commit b5d175faa1c06933f502c798d2ab9cce6c5cfeaf · julien.rbrt.fr/tangled-core

+46 -22

flake.nix

···

       230
        
             pkgs,

     

       231
        
             lib,

     

       232
        
             ...

     

       233
       -
           }:

     

       0
        
       
     

       0
        
       
     

       234
        
             with lib; {

     

       235
        
               options = {

     

       236
        
                 services.tangled-knotserver = {

     
···

       252
        
                     description = "User that hosts git repos and performs git operations";

     

       253
        
                   };

     

       254
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       255
        
                   repo = {

     

       256
        
                     scanPath = mkOption {

     

       257
        
                       type = types.path;

     

       258
       -
                       default = "/home/git";

     

       259
        
                       description = "Path where repositories are scanned from";

     

       260
        
                     };

     

       261
        
       

     
···

       287
        
       

     

       288
        
                     dbPath = mkOption {

     

       289
        
                       type = types.path;

     

       290
       -
                       default = "knotserver.db";

     

       291
        
                       description = "Path to the database file";

     

       292
        
                     };

     

       293
        
       

     
···

       306
        
                 };

     

       307
        
               };

     

       308
        
       

     

       309
       -
               config = mkIf config.services.tangled-knotserver.enable {

     

       310
        
                 environment.systemPackages = with pkgs; [git];

     

       311
        
       

     

       312
        
                 system.activationScripts.gitConfig = ''

     

       313
       -
                   mkdir -p /home/git/.config/git

     

       314
       -
                   cat > /home/git/.config/git/config << EOF

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       315
        
                   [user]

     

       316
        
                       name = Git User

     

       317
        
                       email = git@example.com

     

       318
        
                   EOF

     

       319
       -
                   chown -R git:git /home/git/.config

     

       0
        
       
     

       320
        
                 '';

     

       321
        
       

     

       322
       -
                 users.users.git = {

     

       323
       -
                   isNormalUser = true;

     

       324
       -
                   home = "/home/git";

     

       0
        
       
     

       325
        
                   createHome = true;

     

       326
       -
                   group = "git";

     

       327
        
                 };

     

       328
        
       

     

       329
       -
                 users.groups.git = {};

     

       330
        
       

     

       331
        
                 services.openssh = {

     

       332
        
                   enable = true;

     

       333
        
                   extraConfig = ''

     

       334
       -
                     Match User git

     

       335
        
                         AuthorizedKeysCommand /etc/ssh/keyfetch_wrapper

     

       336
        
                         AuthorizedKeysCommandUser nobody

     

       337
        
                   '';

     
···

       343
        
                     #!${pkgs.stdenv.shell}

     

       344
        
                     ${self.packages.${pkgs.system}.keyfetch}/bin/keyfetch \

     

       345
        
                       -repoguard-path ${self.packages.${pkgs.system}.repoguard}/bin/repoguard \

     

       0
        
       
     

       0
        
       
     

       346
        
                       -log-path /tmp/repoguard.log

     

       347
        
                   '';

     

       348
        
                 };

     
···

       352
        
                   after = ["network.target" "sshd.service"];

     

       353
        
                   wantedBy = ["multi-user.target"];

     

       354
        
                   serviceConfig = {

     

       355
       -
                     User = "git";

     

       356
       -
                     WorkingDirectory = "/home/git";

     

       357
        
                     Environment = [

     

       358
       -
                       "KNOT_REPO_SCAN_PATH=${config.services.tangled-knotserver.repo.scanPath}"

     

       359
       -
                       "APPVIEW_ENDPOINT=${config.services.tangled-knotserver.appviewEndpoint}"

     

       360
       -
                       "KNOT_SERVER_INTERNAL_LISTEN_ADDR=${config.services.tangled-knotserver.server.internalListenAddr}"

     

       361
       -
                       "KNOT_SERVER_LISTEN_ADDR=${config.services.tangled-knotserver.server.listenAddr}"

     

       362
       -
                       "KNOT_SERVER_HOSTNAME=${config.services.tangled-knotserver.server.hostname}"

     

       0
        
       
     

       0
        
       
     

       363
        
                     ];

     

       364
       -
                     EnvironmentFile = config.services.tangled-knotserver.server.secretFile;

     

       365
        
                     ExecStart = "${self.packages.${pkgs.system}.knotserver}/bin/knotserver";

     

       366
        
                     Restart = "always";

     

       367
        
                   };

     

       368
        
                 };

     

       369
        
       

     

       370
       -
                 networking.firewall.allowedTCPPorts = [22];

     

       371
        
               };

     

       372
        
             };

     

       373

···

       230
        
             pkgs,

     

       231
        
             lib,

     

       232
        
             ...

     

       233
       +
           }: let

     

       234
       +
             cfg = config.services.tangled-knotserver;

     

       235
       +
           in

     

       236
        
             with lib; {

     

       237
        
               options = {

     

       238
        
                 services.tangled-knotserver = {

     
···

       254
        
                     description = "User that hosts git repos and performs git operations";

     

       255
        
                   };

     

       256
        
       

     

       257
       +
                   openFirewall = mkOption {

     

       258
       +
                     type = types.bool;

     

       259
       +
                     default = true;

     

       260
       +
                     description = "Open port 22 in the firewall for ssh";

     

       261
       +
                   };

     

       262
       +
       

     

       263
       +
                   stateDir = mkOption {

     

       264
       +
                     type = types.path;

     

       265
       +
                     default = "/home/${cfg.gitUser}";

     

       266
       +
                     description = "Tangled knot data directory";

     

       267
       +
                   };

     

       268
       +
       

     

       269
        
                   repo = {

     

       270
        
                     scanPath = mkOption {

     

       271
        
                       type = types.path;

     

       272
       +
                       default = cfg.stateDir;

     

       273
        
                       description = "Path where repositories are scanned from";

     

       274
        
                     };

     

       275
        
       

     
···

       301
        
       

     

       302
        
                     dbPath = mkOption {

     

       303
        
                       type = types.path;

     

       304
       +
                       default = "${cfg.stateDir}/knotserver.db";

     

       305
        
                       description = "Path to the database file";

     

       306
        
                     };

     

       307
        
       

     
···

       320
        
                 };

     

       321
        
               };

     

       322
        
       

     

       323
       +
               config = mkIf cfg.enable {

     

       324
        
                 environment.systemPackages = with pkgs; [git];

     

       325
        
       

     

       326
        
                 system.activationScripts.gitConfig = ''

     

       327
       +
                   mkdir -p "${cfg.repo.scanPath}"

     

       328
       +
                   chown -R ${cfg.gitUser}:${cfg.gitUser} \

     

       329
       +
                       "${cfg.repo.scanPath}"

     

       330
       +
       

     

       331
       +
                   mkdir -p "${cfg.stateDir}/.config/git"

     

       332
       +
                   cat > "${cfg.stateDir}/.config/git/config" << EOF

     

       333
        
                   [user]

     

       334
        
                       name = Git User

     

       335
        
                       email = git@example.com

     

       336
        
                   EOF

     

       337
       +
                   chown -R ${cfg.gitUser}:${cfg.gitUser} \

     

       338
       +
                       "${cfg.stateDir}"

     

       339
        
                 '';

     

       340
        
       

     

       341
       +
                 users.users.${cfg.gitUser} = {

     

       342
       +
                   isSystemUser = true;

     

       343
       +
                   useDefaultShell = true;

     

       344
       +
                   home = cfg.stateDir;

     

       345
        
                   createHome = true;

     

       346
       +
                   group = cfg.gitUser;

     

       347
        
                 };

     

       348
        
       

     

       349
       +
                 users.groups.${cfg.gitUser} = {};

     

       350
        
       

     

       351
        
                 services.openssh = {

     

       352
        
                   enable = true;

     

       353
        
                   extraConfig = ''

     

       354
       +
                     Match User ${cfg.gitUser}

     

       355
        
                         AuthorizedKeysCommand /etc/ssh/keyfetch_wrapper

     

       356
        
                         AuthorizedKeysCommandUser nobody

     

       357
        
                   '';

     
···

       363
        
                     #!${pkgs.stdenv.shell}

     

       364
        
                     ${self.packages.${pkgs.system}.keyfetch}/bin/keyfetch \

     

       365
        
                       -repoguard-path ${self.packages.${pkgs.system}.repoguard}/bin/repoguard \

     

       366
       +
                       -internal-api "http://${cfg.server.internalListenAddr}" \

     

       367
       +
                       -git-dir "${cfg.repo.scanPath}" \

     

       368
        
                       -log-path /tmp/repoguard.log

     

       369
        
                   '';

     

       370
        
                 };

     
···

       374
        
                   after = ["network.target" "sshd.service"];

     

       375
        
                   wantedBy = ["multi-user.target"];

     

       376
        
                   serviceConfig = {

     

       377
       +
                     User = cfg.gitUser;

     

       378
       +
                     WorkingDirectory = cfg.stateDir;

     

       379
        
                     Environment = [

     

       380
       +
                       "KNOT_REPO_SCAN_PATH=${cfg.repo.scanPath}"

     

       381
       +
                       "KNOT_REPO_MAIN_BRANCH=${cfg.repo.mainBranch}"

     

       382
       +
                       "APPVIEW_ENDPOINT=${cfg.appviewEndpoint}"

     

       383
       +
                       "KNOT_SERVER_INTERNAL_LISTEN_ADDR=${cfg.server.internalListenAddr}"

     

       384
       +
                       "KNOT_SERVER_LISTEN_ADDR=${cfg.server.listenAddr}"

     

       385
       +
                       "KNOT_SERVER_DB_PATH=${cfg.server.dbPath}"

     

       386
       +
                       "KNOT_SERVER_HOSTNAME=${cfg.server.hostname}"

     

       387
        
                     ];

     

       388
       +
                     EnvironmentFile = cfg.server.secretFile;

     

       389
        
                     ExecStart = "${self.packages.${pkgs.system}.knotserver}/bin/knotserver";

     

       390
        
                     Restart = "always";

     

       391
        
                   };

     

       392
        
                 };

     

       393
        
       

     

       394
       +
                 networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [22];

     

       395
        
               };

     

       396
        
             };

     

       397