bekkalokk/gitea-web: host pages

bekkalokk/gitea: set up gitea-web sync units
2024-08-15 09:58:32 +02:00 · 2024-08-15 09:58:32 +02:00
2 changed files with 28 additions and 18 deletions
--- a/hosts/bekkalokk/services/gitea/web-secret-provider/default.nix
+++ b/hosts/bekkalokk/services/gitea/web-secret-provider/default.nix
@ -52,15 +52,31 @@ in
    ] ++ (map (org: "gitea-web-secret-provider@${org}") organizations);
  };

-  systemd.tmpfiles.settings."10-gitea-web-secret-provider"."/var/lib/gitea-web/authorized_keys.d".d = {
+  systemd.tmpfiles.settings."10-gitea-web-secret-provider" = {
+    "/var/lib/gitea-web/authorized_keys.d".d = {
      user = "gitea";
      group = "gitea";
      mode = "700";
    };
+    "/var/lib/gitea-web/web".d = {
+      user = "gitea";
+      group = "nginx";
+      mode = "750";
+    };
+  } //
+  (builtins.listToAttrs (map (org: {
+    name = "/var/lib/gitea-web/web/${org}";
+    value = {
+      d = {
+        user = "gitea";
+        group = "nginx";
+        mode = "750";
+      };
+    };
+  }) organizations));

  systemd.slices.system-giteaweb = {
    description = "Gitea web directories";
-    wantedBy = [ "multi-user.target" ];
  };

  # https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Specifiers
@ -79,7 +95,7 @@ in
            org = "%i";
            token-path = "%d/token";
            api-url = "${cfg.settings.server.ROOT_URL}api/v1";
-            key-dir = "%S/%i/keys";
+            key-dir = "%S/gitea-web/keys/%i";
            authorized-keys-path = "%S/gitea-web/authorized_keys.d/%i";
            rrsync-path = "${pkgs.rrsync}/bin/rrsync";
            web-dir = "%S/gitea-web/web";
@ -95,18 +111,11 @@ in
    };

    "gitea-web-chown@" = {
-      description = "Ensure all gitea-web content is owned by the gitea user";
+      description = "Ensure all gitea-web content has correct ownership";
      serviceConfig = {
        Slice = "system-giteaweb.slice";
        Type = "oneshot";
-        ExecStart = "${pkgs.coreutils}/bin/chown -R gitea:gitea '%S/gitea-web'";
-
-        StateDirectory = "%i";
-
-        LoadCredential = [
-          "token:${config.sops.secrets."gitea/web-secret-provider/token".path}"
-        ];
-
+        ExecStart = "${pkgs.coreutils}/bin/chown -R gitea:nginx '%S/gitea-web/web/%i'";
        PrivateNetwork = true;
      } // commonHardening;
    };
--- a/hosts/bekkalokk/services/gitea/web-secret-provider/gitea-web-secret-provider.py
+++ b/hosts/bekkalokk/services/gitea/web-secret-provider/gitea-web-secret-provider.py
@ -43,7 +43,7 @@ def get_org_repo_list(args: argparse.Namespace, token: str):
 def generate_ssh_key(args: argparse.Namespace, repository: str):
    keyname = hashlib.sha256(args.org.encode() + repository.encode()).hexdigest()
    key_path = args.key_dir / keyname
-    if not key_path.exists() or args.force:
+    if not key_path.is_file() or args.force:
        subprocess.run(
            [
                "ssh-keygen",
@ -63,7 +63,8 @@ def generate_ssh_key(args: argparse.Namespace, repository: str):
    with open(key_path, "r") as f:
        private_key = f.read()

-    with open(key_path.append_suffix('.pub'), "r") as f:
+    pub_key_path = args.key_dir / (keyname + '.pub')
+    with open(pub_key_path, "r") as f:
        public_key = f.read()

    return private_key, public_key
Author	SHA1	Message	Date
Oystein Kristoffer Tveit	74a2b1970e	bekkalokk/gitea-web: host pages	2024-08-15 09:58:32 +02:00
Oystein Kristoffer Tveit	91876214f0	bekkalokk/gitea: set up gitea-web sync units	2024-08-15 09:58:32 +02:00