Differences between revisions 10 and 16 (spanning 6 versions)
Revision 10 as of 2022-09-09 16:49:24
Size: 6354
Comment:
Revision 16 as of 2023-01-08 20:53:45
Size: 3882
Comment:
Line 11: Line 11:
Upstream only officially supports [[Linux/AlpineLinux|Alpine Linux 3.15]]. Upstream only officially supports [[Linux/Alpine|Alpine Linux 3.15]].
Line 19: Line 19:
The community package repository must be enabled. See [[Linux/AlpineLinux#Software_Installation|here]] for more details. The community package repository must be enabled. See [[Linux/Alpine/Apk|here]] for more details.
Line 36: Line 36:
Eli Schwartz maintains a set of packages for [[Linux/ArchLinux|Arch Linux]]. Eli Schwartz maintains a set of packages for [[Linux/Arch|Arch Linux]].
Line 68: Line 68:
=== SMTP === === Web Server ===
Line 70: Line 70:
TODO: copy from [[https://drewdevault.com/2018/08/05/Local-mail-server.html]] Sourcehut depends on a reverse proxy to dispatch between services. Furthermore, HTTP(S) cloning is not supported for git repositories, so an external web server is required.
Line 72: Line 72:
With a running MTA, update the `mail` section of the Sourcehut configuration. See [[Sourcehut/WebServer#Configuration|Web Server]] for configuration information.
Line 74: Line 74:
{{{
[mail]
smtp-host=localhost
smtp-port=25
smtp-from=root@localhost
smtp-encryption=insecure
smtp-auth=none
smtp-user=
smtp-password=
Line 84: Line 75:
error-to=root@localhost
error-from=root@localhost
Line 87: Line 76:
pgp-privkey=/etc/sr.ht/pgp.key
pgp-pubkey=/etc/sr.ht/pgp.pubkey
pgp-key-id=mykeyid
}}}
=== Mail Server ===
Line 92: Line 78:
If encryption is necessary, try:

{{{
smtp-encryption=starttls
}}}

If authentication is necessary, try:

{{{
smtp-auth=plain
smtp-user=myuser
smtp-password=mypassword
}}}

The PGP settings are also mandatory to update. The private key must be a password-less file. `pgp-key-id` should be set to the key's ID string. Try:

{{{
# need to remove passwords
# at gpg> prompt...
# type 'passwd'
# enter current password and leave new password blank
# read and agree to security warnings
gpg --edit-key KEYID

gpg --armor --export-options export-minimal --export KEYID >pgp.pubkey
gpg --armor --export-secret-key KEYID >pgp.key
}}}

For the `todo.sr.ht-lmtp` service, edit the `todo.sr.ht::mail` section of the Sourcehut configuration.

{{{
[todo.sr.ht::mail]
sock=/tmp/todo.sr.ht-lmtp.sock
sock-group=postfix
posting-domain=localhost.localdomain
}}}
See [[Sourcehut/Mail#Configuration|Mail]] for configuration information.
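Review bot: the removed `gpg --armor --export-secret-key KEYID >pgp.key` step in this hunk writes a password-less private key with whatever mode the shell's umask allows, and nothing here says which account may read the file that `pgp-privkey=/etc/sr.ht/pgp.key` points to. If these instructions now live under [[Sourcehut/Mail#Configuration|Mail]], state the expected owner and a restrictive mode for `pgp.key` there. The same applies to the configuration file once `smtp-password=` is filled in, and the `smtp-auth=plain` example should be shown together with `smtp-encryption=starttls` rather than as an independent option.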
Line 135: Line 86:
[[Redis]] will work out of the box. Simply ensure that the Sourcehut configuration can reach the service. [[Redis]] will work out of the box. Configure Sourcehut with the database URI.
Line 161: Line 112:

Line 163: Line 116:
SSH access to hosted repositories is a recurring challenge for git services. Sourcehut's approach is to insert an authentication dispatch into the host's `sshd(8)` configuration.

In `/etc/ssh/sshd_config`, set:

{{{
AuthorizedKeysCommand=/usr/bin/gitsrht-dispatch "%u" "%h" "%t" "%k"
AuthorizedKeysCommandUser=root
PermitUserEnvironment SRHT_*
}}}

A `git` user is created automatically by installing `git.sr.ht`, but an additional step of setting a login password is necessary.

{{{
sudo passwd git
}}}

When a user pulls to `[email protected]:~username/reponame`, `gitsrht-dispatch` will parse the `git.sr.ht::dispatch` section of the Sourcehut configuration.

{{{
[git.sr.ht::dispatch]
/usr/bin/gitsrht-keys=git:git
/usr/bin/buildsrht-keys=builds:builds
}}}

The right-hand side is the uid-gid pair that `gitsrht-dispatch` will scan for, and the left-hand side is a binary that will be dispatched to. Additional authentication stacks can be inserted here. If no dispatcher matches, `gitsrht-dispatch` just looks up the user's `authorized_users` file, to ensure that normal SSH access is uninterrupted.

`gitsrht-keys` will then 'generate' an `authorized_users` file based on the Sourcehut database of who should have access to the corresponding repository. This `authorized_users` file is then piped back to `sshd(8)` for normal key-based authentication. On the server side, this looks like the `git` user pulling from its `$HOME` directory (typically `var/lib/git`).
See [[Sourcehut/SSH#Setup|SSH]] for setup information.
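Review bot: the removed SSH text calls the key file `authorized_users` three times, but the file `sshd(8)` reads is `authorized_keys`; correct that if the text is carried over to [[Sourcehut/SSH#Setup|SSH]]. In the same passage, `var/lib/git` is missing its leading slash. The target page should also say why `AuthorizedKeysCommandUser=root` is needed, since the dispatch command then runs as root on every public key authentication attempt.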

Sourcehut


Installation

Upstream only officially supports Alpine Linux 3.15.

To enable the package repository, add the following line to /etc/apk/repositories. It must be the first repository checked.

https://mirror.sr.ht/alpine/v3.15/sr.ht

The community package repository must be enabled. See here for more details.

Install the packager's key and update the package index.

wget -q -O /etc/apk/keys/[email protected] https://mirror.sr.ht/alpine/[email protected]
apk update
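
The repository requirements above (sr.ht mirror listed first, community repository enabled) can be checked with a short script. This is an added example, not part of the original page or of Sourcehut's tooling; the function name, its return codes and the sample Alpine mirror lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: check the /etc/apk/repositories requirements stated above.
# check_apk_repos and its return codes are hypothetical, not Sourcehut tooling.

# Repository line given on the page.
SRHT_REPO='https://mirror.sr.ht/alpine/v3.15/sr.ht'

# check_apk_repos FILE
#   0  sr.ht mirror is the first active entry and a community repo is active
#   1  sr.ht mirror is missing or not first
#   2  no active community repository
#   3  FILE is not readable
check_apk_repos() {
    file=$1
    [ -r "$file" ] || return 3
    # Active entries: strip comments and surrounding whitespace, then drop
    # blank lines and tagged ("@tag URL") entries, which apk only uses for
    # packages requested with that tag.
    active=$(sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        "$file" | grep -v -e '^$' -e '^@' || true)
    first=$(printf '%s\n' "$active" | head -n 1)
    first=${first%/}    # tolerate a trailing slash on the mirror URL
    [ "$first" = "$SRHT_REPO" ] || return 1
    printf '%s\n' "$active" | grep -Eq '/community/?$' || return 2
    return 0
}

# Constructed sample: community is commented out, so the check reports 2.
sample=$(mktemp)
cat > "$sample" <<'EOF'
https://mirror.sr.ht/alpine/v3.15/sr.ht
https://dl-cdn.alpinelinux.org/alpine/v3.15/main
#https://dl-cdn.alpinelinux.org/alpine/v3.15/community
EOF
rc=0
check_apk_repos "$sample" || rc=$?
echo "check_apk_repos returned $rc"
rm -f "$sample"
```

On a real host, run `check_apk_repos /etc/apk/repositories` before `apk update`.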

Sourcehut is a modular ecosystem, with meta.sr.ht being the only mandatory package (as it handles authentication and authorization). For example, to run the git and mercurial services, use git.sr.ht and hg.sr.ht, respectively. Installation and configuration of each modular service are detailed in the corresponding section under Administration.

Install the meta.sr.ht package. Start and enable three services: meta.sr.ht, meta.sr.ht-api, and meta.sr.ht-webhooks. Finally, enable the metasrht-daily cronjob and set it to run daily.

Community Packages

Eli Schwartz maintains a set of packages for Arch Linux.

Add the mirror to /etc/pacman.conf:

[sr.ht]
Server = https://mirror.sr.ht/archlinux/sr.ht

Then install the packagers' keys:

sudo pacman-key --recv-keys C0AAFC1676BD998617C94C42DC59670F1EB0A189
sudo pacman-key --lsign-key C0AAFC1676BD998617C94C42DC59670F1EB0A189

Development Setup

TODO: copy from https://emersion.fr/blog/2021/setting-up-sr.ht-for-local-development/


Configuration

Several Sourcehut services depend on additional local services.

Web Server

Sourcehut depends on a reverse proxy to dispatch between services. Furthermore, HTTP(S) cloning is not supported for git repositories, so an external web server is required.

See Web Server for configuration information.

Mail Server

See Mail for configuration information.

To test the configuration, add an SSH key to the admin user. An automatic notification email will be generated by that trigger.

Redis

Redis will work out of the box. Configure Sourcehut with the database URI.

[sr.ht]
...
redis-host=redis://localhost

[git.sr.ht]
...
webhooks=redis://localhost:6379/1

[meta.sr.ht]
...
webhooks=redis://localhost:6379/1

[todo.sr.ht]
...
webhooks=redis://localhost:6379/1

Note that each service can use an independent database if desired.

PostgreSQL

SSH

See SSH for setup information.


Administration

Users

To create an admin user, try:

metasrht-manageuser -t admin -e <email> <username>

Note that admin users will permanently see a 'PRODUCTION ENVIRONMENT' banner on all pages.

With an existing admin user, users can be managed in the web UI.

Individual users then need to upload their own SSH and PGP keys, also through the web UI.

Git

Mercurial

Bug Tracker

Page Hosting

Mail Lists

Automated Builds

Anecdotally the build service is the most unreliable component of the Sourcehut ecosystem.

The master server runs the builds.sr.ht package and service. Each runner corresponds to a builds.sr.ht-worker service, which depends on the builds.sr.ht-worker and builds.sr.ht-images packages.

Upstream's production architecture thoroughly encapsulates the runners.



Sourcehut (last edited 2025-12-19 21:38:51 by DominicRicottone)