
flake.nix: tangled-knotserver module improvements

Added two additional options:
- stateDir: controls where the knotserver's state should be stored
(defaults to `/home/git` to maintain compatibility with previous configs)
- openFirewall: decides if we should open port 22 for ssh
(defaults to true to maintain compatibility with previous configs)

Made use of config options that weren't being used

Changed the `gitUser` to be a system user instead of a normal user.
This is purely cosmetic and essentially just keeps the UID and GID
below 1000. If the user and group were already created, NixOS won't
change them, so this shouldn't be able to break any existing setups;
if the UID and GID do change, the activation script that creates the
directories should update the owner of all the state files.

Add short-hand for `config.services.tangled-knotserver`
Instead of typing `config.services.tangled-knotserver` we can now use
`cfg` to refer to the module's options.

authored by yemou.pink and committed by Tangled b5d175fa a4599698

Changed files
+46 -22
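--- a/flake.nix
+++ b/flake.nix
@@ -230,7 +230,9 @@
 pkgs,
 lib,
 ...
-}:
+}: let
+cfg = config.services.tangled-knotserver;
+in
 with lib; {
 options = {
 services.tangled-knotserver = {
@@ -252,10 +254,22 @@
 description = "User that hosts git repos and performs git operations";
 };
 
+openFirewall = mkOption {
+type = types.bool;
+default = true;
+description = "Open port 22 in the firewall for ssh";
+};
+
+stateDir = mkOption {
+type = types.path;
+default = "/home/${cfg.gitUser}";
+description = "Tangled knot data directory";
+};
+
 repo = {
 scanPath = mkOption {
 type = types.path;
-default = "/home/git";
+default = cfg.stateDir;
 description = "Path where repositories are scanned from";
 };
 
@@ -287,7 +301,7 @@
 
 dbPath = mkOption {
 type = types.path;
-default = "knotserver.db";
+default = "${cfg.stateDir}/knotserver.db";
 description = "Path to the database file";
 };
 
@@ -306,32 +320,38 @@
 };
 };
 
-config = mkIf config.services.tangled-knotserver.enable {
+config = mkIf cfg.enable {
 environment.systemPackages = with pkgs; [git];
 
 system.activationScripts.gitConfig = ''
-mkdir -p /home/git/.config/git
-cat > /home/git/.config/git/config << EOF
+mkdir -p "${cfg.repo.scanPath}"
+chown -R ${cfg.gitUser}:${cfg.gitUser} \
+"${cfg.repo.scanPath}"
+
+mkdir -p "${cfg.stateDir}/.config/git"
+cat > "${cfg.stateDir}/.config/git/config" << EOF
 [user]
 name = Git User
 email = git@example.com
 EOF
-chown -R git:git /home/git/.config
+chown -R ${cfg.gitUser}:${cfg.gitUser} \
+"${cfg.stateDir}"
 '';
 
-users.users.git = {
-isNormalUser = true;
-home = "/home/git";
+users.users.${cfg.gitUser} = {
+isSystemUser = true;
+useDefaultShell = true;
+home = cfg.stateDir;
 createHome = true;
-group = "git";
+group = cfg.gitUser;
 };
 
-users.groups.git = {};
+users.groups.${cfg.gitUser} = {};
 
 services.openssh = {
 enable = true;
 extraConfig = ''
-Match User git
+Match User ${cfg.gitUser}
 AuthorizedKeysCommand /etc/ssh/keyfetch_wrapper
 AuthorizedKeysCommandUser nobody
 '';
@@ -343,6 +363,8 @@
 #!${pkgs.stdenv.shell}
 ${self.packages.${pkgs.system}.keyfetch}/bin/keyfetch \
 -repoguard-path ${self.packages.${pkgs.system}.repoguard}/bin/repoguard \
+-internal-api "http://${cfg.server.internalListenAddr}" \
+-git-dir "${cfg.repo.scanPath}" \
 -log-path /tmp/repoguard.log
 '';
 };
@@ -352,22 +374,24 @@
 after = ["network.target" "sshd.service"];
 wantedBy = ["multi-user.target"];
 serviceConfig = {
-User = "git";
-WorkingDirectory = "/home/git";
+User = cfg.gitUser;
+WorkingDirectory = cfg.stateDir;
 Environment = [
-"KNOT_REPO_SCAN_PATH=${config.services.tangled-knotserver.repo.scanPath}"
-"APPVIEW_ENDPOINT=${config.services.tangled-knotserver.appviewEndpoint}"
-"KNOT_SERVER_INTERNAL_LISTEN_ADDR=${config.services.tangled-knotserver.server.internalListenAddr}"
-"KNOT_SERVER_LISTEN_ADDR=${config.services.tangled-knotserver.server.listenAddr}"
-"KNOT_SERVER_HOSTNAME=${config.services.tangled-knotserver.server.hostname}"
+"KNOT_REPO_SCAN_PATH=${cfg.repo.scanPath}"
+"KNOT_REPO_MAIN_BRANCH=${cfg.repo.mainBranch}"
+"APPVIEW_ENDPOINT=${cfg.appviewEndpoint}"
+"KNOT_SERVER_INTERNAL_LISTEN_ADDR=${cfg.server.internalListenAddr}"
+"KNOT_SERVER_LISTEN_ADDR=${cfg.server.listenAddr}"
+"KNOT_SERVER_DB_PATH=${cfg.server.dbPath}"
+"KNOT_SERVER_HOSTNAME=${cfg.server.hostname}"
 ];
-EnvironmentFile = config.services.tangled-knotserver.server.secretFile;
+EnvironmentFile = cfg.server.secretFile;
 ExecStart = "${self.packages.${pkgs.system}.knotserver}/bin/knotserver";
 Restart = "always";
 };
 };
 
-networking.firewall.allowedTCPPorts = [22];
+networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [22];
 };
 };
 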
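Review bot: The activation script (new-side lines 331–338) runs as root and writes `cat > "${cfg.stateDir}/.config/git/config"` into a tree that is owned by the git user and, with the default `stateDir`, is also that user's home and `repo.scanPath`; if anything under `.config/git` is later replaced by a symlink, root follows it on the next rebuild, so it is safer to create the file as the service user (e.g. `runuser -u ${cfg.gitUser} -- sh -c 'cat > ...'`) or through `systemd.tmpfiles.rules` rather than from a root activation script. The new `chown -R ${cfg.gitUser}:${cfg.gitUser} "${cfg.stateDir}"` on lines 337–338 now walks every repository on every activation and resets ownership of everything in it, whereas the old code only touched `.config`; unless the UID migration mentioned in the commit message is the intent, `chown -R ${cfg.gitUser}:${cfg.gitUser} "${cfg.stateDir}/.config"` plus a non-recursive chown of `stateDir` keeps activation cheap and predictable. On line 394, `allowedTCPPorts = mkIf cfg.openFirewall [22]` still hard-codes 22 regardless of `services.openssh.ports`, and the openssh module's own `services.openssh.openFirewall` (default true, as far as I recall) already opens the configured ports, so the option description should say it is only needed when that is disabled, or the rule could use `config.services.openssh.ports` instead.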