···
234
+
cfg = config.services.tangled-knotserver;
services.tangled-knotserver = {
···
description = "User that hosts git repos and performs git operations";
257
+
openFirewall = mkOption {
260
+
description = "Open port 22 in the firewall for ssh";
263
+
stateDir = mkOption {
265
+
default = "/home/${cfg.gitUser}";
266
+
description = "Tangled knot data directory";
258
-
default = "/home/git";
272
+
default = cfg.stateDir;
description = "Path where repositories are scanned from";
···
290
-
default = "knotserver.db";
304
+
default = "${cfg.stateDir}/knotserver.db";
description = "Path to the database file";
···
309
-
config = mkIf config.services.tangled-knotserver.enable {
323
+
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [git];
system.activationScripts.gitConfig = ''
313
-
mkdir -p /home/git/.config/git
314
-
cat > /home/git/.config/git/config << EOF
327
+
mkdir -p "${cfg.repo.scanPath}"
328
+
chown -R ${cfg.gitUser}:${cfg.gitUser} \
329
+
"${cfg.repo.scanPath}"
331
+
mkdir -p "${cfg.stateDir}/.config/git"
332
+
cat > "${cfg.stateDir}/.config/git/config" << EOF
319
-
chown -R git:git /home/git/.config
337
+
chown -R ${cfg.gitUser}:${cfg.gitUser} \
322
-
users.users.git = {
323
-
isNormalUser = true;
324
-
home = "/home/git";
341
+
users.users.${cfg.gitUser} = {
342
+
isSystemUser = true;
343
+
useDefaultShell = true;
344
+
home = cfg.stateDir;
346
+
group = cfg.gitUser;
329
-
users.groups.git = {};
349
+
users.groups.${cfg.gitUser} = {};
354
+
Match User ${cfg.gitUser}
AuthorizedKeysCommand /etc/ssh/keyfetch_wrapper
AuthorizedKeysCommandUser nobody
···
${self.packages.${pkgs.system}.keyfetch}/bin/keyfetch \
-repoguard-path ${self.packages.${pkgs.system}.repoguard}/bin/repoguard \
366
+
-internal-api "http://${cfg.server.internalListenAddr}" \
367
+
-git-dir "${cfg.repo.scanPath}" \
-log-path /tmp/repoguard.log
···
after = ["network.target" "sshd.service"];
wantedBy = ["multi-user.target"];
356
-
WorkingDirectory = "/home/git";
377
+
User = cfg.gitUser;
378
+
WorkingDirectory = cfg.stateDir;
358
-
"KNOT_REPO_SCAN_PATH=${config.services.tangled-knotserver.repo.scanPath}"
359
-
"APPVIEW_ENDPOINT=${config.services.tangled-knotserver.appviewEndpoint}"
360
-
"KNOT_SERVER_INTERNAL_LISTEN_ADDR=${config.services.tangled-knotserver.server.internalListenAddr}"
361
-
"KNOT_SERVER_LISTEN_ADDR=${config.services.tangled-knotserver.server.listenAddr}"
362
-
"KNOT_SERVER_HOSTNAME=${config.services.tangled-knotserver.server.hostname}"
380
+
"KNOT_REPO_SCAN_PATH=${cfg.repo.scanPath}"
381
+
"KNOT_REPO_MAIN_BRANCH=${cfg.repo.mainBranch}"
382
+
"APPVIEW_ENDPOINT=${cfg.appviewEndpoint}"
383
+
"KNOT_SERVER_INTERNAL_LISTEN_ADDR=${cfg.server.internalListenAddr}"
384
+
"KNOT_SERVER_LISTEN_ADDR=${cfg.server.listenAddr}"
385
+
"KNOT_SERVER_DB_PATH=${cfg.server.dbPath}"
386
+
"KNOT_SERVER_HOSTNAME=${cfg.server.hostname}"
364
-
EnvironmentFile = config.services.tangled-knotserver.server.secretFile;
388
+
EnvironmentFile = cfg.server.secretFile;
ExecStart = "${self.packages.${pkgs.system}.knotserver}/bin/knotserver";
370
-
networking.firewall.allowedTCPPorts = [22];
394
+
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [22];
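Review bot: The lines added to `system.activationScripts.gitConfig` run `chown -R ${cfg.gitUser}:${cfg.gitUser}` as root on every activation, against `cfg.repo.scanPath`, which is now an operator-settable path that presumably holds content written by the unprivileged git user. A recursive ownership change by root inside a tree that a lower-privileged account can write to is a known hazard: links planted in the tree, or a `scanPath` pointed at a shared directory, can end up re-owned. It should also not be needed now that the service runs with `User = cfg.gitUser`. I would create only the top-level directories with fixed owner and mode and drop the `-R`, for example `systemd.tmpfiles.rules = ["d ${cfg.repo.scanPath} 0750 ${cfg.gitUser} ${cfg.gitUser} - -"];`. The activation script is only partly visible here (the second `chown -R` is cut off before its target), so the remaining lines should be checked for the same pattern, as should the unchanged `-log-path /tmp/repoguard.log`, which is a fixed file name in a world-writable directory.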