
nixosTests.sourcehut: factor-out node configuration

+111 -94
+107
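--- a/nixos/tests/sourcehut/nodes/common.nix
+++ b/nixos/tests/sourcehut/nodes/common.nix
@@ -0,0 +1,107 @@
+{ config, pkgs, nodes, ... }:
+let
+  domain = config.networking.domain;
+
+  # Note that wildcard certificates just under the TLD (eg. *.com)
+  # would be rejected by clients like curl.
+  tls-cert = pkgs.runCommand "selfSignedCerts" { buildInputs = [ pkgs.openssl ]; } ''
+    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -days 36500 \
+      -subj '/CN=${domain}' -extensions v3_req \
+      -addext 'subjectAltName = DNS:*.${domain}'
+    install -D -t $out key.pem cert.pem
+  '';
+in
+{
+  # buildsrht needs space
+  virtualisation.diskSize = 4 * 1024;
+  virtualisation.memorySize = 2 * 1024;
+  networking.enableIPv6 = false;
+
+  services.sourcehut = {
+    enable = true;
+    nginx.enable = true;
+    nginx.virtualHost = {
+      forceSSL = true;
+      sslCertificate = "${tls-cert}/cert.pem";
+      sslCertificateKey = "${tls-cert}/key.pem";
+    };
+    postgresql.enable = true;
+    redis.enable = true;
+
+    meta.enable = true;
+
+    settings."sr.ht" = {
+      environment = "production";
+      global-domain = config.networking.domain;
+      service-key = pkgs.writeText "service-key" "8b327279b77e32a3620e2fc9aabce491cc46e7d821fd6713b2a2e650ce114d01";
+      network-key = pkgs.writeText "network-key" "cEEmc30BRBGkgQZcHFksiG7hjc6_dK1XR2Oo5Jb9_nQ=";
+    };
+    settings.webhooks.private-key = pkgs.writeText "webhook-key" "Ra3IjxgFiwG9jxgp4WALQIZw/BMYt30xWiOsqD0J7EA=";
+    settings.mail = {
+      smtp-from = "root+hut@${domain}";
+      # WARNING: take care to keep pgp-privkey outside the Nix store in production,
+      # or use LoadCredentialEncrypted=
+      pgp-privkey = toString (pkgs.writeText "sourcehut.pgp-privkey" ''
+        -----BEGIN PGP PRIVATE KEY BLOCK-----
+
+        lFgEYqDRORYJKwYBBAHaRw8BAQdAehGoy36FUx2OesYm07be2rtLyvR5Pb/ltstd
+        Gk7hYQoAAP9X4oPmxxrHN8LewBpWITdBomNqlHoiP7mI0nz/BOPJHxEktDZuaXhv
+        cy90ZXN0cy9zb3VyY2VodXQgPHJvb3QraHV0QHNvdXJjZWh1dC5sb2NhbGRvbWFp
+        bj6IlwQTFgoAPxYhBPqjgjnL8RHN4JnADNicgXaYm0jJBQJioNE5AhsDBQkDwmcA
+        BgsJCAcDCgUVCgkICwUWAwIBAAIeBQIXgAAKCRDYnIF2mJtIySVCAP9e2nHsVHSi
+        2B1YGZpVG7Xf36vxljmMkbroQy+0gBPwRwEAq+jaiQqlbGhQ7R/HMFcAxBIVsq8h
+        Aw1rngsUd0o3dAicXQRioNE5EgorBgEEAZdVAQUBAQdAXZV2Sd5ZNBVTBbTGavMv
+        D6ORrUh8z7TI/3CsxCE7+yADAQgHAAD/c1RU9xH+V/uI1fE7HIn/zL0LUPpsuce2
+        cH++g4u3kBgTOYh+BBgWCgAmFiEE+qOCOcvxEc3gmcAM2JyBdpibSMkFAmKg0TkC
+        GwwFCQPCZwAACgkQ2JyBdpibSMlKagD/cTre6p1m8QuJ7kwmCFRSz5tBzIuYMMgN
+        xtT7dmS91csA/35fWsOykSiFRojQ7ccCSUTHL7ApF2EbL968tP/D2hIG
+        =Hjoc
+        -----END PGP PRIVATE KEY BLOCK-----
+      '');
+      pgp-pubkey = pkgs.writeText "sourcehut.pgp-pubkey" ''
+        -----BEGIN PGP PUBLIC KEY BLOCK-----
+
+        mDMEYqDRORYJKwYBBAHaRw8BAQdAehGoy36FUx2OesYm07be2rtLyvR5Pb/ltstd
+        Gk7hYQq0Nm5peG9zL3Rlc3RzL3NvdXJjZWh1dCA8cm9vdCtodXRAc291cmNlaHV0
+        LmxvY2FsZG9tYWluPoiXBBMWCgA/FiEE+qOCOcvxEc3gmcAM2JyBdpibSMkFAmKg
+        0TkCGwMFCQPCZwAGCwkIBwMKBRUKCQgLBRYDAgEAAh4FAheAAAoJENicgXaYm0jJ
+        JUIA/17acexUdKLYHVgZmlUbtd/fq/GWOYyRuuhDL7SAE/BHAQCr6NqJCqVsaFDt
+        H8cwVwDEEhWyryEDDWueCxR3Sjd0CLg4BGKg0TkSCisGAQQBl1UBBQEBB0BdlXZJ
+        3lk0FVMFtMZq8y8Po5GtSHzPtMj/cKzEITv7IAMBCAeIfgQYFgoAJhYhBPqjgjnL
+        8RHN4JnADNicgXaYm0jJBQJioNE5AhsMBQkDwmcAAAoJENicgXaYm0jJSmoA/3E6
+        3uqdZvELie5MJghUUs+bQcyLmDDIDcbU+3ZkvdXLAP9+X1rDspEohUaI0O3HAklE
+        xy+wKRdhGy/evLT/w9oSBg==
+        =pJD7
+        -----END PGP PUBLIC KEY BLOCK-----
+      '';
+      pgp-key-id = "0xFAA38239CBF111CDE099C00CD89C8176989B48C9";
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  security.pki.certificateFiles = [ "${tls-cert}/cert.pem" ];
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedTlsSettings = true;
+    recommendedProxySettings = true;
+  };
+
+  services.postgresql = {
+    enable = true;
+    enableTCPIP = false;
+    settings.unix_socket_permissions = "0770";
+  };
+
+  services.openssh = {
+    enable = true;
+    settings.PasswordAuthentication = false;
+    settings.PermitRootLogin = "no";
+  };
+
+  environment.systemPackages = with pkgs; [
+    hut # For interacting with the Sourcehut APIs via CLI
+    (callPackage ../srht-gen-oauth-tok.nix { }) # To automatically generate OAuth tokens
+  ];
+}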
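Review bot: common.nix reads `domain = config.networking.domain;` on line 3 and interpolates it into the openssl `-subj`/`-addext` arguments and into `smtp-from`, but `networking.domain` has no default in NixOS (it is null), so any node that imports this shared file without setting it fails at evaluation with a null-coercion error far from the cause. Now that the configuration is shared, state that contract at the top of the file, e.g. `# Requires the importing node to set networking.domain: it becomes the CN/SAN of the self-signed TLS cert and the mail sender domain.`, or add an `assertions` entry with an explicit message. The `nodes` argument in the function pattern on line 1 is not referenced anywhere in the file and can be dropped. The existing WARNING on `pgp-privkey` applies equally to `service-key`, `network-key` and `webhooks.private-key`, which `pkgs.writeText` also places in the world-readable Nix store; that is fine for a test fixture, but one header sentence saying these are throwaway test credentials would keep this module from being copied as a production template.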
+4 -94
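--- a/nixos/tests/sourcehut/sourcehut.nix
+++ b/nixos/tests/sourcehut/sourcehut.nix
@@ -1,15 +1,6 @@
 import ../make-test-python.nix ({ pkgs, lib, ... }:
 let
   domain = "sourcehut.localdomain";
-
-  # Note that wildcard certificates just under the TLD (eg. *.com)
-  # would be rejected by clients like curl.
-  tls-cert = pkgs.runCommand "selfSignedCerts" { buildInputs = [ pkgs.openssl ]; } ''
-    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -days 36500 \
-      -subj '/CN=${domain}' -extensions v3_req \
-      -addext 'subjectAltName = DNS:*.${domain}'
-    install -D -t $out key.pem cert.pem
-  '';
 in
 {
   name = "sourcehut";
@@ -17,11 +8,11 @@
   meta.maintainers = with pkgs.lib.maintainers; [ tomberek nessdoor ];
 
   nodes.machine = { config, pkgs, nodes, ... }: {
-    # buildsrht needs space
-    virtualisation.diskSize = 4 * 1024;
-    virtualisation.memorySize = 2 * 1024;
+    imports = [
+      ./nodes/common.nix
+    ];
+
     networking.domain = domain;
-    networking.enableIPv6 = false;
     networking.extraHosts = ''
       ${config.networking.primaryIPAddress} builds.${domain}
       ${config.networking.primaryIPAddress} git.${domain}
@@ -29,17 +20,6 @@
     '';
 
     services.sourcehut = {
-      enable = true;
-      nginx.enable = true;
-      nginx.virtualHost = {
-        forceSSL = true;
-        sslCertificate = "${tls-cert}/cert.pem";
-        sslCertificateKey = "${tls-cert}/key.pem";
-      };
-      postgresql.enable = true;
-      redis.enable = true;
-
-      meta.enable = true;
       builds = {
         enable = true;
         # FIXME: see why it does not seem to activate fully.
@@ -48,12 +28,6 @@
       };
       git.enable = true;
 
-      settings."sr.ht" = {
-        environment = "production";
-        global-domain = config.networking.domain;
-        service-key = pkgs.writeText "service-key" "8b327279b77e32a3620e2fc9aabce491cc46e7d821fd6713b2a2e650ce114d01";
-        network-key = pkgs.writeText "network-key" "cEEmc30BRBGkgQZcHFksiG7hjc6_dK1XR2Oo5Jb9_nQ=";
-      };
       settings."builds.sr.ht" = {
         oauth-client-secret = pkgs.writeText "buildsrht-oauth-client-secret" "2260e9c4d9b8dcedcef642860e0504bc";
         oauth-client-id = "299db9f9c2013170";
@@ -62,74 +36,10 @@
         oauth-client-secret = pkgs.writeText "gitsrht-oauth-client-secret" "3597288dc2c716e567db5384f493b09d";
         oauth-client-id = "d07cb713d920702e";
       };
-      settings.webhooks.private-key = pkgs.writeText "webhook-key" "Ra3IjxgFiwG9jxgp4WALQIZw/BMYt30xWiOsqD0J7EA=";
-      settings.mail = {
-        smtp-from = "root+hut@${domain}";
-        # WARNING: take care to keep pgp-privkey outside the Nix store in production,
-        # or use LoadCredentialEncrypted=
-        pgp-privkey = toString (pkgs.writeText "sourcehut.pgp-privkey" ''
-          -----BEGIN PGP PRIVATE KEY BLOCK-----
-
-          lFgEYqDRORYJKwYBBAHaRw8BAQdAehGoy36FUx2OesYm07be2rtLyvR5Pb/ltstd
-          Gk7hYQoAAP9X4oPmxxrHN8LewBpWITdBomNqlHoiP7mI0nz/BOPJHxEktDZuaXhv
-          cy90ZXN0cy9zb3VyY2VodXQgPHJvb3QraHV0QHNvdXJjZWh1dC5sb2NhbGRvbWFp
-          bj6IlwQTFgoAPxYhBPqjgjnL8RHN4JnADNicgXaYm0jJBQJioNE5AhsDBQkDwmcA
-          BgsJCAcDCgUVCgkICwUWAwIBAAIeBQIXgAAKCRDYnIF2mJtIySVCAP9e2nHsVHSi
-          2B1YGZpVG7Xf36vxljmMkbroQy+0gBPwRwEAq+jaiQqlbGhQ7R/HMFcAxBIVsq8h
-          Aw1rngsUd0o3dAicXQRioNE5EgorBgEEAZdVAQUBAQdAXZV2Sd5ZNBVTBbTGavMv
-          D6ORrUh8z7TI/3CsxCE7+yADAQgHAAD/c1RU9xH+V/uI1fE7HIn/zL0LUPpsuce2
-          cH++g4u3kBgTOYh+BBgWCgAmFiEE+qOCOcvxEc3gmcAM2JyBdpibSMkFAmKg0TkC
-          GwwFCQPCZwAACgkQ2JyBdpibSMlKagD/cTre6p1m8QuJ7kwmCFRSz5tBzIuYMMgN
-          xtT7dmS91csA/35fWsOykSiFRojQ7ccCSUTHL7ApF2EbL968tP/D2hIG
-          =Hjoc
-          -----END PGP PRIVATE KEY BLOCK-----
-        '');
-        pgp-pubkey = pkgs.writeText "sourcehut.pgp-pubkey" ''
-          -----BEGIN PGP PUBLIC KEY BLOCK-----
-
-          mDMEYqDRORYJKwYBBAHaRw8BAQdAehGoy36FUx2OesYm07be2rtLyvR5Pb/ltstd
-          Gk7hYQq0Nm5peG9zL3Rlc3RzL3NvdXJjZWh1dCA8cm9vdCtodXRAc291cmNlaHV0
-          LmxvY2FsZG9tYWluPoiXBBMWCgA/FiEE+qOCOcvxEc3gmcAM2JyBdpibSMkFAmKg
-          0TkCGwMFCQPCZwAGCwkIBwMKBRUKCQgLBRYDAgEAAh4FAheAAAoJENicgXaYm0jJ
-          JUIA/17acexUdKLYHVgZmlUbtd/fq/GWOYyRuuhDL7SAE/BHAQCr6NqJCqVsaFDt
-          H8cwVwDEEhWyryEDDWueCxR3Sjd0CLg4BGKg0TkSCisGAQQBl1UBBQEBB0BdlXZJ
-          3lk0FVMFtMZq8y8Po5GtSHzPtMj/cKzEITv7IAMBCAeIfgQYFgoAJhYhBPqjgjnL
-          8RHN4JnADNicgXaYm0jJBQJioNE5AhsMBQkDwmcAAAoJENicgXaYm0jJSmoA/3E6
-          3uqdZvELie5MJghUUs+bQcyLmDDIDcbU+3ZkvdXLAP9+X1rDspEohUaI0O3HAklE
-          xy+wKRdhGy/evLT/w9oSBg==
-          =pJD7
-          -----END PGP PUBLIC KEY BLOCK-----
-        '';
-        pgp-key-id = "0xFAA38239CBF111CDE099C00CD89C8176989B48C9";
-      };
-    };
-
-    networking.firewall.allowedTCPPorts = [ 80 443 ];
-    security.pki.certificateFiles = [ "${tls-cert}/cert.pem" ];
-    services.nginx = {
-      enable = true;
-      recommendedGzipSettings = true;
-      recommendedOptimisation = true;
-      recommendedTlsSettings = true;
-      recommendedProxySettings = true;
-    };
-
-    services.postgresql = {
-      enable = true;
-      enableTCPIP = false;
-      settings.unix_socket_permissions = "0770";
-    };
-
-    services.openssh = {
-      enable = true;
-      settings.PasswordAuthentication = false;
-      settings.PermitRootLogin = "no";
     };
 
     environment.systemPackages = with pkgs; [
       git
-      hut # For interacting with the Sourcehut APIs via CLI
-      (callPackage ./srht-gen-oauth-tok.nix { }) # To automatically generate OAuth tokens
     ];
   };
 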