bekkalokk/gitea-web: host pages

hosts/bekkalokk/services/gitea/web-secret-provider/default.nix

@@ -6,9 +6,9 @@ let
     "Kurs"
   ];
 
-  cfg = config.services.gitea;
+  giteaCfg = config.services.gitea;
 
-  program = pkgs.writers.writePython3 "gitea-web-secret-provider" {
+  giteaWebSecretProviderScript = pkgs.writers.writePython3 "gitea-web-secret-provider" {
     libraries = with pkgs.python3Packages; [ requests ];
     flakeIgnore = [
       "E501" # Line over 80 chars lol
@@ -20,28 +20,7 @@ let
     makeWrapperArgs = [
       "--prefix PATH : ${(lib.makeBinPath [ pkgs.openssh ])}"
     ];
-  } (lib.pipe ./gitea-web-secret-provider.py [
-    builtins.readFile
-    (lib.splitString "\n")
-    (lib.drop 2)
-    lib.concatLines
-  ]);
-
-  commonHardening = {
-    NoNewPrivileges = true;
-    PrivateTmp = true;
-    PrivateDevices = true;
-    ProtectSystem = true;
-    ProtectHome = true;
-    ProtectControlGroups = true;
-    ProtectKernelModules = true;
-    ProtectKernelTunables = true;
-    RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
-    RestrictRealtime = true;
-    RestrictSUIDSGID = true;
-    MemoryDenyWriteExecute = true;
-    LockPersonality = true;
-  };
+  } (builtins.fileContents ./gitea-web-secret-provider.py);
 in
 {
   sops.secrets."gitea/web-secret-provider/token" = {
@@ -82,74 +61,59 @@ in
   # https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Specifiers
   # %i - instance name (after the @)
   # %d - secrets directory
-  # %S - /var/lib
-  systemd.services = {
-    "gitea-web-secret-provider@" = {
-      description = "Ensure all repos in %i has an SSH key to push web content";
-      requires = [ "gitea.service" "network.target" ];
-      serviceConfig = {
-        Slice = "system-giteaweb.slice";
-        Type = "oneshot";
-        ExecStart = let
-          args = lib.cli.toGNUCommandLineShell { } {
-            org = "%i";
-            token-path = "%d/token";
-            api-url = "${cfg.settings.server.ROOT_URL}api/v1";
-            key-dir = "%S/gitea-web/keys/%i";
-            authorized-keys-path = "%S/gitea-web/authorized_keys.d/%i";
-            rrsync-path = "${pkgs.rrsync}/bin/rrsync";
-            web-dir = "%S/gitea-web/web";
-          };
-        in "${program} ${args}";
-        User = "gitea";
-        Group = "gitea";
-        StateDirectory = "%i";
-        LoadCredential = [
-          "token:${config.sops.secrets."gitea/web-secret-provider/token".path}"
-        ];
-      } // commonHardening;
-    };
-
-    "gitea-web-chown@" = {
-      description = "Ensure all gitea-web content has correct ownership";
-      serviceConfig = {
-        Slice = "system-giteaweb.slice";
-        Type = "oneshot";
-        ExecStart = "${pkgs.coreutils}/bin/chown -R gitea:nginx '%S/gitea-web/web/%i'";
-        PrivateNetwork = true;
-      } // commonHardening;
+  systemd.services."gitea-web-secret-provider@" = {
+    description = "Ensure all repos in %i has an SSH key to push web content";
+    requires = [ "gitea.service" "network.target" ];
+    serviceConfig = {
+      Slice = "system-giteaweb.slice";
+      Type = "oneshot";
+      ExecStart = let
+        args = lib.cli.toGNUCommandLineShell { } {
+          org = "%i";
+          token-path = "%d/token";
+          api-url = "${giteaCfg.settings.server.ROOT_URL}api/v1";
+          key-dir = "/var/lib/gitea-web/keys/%i";
+          authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
+          rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
+            ${lib.getExe pkgs.rrsync} -wo "$1"
+            ${pkgs.coreutils}/bin/chown -R gitea:nginx "$1"
+          '';
+          web-dir = "/var/lib/gitea-web/web";
+        };
+      in "${giteaWebSecretProviderScript} ${args}";
+      User = "gitea";
+      Group = "gitea";
+      StateDirectory = "%i";
+      LoadCredential = [
+        "token:${config.sops.secrets."gitea/web-secret-provider/token".path}"
+      ];
+      NoNewPrivileges = true;
+      PrivateTmp = true;
+      PrivateDevices = true;
+      ProtectSystem = true;
+      ProtectHome = true;
+      ProtectControlGroups = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      MemoryDenyWriteExecute = true;
+      LockPersonality = true;
     };
   };
 
-  systemd.timers = {
-    "gitea-web-secret-provider@" = {
-      description = "Ensure all repos in %i has an SSH key to push web content";
-      timerConfig = {
-        RandomizedDelaySec = "1h";
-        Persistent = true;
-        Unit = "gitea-web-secret-provider@%i.service";
-        OnCalendar = "daily";
-      };
-    };
-
-    "gitea-web-chown@" = {
-      description = "Ensure all gitea-web content is owned by the gitea user";
-      timerConfig = {
-        RandomizedDelaySec = "10m";
-        Persistent = true;
-        Unit = "gitea-web-chown@%i.service";
-        OnCalendar = "hourly";
-      };
+  systemd.timers."gitea-web-secret-provider@" = {
+    description = "Ensure all repos in %i has an SSH key to push web content";
+    timerConfig = {
+      RandomizedDelaySec = "1h";
+      Persistent = true;
+      Unit = "gitea-web-secret-provider@%i.service";
+      OnCalendar = "daily";
     };
   };
 
-  systemd.targets.timers.wants = lib.mapCartesianProduct ({ timer, org }: "${timer}@${org}.timer") {
-    timer = [
-      "gitea-web-secret-provider"
-      "gitea-web-chown"
-    ];
-    org = organizations;
-  };
+  systemd.targets.timers.wants = map (org: "gitea-web-secret-provider@${org}.timer") organizations;
 
   services.openssh.authorizedKeysFiles = map (org: "/var/lib/gitea-web/authorized_keys.d/${org}") organizations;
 

hosts/bekkalokk/services/gitea/web-secret-provider/gitea-web-secret-provider.py

@@ -1,6 +1,3 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -i python3 -p "python3.withPackages(ps: with ps; [ requests ])" openssh
-
 import argparse
 import hashlib
 import os
@@ -16,7 +13,7 @@ def parse_args():
     parser.add_argument("--api-url", metavar='URL', type=str, help="The URL of the Gitea API", default="https://git.pvv.ntnu.no/api/v1")
     parser.add_argument("--key-dir", metavar='PATH', type=Path, help="The directory to store the generated keys in", default="/run/gitea-web-secret-provider")
     parser.add_argument("--authorized-keys-path", metavar='PATH', type=Path, help="The path to the resulting authorized_keys file", default="/etc/ssh/authorized_keys.d/gitea-web-secret-provider")
-    parser.add_argument("--rrsync-path", metavar='PATH', type=Path, help="The path to the rrsync binary", default="/run/current-system/sw/bin/rrsync")
+    parser.add_argument("--rrsync-script", metavar='PATH', type=Path, help="The path to a rrsync script, taking the destination path as its single argument")
     parser.add_argument("--web-dir", metavar='PATH', type=Path, help="The directory to sync the repositories to", default="/var/www")
     parser.add_argument("--force", action="store_true", help="Overwrite existing keys")
     return parser.parse_args()
@@ -48,15 +45,14 @@ def generate_ssh_key(args: argparse.Namespace, repository: str):
             [
                 "ssh-keygen",
                 *("-t", "ed25519"),
-                *("-b", "4096"),
                 *("-f", key_path),
                 *("-N", ""),
                 *("-C", f"{args.org}/{repository}"),
             ],
             check=True,
             stdin=subprocess.DEVNULL,
-            stdout=subprocess.DEVNULL,
-            stderr=subprocess.DEVNULL
+            stdout=subprocess.PIPE,
+            stderr=subprocess.PIPE,
         )
         print(f"Generated SSH key for `{args.org}/{repository}`")
 
@@ -82,7 +78,7 @@ SSH_OPTS = ",".join([
 def generate_authorized_keys(args: argparse.Namespace, repo_public_keys: list[tuple[str, str]]):
     lines = []
     for repo, public_key in repo_public_keys:
-        command = f"{args.rrsync_path} -wo {args.web_dir}/{args.org}/{repo}"
+        command = f"{args.rrsync_script} {args.web_dir}/{args.org}/{repo}"
         lines.append(f'command="{command}",{SSH_OPTS} {public_key}')
 
     with open(args.authorized_keys_path, "w") as f: