
Author SHA1 Message Date
h7x4 1f8692c36f
bekkalokk/gitea-web: host pages 2024-08-26 18:15:12 +02:00
h7x4 5f264c6a9e
bekkalokk/gitea: set up gitea-web sync units 2024-08-26 18:15:12 +02:00
1 changed files with 18 additions and 30 deletions


@ -20,40 +20,23 @@ let
makeWrapperArgs = [ makeWrapperArgs = [
"--prefix PATH : ${(lib.makeBinPath [ pkgs.openssh ])}" "--prefix PATH : ${(lib.makeBinPath [ pkgs.openssh ])}"
]; ];
} (builtins.fileContents ./gitea-web-secret-provider.py); } (builtins.readFile ./gitea-web-secret-provider.py);
in in
{ {
users.groups."gitea-web" = { };
users.users."gitea-web" = {
group = "gitea-web";
isSystemUser = true;
};
sops.secrets."gitea/web-secret-provider/token" = { sops.secrets."gitea/web-secret-provider/token" = {
owner = "gitea"; owner = "gitea-web";
group = "gitea"; group = "gitea-web";
restartUnits = [ restartUnits = [
"gitea-web-secret-provider@" "gitea-web-secret-provider@"
] ++ (map (org: "gitea-web-secret-provider@${org}") organizations); ] ++ (map (org: "gitea-web-secret-provider@${org}") organizations);
}; };
systemd.tmpfiles.settings."10-gitea-web-secret-provider" = {
"/var/lib/gitea-web/authorized_keys.d".d = {
user = "gitea";
group = "gitea";
mode = "700";
};
"/var/lib/gitea-web/web".d = {
user = "gitea";
group = "nginx";
mode = "750";
};
} //
(builtins.listToAttrs (map (org: {
name = "/var/lib/gitea-web/web/${org}";
value = {
d = {
user = "gitea";
group = "nginx";
mode = "750";
};
};
}) organizations));
systemd.slices.system-giteaweb = { systemd.slices.system-giteaweb = {
description = "Gitea web directories"; description = "Gitea web directories";
}; };
@ -76,17 +59,21 @@ in
authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i"; authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
rrsync-script = pkgs.writeShellScript "rrsync-chown" '' rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
${lib.getExe pkgs.rrsync} -wo "$1" ${lib.getExe pkgs.rrsync} -wo "$1"
${pkgs.coreutils}/bin/chown -R gitea:nginx "$1" ${pkgs.coreutils}/bin/chown -R gitea-web:nginx "$1"
''; '';
web-dir = "/var/lib/gitea-web/web"; web-dir = "/var/lib/gitea-web/web";
}; };
in "${giteaWebSecretProviderScript} ${args}"; in "${giteaWebSecretProviderScript} ${args}";
User = "gitea";
Group = "gitea"; User = "gitea-web";
StateDirectory = "%i"; Group = "gitea-web";
StateDirectory = "gitea-web";
StateDirectoryMode = "0750";
LoadCredential = [ LoadCredential = [
"token:${config.sops.secrets."gitea/web-secret-provider/token".path}" "token:${config.sops.secrets."gitea/web-secret-provider/token".path}"
]; ];
NoNewPrivileges = true; NoNewPrivileges = true;
PrivateTmp = true; PrivateTmp = true;
PrivateDevices = true; PrivateDevices = true;
@ -117,6 +104,7 @@ in
services.openssh.authorizedKeysFiles = map (org: "/var/lib/gitea-web/authorized_keys.d/${org}") organizations; services.openssh.authorizedKeysFiles = map (org: "/var/lib/gitea-web/authorized_keys.d/${org}") organizations;
users.users.nginx.extraGroups = [ "gitea-web" ];
services.nginx.virtualHosts."pages.pvv.ntnu.no" = { services.nginx.virtualHosts."pages.pvv.ntnu.no" = {
kTLS = true; kTLS = true;
forceSSL = true; forceSSL = true;