Compare commits
2 Commits
50fd7ccee2
...
1f8692c36f
Author | SHA1 | Date |
---|---|---|
h7x4 | 1f8692c36f | |
h7x4 | 5f264c6a9e |
|
@ -20,40 +20,23 @@ let
|
|||
makeWrapperArgs = [
|
||||
"--prefix PATH : ${(lib.makeBinPath [ pkgs.openssh ])}"
|
||||
];
|
||||
} (builtins.fileContents ./gitea-web-secret-provider.py);
|
||||
} (builtins.readFile ./gitea-web-secret-provider.py);
|
||||
in
|
||||
{
|
||||
users.groups."gitea-web" = { };
|
||||
users.users."gitea-web" = {
|
||||
group = "gitea-web";
|
||||
isSystemUser = true;
|
||||
};
|
||||
|
||||
sops.secrets."gitea/web-secret-provider/token" = {
|
||||
owner = "gitea";
|
||||
group = "gitea";
|
||||
owner = "gitea-web";
|
||||
group = "gitea-web";
|
||||
restartUnits = [
|
||||
"gitea-web-secret-provider@"
|
||||
] ++ (map (org: "gitea-web-secret-provider@${org}") organizations);
|
||||
};
|
||||
|
||||
systemd.tmpfiles.settings."10-gitea-web-secret-provider" = {
|
||||
"/var/lib/gitea-web/authorized_keys.d".d = {
|
||||
user = "gitea";
|
||||
group = "gitea";
|
||||
mode = "700";
|
||||
};
|
||||
"/var/lib/gitea-web/web".d = {
|
||||
user = "gitea";
|
||||
group = "nginx";
|
||||
mode = "750";
|
||||
};
|
||||
} //
|
||||
(builtins.listToAttrs (map (org: {
|
||||
name = "/var/lib/gitea-web/web/${org}";
|
||||
value = {
|
||||
d = {
|
||||
user = "gitea";
|
||||
group = "nginx";
|
||||
mode = "750";
|
||||
};
|
||||
};
|
||||
}) organizations));
|
||||
|
||||
systemd.slices.system-giteaweb = {
|
||||
description = "Gitea web directories";
|
||||
};
|
||||
|
@ -76,17 +59,21 @@ in
|
|||
authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
|
||||
rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
|
||||
${lib.getExe pkgs.rrsync} -wo "$1"
|
||||
${pkgs.coreutils}/bin/chown -R gitea:nginx "$1"
|
||||
${pkgs.coreutils}/bin/chown -R gitea-web:nginx "$1"
|
||||
'';
|
||||
web-dir = "/var/lib/gitea-web/web";
|
||||
};
|
||||
in "${giteaWebSecretProviderScript} ${args}";
|
||||
User = "gitea";
|
||||
Group = "gitea";
|
||||
StateDirectory = "%i";
|
||||
|
||||
User = "gitea-web";
|
||||
Group = "gitea-web";
|
||||
|
||||
StateDirectory = "gitea-web";
|
||||
StateDirectoryMode = "0750";
|
||||
LoadCredential = [
|
||||
"token:${config.sops.secrets."gitea/web-secret-provider/token".path}"
|
||||
];
|
||||
|
||||
NoNewPrivileges = true;
|
||||
PrivateTmp = true;
|
||||
PrivateDevices = true;
|
||||
|
@ -117,6 +104,7 @@ in
|
|||
|
||||
services.openssh.authorizedKeysFiles = map (org: "/var/lib/gitea-web/authorized_keys.d/${org}") organizations;
|
||||
|
||||
users.users.nginx.extraGroups = [ "gitea-web" ];
|
||||
services.nginx.virtualHosts."pages.pvv.ntnu.no" = {
|
||||
kTLS = true;
|
||||
forceSSL = true;
|
||||
|
|
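Review bot: Adding `nginx` to the `gitea-web` group (last hunk) together with `StateDirectory = "gitea-web"` and `StateDirectoryMode = "0750"` gives the web server group access to all of `/var/lib/gitea-web`, which also holds the `authorized_keys.d` directory that `services.openssh.authorizedKeysFiles` points at. The +/- markers are lost on this page, but the tmpfiles rules that pinned `authorized_keys.d` to mode `700` appear to be on the removed side. If so, its permissions now depend on whatever the provider script creates, and an explicit rule would be worth keeping, e.g. `"/var/lib/gitea-web/authorized_keys.d".d = { user = "gitea-web"; group = "gitea-web"; mode = "700"; };`. Separately, the token is handed over with `LoadCredential`, which systemd reads on the service's behalf, so the sops secret probably does not need `owner = "gitea-web"` and could stay root-owned. The `let` block and the unit definition both continue outside the visible hunks.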