summaryrefslogtreecommitdiff
path: root/nix/modules/public_inbox.nix
diff options
context:
space:
mode:
Diffstat (limited to 'nix/modules/public_inbox.nix')
-rw-r--r--nix/modules/public_inbox.nix101
1 files changed, 101 insertions, 0 deletions
diff --git a/nix/modules/public_inbox.nix b/nix/modules/public_inbox.nix
new file mode 100644
index 0000000..cba1e39
--- /dev/null
+++ b/nix/modules/public_inbox.nix
@@ -0,0 +1,101 @@
+{ lib, config, ... }:
+{
+ systemd.tmpfiles.rules = [
+ "C+ /var/lib/public-inbox/style.css 0644 public-inbox public-inbox - ${../data/public-inbox.css}"
+ ];
+ systemd.services.public-inbox-httpd = if config.monorepo.profiles.server.enable then {
+ preStart = ''
+ # Copy or link the file.
+ # Using 'cp' is often safer for sandboxed services than linking to the store. Lol.
+ cp -f ${../data/public-inbox.css} /var/lib/public-inbox/style.css
+ chmod 644 /var/lib/public-inbox/style.css
+ '';
+
+ serviceConfig = {
+ # Allow the service to see the file it just created
+ BindPaths = [
+ "/var/lib/public-inbox"
+ "/srv/git/"
+ ];
+ ReadOnlyPaths = [ "/var/lib/public-inbox/style.css" ];
+ # Ensure it can actually write to the directory during preStart
+ ReadWritePaths = [ "/var/lib/public-inbox" ];
+ };
+ } else {};
+
+ systemd.services.public-inbox-watch = if config.monorepo.profiles.server.enable then {
+ after = [ "sops-nix.service" ];
+ confinement.enable = lib.mkForce false;
+ preStart = ''
+ mkdir -p /var/lib/public-inbox/.tmp
+ chmod 0700 /var/lib/public-inbox/.tmp
+ ln -sfn ${config.sops.templates."public-inbox-netrc".path} /var/lib/public-inbox/.netrc
+ '';
+ environment = {
+ PUBLIC_INBOX_FORCE_IPV4 = "1";
+ NETRC = config.sops.templates."public-inbox-netrc".path;
+ HOME = "/var/lib/public-inbox";
+ TMPDIR = "/var/lib/public-inbox/.tmp";
+ };
+
+ serviceConfig = {
+ RestrictSUIDSGID = lib.mkForce false;
+ ReadWritePaths = [ "/var/lib/public-inbox" ];
+ RestrictAddressFamilies = lib.mkForce [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+ PrivateNetwork = lib.mkForce false;
+ SystemCallFilter = lib.mkForce [];
+ RootDirectory = lib.mkForce "";
+
+ CapabilityBoundingSet = lib.mkForce [ "~" ];
+ UMask = lib.mkForce "0022";
+ ProtectSystem = lib.mkForce false;
+ };
+ } else {};
+
+ services.public-inbox = {
+ enable = lib.mkDefault config.monorepo.profiles.server.enable;
+ settings = {
+ coderepo."nullerbot".dir = "/srv/git/nullerbot.git";
+ coderepo."nullerbot".cgitUrl = "https://git.nullring.xyz/nullerbot.git";
+ coderepo."monorepo".dir = "/srv/git/monorepo.git";
+ coderepo."monorepo".cgitUrl = "https://git.nullring.xyz/monorepo.git";
+ publicinbox.css = ["/var/lib/public-inbox/style.css"];
+ publicinbox.wwwlisting = "all";
+ };
+ http = {
+ enable = true;
+ port = 9090;
+ };
+ inboxes = {
+ "monorepo" = {
+ description = "discussion of ret2pop's monorepo project and related work.";
+ address = [ "monorepo@${config.monorepo.vars.orgHost}" ];
+ inboxdir = "/var/lib/public-inbox/monorepo";
+ url = "https://list.${config.monorepo.vars.orgHost}/monorepo";
+ watch = [ "imaps://monorepo%40${config.monorepo.vars.orgHost}@mail.${config.monorepo.vars.orgHost}/INBOX" ];
+ coderepo = [
+ "monorepo"
+ ];
+ };
+
+ "discussion" = {
+ description = "Main Nullring Discussion Mailing List";
+ address = [ "discussion@${config.monorepo.vars.orgHost}" ];
+ inboxdir = "/var/lib/public-inbox/discuss";
+ url = "https://list.${config.monorepo.vars.orgHost}/discussion";
+ watch = [ "imaps://discussion%40${config.monorepo.vars.orgHost}@mail.${config.monorepo.vars.orgHost}/INBOX" ];
+ };
+
+ "nullerbot" = {
+ description = "Discussion of Nullerbot Matrix Bot";
+ address = [ "nullerbot@${config.monorepo.vars.orgHost}" ];
+ inboxdir = "/var/lib/public-inbox/nullerbot";
+ url = "https://list.${config.monorepo.vars.orgHost}/nullerbot";
+ watch = [ "imaps://nullerbot%40${config.monorepo.vars.orgHost}@mail.${config.monorepo.vars.orgHost}/INBOX" ];
+ coderepo = [
+ "nullerbot"
+ ];
+ };
+ };
+ };
+}
generated by cgit v1.3 (git 2.53.0) at 2026-05-31 20:11:23 +0000