[sr.ht]
#
# The name of your network of sr.ht-based sites
site-name=sourcehut
#
# The top-level info page for your site
site-info=https://sourcehut.org
#
# {{ site-name }}, {{ site-blurb }}
site-blurb=the hacker's forge
#
# If this != production, we add a banner to each page
environment=production
#
# Contact information for the site owners
owner-name=Drew DeVault
owner-email=sir@cmpwn.com
#
# The source code for your fork of sr.ht
source-url=https://git.sr.ht/~sircmpwn/srht
#
# A key used for encrypting session cookies. Use `srht-keygen service` to
# generate the service key. This must be shared between each node of the same
# service (e.g. git1.sr.ht and git2.sr.ht), but different services may use
# different keys. If you configure all of your services with the same
# config.ini, you may use the same service-key for all of them.
service-key={{SERVICE_KEY}}
#
# A secret key to encrypt internal messages with. Use `srht-keygen network` to
# generate this key. It must be consistent between all services and nodes.
network-key={{NETWORK_KEY}}
#
# The redis host URL. This is used for caching and temporary storage, and must
# be shared between nodes (e.g. git1.sr.ht and git2.sr.ht), but need not be
# shared between services. It may be shared between services, however, with no
# ill effect, if this better suits your infrastructure.
redis-host=redis://redis-kv:6379
#
# The Prometheus Pushgateway instance to deliver gitsrht-periodic metrics to (http[s]://host:port)
pushgateway=

[objects]
# Configure the S3-compatible object storage service. Leave empty to disable
# object storage.
#
# Minio is recommended as a FOSS solution over AWS: https://min.io
s3-upstream=
s3-access-key=
s3-secret-key=

[mail]
#
# Outgoing SMTP settings
smtp-host=
smtp-port=
smtp-from=
#
# Default: starttls
# Options: starttls, tls, insecure
smtp-encryption=starttls
#
# Default: plain
# Options: plain, none
smtp-auth=plain
# user / password are required if smtp-auth is plain
smtp-user=
smtp-password=
#
# Application exceptions are emailed to this address
error-to=
error-from=
#
# You should generate a PGP key to allow users to authenticate emails received
# from your services. Use `gpg --edit-key [key id]` to remove the password from
# your private key, then export it to a file and set pgp-privkey to the path to
# that file. pgp-pubkey should be set to the path to your public key, and
# pgp-key-id should be set to the key ID string. Outgoing emails are signed with
# this PGP key.
pgp-privkey=
pgp-pubkey=
pgp-key-id=

[webhooks]
#
# base64-encoded Ed25519 key for signing webhook payloads. This should be
# consistent between all services.
#
# Use the `srht-keygen webhook` command to generate this key. Put the private
# key here and distribute the public key to anyone who would want to verify
# webhook payloads from your service.
private-key={{WEBHOOK_KEY}}


[git.sr.ht]
#
# URL git.sr.ht is being served at (protocol://domain)
origin=http://git.localtest.me
#
# Address and port to bind the debug server to
debug-host=0.0.0.0
debug-port=5001
#
# Configures the SQLAlchemy connection string for the database.
connection-string=postgresql://sourcehut:sourcehut@database/gitsrht?sslmode=disable
#
# Set to "yes" to automatically run migrations on package upgrade.
migrate-on-upgrade=yes
#
# The redis connection used for the webhooks worker
webhooks=redis://redis-kv:6379/1
#
# A post-update script which is installed in every git repo.
post-update-script=/usr/bin/gitsrht-update-hook
#
# git.sr.ht's OAuth client ID and secret for meta.sr.ht
# Register your client at meta.example.org/oauth
oauth-client-id=CHANGEME
oauth-client-secret=CHANGEME
#
# Path to git repositories on disk
repos=/var/lib/git/
#
# Configure the S3 bucket and prefix for object storage. Leave empty to disable
# object storage. Bucket is required to enable object storage; prefix is
# optional.
s3-bucket=
s3-prefix=
#
# Required for preparing and sending patchsets from git.sr.ht
outgoing-domain=

#
# Origin URL for the API
# Only needed if not run behind a reverse proxy, e.g. for local development.
# By default, the API port is 100 more than the web port
#api-origin=http://localhost:5101

[git.sr.ht::api]
#
# Maximum complexity of GraphQL queries. The higher this number, the more work
# that API clients can burden the API backend with. Complexity is equal to the
# number of discrete fields which would be returned to the user. 200 is a good
# default.
max-complexity=200

#
# The maximum time the API backend will spend processing a single API request.
#
# See https://golang.org/pkg/time/#ParseDuration
max-duration=3s

#
# Set of IP subnets which are permitted to utilize internal API
# authentication. This should be limited to the subnets from which your
# *.sr.ht services are running.
#
# Comma-separated, CIDR notation.
internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8

[git.sr.ht::dispatch]
#
# The authorized keys hook uses this to dispatch to various handlers
# The format is a program to exec into as the key, and the user to match as the
# value. When someone tries to log in as this user, this program is executed
# and is expected to omit an AuthorizedKeys file.
#
# Uncomment the relevant lines to enable the various sr.ht dispatchers.
/usr/bin/gitsrht-keys=git:git
#/usr/bin/buildsrht-keys=builds:builds

[meta.sr.ht]
origin=http://meta.localtest.me
#
# Address and port to bind the debug server to
debug-host=0.0.0.0
debug-port=5000
#
# Configures the SQLAlchemy connection string for the database.
connection-string=postgresql://sourcehut:sourcehut@database/metasrht?sslmode=disable
#
# Set to "yes" to automatically run migrations on package upgrade.
migrate-on-upgrade=yes

# The redis connection used for the webhooks worker
webhooks=redis://redis-kv:6379/1
#
# If "yes", the user will be sent the stock sourcehut welcome emails after
# signup (requires cron to be configured properly). These are specific to the
# sr.ht instance so you probably want to patch these before enabling this.
welcome-emails=no

#
# Origin URL for the API
# By default, the API port is 100 more than the web port
# api-origin=http://localhost:5100

[meta.sr.ht::api]
#
# Maximum complexity of GraphQL queries. The higher this number, the more work
# that API clients can burden the API backend with. Complexity is equal to the
# number of discrete fields which would be returned to the user. 200 is a good
# default.
max-complexity=200

#
# The maximum time the API backend will spend processing a single API request.
#
# See https://golang.org/pkg/time/#ParseDuration
max-duration=3s

#
# Set of IP subnets which are permitted to utilize internal API
# authentication. This should be limited to the subnets from which your
# *.sr.ht services are running.
#
# Comma-separated, CIDR notation.
internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8

[meta.sr.ht::settings]
#
# If "no", public registration will not be permitted.
registration=yes
#
# Where to redirect new users upon registration
onboarding-redirect=http://git.localtest.me/
#
# How many invites each user is issued upon registration (only applicable if
# open registration is disabled)
user-invites=5

[meta.sr.ht::aliases]
#
# You can add aliases for the client IDs of commonly used OAuth clients here.
#
# Example:
# git.sr.ht=12345
# Uncomment this to provide optional builds.sr.ht integration


[meta.sr.ht::billing]
#
# "yes" to enable the billing system
enabled=no
#
# Get your keys at https://dashboard.stripe.com/account/apikeys
stripe-public-key=
stripe-secret-key=

[paste.sr.ht]
#
# URL paste.sr.ht is being served at (protocol://domain)
origin=http://paste.localtest.me
#
# Address and port to bind the debug server to
debug-host=0.0.0.0
debug-port=5011
#
# Configures the SQLAlchemy connection string for the database.
connection-string=postgresql://sourcehut:sourcehut@database/pastesrht?sslmode=disable
#
# Set to "yes" to automatically run migrations on package upgrade.
migrate-on-upgrade=yes
#
# paste.sr.ht's OAuth client ID and secret for meta.sr.ht
# Register your client at meta.example.org/oauth
oauth-client-id=
oauth-client-secret=
#
# Origin URL for the API
# Only needed if not run behind a reverse proxy, e.g. for local development.
# By default, the API port is 100 more than the web port
#api-origin=http://localhost:5111

[lists.sr.ht]
#
# URL lists.sr.ht is being served at (protocol://domain)
origin=http://lists.localtest.me
#
# Address and port to bind the debug server to
debug-host=0.0.0.0
debug-port=5006
#
# Configures the SQLAlchemy connection string for the database.
connection-string=postgresql://sourcehut:sourcehut@database/listssrht?sslmode=disable
#
# Set to "yes" to automatically run migrations on package upgrade.
migrate-on-upgrade=yes
#
# The redis connection used for the webhooks worker
webhooks=redis://redis-kv:6379/1
#
# The redis connection used for the Celery worker (configure this on both the
# master and workers)
redis=redis://redis-kv:6379/0
#
# The domain that incoming email should be sent to. Forward mail sent here to
# the LTMP socket.
posting-domain=http://lists.localtest.me
#
# lists.sr.ht's OAuth client ID and secret for meta.sr.ht
# Register your client at meta.example.org/oauth
oauth-client-id=
oauth-client-secret=
#
# Trusted upstream SMTP server generating Authentication-Results header fields
msgauth-server=mail.sr.ht.local
#
# If "no", prevents non-admins from creating new lists
allow-new-lists=yes
#
# Origin URL for the API
# Only needed if not run behind a reverse proxy, e.g. for local development.
# By default, the API port is 100 more than the web port
#api-origin=http://localhost:5106

[lists.sr.ht::worker]
# Protocol used by the daemon. Either lmtp or smtp. By default ltmp if using
# unix socket and smtp if using tcp socket.
protocol=lmtp
#
# Path for the lmtp daemon's unix socket. Direct incoming mail to this socket.
# Alternatively, specify IP:PORT will run the server using tcp.
sock=/tmp/lists.sr.ht-lmtp.sock
#
# The lmtp daemon will make the unix socket group-read/write for users in this
# group.
sock-group=postfix
#
# Comma-delimited list of Content-Types to reject. Messages with Content-Types
# included in this list are rejected. Multipart messages are always supported,
# and each part is checked against this list.
#
# Uses fnmatch for wildcard expansion.
reject-mimetypes=text/html
#
# Link to include in the rejection message where senders can get help
# correcting their email.
reject-url=https://man.sr.ht/lists.sr.ht/etiquette.md

[lists.sr.ht::api]
#
# Maximum complexity of GraphQL queries. The higher this number, the more work
# that API clients can burden the API backend with. Complexity is equal to the
# number of discrete fields which would be returned to the user. 200 is a good
# default.
max-complexity=200

#
# The maximum time the API backend will spend processing a single API request.
#
# See https://golang.org/pkg/time/#ParseDuration
max-duration=90s

#
# Set of IP subnets which are permitted to utilize internal API
# authentication. This should be limited to the subnets from which your
# *.sr.ht services are running.
#
# Comma-separated, CIDR notation.
internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8

[lists.sr.ht::redirects]
#
# Redirects for migrating old mailing lists to new ones. This just sets up the
# redirect for incoming emails.
#
# old-address=~example/new-name

[todo.sr.ht]
#
# URL todo.sr.ht is being served at (protocol://domain)
origin=http://todo.localtest.me
#
# Address and port to bind the debug server to
debug-host=0.0.0.0
debug-port=5003
#
# Configures the SQLAlchemy connection string for the database.
connection-string=postgresql://sourcehut:sourcehut@database/todosrht?sslmode=disable
#
# Set to "yes" to automatically run migrations on package upgrade.
migrate-on-upgrade=yes
#
# todo.sr.ht's OAuth client ID and secret for meta.sr.ht
# Register your client at meta.example.org/oauth
oauth-client-id=CHANGEME
oauth-client-secret=CHANGEME
#
# Outgoing email for notifications generated by users
notify-from=CHANGEME@example.org
#
# The redis connection used for the webhooks worker
webhooks=redis://redis-kv:6379/1
#
# Origin URL for the API
# Only needed if not run behind a reverse proxy, e.g. for local development.
# By default, the API port is 100 more than the web port
#api-origin=http://localhost:5103

[todo.sr.ht::mail]
#
# Path for the lmtp daemon's unix socket. Direct incoming mail to this socket.
# Alternatively, specify IP:PORT and an SMTP server will be run instead.
sock=/tmp/todo.sr.ht-lmtp.sock
#
# The lmtp daemon will make the unix socket group-read/write for users in this
# group.
sock-group=postfix
#
# Fill this in with the name of the domain to which emails should be sent.
# Leave blank to disable email submission.
posting-domain=

[builds.sr.ht]
#
# URL builds.sr.ht is being served at (protocol://domain)
origin=http://builds.localtest.me
#
# Address and port to bind the debug server to
debug-host=0.0.0.0
debug-port=5002
#
# Configures the SQLAlchemy connection string for the database.
connection-string=postgresql://sourcehut:sourcehut@database/buildssrht?sslmode=disable
#
# Set to "yes" to automatically run migrations on package upgrade.
migrate-on-upgrade=yes
#
# The redis connection used for the Celery worker (configure this on both the
# master and workers)
redis=redis://redis-kv:6379/0
#
# builds.sr.ht's OAuth client ID and secret for meta.sr.ht
# Register your client at meta.example.org/oauth
oauth-client-id=
oauth-client-secret=
#
# Script used to launch on ssh connnection. /usr/bin/master-shell on master,
# /usr/bin/runner-shell for workers.
# If master and worker are on the same system set to /usr/bin/runner-shell
shell=/usr/bin/master-shell
#
# Set to "yes" to allow nonpaying users to submit builds
allow-free=yes
#
# Origin URL for the API
# Only needed if not run behind a reverse proxy, e.g. for local development.
# By default, the API port is 100 more than the web port
#api-origin=http://localhost:5102

#
# These config options are only necessary for systems running a build runner
[builds.sr.ht::worker]
#
# Name of this build runner (with HTTP port if not 80)
name=runner.sr.ht.local
#
# Path to write build logs
buildlogs=./logs
#
# Path to the build images
images=./images
#
# In production you should NOT put the build user in the docker group. Instead,
# make a scratch user who is and write a sudoers or doas.conf file that allows
# them to execute just the control command, then update this config option. For
# example:
#
#   doas -u docker /var/lib/images/control
#
# Assuming doas.conf looks something like this:
#
#   permit nopass builds as docker cmd /var/lib/images/control
#
# For more information about the security model of builds.sr.ht, visit the wiki:
#
#   https://man.sr.ht/builds.sr.ht/installation.md
controlcmd=./images/control
#
# Max build duration. See https://golang.org/pkg/time/#ParseDuration
timeout=45m
#
# Http bind address for serving local build information/monitoring
bind-address=0.0.0.0:8080
#
# Build trigger email
trigger-from=
#
# Configure the S3 bucket and prefix for object storage. Leave empty to disable
# object storage. Bucket is required to enable object storage; prefix is
# optional.
s3-bucket=
s3-prefix=

[hg.sr.ht]
#
# URL hg.sr.ht is being served at (protocol://domain)
origin=http://hg.localtest.me
#
# Address and port to bind the debug server to
debug-host=0.0.0.0
debug-port=5010
#
# Configures the SQLAlchemy connection string for the database.
connection-string=postgresql://sourcehut:sourcehut@database/hgsrht?sslmode=disable
#
# The redis connection used for the webhooks worker
webhooks=redis://redis-kv:6379/1
#
# Disable server "publishing" for new repositories.
# When 'true', this sets the phases.publish configuration option to 'false' on
# newly created Mercurial repositories.
disable-publishing=false
#
# A post-update script which is installed in every mercurial repo.
changegroup-script=/usr/bin/hgsrht-hook-changegroup
#
# hg.sr.ht's OAuth client ID and secret for meta.sr.ht
# Register your client at meta.example.org/oauth
oauth-client-id=CHANGEME
oauth-client-secret=CHANGEME
#
# Path to mercurial repositories on disk
repos=/var/lib/mercurial/
#
# Path to the srht mercurial extension
# (defaults to where the hgsrht code is)
#srhtext=
#
# .hg/store size (in MB) past which the nightly job generates clone bundles.
#clone_bundle_threshold=50
#
# Path to hg (if not in $PATH or if you want sourcehut to use a custom one)
# hg_path=/path/to/hg

[hg.sr.ht::api]
#
# Number of mercurial server processes to spawn
# server-pool-size=4
#
# Maximum complexity of GraphQL queries. The higher this number, the more work
# that API clients can burden the API backend with. Complexity is equal to the
# number of discrete fields which would be returned to the user. 200 is a good
# default.
max-complexity=200

#
# The maximum time the API backend will spend processing a single API request.
#
# See https://golang.org/pkg/time/#ParseDuration
max-duration=3s

#
# Set of IP subnets which are permitted to utilize internal API
# authentication. This should be limited to the subnets from which your
# *.sr.ht services are running.
#
# Comma-separated, CIDR notation.
internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8

# NOTE: this is not a typo. It goes into the git dispatch section because
# that script actually handles all the dispatching (git, hg, man, etc.)

[man.sr.ht]
#
# URL man.sr.ht is being served at (protocol://domain)
origin=http://man.localtest.me
#
# Address and port to bind the debug server to
debug-host=0.0.0.0
debug-port=5004
#
# Configures the SQLAlchemy connection string for the database.
connection-string=postgresql://sourcehut:sourcehut@database/mansrht?sslmode=disable
#
# Set to "yes" to automatically run migrations on package upgrade.
migrate-on-upgrade=yes
#
# man.sr.ht's OAuth client ID and secret for meta.sr.ht
# Register your client at meta.example.org/oauth
oauth-client-id=CHANGEME
oauth-client-secret=CHANGEME