sourcehut: include module #65109
Conversation
27741ab to 958e98b
958e98b to 3948461
88e4c6d to 17cf6fe
729bf36 to c01ec1c
# from other sites in your network. | ||
# | ||
# Use the srht-webhook-keygen command to generate a key. | ||
webhooks.private-key = mkDefault null; |
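Review bot: the comment tells the user to generate a key with srht-webhook-keygen, but any value assigned to `webhooks.private-key` through `settings` is rendered into /etc/sr.ht/config.ini, which this module builds in the Nix store, where it is readable by every user on the host. State that next to the option, and either point users at a mechanism that keeps the key in a file outside the store or add an assertion that rejects a non-null value here, so the `mkDefault null` cannot be silently replaced by a key that ends up world-readable.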
Serious security problem here.
Any idea? I thought of just appending this part from the content of a secure file, creating a third, non-store config for the service to use.
IIRC services e.g. ssh generate keys on service start if they're not present...
Appending won't fix the problem, it'll still end up in the store. If you don't want it to be in the store, the only option is to have it as an external file, and you're better off setting it up yourself since I can't access the settings unless I parse the file's contents.
I'm pretty sure the generated key isn't supposed to be used for ssh connections.
Why won't appending fix the problem? I don't think you understood what I meant. The file we're appending from is not in the store, and neither is the file we're appending to. Only the 'base' file (the one created here, without private keys) would be in the store.
As far as I know, the only configuration file for sourcehut lies in /etc/sr.ht/config.ini, since the relative config.ini is out of the question unless one starts overriding the derivation.

```nix
a = 1;
${builtins.readFile path_to_external_file}
```

Would have the file contents of path_to_external_file in the file in the store.
This really is a sourcehut bug. Secrets don't go in config files.
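One way to do what the thread describes (render the non-secret base config in the store, then assemble the real config.ini at service start from that base plus a root-only secrets fragment), as an added example that is not from the PR or from sourcehut. It is POSIX shell of the kind that would run from a systemd `preStart`; the file names, the `[sr.ht]`/`[webhooks]` layout and the key value are constructed for illustration, and it assumes either GNU or BSD `stat`.

```sh
# Added example, not the PR's module code or sourcehut's own tooling.
# Goal: the private key never appears in a file that lives in /nix/store.
set -eu

# Permission bits of a file: GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# build_config BASE SECRETS OUT
# Writes OUT (mode 0600) as BASE followed by SECRETS. Refuses a SECRETS file
# that is readable by group or other: if it were, keeping it out of the store
# would buy nothing.
build_config() {
    base=$1 secrets=$2 out=$3
    case "$(file_mode "$secrets")" in
        [0-7]00) ;;
        *) echo "refusing: $secrets is readable by group or other" >&2; return 1 ;;
    esac
    # subshell so the restrictive umask does not leak into the caller
    ( umask 077; { cat "$base"; printf '\n'; cat "$secrets"; } > "$out" )
}

# leaks_secret FILE KEY: succeeds if FILE carries a non-empty value for KEY.
# Run it against the store-rendered base as a guard before the service starts.
leaks_secret() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*[^[:space:]]" "$1"
}

# demo: constructed inputs in a temp dir; prints the directory. The base
# stands in for the store-rendered /etc/sr.ht/config.ini and deliberately
# leaves the secret key out entirely rather than setting it to an empty value.
demo() {
    d=$(mktemp -d)
    cat > "$d/config.ini" <<'EOF'
[sr.ht]
site-name = example (constructed)

[webhooks]
# private-key is supplied from the root-only secrets fragment at service start
EOF
    ( umask 077; printf 'private-key = CONSTRUCTED_NOT_A_REAL_KEY\n' > "$d/secret.ini" )
    build_config "$d/config.ini" "$d/secret.ini" "$d/runtime.ini"
    echo "$d"
}
```

The fragment is appended after the last section of the base, so the section that receives secrets has to be the last one there, and its secret keys must not appear in the base at all: how an INI parser treats a duplicated section or key is parser-specific, and an empty `private-key =` in the base would be read as the actual value if the fragment were ever missing. In a NixOS module the base would be the store path, the secrets file something like a root-owned file under /etc or /var, and OUT a path under /run that the service is pointed at.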
Any progress here?
All the web interfaces should work fine? At least when I ran a couple of qemu vms through nixops it seemed everything worked fine locally in terms of the interface. For the lists and other integration things (like mailbox server) things I have no clue. I basically only host an instance with meta/git/paste locally.
Could you share your I have a mailserver running on that server, as well as postgres and redis, but no cron (yet, as I use systemd timers). I wonder how to properly set this up using containers for everything (or VMs, as said not sure which way to go, yet).
https://git.sr.ht/~eadwu/nixos-configuration/tree/master/nixops/sourcehut Some configuration options might be missing in this PR.
Basically a port from git.
TESTED: Creating a repo through the web interface; cloning through https (`hg clone --insecure`).
TESTED: Creating a ticket through the web interface; responding, resolving, blah, blah through the web interface.
c01ec1c to b015be3
}; | ||
|
||
settings = mkOption { | ||
type = with types; attrsOf (attrsOf (nullOr (either bool (either int (either float (either str path)))))); |
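Review bot: the `nullOr` in this type means a null entry such as `webhooks.private-key = mkDefault null` above has to be dropped when the settings are rendered into config.ini, otherwise the file gets a literal `private-key = null` that the service would treat as a key. Nothing in this hunk shows that filter; either add it to the renderer and cover it with an assertion, or drop `nullOr` and let absence of the key express "unset". The nested `either` chain should also get a short `description` so type errors name the intended INI value types instead of printing the whole chain.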
This will produce a crazy type like the one in #86402. Can you add a description with `// { description = "..."; }`?
Isn't there already a description for this in line 73?
I think he meant an example maybe?
Hey, what is the status of this PR? I'm looking to setup sourcehut on my NixOS server, is there anything I can do to get this finished? Any help needed? EDIT: I would need a bit of guidance, I'm quite new to the nix world.
@pinpox I am by no means an expert, so take my advice with a grain of salt. Let me know if anything doesn't make sense.
Why was this closed?
It is extremely unlikely that I will ever finish the entire module. I don't use some of the sub-services at all (such as builds or lists) nor do I have the experience of setting up build clusters correctly.
If anybody ever picks this up again, just put a comment here, I'm interested in helping the person test the PR and merge it.
ok thanks @eadwu for the update. I'll take a hit at it as soon as I figure it well
Had to update some of the available settings, but the existing setup seems to function (https://todo.srht.tomberek.info/). Registration + email works. There are some fiddly things. The current one:
I believe the original approach in this PR was a workaround for a bug in the implementation but it was since fixed upstream. Sadly I don't remember the specifics.
This is in relation to gitsrht-update-hook. It seems os.Args[0] is the full path, not the relative path and symlink. It is expecting something like "hooks/pre-receive". The links exist on disk. Looks okay. Was thinking there might be some obscure git setting "don't resolve symlinks before calling them".
Did a mass update to the latest sources and added the 5100 API (not exactly sure if I did that right, but until I did, none of the web services were responding at all). Still have the same issue with the gitsrht-update-hook.
The arg0 was an artifact caused by Nix. The python builder wraps all the executables in
Putting my WIP here: https://git.srht.tomberek.info/~tomberek2/sourcehut-nix @eadwu can we reopen this, or should we start a new PR?
A new PR, I won't be able to review it since as stated above I don't use all the services anyway. |
Motivation for this change
In case I ever finish this or if someone wants to see some sort of thing as reference.
Things done
- Tested using sandboxing (`sandbox` in `nix.conf` on non-NixOS)
- Tested compilation of all pkgs that depend on this change using `nix-shell -p nix-review --run "nix-review wip"`
- Tested execution of all binary files (usually in `./result/bin/`)
- Determined the impact on package closure size (by running `nix path-info -S` before and after)