# srht ~~ /etc/sr.ht/config.ini
# managed by Ansible

[sr.ht]
# Settings shared by every sr.ht service that reads this file.
#
# The name of your network of sr.ht-based sites
site-name=hacker's hut
#
# The top-level info page for your site
# NOTE(review): rendered as a plain-http URL; switch to https once the site is
# served over TLS.
site-info=http://{{ global.domain_name }}
#
# Short blurb for the site (presumably displayed next to site-name; confirm
# against the sr.ht documentation).
site-blurb=hack the planet!
#
# If this != production, we add a banner to each page
# NOTE(review): this template always renders "development". Confirm that is
# intended on hosts that real users can reach.
environment=development
#
# Contact information for the site owners
owner-name={{ global.domain_name }}
owner-email=support@{{ global.domain_name }}
#
# The source code for your fork of sr.ht
source-url=https://git.sr.ht/~sircmpwn/srht
#
# Link to your instance's privacy policy. Uses the sr.ht privacy policy as the
# default, which describes the information collected by the upstream SourceHut
# code.
privacy-policy=
#
# A key used for encrypting session cookies. Use `srht-keygen service` to
# generate the service key. This must be shared between each node of the same
# service (e.g. git1.sr.ht and git2.sr.ht), but different services may use
# different keys. If you configure all of your services with the same
# config.ini, you may use the same service-key for all of them.
#
# The value is the first output line of the registered srht_key_service
# result. The task that produces it is not part of this template: it should
# generate the key once and reuse it (a fresh key on every run would
# invalidate existing sessions) and should keep the value out of task logs.
# The rendered file holds this secret in clear text, so restrict its mode and
# ownership to the accounts that run the services.
service-key={{ srht_key_service.stdout_lines[0] }}
#
# A secret key to encrypt internal messages with. Use `srht-keygen network` to
# generate this key. It must be consistent between all services and nodes.
# Taken from the first output line of the registered srht_key_network result;
# the same handling applies as for service-key.
network-key={{ srht_key_network.stdout_lines[0] }}
#
# The redis host URL. This is used for caching and temporary storage, and must
# be shared between nodes (e.g. git1.sr.ht and git2.sr.ht), but need not be
# shared between services. It may be shared between services, however, with no
# ill effect, if this better suits your infrastructure.
# The URL carries no credentials, so redis should listen on loopback only.
redis-host=redis://localhost

[objects]
#
# Configure S3-compatible object storage for services. Optional.
# All three keys are rendered empty, which leaves object storage unconfigured.
#
# Minio is recommended as a FOSS solution over AWS: https://min.io
#
# If these are ever filled in, supply s3-secret-key from an encrypted
# variable rather than writing it into this template as a literal.
s3-upstream=
s3-access-key=
s3-secret-key=

[mail]
# Outgoing mail settings; every key is rendered empty by this template.
#
# Outgoing SMTP settings
# smtp-password is a credential: supply it from an encrypted variable rather
# than as a literal in this template.
smtp-host=
smtp-port=
smtp-user=
smtp-password=
smtp-from=
#
# Application exceptions are emailed to this address
error-to=
error-from=
#
# You should generate a PGP key to allow users to authenticate emails received
# from your services. Use `gpg --edit-key [key id]` to remove the password from
# your private key, then export it to a file and set pgp-privkey to the path to
# that file. pgp-pubkey should be set to the path to your public key, and
# pgp-key-id should be set to the key ID string. Outgoing emails are signed with
# this PGP key.
#
# Because the exported private key has no passphrase, file permissions are its
# only protection: make it readable solely by the account that sends mail.
pgp-privkey=
pgp-pubkey=
pgp-key-id=

[webhooks]
#
# base64-encoded Ed25519 key for signing webhook payloads. This should be
# consistent between all services.
#
# Use the `srht-keygen webhook` command to generate this key. Put the private
# key here and distribute the public key to anyone who would want to verify
# webhook payloads from your service.
#
# NOTE(review): this assumes the first captured output line is the bare
# private key and the second the bare public key, with no label text. Confirm
# against the task that registers srht_key_webhook; a swapped or labelled line
# would put the wrong value in private-key.
private-key={{ srht_key_webhook.stdout_lines[0] }}
# Jinja renders the expression on the next line even though the INI line is
# commented out, so the registered result must contain a second output line.
#public-key={{ srht_key_webhook.stdout_lines[1] }}

[meta.sr.ht]
# Settings for the meta.sr.ht service.
#
# URL meta.sr.ht is being served at (protocol://domain)
# NOTE(review): plain http; switch to https once TLS is terminated in front of
# the service.
origin=http://meta.git.{{ global.domain_name }}
#
# Address and port to bind the debug server to
# 0.0.0.0 listens on every interface. If a reverse proxy on the same host
# fronts the service, 127.0.0.1 is sufficient; otherwise firewall this port.
debug-host=0.0.0.0
debug-port=5000
#
# Configures the SQLAlchemy connection string for the database.
# Connects as the "postgres" role with no password in the URL. That role is
# normally the PostgreSQL superuser; a dedicated role that owns only this
# database limits what a compromised service can reach. sslmode=disable is
# acceptable only while the database stays on localhost.
connection-string=postgresql://postgres@localhost/meta.sr.ht?sslmode=disable
#
# Set to "yes" to automatically run migrations on package upgrade.
migrate-on-upgrade=yes
#
# The redis connection used for the webhooks worker
# NOTE(review): sslmode is a PostgreSQL connection parameter; whether the
# redis client reads or ignores it is not visible here. Confirm.
webhooks=redis://localhost:6379/1?sslmode=disable
#
# If "yes", the user will be sent the stock sourcehut welcome emails after
# signup (requires cron to be configured properly). These are specific to the
# sr.ht instance so you probably want to patch these before enabling this.
welcome-emails=no

[meta.sr.ht::api]
# Limits and access control for the meta.sr.ht API backend.
#
# Maximum complexity of GraphQL queries. The higher this number, the more work
# that API clients can burden the API backend with. Complexity is equal to the
# number of discrete fields which would be returned to the user. 200 is a good
# default.
max-complexity=200

#
# The maximum time the API backend will spend processing a single API request.
# Written in Go duration syntax (3s = three seconds).
#
# See https://golang.org/pkg/time/#ParseDuration
max-duration=3s

#
# Set of IP subnets which are permitted to utilize internal API
# authentication. This should be limited to the subnets from which your
# *.sr.ht services are running.
#
# Comma-separated, CIDR notation.
#
# NOTE(review): besides loopback this lists the whole 192.168.0.0/16 and
# 10.0.0.0/8 private ranges, so any host in them may use internal
# authentication. Narrow it to the addresses the services actually run on;
# loopback alone is enough when they all share one host.
internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8

[meta.sr.ht::settings]
# Account registration behaviour for meta.sr.ht.
#
# If "no", public registration will not be permitted.
registration=no
#
# Where to redirect new users upon registration
# NOTE(review): http://example.org is a placeholder; point this at a page on
# your own instance.
onboarding-redirect=http://example.org
#
# How many invites each user is issued upon registration (only applicable if
# open registration is disabled)
# With registration=no above, these invites are how new accounts get created,
# so the number controls how quickly the user base can grow.
user-invites=5

[meta.sr.ht::aliases]
#
# You can add aliases for the client IDs of commonly used OAuth clients here.
# The section is rendered with no entries, so no aliases are defined.
#
# Example:
# git.sr.ht=12345

[meta.sr.ht::billing]
#
# "yes" to enable the billing system
enabled=no
#
# Get your keys at https://dashboard.stripe.com/account/apikeys
# Both keys are rendered empty. If billing is enabled later, supply
# stripe-secret-key from an encrypted variable, not as a literal in this
# template.
stripe-public-key=
stripe-secret-key=

[meta.sr.ht::auth]
#
# What authentication method to use.
#   builtin:  use sr.ht builtin authentication
#   unix-pam: use Unix PAM authentication
#
# NOTE(review): the key is commented out, so the service falls back to its
# own default (presumably builtin; confirm). In that case the unix-pam
# section that follows in this file has no effect until this is set to
# unix-pam.
#auth-method=builtin

[meta.sr.ht::auth::unix-pam]
# Options for the unix-pam authentication method.
#
# The default email domain to assign to newly created users when they first log
# in.
# User's email will be set to <username>@<email-default-domain>
email-default-domain=srht.{{ global.domain_name }}
#
# The PAM service to use for logging in.
#service=sshd
#
# Whether to automatically create new users when authentication succeeds but the
# user is not in the database.
create-users=yes
#
# The UNIX group users need to belong to to have access to sourcehut.
# If set, only users belonging to this group will be able to log into the site.
# If unset, any user on the system is able to log in if PAM authentication
# succeeds.
#
# NOTE(review): rendered empty. Together with create-users=yes this gives
# every system account that can pass PAM a sourcehut account on first login.
# Set a dedicated group if that is broader than intended.
user-group=
#
# The UNIX group users need to belong to to have administrator permissions.
# If set, administrator status on the site will be synced with group
# association. Additionally, any user of this group will also be able to access
# sourcehut even if they are not in the group specified in user-group.
# If unset, administrator status can be manually assigned from the web
# interface.
#
# NOTE(review): filled from the group_root variable, defined outside this
# template. Every member of that group becomes a site administrator, so
# confirm who belongs to it.
admin-group={{ group_root }}

[git.sr.ht]
# Settings for the git.sr.ht service.
#
# URL git.sr.ht is being served at (protocol://domain)
# NOTE(review): plain http; switch to https once TLS is terminated in front of
# the service.
origin=http://git.{{ global.domain_name }}
#
# Address and port to bind the debug server to
# 0.0.0.0 listens on every interface. If a reverse proxy on the same host
# fronts the service, 127.0.0.1 is sufficient; otherwise firewall this port.
debug-host=0.0.0.0
debug-port=5001
#
# Configures the SQLAlchemy connection string for the database.
# Connects as the "postgres" role with no password in the URL. That role is
# normally the PostgreSQL superuser; a dedicated role that owns only this
# database limits what a compromised service can reach. sslmode=disable is
# acceptable only while the database stays on localhost.
connection-string=postgresql://postgres@localhost/git.sr.ht?sslmode=disable
#
# Set to "yes" to automatically run migrations on package upgrade.
migrate-on-upgrade=yes
#
# The redis connection used for the webhooks worker
# NOTE(review): sslmode is a PostgreSQL connection parameter; whether the
# redis client reads or ignores it is not visible here. Confirm.
webhooks=redis://localhost:6379/1?sslmode=disable
#
# A post-update script which is installed in every git repo.
post-update-script=/usr/bin/gitsrht-update-hook
#
# git.sr.ht's OAuth client ID and secret for meta.sr.ht
# Register your client at meta.example.org/oauth
#
# NOTE(review): CHANGEME is a placeholder. This file is managed by Ansible,
# so a manual edit on the host is overwritten on the next run; feed the
# registered ID and secret in through (encrypted) variables instead.
oauth-client-id=CHANGEME
oauth-client-secret=CHANGEME
#
# Path to git repositories on disk
repos=/var/lib/git/
#
# Configure the S3 bucket and prefix for object storage. Leave empty to disable
# object storage. Bucket is required to enable object storage; prefix is
# optional.
s3-bucket=
s3-prefix=
#
# Required for preparing and sending patchsets from git.sr.ht
outgoing-domain=

[git.sr.ht::api]
# Limits and access control for the git.sr.ht API backend.
#
# Maximum complexity of GraphQL queries. The higher this number, the more work
# that API clients can burden the API backend with. Complexity is equal to the
# number of discrete fields which would be returned to the user. 200 is a good
# default.
max-complexity=200

#
# The maximum time the API backend will spend processing a single API request.
# Written in Go duration syntax (3s = three seconds).
#
# See https://golang.org/pkg/time/#ParseDuration
max-duration=3s

#
# Set of IP subnets which are permitted to utilize internal API
# authentication. This should be limited to the subnets from which your
# *.sr.ht services are running.
#
# Comma-separated, CIDR notation.
#
# NOTE(review): besides loopback this lists the whole 192.168.0.0/16 and
# 10.0.0.0/8 private ranges, so any host in them may use internal
# authentication. Narrow it to the addresses the services actually run on;
# loopback alone is enough when they all share one host.
internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8

[git.sr.ht::dispatch]
#
# The authorized keys hook uses this to dispatch to various handlers
# The format is a program to exec into as the key, and the user to match as the
# value. When someone tries to log in as this user, this program is executed
# and is expected to emit an AuthorizedKeys file.
#
# The value below has the form git:git (presumably user:group; confirm).
# The listed program decides which SSH keys are accepted for that user, so
# its path should be writable only by root.
#
# Uncomment the relevant lines to enable the various sr.ht dispatchers.
/usr/bin/gitsrht-keys=git:git
#/usr/bin/buildsrht-keys=builds:builds

[hub.sr.ht]
# Settings for the hub.sr.ht service.
#
# NOTE(review): this origin is identical to the one rendered for [git.sr.ht]
# in this file. It looks like a copy-paste; confirm whether hub should have
# its own hostname. It is also plain http.
origin=http://git.{{ global.domain_name }}
#
# OAuth client ID and secret. CHANGEME is a placeholder; because Ansible
# manages this file, supply the real values through (encrypted) variables
# rather than editing the rendered file on the host.
oauth-client-id=CHANGEME
oauth-client-secret=CHANGEME
#
# Database connection string. Connects as the "postgres" role with no
# password in the URL; a dedicated role that owns only this database limits
# what a compromised service can reach. sslmode=disable is acceptable only
# while the database stays on localhost.
connection-string=postgresql://postgres@localhost/hub.sr.ht?sslmode=disable