WIP: bekkalokk/gitea: host gitea-web

bekkalokk/gitea: add web-secret-provider timed script
2025-04-09 15:31:21 +02:00 · 2024-08-14 02:15:49 +02:00 · 2024-08-14 02:14:48 +02:00
4 changed files with 37 additions and 95 deletions
--- a/base.nix
+++ b/base.nix
@ -76,19 +76,10 @@
  # Trusted users on the nix builder machines
  users.groups."nix-builder-users".name = "nix-builder-users";
  # Let's not thermal throttle
  services.thermald.enable = lib.mkIf (lib.all (x: x) [
      (config.nixpkgs.system == "x86_64-linux")
      (!config.boot.isContainer or false)
    ]) true;
  services.openssh = {
    enable = true;
    extraConfig = ''
      PubkeyAcceptedAlgorithms=+ssh-rsa
      Match Group wheel
        PasswordAuthentication no
      Match All
    '';
    settings.PermitRootLogin = "yes";
  };
--- a/hosts/bekkalokk/services/gitea/default.nix
+++ b/hosts/bekkalokk/services/gitea/default.nix
@ -136,16 +136,10 @@ in {
    script = let
      logo-svg = ../../../../assets/logo_blue_regular.svg;
      logo-png = ../../../../assets/logo_blue_regular.png;
      extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
        <a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
        <a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
        <a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
      '';
    in ''
      install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
      install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
      install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
      install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
    '';
  };
 }
--- a/hosts/bekkalokk/services/gitea/web-secret-provider/default.nix
+++ b/hosts/bekkalokk/services/gitea/web-secret-provider/default.nix
@ -1,9 +1,9 @@
 { config, pkgs, lib, ... }:
 let
  organizations = [
-    "Drift"
+     "Drift"
-    "Projects"
+     "Projects"
-    "Kurs"
+     "Kurs"
  ];
  cfg = config.services.gitea;
@ -12,10 +12,10 @@ let
    libraries = with pkgs.python3Packages; [ requests ];
    flakeIgnore = [
      "E501" # Line over 80 chars lol
-      "E201" # "whitespace after {"
+      "E201" # "whitespace after {" < this looks better bruh
-      "E202" # "whitespace after }"
+      "E202" # "whitespace after }" < brot
-      "E251" # unexpected spaces around keyword / parameter equals
+      "E251" # unexpected spaces around keyword / parameter equals < megabrot
-      "W391" # Newline at end of file
+      "W391" # Newline at end of file < nei vil ikke
    ];
    makeWrapperArgs = [
      "--prefix PATH : ${(lib.makeBinPath [ pkgs.openssh ])}"
@ -26,41 +26,17 @@ let
    (lib.drop 2)
    lib.concatLines
  ]);
  commonHardening = {
    NoNewPrivileges = true;
    PrivateTmp = true;
    PrivateDevices = true;
    ProtectSystem = true;
    ProtectHome = true;
    ProtectControlGroups = true;
    ProtectKernelModules = true;
    ProtectKernelTunables = true;
    RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
    RestrictRealtime = true;
    RestrictSUIDSGID = true;
    MemoryDenyWriteExecute = true;
    LockPersonality = true;
  };
 in
 {
  sops.secrets."gitea/web-secret-provider/token" = {
    owner = "gitea";
    group = "gitea";
    restartUnits = [
-      "gitea-web-secret-provider@"
+      "gitea-web-secret-provider@.service"
-    ] ++ (map (org: "gitea-web-secret-provider@${org}") organizations);
+      "gitea-web-secret-provider@.timer"
-  };
+    ]
-
+    ++ (map (org: "gitea-web-secret-provider@${org}.service") organizations)
-  systemd.tmpfiles.settings."10-gitea-web-secret-provider"."/var/lib/gitea-web/authorized_keys.d".d = {
+    ++ (map (org: "gitea-web-secret-provider@${org}.timer") organizations);
    user = "gitea";
    group = "gitea";
    mode = "700";
  };
  systemd.slices.system-giteaweb = {
    description = "Gitea web directories";
    wantedBy = [ "multi-user.target" ];
  };
  # https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Specifiers
@ -69,10 +45,9 @@ in
  # %S - /var/lib
  systemd.services = {
    "gitea-web-secret-provider@" = {
-      description = "Ensure all repos in %i has an SSH key to push web content";
+      description = "Gitea web secret provider";
      requires = [ "gitea.service" "network.target" ];
      serviceConfig = {
        Slice = "system-giteaweb.slice";
        Type = "oneshot";
        ExecStart = let
          args = lib.cli.toGNUCommandLineShell { } {
@ -91,30 +66,29 @@ in
        LoadCredential = [
          "token:${config.sops.secrets."gitea/web-secret-provider/token".path}"
        ];
      } // commonHardening;
    };
-    "gitea-web-chown@" = {
+        # Hardening
-      description = "Ensure all gitea-web content is owned by the gitea user";
+        NoNewPrivileges = true;
-      serviceConfig = {
+        PrivateTmp = true;
-        Slice = "system-giteaweb.slice";
+        PrivateDevices = true;
-        Type = "oneshot";
+        ProtectSystem = true;
-        ExecStart = "${pkgs.coreutils}/bin/chown -R gitea:gitea '%S/gitea-web'";
+        ProtectHome = true;
-
+        ProtectControlGroups = true;
-        StateDirectory = "%i";
+        ProtectKernelModules = true;
-
+        ProtectKernelTunables = true;
-        LoadCredential = [
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
-          "token:${config.sops.secrets."gitea/web-secret-provider/token".path}"
+        RestrictRealtime = true;
-        ];
+        RestrictSUIDSGID = true;
-
+        MemoryDenyWriteExecute = true;
-        PrivateNetwork = true;
+        LockPersonality = true;
-      } // commonHardening;
+      };
    };
  };
  systemd.timers = {
    "gitea-web-secret-provider@" = {
-      description = "Ensure all repos in %i has an SSH key to push web content";
+      description = "Run the Gitea web secret provider";
      wantedBy = [ "timers.target" ];
      timerConfig = {
        RandomizedDelaySec = "1h";
        Persistent = true;
@ -122,32 +96,17 @@ in
        OnCalendar = "daily";
      };
    };
    "gitea-web-chown@" = {
      description = "Ensure all gitea-web content is owned by the gitea user";
      timerConfig = {
        RandomizedDelaySec = "10m";
        Persistent = true;
        Unit = "gitea-web-chown@%i.service";
        OnCalendar = "hourly";
      };
    };
  };
-  systemd.targets.timers.wants = lib.mapCartesianProduct ({ timer, org }: "${timer}@${org}.timer") {
+  systemd.targets.timers.wants = map (org: "gitea-web-secret-provider@${org}.timer") organizations;
-    timer = [
+
-      "gitea-web-secret-provider"
+  systemd.tmpfiles.settings."10-gitea-web-secret-provider"."/var/lib/gitea-web/authorized_keys.d".d = {
-      "gitea-web-chown"
+    user = "gitea";
-    ];
+    group = "gitea";
-    org = organizations;
+    mode = "700";
  };
  services.openssh.authorizedKeysFiles = map (org: "/var/lib/gitea-web/authorized_keys.d/${org}") organizations;
-  services.nginx.virtualHosts."pages.pvv.ntnu.no" = {
+  # services.nginx.virtualHosts.
    kTLS = true;
    forceSSL = true;
    enableACME = true;
    root = "/var/lib/gitea-web/web";
  };
 }
--- a/hosts/bekkalokk/services/gitea/web-secret-provider/gitea-web-secret-provider.py
+++ b/hosts/bekkalokk/services/gitea/web-secret-provider/gitea-web-secret-provider.py
@ -6,7 +6,6 @@ import hashlib
 import os
 import requests
 import subprocess
 from pathlib import Path
 def parse_args():
@ -87,7 +86,6 @@ def main():
        token = f.read().strip()
    os.makedirs(args.key_dir, 0o700, exist_ok=True)
    os.makedirs(Path(args.authorized_keys_path).parent, 0o700, exist_ok=True)
    repos = get_org_repo_list(args, token)
    print(f'Found {len(repos)} repositories in `{args.org}`')
Author	SHA1	Message	Date
h7x4	0f67ad70ba	WIP: bekkalokk/gitea: host gitea-web	2024-08-14 02:15:49 +02:00
h7x4	98100a40fd	bekkalokk/gitea: add web-secret-provider timed script	2024-08-14 02:14:48 +02:00