pvv-nixos-config/hosts/bekkalokk/services/gitea/web-secret-provider/default.nix

{ config, pkgs, lib, ... }:
let
  sops.secrets = {
    "gitea/web-secret-provider/Drift" = {
      owner = "gitea";
      group = "gitea";
      restartUnits = [ "gitea-web-secret-provider@Drift" ];
    };
    "gitea/web-secret-provider/Projects" = {
      owner = "gitea";
      group = "gitea";
      restartUnits = [ "gitea-web-secret-provider@Projects" ];
    };
    "gitea/web-secret-provider/Kurs" = {
      owner = "gitea";
      group = "gitea";
      restartUnits = [ "gitea-web-secret-provider@Kurs" ];
  };

  cfg = config.services.gitea;

  program = pkgs.writers.writePython3 "gitea-web-secret-provider" {
    libraries = with pkgs.python3Packages; [ requests ];
    makeWrapperArgs = [
      "--prefix PATH : ${(lib.makeBinPath [ pkgs.openssh ])}"
    ];
  } (builtins.readFile ./gitea-web-secret-provider.py);
in
{

  # https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Specifiers
  # %i - instance name (after the @)
  # %d - secrets directory
  # %s - /var/lib
  systemd.services = {
    "gitea-web-secret-provider@" = {
      description = "Gitea web secret provider";
      wantedBy = [ "multi-user.target" ];
      requires = [ "gitea.service" "network.target" ];
      serviceConfig = {
        Type = "oneshot";
        ExecStart = let
          args = lib.cli.toGNUCommandLineShell { } {
            org = "%i";
            token-path = "%d/token";
            api-url = "${cfg.settings.server.ROOT_URL}api/v1";
            key-dir = "%s/%i/keys";
            authorized-keys-path = "%s/gitea-web/authorized_keys.d/%i";
            rrsync-path = "${pkgs.rrsync}/bin/rrsync";
            web-dir = "%s/gitea-web/web";
          };
        in "${program} ${args}";
        User = "gitea";
        Group = "gitea";
        Restart = "always";

        StateDir = "%i";
        WorkingDirectory = "%s/%i";

        # Hardening
        NoNewPrivileges = true;
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectSystem = true;
        ProtectHome = true;
        ProtectControlGroups = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        MemoryDenyWriteExecute = true;
        LockPersonality = true;
      };
    };
  }
  //
  builtins.listToAttrs (map (org: lib.nameValuePair "gitea-web-secret-provider@${org}" {
      serviceConfig.LoadCredential = [
        "token:${config.sops.secrets."gitea/web-secret-provider/${org}".path}"
      ];
  }));

  systemd.timers = {
    "gitea-web-secret-provider@" = {
      description = "Run the Gitea web secret provider";
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnCalendar = "daily";
        RandomizedDelaySec = "1h";
        Persistent = true;
        Unit = "gitea-web-secret-provider@%i.service";
      };
    };
  }
  //
  builtins.listToAttrs (map (org: lib.nameValuePair "gitea-web-secret-provider@${org}" { }));

  # services.nginx.virtualHosts.
}
WIP 2024-08-13 19:21:07 +02:00			`{ config, pkgs, lib, ... }:`
			`let`
			`sops.secrets = {`
			`"gitea/web-secret-provider/Drift" = {`
			`owner = "gitea";`
			`group = "gitea";`
			`restartUnits = [ "gitea-web-secret-provider@Drift" ];`
			`};`
			`"gitea/web-secret-provider/Projects" = {`
			`owner = "gitea";`
			`group = "gitea";`
			`restartUnits = [ "gitea-web-secret-provider@Projects" ];`
			`};`
			`"gitea/web-secret-provider/Kurs" = {`
			`owner = "gitea";`
			`group = "gitea";`
			`restartUnits = [ "gitea-web-secret-provider@Kurs" ];`
			`};`

			`cfg = config.services.gitea;`

			`program = pkgs.writers.writePython3 "gitea-web-secret-provider" {`
			`libraries = with pkgs.python3Packages; [ requests ];`
			`makeWrapperArgs = [`
			`"--prefix PATH : ${(lib.makeBinPath [ pkgs.openssh ])}"`
			`];`
			`} (builtins.readFile ./gitea-web-secret-provider.py);`
			`in`
			`{`

			`# https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Specifiers`
			`# %i - instance name (after the @)`
			`# %d - secrets directory`
			`# %s - /var/lib`
			`systemd.services = {`
			`"gitea-web-secret-provider@" = {`
			`description = "Gitea web secret provider";`
			`wantedBy = [ "multi-user.target" ];`
			`requires = [ "gitea.service" "network.target" ];`
			`serviceConfig = {`
			`Type = "oneshot";`
			`ExecStart = let`
			`args = lib.cli.toGNUCommandLineShell { } {`
			`org = "%i";`
			`token-path = "%d/token";`
			`api-url = "${cfg.settings.server.ROOT_URL}api/v1";`
			`key-dir = "%s/%i/keys";`
			`authorized-keys-path = "%s/gitea-web/authorized_keys.d/%i";`
			`rrsync-path = "${pkgs.rrsync}/bin/rrsync";`
			`web-dir = "%s/gitea-web/web";`
			`};`
			`in "${program} ${args}";`
			`User = "gitea";`
			`Group = "gitea";`
			`Restart = "always";`

			`StateDir = "%i";`
			`WorkingDirectory = "%s/%i";`

			`# Hardening`
			`NoNewPrivileges = true;`
			`PrivateTmp = true;`
			`PrivateDevices = true;`
			`ProtectSystem = true;`
			`ProtectHome = true;`
			`ProtectControlGroups = true;`
			`ProtectKernelModules = true;`
			`ProtectKernelTunables = true;`
			`RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];`
			`RestrictRealtime = true;`
			`RestrictSUIDSGID = true;`
			`MemoryDenyWriteExecute = true;`
			`LockPersonality = true;`
			`};`
			`};`
			`}`
			`//`
			`builtins.listToAttrs (map (org: lib.nameValuePair "gitea-web-secret-provider@${org}" {`
			`serviceConfig.LoadCredential = [`
			`"token:${config.sops.secrets."gitea/web-secret-provider/${org}".path}"`
			`];`
			`}));`

			`systemd.timers = {`
			`"gitea-web-secret-provider@" = {`
			`description = "Run the Gitea web secret provider";`
			`wantedBy = [ "timers.target" ];`
			`timerConfig = {`
			`OnCalendar = "daily";`
			`RandomizedDelaySec = "1h";`
			`Persistent = true;`
			`Unit = "gitea-web-secret-provider@%i.service";`
			`};`
			`};`
			`}`
			`//`
			`builtins.listToAttrs (map (org: lib.nameValuePair "gitea-web-secret-provider@${org}" { }));`

			`# services.nginx.virtualHosts.`
			`}`