Compare commits
2 Commits
50fd7ccee2
...
4e18642c14
| Author | SHA1 | Date |
|---|---|---|
 Oystein Kristoffer Tveit
|
4e18642c14
|
|
|
Oystein Kristoffer Tveit
|
a2ef39e8da
|
|
|
@ -23,36 +23,31 @@ let
|
||||||
} (builtins.fileContents ./gitea-web-secret-provider.py);
|
} (builtins.fileContents ./gitea-web-secret-provider.py);
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
users.groups."gitea-web" = { };
|
||||||
|
users.users."gitea-web" = {
|
||||||
|
group = "gitea-web";
|
||||||
|
isSystemUser = true;
|
||||||
|
};
|
||||||
|
|
||||||
sops.secrets."gitea/web-secret-provider/token" = {
|
sops.secrets."gitea/web-secret-provider/token" = {
|
||||||
owner = "gitea";
|
owner = "gitea-web";
|
||||||
group = "gitea";
|
group = "gitea-web";
|
||||||
restartUnits = [
|
restartUnits = [
|
||||||
"gitea-web-secret-provider@"
|
"gitea-web-secret-provider@"
|
||||||
] ++ (map (org: "gitea-web-secret-provider@${org}") organizations);
|
] ++ (map (org: "gitea-web-secret-provider@${org}") organizations);
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.tmpfiles.settings."10-gitea-web-secret-provider" = {
|
systemd.tmpfiles.settings."10-gitea-web-secret-provider" =
|
||||||
"/var/lib/gitea-web/authorized_keys.d".d = {
|
builtins.listToAttrs (map (org: {
|
||||||
user = "gitea";
|
name = "/var/lib/gitea-web/web/${org}";
|
||||||
group = "gitea";
|
value = {
|
||||||
mode = "700";
|
d = {
|
||||||
};
|
user = "gitea-web";
|
||||||
"/var/lib/gitea-web/web".d = {
|
group = "nginx";
|
||||||
user = "gitea";
|
mode = "750";
|
||||||
group = "nginx";
|
};
|
||||||
mode = "750";
|
|
||||||
};
|
|
||||||
} //
|
|
||||||
(builtins.listToAttrs (map (org: {
|
|
||||||
name = "/var/lib/gitea-web/web/${org}";
|
|
||||||
value = {
|
|
||||||
d = {
|
|
||||||
user = "gitea";
|
|
||||||
group = "nginx";
|
|
||||||
mode = "750";
|
|
||||||
};
|
};
|
||||||
};
|
}) organizations);
|
||||||
}) organizations));
|
|
||||||
|
|
||||||
systemd.slices.system-giteaweb = {
|
systemd.slices.system-giteaweb = {
|
||||||
description = "Gitea web directories";
|
description = "Gitea web directories";
|
||||||
|
|
@ -76,17 +71,23 @@ in
|
||||||
authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
|
authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
|
||||||
rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
|
rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
|
||||||
${lib.getExe pkgs.rrsync} -wo "$1"
|
${lib.getExe pkgs.rrsync} -wo "$1"
|
||||||
${pkgs.coreutils}/bin/chown -R gitea:nginx "$1"
|
${pkgs.coreutils}/bin/chown -R gitea-web:nginx "$1"
|
||||||
'';
|
'';
|
||||||
web-dir = "/var/lib/gitea-web/web";
|
web-dir = "/var/lib/gitea-web/web";
|
||||||
};
|
};
|
||||||
in "${giteaWebSecretProviderScript} ${args}";
|
in "${giteaWebSecretProviderScript} ${args}";
|
||||||
User = "gitea";
|
|
||||||
Group = "gitea";
|
User = "gitea-web";
|
||||||
StateDirectory = "%i";
|
Group = "gitea-web";
|
||||||
|
|
||||||
|
StateDirectory = toString [
|
||||||
|
"gitea-web/keys/%i"
|
||||||
|
"gitea-web/authorized_keys.d/%i"
|
||||||
|
];
|
||||||
LoadCredential = [
|
LoadCredential = [
|
||||||
"token:${config.sops.secrets."gitea/web-secret-provider/token".path}"
|
"token:${config.sops.secrets."gitea/web-secret-provider/token".path}"
|
||||||
];
|
];
|
||||||
|
|
||||||
NoNewPrivileges = true;
|
NoNewPrivileges = true;
|
||||||
PrivateTmp = true;
|
PrivateTmp = true;
|
||||||
PrivateDevices = true;
|
PrivateDevices = true;
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue