
};
services.postgresql.enable = true;
programs.gnupg.agent = { programs.gnupg.agent = {
enable = true; enable = true;
enableSSHSupport = true; enableSSHSupport = true;

9
nixos/flake.nix
View file

@ -6,14 +6,21 @@
url = "github:ahbnr/nixos-06cb-009a-fingerprint-sensor"; url = "github:ahbnr/nixos-06cb-009a-fingerprint-sensor";
}; };
}; };
outputs = { nixpkgs, nixos-06cb-009a-fingerprint-sensor, ... }: { outputs = { nixpkgs, nixos-06cb-009a-fingerprint-sensor, ... }:
let
nixpkgsWithPatchedCACert = nixpkgs.override (import ./overlays/cacert.nix);
in
{
nixosConfigurations.nixos = nixpkgs.lib.nixosSystem { nixosConfigurations.nixos = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
./configuration.nix ./configuration.nix
#(let nixpkgs = nixpkgsWithPatchedCACert; in ./sourcehut.nix)
#(import ./sourcehut.nix { nixpkgs = nixpkgsWithPatchedCACert; })
nixos-06cb-009a-fingerprint-sensor.nixosModules.open-fprintd nixos-06cb-009a-fingerprint-sensor.nixosModules.open-fprintd
nixos-06cb-009a-fingerprint-sensor.nixosModules.python-validity nixos-06cb-009a-fingerprint-sensor.nixosModules.python-validity
]; ];
extraArgs = { inherit nixpkgsWithPatchedCACert; };
}; };
}; };
} }

112
nixos/sourcehut.nix Normal file
View file

@ -0,0 +1,112 @@
{ pkgs, ... }:
let
sourcehut-fqdn = "sourcehut.nixos.local";
in
{
# enable selfhosted sourcehut instance
services.sourcehut = {
enable = true;
meta = {
enable = true;
gunicorn.extraArgs = [
"--timeout 120"
"--workers 1"
"--log-level=info"
"--bind [::1]:5000"
];
};
git = {
enable = true;
gunicorn.extraArgs = [
"--timeout 120"
"--workers 1"
"--log-level=info"
"--bind [::1]:5001"
];
};
man = {
enable = true;
gunicorn.extraArgs = [
"--timeout 120"
"--workers 1"
"--log-level=info"
"--bind [::1]:5004"
];
};
nginx.enable = true;
postgresql.enable = true;
redis.enable = true;
settings = {
"sr.ht" = {
environment = "production";
global-domain = "${sourcehut-fqdn}";
origin = "http://${sourcehut-fqdn}";
network-key = "/etc/nixos/secrets/sourcehut/network.key";
service-key = "/etc/nixos/secrets/sourcehut/service.key";
};
"git.sr.ht" = {
oauth-client-id = "7f2819091157584f";
oauth-client-secret = "/etc/nixos/secrets/sourcehut/git.oauth";
origin = "http://git.${sourcehut-fqdn}";
};
"man.sr.ht" = {
oauth-client-id = "man.sr.ht";
oauth-client-secret = "/etc/nixos/secrets/sourcehut/man.oauth";
origin = "http://man.${sourcehut-fqdn}";
};
"meta.sr.ht" = {
origin = "http://meta.${sourcehut-fqdn}";
onboarding-redirect = "http://meta.${sourcehut-fqdn}";
};
mail = {
pgp-key-id = "/etc/nixos/secrets/sourcehut/mail.key.id";
pgp-privkey = "/etc/nixos/secrets/sourcehut/mail.key";
pgp-pubkey = "/etc/nixos/secrets/sourcehut/mail.key.pub";
smtp-from = "mail@${sourcehut-fqdn}";
};
webhooks.private-key = "/etc/nixos/secrets/sourcehut/webhook.key";
};
};
# security.acme = {
# certs."${sourcehut-fqdn}".extraDomainNames = [
# "meta.${sourcehut-fqdn}"
# "man.${sourcehut-fqdn}"
# "git.${sourcehut-fqdn}"
# ];
# acceptTerms = true;
# defaults.email = "khais.colin+letsencrypt@gmail.com";
# };
security.pki.certificateFiles = [
/etc/nixos/secrets/certs/myCA.pem
];
services.nginx = {
enable = true;
recommendedTlsSettings = false;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"${sourcehut-fqdn}" = {
sslCertificate = "/etc/nixos/secrets/certs/sourcehut.nixos.local.crt";
sslCertificateKey = "/etc/nixos/secrets/certs/sourcehut.nixos.local.key";
};
"meta.${sourcehut-fqdn}" = {
sslCertificate = "/etc/nixos/secrets/certs/sourcehut.nixos.local.crt";
sslCertificateKey = "/etc/nixos/secrets/certs/sourcehut.nixos.local.key";
};
"man.${sourcehut-fqdn}" = {
sslCertificate = "/etc/nixos/secrets/certs/sourcehut.nixos.local.crt";
sslCertificateKey = "/etc/nixos/secrets/certs/sourcehut.nixos.local.key";
};
"git.${sourcehut-fqdn}" = {
sslCertificate = "/etc/nixos/secrets/certs/sourcehut.nixos.local.crt";
sslCertificateKey = "/etc/nixos/secrets/certs/sourcehut.nixos.local.key";
};
};
};
services.postgresql.enable = true;
}