mirror of
				https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git
				synced 2025-10-25 15:48:02 +02:00 
			
		
		
		
	Compare commits
	
		
			2 Commits
		
	
	
		
			50fd7ccee2
			...
			74a2b1970e
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
|   | 74a2b1970e | ||
|   | 91876214f0 | 
| @ -6,9 +6,9 @@ let | ||||
|     "Kurs" | ||||
|   ]; | ||||
| 
 | ||||
|   giteaCfg = config.services.gitea; | ||||
|   cfg = config.services.gitea; | ||||
| 
 | ||||
|   giteaWebSecretProviderScript = pkgs.writers.writePython3 "gitea-web-secret-provider" { | ||||
|   program = pkgs.writers.writePython3 "gitea-web-secret-provider" { | ||||
|     libraries = with pkgs.python3Packages; [ requests ]; | ||||
|     flakeIgnore = [ | ||||
|       "E501" # Line over 80 chars lol | ||||
| @ -20,7 +20,28 @@ let | ||||
|     makeWrapperArgs = [ | ||||
|       "--prefix PATH : ${(lib.makeBinPath [ pkgs.openssh ])}" | ||||
|     ]; | ||||
|   } (builtins.fileContents ./gitea-web-secret-provider.py); | ||||
|   } (lib.pipe ./gitea-web-secret-provider.py [ | ||||
|     builtins.readFile | ||||
|     (lib.splitString "\n") | ||||
|     (lib.drop 2) | ||||
|     lib.concatLines | ||||
|   ]); | ||||
| 
 | ||||
|   commonHardening = { | ||||
|     NoNewPrivileges = true; | ||||
|     PrivateTmp = true; | ||||
|     PrivateDevices = true; | ||||
|     ProtectSystem = true; | ||||
|     ProtectHome = true; | ||||
|     ProtectControlGroups = true; | ||||
|     ProtectKernelModules = true; | ||||
|     ProtectKernelTunables = true; | ||||
|     RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; | ||||
|     RestrictRealtime = true; | ||||
|     RestrictSUIDSGID = true; | ||||
|     MemoryDenyWriteExecute = true; | ||||
|     LockPersonality = true; | ||||
|   }; | ||||
| in | ||||
| { | ||||
|   sops.secrets."gitea/web-secret-provider/token" = { | ||||
| @ -61,59 +82,74 @@ in | ||||
|   # https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Specifiers | ||||
|   # %i - instance name (after the @) | ||||
|   # %d - secrets directory | ||||
|   systemd.services."gitea-web-secret-provider@" = { | ||||
|     description = "Ensure all repos in %i has an SSH key to push web content"; | ||||
|     requires = [ "gitea.service" "network.target" ]; | ||||
|     serviceConfig = { | ||||
|       Slice = "system-giteaweb.slice"; | ||||
|       Type = "oneshot"; | ||||
|       ExecStart = let | ||||
|         args = lib.cli.toGNUCommandLineShell { } { | ||||
|           org = "%i"; | ||||
|           token-path = "%d/token"; | ||||
|           api-url = "${giteaCfg.settings.server.ROOT_URL}api/v1"; | ||||
|           key-dir = "/var/lib/gitea-web/keys/%i"; | ||||
|           authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i"; | ||||
|           rrsync-script = pkgs.writeShellScript "rrsync-chown" '' | ||||
|             ${lib.getExe pkgs.rrsync} -wo "$1" | ||||
|             ${pkgs.coreutils}/bin/chown -R gitea:nginx "$1" | ||||
|           ''; | ||||
|           web-dir = "/var/lib/gitea-web/web"; | ||||
|         }; | ||||
|       in "${giteaWebSecretProviderScript} ${args}"; | ||||
|       User = "gitea"; | ||||
|       Group = "gitea"; | ||||
|       StateDirectory = "%i"; | ||||
|       LoadCredential = [ | ||||
|         "token:${config.sops.secrets."gitea/web-secret-provider/token".path}" | ||||
|       ]; | ||||
|       NoNewPrivileges = true; | ||||
|       PrivateTmp = true; | ||||
|       PrivateDevices = true; | ||||
|       ProtectSystem = true; | ||||
|       ProtectHome = true; | ||||
|       ProtectControlGroups = true; | ||||
|       ProtectKernelModules = true; | ||||
|       ProtectKernelTunables = true; | ||||
|       RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; | ||||
|       RestrictRealtime = true; | ||||
|       RestrictSUIDSGID = true; | ||||
|       MemoryDenyWriteExecute = true; | ||||
|       LockPersonality = true; | ||||
|   # %S - /var/lib | ||||
|   systemd.services = { | ||||
|     "gitea-web-secret-provider@" = { | ||||
|       description = "Ensure all repos in %i has an SSH key to push web content"; | ||||
|       requires = [ "gitea.service" "network.target" ]; | ||||
|       serviceConfig = { | ||||
|         Slice = "system-giteaweb.slice"; | ||||
|         Type = "oneshot"; | ||||
|         ExecStart = let | ||||
|           args = lib.cli.toGNUCommandLineShell { } { | ||||
|             org = "%i"; | ||||
|             token-path = "%d/token"; | ||||
|             api-url = "${cfg.settings.server.ROOT_URL}api/v1"; | ||||
|             key-dir = "%S/gitea-web/keys/%i"; | ||||
|             authorized-keys-path = "%S/gitea-web/authorized_keys.d/%i"; | ||||
|             rrsync-path = "${pkgs.rrsync}/bin/rrsync"; | ||||
|             web-dir = "%S/gitea-web/web"; | ||||
|           }; | ||||
|         in "${program} ${args}"; | ||||
|         User = "gitea"; | ||||
|         Group = "gitea"; | ||||
|         StateDirectory = "%i"; | ||||
|         LoadCredential = [ | ||||
|           "token:${config.sops.secrets."gitea/web-secret-provider/token".path}" | ||||
|         ]; | ||||
|       } // commonHardening; | ||||
|     }; | ||||
| 
 | ||||
|     "gitea-web-chown@" = { | ||||
|       description = "Ensure all gitea-web content has correct ownership"; | ||||
|       serviceConfig = { | ||||
|         Slice = "system-giteaweb.slice"; | ||||
|         Type = "oneshot"; | ||||
|         ExecStart = "${pkgs.coreutils}/bin/chown -R gitea:nginx '%S/gitea-web/web/%i'"; | ||||
|         PrivateNetwork = true; | ||||
|       } // commonHardening; | ||||
|     }; | ||||
|   }; | ||||
| 
 | ||||
|   systemd.timers."gitea-web-secret-provider@" = { | ||||
|     description = "Ensure all repos in %i has an SSH key to push web content"; | ||||
|     timerConfig = { | ||||
|       RandomizedDelaySec = "1h"; | ||||
|       Persistent = true; | ||||
|       Unit = "gitea-web-secret-provider@%i.service"; | ||||
|       OnCalendar = "daily"; | ||||
|   systemd.timers = { | ||||
|     "gitea-web-secret-provider@" = { | ||||
|       description = "Ensure all repos in %i has an SSH key to push web content"; | ||||
|       timerConfig = { | ||||
|         RandomizedDelaySec = "1h"; | ||||
|         Persistent = true; | ||||
|         Unit = "gitea-web-secret-provider@%i.service"; | ||||
|         OnCalendar = "daily"; | ||||
|       }; | ||||
|     }; | ||||
| 
 | ||||
|     "gitea-web-chown@" = { | ||||
|       description = "Ensure all gitea-web content is owned by the gitea user"; | ||||
|       timerConfig = { | ||||
|         RandomizedDelaySec = "10m"; | ||||
|         Persistent = true; | ||||
|         Unit = "gitea-web-chown@%i.service"; | ||||
|         OnCalendar = "hourly"; | ||||
|       }; | ||||
|     }; | ||||
|   }; | ||||
| 
 | ||||
|   systemd.targets.timers.wants = map (org: "gitea-web-secret-provider@${org}.timer") organizations; | ||||
|   systemd.targets.timers.wants = lib.mapCartesianProduct ({ timer, org }: "${timer}@${org}.timer") { | ||||
|     timer = [ | ||||
|       "gitea-web-secret-provider" | ||||
|       "gitea-web-chown" | ||||
|     ]; | ||||
|     org = organizations; | ||||
|   }; | ||||
| 
 | ||||
|   services.openssh.authorizedKeysFiles = map (org: "/var/lib/gitea-web/authorized_keys.d/${org}") organizations; | ||||
| 
 | ||||
|  | ||||
| @ -1,3 +1,6 @@ | ||||
| #!/usr/bin/env nix-shell | ||||
| #!nix-shell -i python3 -p "python3.withPackages(ps: with ps; [ requests ])" openssh | ||||
| 
 | ||||
| import argparse | ||||
| import hashlib | ||||
| import os | ||||
| @ -13,7 +16,7 @@ def parse_args(): | ||||
|     parser.add_argument("--api-url", metavar='URL', type=str, help="The URL of the Gitea API", default="https://git.pvv.ntnu.no/api/v1") | ||||
|     parser.add_argument("--key-dir", metavar='PATH', type=Path, help="The directory to store the generated keys in", default="/run/gitea-web-secret-provider") | ||||
|     parser.add_argument("--authorized-keys-path", metavar='PATH', type=Path, help="The path to the resulting authorized_keys file", default="/etc/ssh/authorized_keys.d/gitea-web-secret-provider") | ||||
|     parser.add_argument("--rrsync-script", metavar='PATH', type=Path, help="The path to a rrsync script, taking the destination path as its single argument") | ||||
|     parser.add_argument("--rrsync-path", metavar='PATH', type=Path, help="The path to the rrsync binary", default="/run/current-system/sw/bin/rrsync") | ||||
|     parser.add_argument("--web-dir", metavar='PATH', type=Path, help="The directory to sync the repositories to", default="/var/www") | ||||
|     parser.add_argument("--force", action="store_true", help="Overwrite existing keys") | ||||
|     return parser.parse_args() | ||||
| @ -45,14 +48,15 @@ def generate_ssh_key(args: argparse.Namespace, repository: str): | ||||
|             [ | ||||
|                 "ssh-keygen", | ||||
|                 *("-t", "ed25519"), | ||||
|                 *("-b", "4096"), | ||||
|                 *("-f", key_path), | ||||
|                 *("-N", ""), | ||||
|                 *("-C", f"{args.org}/{repository}"), | ||||
|             ], | ||||
|             check=True, | ||||
|             stdin=subprocess.DEVNULL, | ||||
|             stdout=subprocess.PIPE, | ||||
|             stderr=subprocess.PIPE, | ||||
|             stdout=subprocess.DEVNULL, | ||||
|             stderr=subprocess.DEVNULL | ||||
|         ) | ||||
|         print(f"Generated SSH key for `{args.org}/{repository}`") | ||||
| 
 | ||||
| @ -78,7 +82,7 @@ SSH_OPTS = ",".join([ | ||||
| def generate_authorized_keys(args: argparse.Namespace, repo_public_keys: list[tuple[str, str]]): | ||||
|     lines = [] | ||||
|     for repo, public_key in repo_public_keys: | ||||
|         command = f"{args.rrsync_script} {args.web_dir}/{args.org}/{repo}" | ||||
|         command = f"{args.rrsync_path} -wo {args.web_dir}/{args.org}/{repo}" | ||||
|         lines.append(f'command="{command}",{SSH_OPTS} {public_key}') | ||||
| 
 | ||||
|     with open(args.authorized_keys_path, "w") as f: | ||||
|  | ||||
		Loading…
	
	
			
			x
			
			
		
	
		Reference in New Issue
	
	Block a user