Sourcehut
Installation
Upstream only officially supports Alpine Linux 3.15.
To enable the package repository, add the following line to /etc/apk/repositories. It must be the first repository checked.
https://mirror.sr.ht/alpine/v3.15/sr.ht
The community package repository must be enabled. See here for more details.
Install the packager's key and update the package index.
wget -q -O /etc/apk/keys/[email protected] https://mirror.sr.ht/alpine/[email protected]
apk update
Sourcehut is a modular ecosystem, with meta.sr.ht being the only mandatory package (as it handles authentication and authorization). For example, to run the git and mercurial services, use git.sr.ht and hg.sr.ht, respectively. Installation and configuration of these modular services is detailed in a corresponding section under Administration.
Install the meta.sr.ht package. Start and enable three services: meta.sr.ht, meta.sr.ht-api, and meta.sr.ht-webhooks. Finally, enable the metasrht-daily cronjob and set it to run daily.
Community Packages
Eli Schwartz maintains a set of packages for Arch Linux.
Add the mirror to /etc/pacman.conf:
[sr.ht]
Server = https://mirror.sr.ht/archlinux/sr.ht
Then install the packagers' keys:
sudo pacman-key --recv-keys C0AAFC1676BD998617C94C42DC59670F1EB0A189
sudo pacman-key --lsign-key C0AAFC1676BD998617C94C42DC59670F1EB0A189
Development Setup
TODO: copy from https://emersion.fr/blog/2021/setting-up-sr.ht-for-local-development/
Configuration
Several Sourcehut services depend on additional local services.
SMTP
TODO: copy from https://drewdevault.com/2018/08/05/Local-mail-server.html
With a running MTA, update the mail section of the Sourcehut configuration.
[mail]
smtp-host=localhost
smtp-port=25
smtp-from=root@localhost
smtp-encryption=insecure
smtp-auth=none
smtp-user=
smtp-password=
error-to=root@localhost
error-from=root@localhost
pgp-privkey=/etc/sr.ht/pgp.key
pgp-pubkey=/etc/sr.ht/pgp.pubkey
pgp-key-id=mykeyid
If encryption is necessary, try:
smtp-encryption=starttls
If authentication is necessary, try:
smtp-auth=plain
smtp-user=myuser
smtp-password=mypassword
The PGP settings must also be updated. The private key must be a password-less file. pgp-key-id should be set to the key's ID string. Try:
# need to remove passwords
# at gpg> prompt...
# type 'passwd'
# enter current password and leave new password blank
# read and agree to security warnings
gpg --edit-key KEYID
gpg --armor --export-options export-minimal --export KEYID >pgp.pubkey
gpg --armor --export-secret-key KEYID >pgp.key
For the todo.sr.ht-lmtp service, edit the todo.sr.ht::mail section of the Sourcehut configuration.
[todo.sr.ht::mail]
sock=/tmp/todo.sr.ht-lmtp.sock
sock-group=postfix
posting-domain=localhost.localdomain
To test the configuration, add an SSH key to the admin user. An automatic notification email will be generated by that trigger.
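Added example (not part of Sourcehut or of the original page): because the exported private key has no passphrase and smtp-encryption=insecure sends mail and any smtp-password in cleartext, a small audit of the [mail] section can catch the risky combinations. The function names, the sample relay mail.example.org and the choice to flag only world-accessible key files are assumptions of this sketch.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample: the page's keys, with a remote relay and plain auth.
SAMPLE = """\
[mail]
smtp-host=mail.example.org
smtp-port=25
smtp-encryption={enc}
smtp-auth=plain
smtp-user=myuser
smtp-password=mypassword
pgp-privkey={key}
"""

def audit_mail(config_text):
    """Return findings for the [mail] section of a Sourcehut configuration."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(config_text)
    mail = cp["mail"]
    findings = []
    remote = mail.get("smtp-host", "") not in ("localhost", "127.0.0.1", "::1")
    cleartext = mail.get("smtp-encryption") == "insecure"
    if remote and cleartext:
        findings.append("mail to remote smtp-host is sent unencrypted")
        if mail.get("smtp-auth") == "plain":
            findings.append("smtp-password is sent unencrypted")
    key = mail.get("pgp-privkey", "")
    if key and os.path.exists(key):
        mode = stat.S_IMODE(os.stat(key).st_mode)
        if mode & 0o007:  # no passphrase, so the file mode is the only protection
            findings.append(f"{key} is accessible to other users (mode {mode:o})")
    return findings

def demo(enc, mode):
    """Audit SAMPLE against a temporary stand-in for pgp.key with this mode."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        path = f.name
    try:
        os.chmod(path, mode)
        return audit_mail(SAMPLE.format(enc=enc, key=path))
    finally:
        os.unlink(path)
```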
Redis
Redis will work out of the box. Simply ensure that the Sourcehut configuration can reach the service.
[sr.ht]
...
redis-host=redis://localhost

[git.sr.ht]
...
webhooks=redis://localhost:6379/1

[meta.sr.ht]
...
webhooks=redis://localhost:6379/1

[todo.sr.ht]
...
webhooks=redis://localhost:6379/1
Note that each service can use an independent database if desired.
PostgreSQL
SSH
SSH access to hosted repositories is a recurring challenge for git services. Sourcehut's approach is to insert an authentication dispatch into the host's sshd(8) configuration.
In /etc/ssh/sshd_config, set:
AuthorizedKeysCommand=/usr/bin/gitsrht-dispatch "%u" "%h" "%t" "%k"
AuthorizedKeysCommandUser=root
PermitUserEnvironment SRHT_*
A git user is created automatically by installing git.sr.ht, but an additional step of setting a login password is necessary.
sudo passwd git
When a user pulls from [email protected]:~username/reponame, gitsrht-dispatch will parse the git.sr.ht::dispatch section of the Sourcehut configuration.
[git.sr.ht::dispatch]
/usr/bin/gitsrht-keys=git:git
/usr/bin/buildsrht-keys=builds:builds
The right-hand side is the uid-gid pair that gitsrht-dispatch will scan for, and the left-hand side is a binary that will be dispatched to. Additional authentication stacks can be inserted here. If no dispatcher matches, gitsrht-dispatch just looks up the user's authorized_users file, to ensure that normal SSH access is uninterrupted.
gitsrht-keys will then 'generate' an authorized_users file based on the Sourcehut database of who should have access to the corresponding repository. This authorized_users file is then piped back to sshd(8) for normal key-based authentication. On the server side, this looks like the git user pulling from its $HOME directory (typically /var/lib/git).
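A model of the lookup described above, as an added example; it is not gitsrht-dispatch's own code. It assumes the right-hand side is written as user:group names, and the third sample entry and the audit rules (absolute path, not writable by group or other) are this example's own hardening assumptions, chosen because sshd runs the command as root.

```python
import configparser
import os
import stat

# Constructed sample: the first two entries are the ones shown above,
# the third is a hypothetical bad entry for the audit to catch.
SAMPLE = """\
[git.sr.ht::dispatch]
/usr/bin/gitsrht-keys=git:git
/usr/bin/buildsrht-keys=builds:builds
bin/custom-keys=hg:hg
"""

def load_dispatch(config_text):
    """Return {binary: (user, group)} from the [git.sr.ht::dispatch] section."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep paths case-sensitive
    cp.read_string(config_text)
    table = {}
    for binary, owner in cp["git.sr.ht::dispatch"].items():
        user, _, group = owner.partition(":")
        table[binary] = (user.strip(), group.strip())
    return table

def resolve(table, user, group):
    """Binary to dispatch to for this login, or None for the fallback path."""
    for binary, owner in table.items():
        if owner == (user, group):
            return binary
    return None

def audit(table):
    """Flag entries that would be risky to execute from a root-run command."""
    findings = []
    for binary, (user, group) in table.items():
        if not os.path.isabs(binary):
            findings.append(f"{binary}: not an absolute path")
        elif os.path.exists(binary) and stat.S_IMODE(os.stat(binary).st_mode) & 0o022:
            findings.append(f"{binary}: writable by group/other")
        if not user or not group:
            findings.append(f"{binary}: owner must be user:group")
    return findings
```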
Administration
Users
To create an admin user, try:
metasrht-manageuser -t admin -e <email> <username>
Note that admin users will permanently see a 'PRODUCTION ENVIRONMENT' banner on all pages.
With an existing admin user, users can be managed in the web UI.
Individual users then need to upload their own SSH and PGP keys, also through the web UI.
Git
Mercurial
Bug Tracker
Page Hosting
Mail Lists
Automated Builds
Anecdotally, the build service is the most unreliable component of the Sourcehut ecosystem.
The master server runs the builds.sr.ht package and service. Each runner corresponds to a builds.sr.ht-worker service, which depends on the builds.sr.ht-worker and builds.sr.ht-images packages.
Upstream's production architecture thoroughly encapsulates the runners.