Compare commits

..

2 Commits

Author SHA1 Message Date
h7x4 50fd7ccee2
bekkalokk/gitea-web: host pages 2024-08-20 20:54:56 +02:00
h7x4 f68c7a1dae
bekkalokk/gitea: set up gitea-web sync units 2024-08-20 20:54:56 +02:00
1 changed files with 30 additions and 18 deletions

View File

@ -20,23 +20,40 @@ let
makeWrapperArgs = [ makeWrapperArgs = [
"--prefix PATH : ${(lib.makeBinPath [ pkgs.openssh ])}" "--prefix PATH : ${(lib.makeBinPath [ pkgs.openssh ])}"
]; ];
} (builtins.readFile ./gitea-web-secret-provider.py); } (builtins.fileContents ./gitea-web-secret-provider.py);
in in
{ {
users.groups."gitea-web" = { };
users.users."gitea-web" = {
group = "gitea-web";
isSystemUser = true;
};
sops.secrets."gitea/web-secret-provider/token" = { sops.secrets."gitea/web-secret-provider/token" = {
owner = "gitea-web"; owner = "gitea";
group = "gitea-web"; group = "gitea";
restartUnits = [ restartUnits = [
"gitea-web-secret-provider@" "gitea-web-secret-provider@"
] ++ (map (org: "gitea-web-secret-provider@${org}") organizations); ] ++ (map (org: "gitea-web-secret-provider@${org}") organizations);
}; };
systemd.tmpfiles.settings."10-gitea-web-secret-provider" = {
"/var/lib/gitea-web/authorized_keys.d".d = {
user = "gitea";
group = "gitea";
mode = "700";
};
"/var/lib/gitea-web/web".d = {
user = "gitea";
group = "nginx";
mode = "750";
};
} //
(builtins.listToAttrs (map (org: {
name = "/var/lib/gitea-web/web/${org}";
value = {
d = {
user = "gitea";
group = "nginx";
mode = "750";
};
};
}) organizations));
systemd.slices.system-giteaweb = { systemd.slices.system-giteaweb = {
description = "Gitea web directories"; description = "Gitea web directories";
}; };
@ -59,21 +76,17 @@ in
authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i"; authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
rrsync-script = pkgs.writeShellScript "rrsync-chown" '' rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
${lib.getExe pkgs.rrsync} -wo "$1" ${lib.getExe pkgs.rrsync} -wo "$1"
${pkgs.coreutils}/bin/chown -R gitea-web:nginx "$1" ${pkgs.coreutils}/bin/chown -R gitea:nginx "$1"
''; '';
web-dir = "/var/lib/gitea-web/web"; web-dir = "/var/lib/gitea-web/web";
}; };
in "${giteaWebSecretProviderScript} ${args}"; in "${giteaWebSecretProviderScript} ${args}";
User = "gitea";
User = "gitea-web"; Group = "gitea";
Group = "gitea-web"; StateDirectory = "%i";
StateDirectory = "gitea-web";
StateDirectoryMode = "0750";
LoadCredential = [ LoadCredential = [
"token:${config.sops.secrets."gitea/web-secret-provider/token".path}" "token:${config.sops.secrets."gitea/web-secret-provider/token".path}"
]; ];
NoNewPrivileges = true; NoNewPrivileges = true;
PrivateTmp = true; PrivateTmp = true;
PrivateDevices = true; PrivateDevices = true;
@ -104,7 +117,6 @@ in
services.openssh.authorizedKeysFiles = map (org: "/var/lib/gitea-web/authorized_keys.d/${org}") organizations; services.openssh.authorizedKeysFiles = map (org: "/var/lib/gitea-web/authorized_keys.d/${org}") organizations;
users.users.nginx.extraGroups = [ "gitea-web" ];
services.nginx.virtualHosts."pages.pvv.ntnu.no" = { services.nginx.virtualHosts."pages.pvv.ntnu.no" = {
kTLS = true; kTLS = true;
forceSSL = true; forceSSL = true;