Compare commits
2 Commits
50fd7ccee2
...
4e18642c14
| Author | SHA1 | Date |
|---|---|---|
 Oystein Kristoffer Tveit
|
4e18642c14
|
|
|
Oystein Kristoffer Tveit
|
a2ef39e8da
|
|
|
@ -23,36 +23,31 @@ let
|
|||
} (builtins.fileContents ./gitea-web-secret-provider.py);
|
||||
in
|
||||
{
|
||||
users.groups."gitea-web" = { };
|
||||
users.users."gitea-web" = {
|
||||
group = "gitea-web";
|
||||
isSystemUser = true;
|
||||
};
|
||||
|
||||
sops.secrets."gitea/web-secret-provider/token" = {
|
||||
owner = "gitea";
|
||||
group = "gitea";
|
||||
owner = "gitea-web";
|
||||
group = "gitea-web";
|
||||
restartUnits = [
|
||||
"gitea-web-secret-provider@"
|
||||
] ++ (map (org: "gitea-web-secret-provider@${org}") organizations);
|
||||
};
|
||||
|
||||
systemd.tmpfiles.settings."10-gitea-web-secret-provider" = {
|
||||
"/var/lib/gitea-web/authorized_keys.d".d = {
|
||||
user = "gitea";
|
||||
group = "gitea";
|
||||
mode = "700";
|
||||
};
|
||||
"/var/lib/gitea-web/web".d = {
|
||||
user = "gitea";
|
||||
group = "nginx";
|
||||
mode = "750";
|
||||
};
|
||||
} //
|
||||
(builtins.listToAttrs (map (org: {
|
||||
name = "/var/lib/gitea-web/web/${org}";
|
||||
value = {
|
||||
d = {
|
||||
user = "gitea";
|
||||
group = "nginx";
|
||||
mode = "750";
|
||||
systemd.tmpfiles.settings."10-gitea-web-secret-provider" =
|
||||
builtins.listToAttrs (map (org: {
|
||||
name = "/var/lib/gitea-web/web/${org}";
|
||||
value = {
|
||||
d = {
|
||||
user = "gitea-web";
|
||||
group = "nginx";
|
||||
mode = "750";
|
||||
};
|
||||
};
|
||||
};
|
||||
}) organizations));
|
||||
}) organizations);
|
||||
|
||||
systemd.slices.system-giteaweb = {
|
||||
description = "Gitea web directories";
|
||||
|
|
@ -76,17 +71,23 @@ in
|
|||
authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
|
||||
rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
|
||||
${lib.getExe pkgs.rrsync} -wo "$1"
|
||||
${pkgs.coreutils}/bin/chown -R gitea:nginx "$1"
|
||||
${pkgs.coreutils}/bin/chown -R gitea-web:nginx "$1"
|
||||
'';
|
||||
web-dir = "/var/lib/gitea-web/web";
|
||||
};
|
||||
in "${giteaWebSecretProviderScript} ${args}";
|
||||
User = "gitea";
|
||||
Group = "gitea";
|
||||
StateDirectory = "%i";
|
||||
|
||||
User = "gitea-web";
|
||||
Group = "gitea-web";
|
||||
|
||||
StateDirectory = toString [
|
||||
"gitea-web/keys/%i"
|
||||
"gitea-web/authorized_keys.d/%i"
|
||||
];
|
||||
LoadCredential = [
|
||||
"token:${config.sops.secrets."gitea/web-secret-provider/token".path}"
|
||||
];
|
||||
|
||||
NoNewPrivileges = true;
|
||||
PrivateTmp = true;
|
||||
PrivateDevices = true;
|
||||
|
|
|
|||
Loading…
Reference in New Issue