-rw-r--r--automation.nix57
-rw-r--r--configuration.nix1
-rw-r--r--git.nix72
3 files changed, 104 insertions, 26 deletions
diff --git a/automation.nix b/automation.nix
new file mode 100644
index 0000000..6645935
--- /dev/null
+++ b/automation.nix
@@ -0,0 +1,57 @@
+# Automation server
+# Copyright (C) 2023  Nguyễn Gia Phong
+#
+# This file is part of loang configuration.
+#
+# Loang configuration is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Loang configuration is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with loang configuration.  If not, see <https://www.gnu.org/licenses/>.
+
+{ config, lib, pkgs, ... }:
+let
+  inherit (config.networking) domain;
+  httpSock = "unix:${workingDir}/http.sock";
+  workingDir = "/var/lib/laminar";
+in {
+  environment.systemPackages = [ pkgs.laminar ];
+
+  services.nginx.virtualHosts."xong.${domain}" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/".proxyPass = "http://${httpSock}";
+  };
+
+  systemd.services.laminar = {
+    after = [ "network.target" ];
+    description = "Laminar continuous integration service";
+    documentation = [ "man:laminard(8)" "https://laminar.ohwg.net/docs.html" ];
+    environment = {
+      LAMINAR_HOME = workingDir;
+      LAMINAR_BIND_HTTP = httpSock;
+    };
+    serviceConfig = {
+      ExecStart = "${pkgs.laminar}/bin/laminard";
+      Group = "laminar";
+      User = "laminar";
+    };
+    wantedBy = [ "multi-user.target" ];
+  };
+
+  users = {
+    users.laminar = {
+      isSystemUser = true;
+      group = "laminar";
+      home = workingDir;
+    };
+    groups.laminar.members = [ "cnx" "nginx" ];
+  };
+}
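Review bot: Placing `http.sock` inside `LAMINAR_HOME` means nginx must join the `laminar` group to reach it (`groups.laminar.members`), and that same membership covers any group-accessible job state under `/var/lib/laminar`. A dedicated socket directory decouples the two: `httpSock = "unix:/run/laminar/http.sock";` together with `RuntimeDirectory = "laminar";` and `RuntimeDirectoryMode = "0750";` in `serviceConfig`, after which the state directory's mode can be tightened independently. Nothing visible here creates `/var/lib/laminar` (`home` is set without `createHome`), so adding `StateDirectory = "laminar";` would make the unit self-contained, assuming laminard does not create the directory itself. The `xong.${domain}` virtual host also proxies the UI with no access control, so it is worth confirming that job names and logs are meant to be public.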
diff --git a/configuration.nix b/configuration.nix
index f2c52fa..6654bd9 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -30,6 +30,7 @@
   };
 
   imports = [
+    ./automation.nix
     ./dbms.nix
     ./dns.nix
     ./ipfs.nix
diff --git a/git.nix b/git.nix
index 152de98..99fb287 100644
--- a/git.nix
+++ b/git.nix
@@ -19,35 +19,55 @@
 { config, lib, pkgs, ... }:
 let inherit (config.networking) domain;
 in {
-  services = {
-    lighttpd = {
-      cgit = {
-        configText = let
-          httpsClone = "https://trong.${domain}/$CGIT_REPO_URL";
-          scanPath = "/var/lib/git";
-          sshClone = "ssh://${domain}:2211${scanPath}/$CGIT_REPO_URL";
-        in ''
-          about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
-          source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
+  services = let
+    cgitrc = pkgs.writeText "cgitrc" ''
+      about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
+      css=/style.css
+      favicon=/favicon.ico
+      logo=/cgit.png
+      source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
+      virtual-root=/
 
-          clone-url=${httpsClone} ${sshClone}
-          enable-blame=1
-          enable-git-config=1
-          readme=:README.md
-          snapshots=tar.gz tar.zst
-          scan-path=${scanPath}
-        '';
-        enable = true;
-        subdir = "";
-      };
-      enable = true;
-      port = 9418;
-    };
+      clone-url=${httpsClone} ${sshClone}
+      enable-blame=1
+      enable-git-config=1
+      enable-index-links=1
+      enable-index-owner=0
+      readme=:README.md
+      snapshots=tar.gz tar.zst
+      scan-path=${scanPath}
+    '';
+    css = builtins.readFile "${pkgs.cgit}/cgit/cgit.css" + ''
 
-    nginx."trong.${domain}" = let port = config.services.lighttpd.port;
-    in {
+      div#cgit {
+          font-size: initial;
+      }
+    '';
+    httpsClone = "https://trong.${domain}/$CGIT_REPO_URL";
+    scanPath = "/var/lib/git";
+    sshClone = "ssh://${domain}:2211${scanPath}/$CGIT_REPO_URL";
+  in {
+    fcgiwrap.enable = true;
+    nginx.virtualHosts."trong.${domain}" = {
       enableACME = true;
       forceSSL = true;
-      locations."/".proxyPass = "http://127.0.0.1:${toString port}";
+      locations = {
+        "/" = {
+          root = "${pkgs.cgit}/cgit/";
+          tryFiles = "$uri @cgit";
+        };
+        "~ ^/(cgit.png|favicon.ico|robots.txt)$".alias = "${pkgs.cgit}/cgit/$1";
+        "= /style.css".alias = builtins.toFile "style.css" css;
+        "@cgit".extraConfig = ''
+          include ${pkgs.nginx}/conf/fastcgi_params;
+          fastcgi_param CGIT_CONFIG ${cgitrc};
+          fastcgi_param HTTP_HOST $server_name;
+          fastcgi_param PATH_INFO $uri;
+          fastcgi_param QUERY_STRING $args;
+          fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi;
+          fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
+        '';
+      };
     };
+  };
 }
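Review bot: `fcgiwrap.enable = true;` sets no `user` or `group`, so `cgit.cgi` runs as whatever the module defaults to. In the NixOS module generation that exposes `services.fcgiwrap.socketAddress`, I believe the unset default is root; please confirm against the pinned nixpkgs. cgit needs only read access to `/var/lib/git`, yet it parses pushed repository content and per-repo git config (`enable-git-config=1`), so a dedicated unprivileged account fits better: `fcgiwrap = { enable = true; user = "<cgit-user>"; group = "<cgit-group>"; };` (placeholder names). Also check that the fcgiwrap socket's permissions restrict connections to nginx, since any local process that can connect can ask the wrapper to execute a program under that account. Minor: the dots in `^/(cgit.png|favicon.ico|robots.txt)$` are unescaped and match any character; `\.` would make the pattern exact.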