bekkalokk/gitea-web: host pages

hosts/bekkalokk/services/gitea/web-secret-provider/gitea-web-secret-provider.py

@@ -11,18 +11,18 @@ from pathlib import Path
 
 def parse_args():
     parser = argparse.ArgumentParser(description="Generate SSH keys for Gitea repositories and add them as secrets")
-    parser.add_argument("--org", required=True, help="The organization to generate keys for")
+    parser.add_argument("--org", required=True, type=str, help="The organization to generate keys for")
-    parser.add_argument("--token-path", metavar='PATH', required=True, help="Path to a file containing the Gitea API token")
+    parser.add_argument("--token-path", metavar='PATH', required=True, type=Path, help="Path to a file containing the Gitea API token")
-    parser.add_argument("--api-url", metavar='URL', help="The URL of the Gitea API", default="https://git.pvv.ntnu.no/api/v1")
+    parser.add_argument("--api-url", metavar='URL', type=str, help="The URL of the Gitea API", default="https://git.pvv.ntnu.no/api/v1")
-    parser.add_argument("--key-dir", metavar='PATH', help="The directory to store the generated keys in", default="/run/gitea-web-secret-provider")
+    parser.add_argument("--key-dir", metavar='PATH', type=Path, help="The directory to store the generated keys in", default="/run/gitea-web-secret-provider")
-    parser.add_argument("--authorized-keys-path", metavar='PATH', help="The path to the resulting authorized_keys file", default="/etc/ssh/authorized_keys.d/gitea-web-secret-provider")
+    parser.add_argument("--authorized-keys-path", metavar='PATH', type=Path, help="The path to the resulting authorized_keys file", default="/etc/ssh/authorized_keys.d/gitea-web-secret-provider")
-    parser.add_argument("--rrsync-path", metavar='PATH', help="The path to the rrsync binary", default="/run/current-system/sw/bin/rrsync")
+    parser.add_argument("--rrsync-path", metavar='PATH', type=Path, help="The path to the rrsync binary", default="/run/current-system/sw/bin/rrsync")
-    parser.add_argument("--web-dir", metavar='PATH', help="The directory to sync the repositories to", default="/var/www")
+    parser.add_argument("--web-dir", metavar='PATH', type=Path, help="The directory to sync the repositories to", default="/var/www")
     parser.add_argument("--force", action="store_true", help="Overwrite existing keys")
     return parser.parse_args()
 
 
-def add_secret(args, token, repo, name, secret):
+def add_secret(args: argparse.Namespace, token: str, repo: str, name: str, secret: str):
     result = requests.put(
         f"{args.api_url}/repos/{args.org}/{repo}/actions/secrets/{name}",
         json = { 'data': secret },
@@ -32,7 +32,7 @@ def add_secret(args, token, repo, name, secret):
         raise Exception(f"Failed to add secret: {result.json()}")
 
 
-def get_org_repo_list(args, token):
+def get_org_repo_list(args: argparse.Namespace, token: str):
     result = requests.get(
         f"{args.api_url}/orgs/{args.org}/repos",
         headers = { 'Authorization': 'token ' + token },
@@ -40,16 +40,16 @@ def get_org_repo_list(args, token):
     return [repo["name"] for repo in result.json()]
 
 
-def generate_ssh_key(args, repository: str):
+def generate_ssh_key(args: argparse.Namespace, repository: str):
     keyname = hashlib.sha256(args.org.encode() + repository.encode()).hexdigest()
-
+    key_path = args.key_dir / keyname
-    if not os.path.exists(os.path.join(args.key_dir, keyname)) or args.force:
+    if not key_path.exists() or args.force:
         subprocess.run(
             [
                 "ssh-keygen",
                 *("-t", "ed25519"),
                 *("-b", "4096"),
-                *("-f", os.path.join(args.key_dir, keyname)),
+                *("-f", key_path),
                 *("-N", ""),
                 *("-C", f"{args.org}/{repository}"),
             ],
@@ -60,24 +60,32 @@ def generate_ssh_key(args, repository: str):
         )
         print(f"Generated SSH key for `{args.org}/{repository}`")
 
-    with open(os.path.join(args.key_dir, keyname), "r") as f:
+    with open(key_path, "r") as f:
         private_key = f.read()
 
-    with open(os.path.join(args.key_dir, keyname + ".pub"), "r") as f:
+    with open(key_path.append_suffix('.pub'), "r") as f:
         public_key = f.read()
 
     return private_key, public_key
 
 
-def generate_authorized_keys(args, repo_public_keys: list[tuple[str, str]]):
+SSH_OPTS = ",".join([
-    result = ""
+    "restrict",
+    "no-agent-forwarding",
+    "no-port-forwarding",
+    "no-pty",
+    "no-X11-forwarding",
+])
+
+
+def generate_authorized_keys(args: argparse.Namespace, repo_public_keys: list[tuple[str, str]]):
+    lines = []
     for repo, public_key in repo_public_keys:
-        result += f"""
+        command = f"{args.rrsync_path} -wo {args.web_dir}/{args.org}/{repo}"
-            command="{args.rrsync_path} -wo {args.web_dir}/{args.org}/{repo}",restrict,no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding {public_key}
+        lines.append(f'command="{command}",{SSH_OPTS} {public_key}')
-        """.strip() + "\n"
 
     with open(args.authorized_keys_path, "w") as f:
-        f.write(result)
+        f.writelines(lines)
 
 
 def main():
@@ -87,7 +95,7 @@ def main():
         token = f.read().strip()
 
     os.makedirs(args.key_dir, 0o700, exist_ok=True)
-    os.makedirs(Path(args.authorized_keys_path).parent, 0o700, exist_ok=True)
+    os.makedirs(args.authorized_keys_path.parent, 0o700, exist_ok=True)
 
     repos = get_org_repo_list(args, token)
     print(f'Found {len(repos)} repositories in `{args.org}`')