+2

nixos/doc/manual/release-notes/rl-2311.section.md

··· 113 113 114 114 - [virt-manager](https://virt-manager.org/), an UI for managing virtual machines in libvirt, is now available as `programs.virt-manager`. 115 115 116 116 + - [Soft Serve](https://github.com/charmbracelet/soft-serve), a tasty, self-hostable Git server for the command line. Available as [services.soft-serve](#opt-services.soft-serve.enable). 117 117 + 116 118 ## Backward Incompatibilities {#sec-release-23.11-incompatibilities} 117 119 118 120 - `network-online.target` has been fixed to no longer time out for systems with `networking.useDHCP = true` and `networking.useNetworkd = true`.

+1

nixos/modules/module-list.nix

··· 730 730 ./services/misc/signald.nix 731 731 ./services/misc/siproxd.nix 732 732 ./services/misc/snapper.nix 733 733 + ./services/misc/soft-serve.nix 733 734 ./services/misc/sonarr.nix 734 735 ./services/misc/sourcehut 735 736 ./services/misc/spice-vdagentd.nix

+99

nixos/modules/services/misc/soft-serve.nix

··· 1 1 + { config, lib, pkgs, ... }: 2 2 + 3 3 + with lib; 4 4 + 5 5 + let 6 6 + cfg = config.services.soft-serve; 7 7 + configFile = format.generate "config.yaml" cfg.settings; 8 8 + format = pkgs.formats.yaml { }; 9 9 + docUrl = "https://charm.sh/blog/self-hosted-soft-serve/"; 10 10 + stateDir = "/var/lib/soft-serve"; 11 11 + in 12 12 + { 13 13 + options = { 14 14 + services.soft-serve = { 15 15 + enable = mkEnableOption "Enable soft-serve service"; 16 16 + 17 17 + package = mkPackageOption pkgs "soft-serve" { }; 18 18 + 19 19 + settings = mkOption { 20 20 + type = format.type; 21 21 + default = { }; 22 22 + description = mdDoc '' 23 23 + The contents of the configuration file. 24 24 + 25 25 + See <${docUrl}>. 26 26 + ''; 27 27 + example = literalExpression '' 28 28 + { 29 29 + name = "dadada's repos"; 30 30 + log_format = "text"; 31 31 + ssh = { 32 32 + listen_addr = ":23231"; 33 33 + public_url = "ssh://localhost:23231"; 34 34 + max_timeout = 30; 35 35 + idle_timeout = 120; 36 36 + }; 37 37 + stats.listen_addr = ":23233"; 38 38 + } 39 39 + ''; 40 40 + }; 41 41 + }; 42 42 + }; 43 43 + 44 44 + config = mkIf cfg.enable { 45 45 + 46 46 + systemd.tmpfiles.rules = [ 47 47 + # The config file has to be inside the state dir 48 48 + "L+ ${stateDir}/config.yaml - - - - ${configFile}" 49 49 + ]; 50 50 + 51 51 + systemd.services.soft-serve = { 52 52 + description = "Soft Serve git server"; 53 53 + documentation = [ docUrl ]; 54 54 + requires = [ "network-online.target" ]; 55 55 + after = [ "network-online.target" ]; 56 56 + wantedBy = [ "multi-user.target" ]; 57 57 + 58 58 + environment.SOFT_SERVE_DATA_PATH = stateDir; 59 59 + 60 60 + serviceConfig = { 61 61 + Type = "simple"; 62 62 + DynamicUser = true; 63 63 + Restart = "always"; 64 64 + ExecStart = "${getExe cfg.package} serve"; 65 65 + StateDirectory = "soft-serve"; 66 66 + WorkingDirectory = stateDir; 67 67 + RuntimeDirectory = "soft-serve"; 68 68 + RuntimeDirectoryMode = "0750"; 69 69 + ProcSubset = "pid"; 70 70 + ProtectProc = "invisible"; 71 71 + UMask = "0027"; 72 72 + CapabilityBoundingSet = ""; 73 73 + ProtectHome = true; 74 74 + PrivateDevices = true; 75 75 + PrivateUsers = true; 76 76 + ProtectHostname = true; 77 77 + ProtectClock = true; 78 78 + ProtectKernelTunables = true; 79 79 + ProtectKernelModules = true; 80 80 + ProtectKernelLogs = true; 81 81 + ProtectControlGroups = true; 82 82 + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; 83 83 + RestrictNamespaces = true; 84 84 + LockPersonality = true; 85 85 + MemoryDenyWriteExecute = true; 86 86 + RestrictRealtime = true; 87 87 + RemoveIPC = true; 88 88 + PrivateMounts = true; 89 89 + SystemCallArchitectures = "native"; 90 90 + SystemCallFilter = [ 91 91 + "@system-service" 92 92 + "~@cpu-emulation @debug @keyring @module @mount @obsolete @privileged @raw-io @reboot @setuid @swap" 93 93 + ]; 94 94 + }; 95 95 + }; 96 96 + }; 97 97 + 98 98 + meta.maintainers = [ maintainers.dadada ]; 99 99 + }

+1

nixos/tests/all-tests.nix

··· 732 732 snapper = handleTest ./snapper.nix {}; 733 733 snipe-it = runTest ./web-apps/snipe-it.nix; 734 734 soapui = handleTest ./soapui.nix {}; 735 735 + soft-serve = handleTest ./soft-serve.nix {}; 735 736 sogo = handleTest ./sogo.nix {}; 736 737 solanum = handleTest ./solanum.nix {}; 737 738 sonarr = handleTest ./sonarr.nix {};

+102

nixos/tests/soft-serve.nix

··· 1 1 + import ./make-test-python.nix ({ pkgs, lib, ... }: 2 2 + let 3 3 + inherit (import ./ssh-keys.nix pkgs) snakeOilPrivateKey snakeOilPublicKey; 4 4 + sshPort = 8231; 5 5 + httpPort = 8232; 6 6 + statsPort = 8233; 7 7 + gitPort = 8418; 8 8 + in 9 9 + { 10 10 + name = "soft-serve"; 11 11 + meta.maintainers = with lib.maintainers; [ dadada ]; 12 12 + nodes = { 13 13 + client = { pkgs, ... }: { 14 14 + environment.systemPackages = with pkgs; [ 15 15 + curl 16 16 + git 17 17 + openssh 18 18 + ]; 19 19 + environment.etc.sshKey = { 20 20 + source = snakeOilPrivateKey; 21 21 + mode = "0600"; 22 22 + }; 23 23 + }; 24 24 + 25 25 + server = 26 26 + { config, ... }: 27 27 + { 28 28 + services.soft-serve = { 29 29 + enable = true; 30 30 + settings = { 31 31 + name = "TestServer"; 32 32 + ssh.listen_addr = ":${toString sshPort}"; 33 33 + git.listen_addr = ":${toString gitPort}"; 34 34 + http.listen_addr = ":${toString httpPort}"; 35 35 + stats.listen_addr = ":${toString statsPort}"; 36 36 + initial_admin_keys = [ snakeOilPublicKey ]; 37 37 + }; 38 38 + }; 39 39 + networking.firewall.allowedTCPPorts = [ sshPort httpPort statsPort ]; 40 40 + }; 41 41 + }; 42 42 + 43 43 + testScript = 44 44 + { ... }: 45 45 + '' 46 46 + SSH_PORT = ${toString sshPort} 47 47 + HTTP_PORT = ${toString httpPort} 48 48 + STATS_PORT = ${toString statsPort} 49 49 + KEY = "${snakeOilPublicKey}" 50 50 + SSH_KEY = "/etc/sshKey" 51 51 + SSH_COMMAND = f"ssh -p {SSH_PORT} -i {SSH_KEY} -o StrictHostKeyChecking=no" 52 52 + TEST_DIR = "/tmp/test" 53 53 + GIT = f"git -C {TEST_DIR}" 54 54 + 55 55 + for machine in client, server: 56 56 + machine.wait_for_unit("network.target") 57 57 + 58 58 + server.wait_for_unit("soft-serve.service") 59 59 + server.wait_for_open_port(SSH_PORT) 60 60 + 61 61 + with subtest("Get info"): 62 62 + status, test = client.execute(f"{SSH_COMMAND} server info") 63 63 + if status != 0: 64 64 + raise Exception("Failed to get SSH info") 65 65 + key = " ".join(KEY.split(" ")[0:2]) 66 66 + if not key in test: 67 67 + raise Exception("Admin key must be configured correctly") 68 68 + 69 69 + with subtest("Create user"): 70 70 + client.succeed(f"{SSH_COMMAND} server user create beatrice") 71 71 + client.succeed(f"{SSH_COMMAND} server user info beatrice") 72 72 + 73 73 + with subtest("Create repo"): 74 74 + client.succeed(f"git init {TEST_DIR}") 75 75 + client.succeed(f"{GIT} config --global user.email you@example.com") 76 76 + client.succeed(f"touch {TEST_DIR}/foo") 77 77 + client.succeed(f"{GIT} add foo") 78 78 + client.succeed(f"{GIT} commit --allow-empty -m test") 79 79 + client.succeed(f"{GIT} remote add origin git@server:test") 80 80 + client.succeed(f"GIT_SSH_COMMAND='{SSH_COMMAND}' {GIT} push -u origin master") 81 81 + client.execute("rm -r /tmp/test") 82 82 + 83 83 + server.wait_for_open_port(HTTP_PORT) 84 84 + 85 85 + with subtest("Clone over HTTP"): 86 86 + client.succeed(f"curl --connect-timeout 10 http://server:{HTTP_PORT}/") 87 87 + client.succeed(f"git clone http://server:{HTTP_PORT}/test /tmp/test") 88 88 + client.execute("rm -r /tmp/test") 89 89 + 90 90 + with subtest("Clone over SSH"): 91 91 + client.succeed(f"GIT_SSH_COMMAND='{SSH_COMMAND}' git clone git@server:test /tmp/test") 92 92 + client.execute("rm -r /tmp/test") 93 93 + 94 94 + with subtest("Get stats over HTTP"): 95 95 + server.wait_for_open_port(STATS_PORT) 96 96 + status, test = client.execute(f"curl --connect-timeout 10 http://server:{STATS_PORT}/metrics") 97 97 + if status != 0: 98 98 + raise Exception("Failed to get metrics from status port") 99 99 + if not "go_gc_duration_seconds_count" in test: 100 100 + raise Exception("Metrics did not contain key 'go_gc_duration_seconds_count'") 101 101 + ''; 102 102 + })

+3 -1

pkgs/servers/soft-serve/default.nix

··· 1 1 - { lib, buildGoModule, fetchFromGitHub, makeWrapper, git, bash }: 1 1 + { lib, buildGoModule, fetchFromGitHub, makeWrapper, nixosTests, git, bash }: 2 2 3 3 buildGoModule rec { 4 4 pname = "soft-serve"; ··· 25 25 wrapProgram $out/bin/soft \ 26 26 --prefix PATH : "${lib.makeBinPath [ git bash ]}" 27 27 ''; 28 28 + 29 29 + passthru.tests = nixosTests.soft-serve; 28 30 29 31 meta = with lib; { 30 32 description = "A tasty, self-hosted Git server for the command line";