bekkalokk/gitea-web: host pages

hosts/bekkalokk/services/gitea/web-secret-provider/default.nix

@@ -52,15 +52,31 @@ in
     ] ++ (map (org: "gitea-web-secret-provider@${org}") organizations);
   };
 
-  systemd.tmpfiles.settings."10-gitea-web-secret-provider"."/var/lib/gitea-web/authorized_keys.d".d = {
+  systemd.tmpfiles.settings."10-gitea-web-secret-provider" = {
-    user = "gitea";
+    "/var/lib/gitea-web/authorized_keys.d".d = {
-    group = "gitea";
+      user = "gitea";
-    mode = "700";
+      group = "gitea";
-  };
+      mode = "700";
+    };
+    "/var/lib/gitea-web/web".d = {
+      user = "gitea";
+      group = "nginx";
+      mode = "750";
+    };
+  } //
+  (builtins.listToAttrs (map (org: {
+    name = "/var/lib/gitea-web/web/${org}";
+    value = {
+      d = {
+        user = "gitea";
+        group = "nginx";
+        mode = "750";
+      };
+    };
+  }) organizations));
 
   systemd.slices.system-giteaweb = {
     description = "Gitea web directories";
-    wantedBy = [ "multi-user.target" ];
   };
 
   # https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Specifiers
@@ -79,7 +95,7 @@ in
             org = "%i";
             token-path = "%d/token";
             api-url = "${cfg.settings.server.ROOT_URL}api/v1";
-            key-dir = "%S/%i/keys";
+            key-dir = "%S/gitea-web/keys/%i";
             authorized-keys-path = "%S/gitea-web/authorized_keys.d/%i";
             rrsync-path = "${pkgs.rrsync}/bin/rrsync";
             web-dir = "%S/gitea-web/web";
@@ -95,18 +111,11 @@ in
     };
 
     "gitea-web-chown@" = {
-      description = "Ensure all gitea-web content is owned by the gitea user";
+      description = "Ensure all gitea-web content has correct ownership";
       serviceConfig = {
         Slice = "system-giteaweb.slice";
         Type = "oneshot";
-        ExecStart = "${pkgs.coreutils}/bin/chown -R gitea:gitea '%S/gitea-web'";
+        ExecStart = "${pkgs.coreutils}/bin/chown -R gitea:nginx '%S/gitea-web/web/%i'";
-
-        StateDirectory = "%i";
-
-        LoadCredential = [
-          "token:${config.sops.secrets."gitea/web-secret-provider/token".path}"
-        ];
-
         PrivateNetwork = true;
       } // commonHardening;
     };

hosts/bekkalokk/services/gitea/web-secret-provider/gitea-web-secret-provider.py

@@ -43,7 +43,7 @@ def get_org_repo_list(args: argparse.Namespace, token: str):
 def generate_ssh_key(args: argparse.Namespace, repository: str):
     keyname = hashlib.sha256(args.org.encode() + repository.encode()).hexdigest()
     key_path = args.key_dir / keyname
-    if not key_path.exists() or args.force:
+    if not key_path.is_file() or args.force:
         subprocess.run(
             [
                 "ssh-keygen",
@@ -63,7 +63,8 @@ def generate_ssh_key(args: argparse.Namespace, repository: str):
     with open(key_path, "r") as f:
         private_key = f.read()
 
-    with open(key_path.append_suffix('.pub'), "r") as f:
+    pub_key_path = args.key_dir / (keyname + '.pub')
+    with open(pub_key_path, "r") as f:
         public_key = f.read()
 
     return private_key, public_key