From cf7f4c996fd41e5b46dae50c8b6eb5f465bed864 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Sun, 30 Mar 2025 17:18:28 +0200
Subject: [PATCH] WIP: gickup module

---
 flake.nix | 2 ++
 modules/gickup.nix | 88 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 90 insertions(+)
 create mode 100644 modules/gickup.nix

diff --git a/flake.nix b/flake.nix
index 3d12130..44683c8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -91,6 +91,7 @@
 modules = [
 inputs.matrix-next.nixosModules.default
 inputs.pvv-calendar-bot.nixosModules.default
+ self.nixosModules.gickup
 ];
 overlays = [
 inputs.pvv-calendar-bot.overlays.x86_64-linux.default
@@ -164,6 +165,7 @@
 snakeoil-certs = ./modules/snakeoil-certs.nix;
 snappymail = ./modules/snappymail.nix;
 robots-txt = ./modules/robots-txt.nix;
+ gickup = ./modules/gickup.nix;
 };
 
 devShells = forAllSystems (system: {
diff --git a/modules/gickup.nix b/modules/gickup.nix
new file mode 100644
index 0000000..4834fc8
--- /dev/null
+++ b/modules/gickup.nix
@@ -0,0 +1,88 @@
+{ config, pkgs, lib, ... }:
+let
+ cfg = config.services.gickup;
+ format = pkgs.formats.yaml { };
+in
+{
+ options.services.gickup = {
+ enable = lib.mkEnableOption "gickup, a git repository mirroring service";
+ package = lib.mkPackageOption pkgs "gickup" { };
+
+ gitPackage = lib.mkPackageOption pkgs "git" { };
+ gitLfsPackage = lib.mkPackageOption pkgs "git-lfs" { };
+
+ settings = lib.mkOption {
+ type = lib.types.submodule {
+ freeformType = format.type;
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ users.users.gickup = {
+ isSystemUser = true;
+ group = "gickup";
+ home = "/var/lib/gickup";
+ };
+
+ users.groups.gickup = { };
+
+ systemd.services.gickup = {
+ description = "Gickup git repository mirroring service";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+
+ path = [
+ cfg.gitPackage
+ cfg.gitLfsPackage
+ ];
+
+ serviceConfig = {
+ ExecStart = utils.escapeSystemdExecArgs [
+ (lib.getExe cfg.package)
+ (format.generate "gickup-settings.conf" cfg.settings)
+ ];
+
+ StateDirectory = "gickup";
+ WorkingDirectory = "gickup";
+ RuntimeDirectory = "gickup";
+ RuntimeDirectoryMode = "0700";
+
+ # Hardening options
+ AmbientCapabilities = [];
+ LockPersonality = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@resources"
+ "~@privileged"
+ ];
+ UMask = "0002";
+ CapabilityBoundingSet = [];
+ };
+ };
+ };
+}
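Review bot: `ExecStart = utils.escapeSystemdExecArgs [` references `utils`, but the module header only binds `{ config, pkgs, lib, ... }`, so evaluation fails with an undefined-variable error as soon as `services.gickup.enable` is set; the header should read `{ config, pkgs, lib, utils, ... }:`. `serviceConfig` also never sets `User`/`Group`, so although `users.users.gickup` is created the unit still runs as root and the whole hardening block is applied to uid 0 rather than to an unprivileged account; add `User = "gickup"; Group = "gickup";` next to `StateDirectory`. `WorkingDirectory = "gickup"` looks like it was meant to mirror `StateDirectory`, but `WorkingDirectory=` takes a path rather than a directory name under `/var/lib`, so `/var/lib/gickup` (matching the user's `home`) is probably what was intended. Note as well that `format.generate` renders `cfg.settings` into the world-readable Nix store, so any repository access tokens placed in `settings` become visible to every local user; keeping them in a separate file handed to the unit via `LoadCredential` or an `EnvironmentFile` is the usual way to keep them out of the store.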