
flake.nix: tangled-knotserver module improvements

Added two additional options:
- stateDir: controls where the knotserver's state should be stored
(defaults to `/home/git` to maintain compatibility with previous configs)
- openFirewall: controls whether port 22 is opened in the firewall for SSH
(defaults to true to maintain compatibility with previous configs)

Made use of config options that weren't being used

Changed the `gitUser` to be a system user instead of a normal user.
This is purely cosmetic and pretty much just keeps the UID and GID
below 1000. If the user and group were already made, NixOS won't
change them so this shouldn't have the possibility of breaking any
existing setups but if the UID and GID are changing, the activation
script that creates the directories should update the owner of all the
state files.

Add short-hand for `config.services.tangled-knotserver`
Instead of typing `config.services.tangled-knotserver` we can now use
`cfg` to refer to the module's options.

authored by yemou.pink and committed by Tangled b5d175fa a4599698

+46 -22
+46 -22
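--- a/flake.nix
+++ b/flake.nix
@@ -230,7 +230,9 @@
     pkgs,
     lib,
     ...
-  }:
+  }: let
+    cfg = config.services.tangled-knotserver;
+  in
   with lib; {
     options = {
       services.tangled-knotserver = {
@@ -252,10 +254,22 @@
           description = "User that hosts git repos and performs git operations";
         };
 
+        openFirewall = mkOption {
+          type = types.bool;
+          default = true;
+          description = "Open port 22 in the firewall for ssh";
+        };
+
+        stateDir = mkOption {
+          type = types.path;
+          default = "/home/${cfg.gitUser}";
+          description = "Tangled knot data directory";
+        };
+
         repo = {
           scanPath = mkOption {
             type = types.path;
-            default = "/home/git";
+            default = cfg.stateDir;
             description = "Path where repositories are scanned from";
           };
 
@@ -287,7 +301,7 @@
 
           dbPath = mkOption {
             type = types.path;
-            default = "knotserver.db";
+            default = "${cfg.stateDir}/knotserver.db";
             description = "Path to the database file";
           };
 
@@ -306,32 +320,38 @@
       };
     };
 
-    config = mkIf config.services.tangled-knotserver.enable {
+    config = mkIf cfg.enable {
       environment.systemPackages = with pkgs; [git];
 
       system.activationScripts.gitConfig = ''
-        mkdir -p /home/git/.config/git
-        cat > /home/git/.config/git/config << EOF
+        mkdir -p "${cfg.repo.scanPath}"
+        chown -R ${cfg.gitUser}:${cfg.gitUser} \
+          "${cfg.repo.scanPath}"
+
+        mkdir -p "${cfg.stateDir}/.config/git"
+        cat > "${cfg.stateDir}/.config/git/config" << EOF
         [user]
           name = Git User
           email = git@example.com
         EOF
-        chown -R git:git /home/git/.config
+        chown -R ${cfg.gitUser}:${cfg.gitUser} \
+          "${cfg.stateDir}"
       '';
 
-      users.users.git = {
-        isNormalUser = true;
-        home = "/home/git";
+      users.users.${cfg.gitUser} = {
+        isSystemUser = true;
+        useDefaultShell = true;
+        home = cfg.stateDir;
         createHome = true;
-        group = "git";
+        group = cfg.gitUser;
       };
 
-      users.groups.git = {};
+      users.groups.${cfg.gitUser} = {};
 
       services.openssh = {
         enable = true;
         extraConfig = ''
-          Match User git
+          Match User ${cfg.gitUser}
             AuthorizedKeysCommand /etc/ssh/keyfetch_wrapper
             AuthorizedKeysCommandUser nobody
         '';
@@ -343,6 +363,8 @@
           #!${pkgs.stdenv.shell}
           ${self.packages.${pkgs.system}.keyfetch}/bin/keyfetch \
             -repoguard-path ${self.packages.${pkgs.system}.repoguard}/bin/repoguard \
+            -internal-api "http://${cfg.server.internalListenAddr}" \
+            -git-dir "${cfg.repo.scanPath}" \
             -log-path /tmp/repoguard.log
         '';
       };
@@ -352,22 +374,24 @@
         after = ["network.target" "sshd.service"];
         wantedBy = ["multi-user.target"];
         serviceConfig = {
-          User = "git";
-          WorkingDirectory = "/home/git";
+          User = cfg.gitUser;
+          WorkingDirectory = cfg.stateDir;
           Environment = [
-            "KNOT_REPO_SCAN_PATH=${config.services.tangled-knotserver.repo.scanPath}"
-            "APPVIEW_ENDPOINT=${config.services.tangled-knotserver.appviewEndpoint}"
-            "KNOT_SERVER_INTERNAL_LISTEN_ADDR=${config.services.tangled-knotserver.server.internalListenAddr}"
-            "KNOT_SERVER_LISTEN_ADDR=${config.services.tangled-knotserver.server.listenAddr}"
-            "KNOT_SERVER_HOSTNAME=${config.services.tangled-knotserver.server.hostname}"
+            "KNOT_REPO_SCAN_PATH=${cfg.repo.scanPath}"
+            "KNOT_REPO_MAIN_BRANCH=${cfg.repo.mainBranch}"
+            "APPVIEW_ENDPOINT=${cfg.appviewEndpoint}"
+            "KNOT_SERVER_INTERNAL_LISTEN_ADDR=${cfg.server.internalListenAddr}"
+            "KNOT_SERVER_LISTEN_ADDR=${cfg.server.listenAddr}"
+            "KNOT_SERVER_DB_PATH=${cfg.server.dbPath}"
+            "KNOT_SERVER_HOSTNAME=${cfg.server.hostname}"
           ];
-          EnvironmentFile = config.services.tangled-knotserver.server.secretFile;
+          EnvironmentFile = cfg.server.secretFile;
           ExecStart = "${self.packages.${pkgs.system}.knotserver}/bin/knotserver";
           Restart = "always";
         };
       };
 
-      networking.firewall.allowedTCPPorts = [22];
+      networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [22];
     };
   };
 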
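Review bot: Setting `openFirewall = false` does not actually close port 22, because the `services.openssh.enable = true;` in the fourth hunk leaves `services.openssh.openFirewall` at its NixOS default of `true`, which opens the sshd ports on its own, so the new `networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [22];` in the last hunk only adds a second, redundant rule. To make the option do what its description promises, also set `services.openssh.openFirewall = cfg.openFirewall;` next to `enable = true;`, or reword the description to say the port is opened in addition to the openssh module's own rule. Separately, the activation script in the fourth hunk now runs `chown -R` as root over the whole `stateDir` — by default the tree holding every repository — on every activation, although the commit message only needs the re-own for a one-time UID migration; a recursive root-run re-own of a tree that the unprivileged, SSH-reachable git user writes to is better limited to the paths the script itself creates (`"${cfg.stateDir}/.config"`) or run only when the current owner is wrong. The same script also overwrites `.config/git/config` with the fixed `git@example.com` identity on each activation, which silently reverts any local edits. The module function and the `config` attribute set both begin and end outside the hunks shown.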