Set up web hosting for gitea projects #65
Labels
No Label
art
backup
big
blocked
bug
crash report
disputed
documentation
duplicate
enhancement
good first issue
logging
nixos
question
salt
security
servers n' hardware
wontfix
No Milestone
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: Drift/pvv-nixos-config#65
Loading…
Reference in New Issue
Block a user
No description provided.
Delete Branch "setup-gitea-web"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
P-P-Pwease woast my python cyode @pederbs -sama rawr xd puppy eyes
Fixes Drift/issues#95
My rar bruk av python, som det å blande
pathlib
ogos.path
, men ingenting kritisk. Legger ved noen nits, men ingen av de er viktige@ -0,0 +16,4 @@
"E202" # "whitespace after }"
"E251" # unexpected spaces around keyword / parameter equals
"W391" # Newline at end of file
];
👍
@ -0,0 +11,4 @@
def parse_args():
parser = argparse.ArgumentParser(description="Generate SSH keys for Gitea repositories and add them as secrets")
parser.add_argument("--org", required=True, help="The organization to generate keys for")
parser.add_argument("--org", required=True, type=str, help="The organization to generate keys for")
@ -0,0 +22,4 @@
return parser.parse_args()
def add_secret(args, token, repo, name, secret):
def add_secret(args: argsparse.Namespace, token: str, repo: str, name: str, secret: str) -> None:
@ -0,0 +72,4 @@
def generate_authorized_keys(args, repo_public_keys: list[tuple[str, str]]):
result = ""
for repo, public_key in repo_public_keys:
result += f"""
"a" + "b" vil allokere en ny string. Det er bedre å appende linjene i en liste og
"\n.join(...)
'e de til slutt, da ungår du n^2 minnebruktror de fleste file-like objektene støtter
.writeline
ce2f6a4546
toef8e29f576
ef8e29f576
to74a2b1970e
python diff lgtm
@ -0,0 +23,4 @@
} (lib.pipe ./gitea-web-secret-provider.py [
builtins.readFile
(lib.splitString "\n")
(lib.drop 2)
Litt sus, vurder å fjerne eller padde denne så den ikke gjør noe i stedet, så den tåler script både med og uten shebangs
@ -0,0 +95,4 @@
org = "%i";
token-path = "%d/token";
api-url = "${cfg.settings.server.ROOT_URL}api/v1";
key-dir = "%S/gitea-web/keys/%i";
/var/lib
er hardkodet over når tmpfiles-ene defineres, det bør samsvare med hvilke mapper som faktisk brukes. Hardkod gjerne/var/lib
her også for å holde det consistant@ -0,0 +100,4 @@
rrsync-path = "${pkgs.rrsync}/bin/rrsync";
web-dir = "%S/gitea-web/web";
};
in "${program} ${args}";
"program" er kanskje et uklart navn her? Høres ut som noe generisk, og ikke det konkrete skriptet
@ -0,0 +110,4 @@
} // commonHardening;
};
"gitea-web-chown@" = {
Kanskje den tillatte SSH-kommandoen kan peke på et eget script som først gjør
rrsync
og deretterchown
og/eller annen opprydding? Da slipper vi timere i hytt og pine, og filene blir umiddelbart fikset etter de er lagt på plass.@ -0,0 +143,4 @@
};
};
systemd.targets.timers.wants = lib.mapCartesianProduct ({ timer, org }: "${timer}@${org}.timer") {
hurr durr https://media.tenor.com/aVz01e5TJUAAAAAM/big-brain.gif
@ -0,0 +26,4 @@
result = requests.put(
f"{args.api_url}/repos/{args.org}/{repo}/actions/secrets/{name}",
json = { 'data': secret },
headers = { 'Authorization': 'token ' + token },
"token" ser ikke ut til å være en gyldig auth schema, skal dette være Bearer?
https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#authentication_schemes
https://docs.gitea.com/next/development/api-usage er tullerusk og påstår at det må stå token her.
@ -0,0 +48,4 @@
[
"ssh-keygen",
*("-t", "ed25519"),
*("-b", "4096"),
Fra
man ssh-keygen
:@ -0,0 +55,4 @@
],
check=True,
stdin=subprocess.DEVNULL,
stdout=subprocess.DEVNULL,
Disse er sus, og fjerner alle nyttige feilmeldinger
74a2b1970e
to1ac43cdb72
1ac43cdb72
to50fd7ccee2
👉👈🥺
I haven't tried building and running this, but if it works, it looks good!
I would probably move a lot of the tmpdir generation into systemd using StateDirectory or WorkingDirectory or something to clean up the module, but this is just personal preference, no problem.
It might be a bit of work, as you want to separate it away from User=gitea to accomplish this, as it should be nginx or an entirely separate service user.
Otherwise, LGTM if you want to merge it either way 🚀
50fd7ccee2
to4e18642c14
4e18642c14
to4665456620
4665456620
tof45b70594d
f45b70594d
to4800c506c2
4800c506c2
to1f8692c36f
Do we need
users.users.nginx.extraGroups = [ "gitea-web" ];
when we have/chown -R gitea-web:nginx "$1"
?If we remove nginx from the gitea-web-group, other things running under
nginx
will not be able to read the SSH keys, but will still be able to serve the web files, if I understand it correctly?The private keys will still be private, and the rest is just public keys. Is it reasonable to change it to
chown -R gitea-web:gitea-web
?I'm a bit worried about changing the inner web group to nginx, when the state directory is
0750 gitea-web:gitea-web
Ah, yes they're 0600, oops. Well, why does nginx have to be in the gitea-web group? I believe
gitea-web:nginx
and no extra groups is better if that works?Edit after your edit: Okay, if you change it to gitea-web:gitea-web, I guess it's fine.
1f8692c36f
toacf46cb576
Let's Get This Militarized 🚀