WIP: enable gickup on bicep

WIP: gickup module
2025-07-09 05:43:33 +02:00 · 2025-03-30 17:43:58 +02:00 · 2025-03-30 17:43:23 +02:00
4 changed files with 140 additions and 0 deletions
--- a/flake.nix
+++ b/flake.nix
@ -91,6 +91,7 @@
        modules = [
          inputs.matrix-next.nixosModules.default
          inputs.pvv-calendar-bot.nixosModules.default
+          self.nixosModules.gickup
        ];
        overlays = [
          inputs.pvv-calendar-bot.overlays.x86_64-linux.default
@ -164,6 +165,7 @@
      snakeoil-certs = ./modules/snakeoil-certs.nix;
      snappymail = ./modules/snappymail.nix;
      robots-txt = ./modules/robots-txt.nix;
+      gickup = ./modules/gickup.nix;
    };

    devShells = forAllSystems (system: {
--- a/hosts/bicep/configuration.nix
+++ b/hosts/bicep/configuration.nix
@ -8,6 +8,7 @@
    ./services/nginx

    ./services/calendar-bot.nix
+    ./services/git-mirrors
    ./services/mysql.nix
    ./services/postgres.nix

--- a/hosts/bicep/services/git-mirrors/default.nix
+++ b/hosts/bicep/services/git-mirrors/default.nix
@ -0,0 +1,49 @@
+{ ... }:
+{
+  services.gickup = {
+    enable = true;
+
+    settings = {
+      source = {
+        github = [{
+          # token_file = sops
+          include = [
+            "go-gitea/gitea"
+            "unmojang/FjordLauncher"
+            "unmojang/drasl"
+            "NixOS/nixpkgs"
+            "saltstack/salt"
+            "heimdal/heimdal"
+            "yushijinhun/authlib-injector"
+            "Git-Mediawiki/Git-Mediawiki"
+          ];
+          wiki = true;
+          issues = true;
+        }];
+        gitlab = [{
+          include = [
+            "mx-puppet/discord/better-discord.js"
+            "mx-puppet/discord/matrix-discord-parser"
+            "mx-puppet/discord/discord-markdown"
+            "mx-puppet/discord/mx-puppet-discord"
+            "mx-puppet/mx-puppet-bridge"
+          ];
+        }];
+        any = [
+          {
+            url = "https://sourceware.org/git/glibc.git";
+          }
+        ];
+      };
+
+      destination.local = [{
+        path = "/data/git-mirrors";
+        structured = true;
+        zip = true;
+        keep = 5;
+        bare = true;
+        lfs = true;
+      }];
+    };
+  };
+}
--- a/modules/gickup.nix
+++ b/modules/gickup.nix
@ -0,0 +1,88 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.gickup;
+  format = pkgs.formats.yaml { };
+in
+{
+  options.services.gickup = {
+    enable = lib.mkEnableOption "gickup, a git repository mirroring service";
+    package = lib.mkPackageOption pkgs "gickup" { };
+
+    gitPackage = lib.mkPackageOption pkgs "git" { };
+    gitLfsPackage = lib.mkPackageOption pkgs "git-lfs" { };
+
+    settings = lib.mkOption {
+      type = lib.types.submodule {
+        freeformType = format.type;
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.users.gickup = {
+      isSystemUser = true;
+      group = "gickup";
+      home = "/var/lib/gickup";
+    };
+
+    users.groups.gickup = { };
+
+    systemd.services.gickup = {
+      description = "Gickup git repository mirroring service";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+
+      path = [
+        cfg.gitPackage
+        cfg.gitLfsPackage
+      ];
+
+      serviceConfig = {
+        ExecStart = utils.escapeSystemdExecArgs [
+          (lib.getExe cfg.package)
+          (format.generate "gickup-settings.conf" cfg.settings)
+        ];
+
+        StateDirectory = "gickup";
+        WorkingDirectory = "gickup";
+        RuntimeDirectory = "gickup";
+        RuntimeDirectoryMode = "0700";
+
+        # Hardening options
+        AmbientCapabilities = [];
+        LockPersonality = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateMounts = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProcSubset = "pid";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@resources"
+          "~@privileged"
+        ];
+        UMask = "0002";
+        CapabilityBoundingSet = [];
+      };
+    };
+  };
+}
Author	SHA1	Message	Date
h7x4	e928a5e981	WIP: enable gickup on bicep	2025-03-30 17:43:58 +02:00
h7x4	cf7f4c996f	WIP: gickup module	2025-03-30 17:43:23 +02:00