Compare commits
2 Commits
74a2b1970e
...
1ac43cdb72
Author | SHA1 | Date |
---|---|---|
Oystein Kristoffer Tveit | 1ac43cdb72 | |
Oystein Kristoffer Tveit | a8663b7df0 |
|
@ -6,9 +6,9 @@ let
|
|||
"Kurs"
|
||||
];
|
||||
|
||||
cfg = config.services.gitea;
|
||||
giteaCfg = config.services.gitea;
|
||||
|
||||
program = pkgs.writers.writePython3 "gitea-web-secret-provider" {
|
||||
giteaWebSecretProviderScript = pkgs.writers.writePython3 "gitea-web-secret-provider" {
|
||||
libraries = with pkgs.python3Packages; [ requests ];
|
||||
flakeIgnore = [
|
||||
"E501" # Line over 80 chars lol
|
||||
|
@ -20,28 +20,7 @@ let
|
|||
makeWrapperArgs = [
|
||||
"--prefix PATH : ${(lib.makeBinPath [ pkgs.openssh ])}"
|
||||
];
|
||||
} (lib.pipe ./gitea-web-secret-provider.py [
|
||||
builtins.readFile
|
||||
(lib.splitString "\n")
|
||||
(lib.drop 2)
|
||||
lib.concatLines
|
||||
]);
|
||||
|
||||
commonHardening = {
|
||||
NoNewPrivileges = true;
|
||||
PrivateTmp = true;
|
||||
PrivateDevices = true;
|
||||
ProtectSystem = true;
|
||||
ProtectHome = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
LockPersonality = true;
|
||||
};
|
||||
} (lib.fileContents ./gitea-web-secret-provider.py);
|
||||
in
|
||||
{
|
||||
sops.secrets."gitea/web-secret-provider/token" = {
|
||||
|
@ -82,9 +61,7 @@ in
|
|||
# https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Specifiers
|
||||
# %i - instance name (after the @)
|
||||
# %d - secrets directory
|
||||
# %S - /var/lib
|
||||
systemd.services = {
|
||||
"gitea-web-secret-provider@" = {
|
||||
systemd.services."gitea-web-secret-provider@" = {
|
||||
description = "Ensure all repos in %i has an SSH key to push web content";
|
||||
requires = [ "gitea.service" "network.target" ];
|
||||
serviceConfig = {
|
||||
|
@ -94,35 +71,39 @@ in
|
|||
args = lib.cli.toGNUCommandLineShell { } {
|
||||
org = "%i";
|
||||
token-path = "%d/token";
|
||||
api-url = "${cfg.settings.server.ROOT_URL}api/v1";
|
||||
key-dir = "%S/gitea-web/keys/%i";
|
||||
authorized-keys-path = "%S/gitea-web/authorized_keys.d/%i";
|
||||
rrsync-path = "${pkgs.rrsync}/bin/rrsync";
|
||||
web-dir = "%S/gitea-web/web";
|
||||
api-url = "${giteaCfg.settings.server.ROOT_URL}api/v1";
|
||||
key-dir = "/var/lib/gitea-web/keys/%i";
|
||||
authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
|
||||
rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
|
||||
${lib.getExe pkgs.rrsync} -wo "$1"
|
||||
${pkgs.coreutils}/bin/chown -R gitea:nginx "$1"
|
||||
'';
|
||||
web-dir = "/var/lib/gitea-web/web";
|
||||
};
|
||||
in "${program} ${args}";
|
||||
in "${giteaWebSecretProviderScript} ${args}";
|
||||
User = "gitea";
|
||||
Group = "gitea";
|
||||
StateDirectory = "%i";
|
||||
LoadCredential = [
|
||||
"token:${config.sops.secrets."gitea/web-secret-provider/token".path}"
|
||||
];
|
||||
} // commonHardening;
|
||||
};
|
||||
|
||||
"gitea-web-chown@" = {
|
||||
description = "Ensure all gitea-web content has correct ownership";
|
||||
serviceConfig = {
|
||||
Slice = "system-giteaweb.slice";
|
||||
Type = "oneshot";
|
||||
ExecStart = "${pkgs.coreutils}/bin/chown -R gitea:nginx '%S/gitea-web/web/%i'";
|
||||
PrivateNetwork = true;
|
||||
} // commonHardening;
|
||||
NoNewPrivileges = true;
|
||||
PrivateTmp = true;
|
||||
PrivateDevices = true;
|
||||
ProtectSystem = true;
|
||||
ProtectHome = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
LockPersonality = true;
|
||||
};
|
||||
};
|
||||
|
||||
systemd.timers = {
|
||||
"gitea-web-secret-provider@" = {
|
||||
systemd.timers."gitea-web-secret-provider@" = {
|
||||
description = "Ensure all repos in %i has an SSH key to push web content";
|
||||
timerConfig = {
|
||||
RandomizedDelaySec = "1h";
|
||||
|
@ -132,24 +113,7 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
"gitea-web-chown@" = {
|
||||
description = "Ensure all gitea-web content is owned by the gitea user";
|
||||
timerConfig = {
|
||||
RandomizedDelaySec = "10m";
|
||||
Persistent = true;
|
||||
Unit = "gitea-web-chown@%i.service";
|
||||
OnCalendar = "hourly";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd.targets.timers.wants = lib.mapCartesianProduct ({ timer, org }: "${timer}@${org}.timer") {
|
||||
timer = [
|
||||
"gitea-web-secret-provider"
|
||||
"gitea-web-chown"
|
||||
];
|
||||
org = organizations;
|
||||
};
|
||||
systemd.targets.timers.wants = map (org: "gitea-web-secret-provider@${org}.timer") organizations;
|
||||
|
||||
services.openssh.authorizedKeysFiles = map (org: "/var/lib/gitea-web/authorized_keys.d/${org}") organizations;
|
||||
|
||||
|
|
|
@ -1,6 +1,3 @@
|
|||
#!/usr/bin/env nix-shell
|
||||
#!nix-shell -i python3 -p "python3.withPackages(ps: with ps; [ requests ])" openssh
|
||||
|
||||
import argparse
|
||||
import hashlib
|
||||
import os
|
||||
|
@ -16,7 +13,7 @@ def parse_args():
|
|||
parser.add_argument("--api-url", metavar='URL', type=str, help="The URL of the Gitea API", default="https://git.pvv.ntnu.no/api/v1")
|
||||
parser.add_argument("--key-dir", metavar='PATH', type=Path, help="The directory to store the generated keys in", default="/run/gitea-web-secret-provider")
|
||||
parser.add_argument("--authorized-keys-path", metavar='PATH', type=Path, help="The path to the resulting authorized_keys file", default="/etc/ssh/authorized_keys.d/gitea-web-secret-provider")
|
||||
parser.add_argument("--rrsync-path", metavar='PATH', type=Path, help="The path to the rrsync binary", default="/run/current-system/sw/bin/rrsync")
|
||||
parser.add_argument("--rrsync-script", metavar='PATH', type=Path, help="The path to a rrsync script, taking the destination path as its single argument")
|
||||
parser.add_argument("--web-dir", metavar='PATH', type=Path, help="The directory to sync the repositories to", default="/var/www")
|
||||
parser.add_argument("--force", action="store_true", help="Overwrite existing keys")
|
||||
return parser.parse_args()
|
||||
|
@ -48,15 +45,14 @@ def generate_ssh_key(args: argparse.Namespace, repository: str):
|
|||
[
|
||||
"ssh-keygen",
|
||||
*("-t", "ed25519"),
|
||||
*("-b", "4096"),
|
||||
*("-f", key_path),
|
||||
*("-N", ""),
|
||||
*("-C", f"{args.org}/{repository}"),
|
||||
],
|
||||
check=True,
|
||||
stdin=subprocess.DEVNULL,
|
||||
stdout=subprocess.DEVNULL,
|
||||
stderr=subprocess.DEVNULL
|
||||
stdout=subprocess.PIPE,
|
||||
stderr=subprocess.PIPE,
|
||||
)
|
||||
print(f"Generated SSH key for `{args.org}/{repository}`")
|
||||
|
||||
|
@ -82,7 +78,7 @@ SSH_OPTS = ",".join([
|
|||
def generate_authorized_keys(args: argparse.Namespace, repo_public_keys: list[tuple[str, str]]):
|
||||
lines = []
|
||||
for repo, public_key in repo_public_keys:
|
||||
command = f"{args.rrsync_path} -wo {args.web_dir}/{args.org}/{repo}"
|
||||
command = f"{args.rrsync_script} {args.web_dir}/{args.org}/{repo}"
|
||||
lines.append(f'command="{command}",{SSH_OPTS} {public_key}')
|
||||
|
||||
with open(args.authorized_keys_path, "w") as f:
|
||||
|
|
Loading…
Reference in New Issue