bekkalokk/gitea: set up gitea-web sync units

@@ -0,0 +16,4 @@
+      "E202" # "whitespace after }"
+      "E251" # unexpected spaces around keyword / parameter equals
+      "W391" # Newline at end of file
+    ];

@@ -0,0 +11,4 @@
+
+def parse_args():
+    parser = argparse.ArgumentParser(description="Generate SSH keys for Gitea repositories and add them as secrets")
+    parser.add_argument("--org", required=True, help="The organization to generate keys for")

@@ -0,0 +22,4 @@
+    return parser.parse_args()
+
+
+def add_secret(args, token, repo, name, secret):

@@ -0,0 +72,4 @@
+def generate_authorized_keys(args, repo_public_keys: list[tuple[str, str]]):
+    result = ""
+    for repo, public_key in repo_public_keys:
+        result += f"""

@@ -0,0 +23,4 @@
+  } (lib.pipe ./gitea-web-secret-provider.py [
+    builtins.readFile
+    (lib.splitString "\n")
+    (lib.drop 2)

@@ -0,0 +95,4 @@
+            org = "%i";
+            token-path = "%d/token";
+            api-url = "${cfg.settings.server.ROOT_URL}api/v1";
+            key-dir = "%S/gitea-web/keys/%i";

@@ -0,0 +100,4 @@
+            rrsync-path = "${pkgs.rrsync}/bin/rrsync";
+            web-dir = "%S/gitea-web/web";
+          };
+        in "${program} ${args}";

@@ -0,0 +110,4 @@
+      } // commonHardening;
+    };
+
+    "gitea-web-chown@" = {

@@ -0,0 +143,4 @@
+    };
+  };
+
+  systemd.targets.timers.wants = lib.mapCartesianProduct ({ timer, org }: "${timer}@${org}.timer") {

@@ -0,0 +26,4 @@
+    result = requests.put(
+        f"{args.api_url}/repos/{args.org}/{repo}/actions/secrets/{name}",
+        json = { 'data': secret },
+        headers = { 'Authorization': 'token ' + token },

@@ -0,0 +48,4 @@
+            [
+                "ssh-keygen",
+                *("-t", "ed25519"),
+                *("-b", "4096"),

@@ -0,0 +55,4 @@
+            ],
+            check=True,
+            stdin=subprocess.DEVNULL,
+            stdout=subprocess.DEVNULL,