Drift/pvv-nixos-config
17
5
Fork 1
Code Issues Pull Requests 7 Actions Wiki Activity

Set up web hosting for gitea projects #65

Merged
oysteikt merged 2 commits from setup-gitea-web into main 2024-08-26 20:36:03 +02:00
Conversation 9 Commits 2 Files Changed 6 +233 -4
oysteikt commented 2024-08-14 21:32:35 +02:00
Owner
Copy Link

P-P-Pwease woast my python cyode @pederbs -sama rawr xd puppy eyes

Fixes Drift/issues#95

P-P-Pwease woast my python cyode @pederbs -sama rawr xd *puppy eyes* Fixes https://git.pvv.ntnu.no/Drift/issues/issues/95
oysteikt requested review from pederbs 2024-08-14 21:32:42 +02:00
pederbs reviewed 2024-08-15 00:56:21 +02:00
pederbs left a comment
Owner
Copy Link

My rar bruk av python, som det å blande pathlib og os.path, men ingenting kritisk. Legger ved noen nits, men ingen av de er viktige

My rar bruk av python, som det å blande `pathlib` og `os.path`, men ingenting kritisk. Legger ved noen nits, men ingen av de er viktige
hosts/bekkalokk/services/gitea/web-secret-provider/default.nix Outdated
@@ -0,0 +16,4 @@
"E202" # "whitespace after }"
"E251" # unexpected spaces around keyword / parameter equals
"W391" # Newline at end of file
];
pederbs commented 2024-08-15 00:31:07 +02:00
Owner
Copy Link

👍

:+1:
👍 1
oysteikt marked this conversation as resolved
hosts/bekkalokk/services/gitea/web-secret-provider/gitea-web-secret-provider.py Outdated
@@ -0,0 +11,4 @@
def parse_args():
parser = argparse.ArgumentParser(description="Generate SSH keys for Gitea repositories and add them as secrets")
parser.add_argument("--org", required=True, help="The organization to generate keys for")
pederbs commented 2024-08-15 00:24:43 +02:00
Owner
Copy Link

parser.add_argument("--org", required=True, type=str, help="The organization to generate keys for")

` parser.add_argument("--org", required=True, type=str, help="The organization to generate keys for") `
oysteikt marked this conversation as resolved
hosts/bekkalokk/services/gitea/web-secret-provider/gitea-web-secret-provider.py Outdated
@@ -0,0 +22,4 @@
return parser.parse_args()
def add_secret(args, token, repo, name, secret):
pederbs commented 2024-08-15 00:25:31 +02:00
Owner
Copy Link

def add_secret(args: argsparse.Namespace, token: str, repo: str, name: str, secret: str) -> None:

`def add_secret(args: argsparse.Namespace, token: str, repo: str, name: str, secret: str) -> None:`
oysteikt marked this conversation as resolved
hosts/bekkalokk/services/gitea/web-secret-provider/gitea-web-secret-provider.py Outdated
@@ -0,0 +72,4 @@
def generate_authorized_keys(args, repo_public_keys: list[tuple[str, str]]):
result = ""
for repo, public_key in repo_public_keys:
result += f"""
pederbs commented 2024-08-15 00:28:41 +02:00
Owner
Copy Link

"a" + "b" vil allokere en ny string. Det er bedre å appende linjene i en liste og "\n.join(...)'e de til slutt, da ungår du n^2 minnebruk

"a" + "b" vil allokere en ny string. Det er bedre å appende linjene i en liste og `"\n.join(...)`'e de til slutt, da ungår du n^2 minnebruk
pederbs commented 2024-08-15 00:29:19 +02:00
Owner
Copy Link

tror de fleste file-like objektene støtter .writeline

tror de fleste file-like objektene støtter `.writeline`
oysteikt marked this conversation as resolved
oysteikt force-pushed setup-gitea-web from ce2f6a4546 to ef8e29f576 2024-08-15 09:23:06 +02:00 Compare
oysteikt force-pushed setup-gitea-web from ef8e29f576 to 74a2b1970e 2024-08-15 09:58:38 +02:00 Compare
pederbs reviewed 2024-08-15 22:54:52 +02:00
pederbs left a comment
Owner
Copy Link

python diff lgtm

python diff lgtm
oysteikt requested review from danio 2024-08-16 01:35:50 +02:00
felixalb reviewed 2024-08-18 04:08:38 +02:00
hosts/bekkalokk/services/gitea/web-secret-provider/default.nix Outdated
@@ -0,0 +23,4 @@
} (lib.pipe ./gitea-web-secret-provider.py [
builtins.readFile
(lib.splitString "\n")
(lib.drop 2)
felixalb commented 2024-08-18 03:18:16 +02:00
Owner
Copy Link

Litt sus, vurder å fjerne eller padde denne så den ikke gjør noe i stedet, så den tåler script både med og uten shebangs

Litt sus, vurder å fjerne eller padde denne så den ikke gjør noe i stedet, så den tåler script både med og uten shebangs
oysteikt marked this conversation as resolved
hosts/bekkalokk/services/gitea/web-secret-provider/default.nix Outdated
@@ -0,0 +95,4 @@
org = "%i";
token-path = "%d/token";
api-url = "${cfg.settings.server.ROOT_URL}api/v1";
key-dir = "%S/gitea-web/keys/%i";
felixalb commented 2024-08-18 03:24:25 +02:00
Owner
Copy Link

/var/lib er hardkodet over når tmpfiles-ene defineres, det bør samsvare med hvilke mapper som faktisk brukes. Hardkod gjerne /var/lib her også for å holde det consistant

`/var/lib` er hardkodet over når tmpfiles-ene defineres, det bør samsvare med hvilke mapper som faktisk brukes. Hardkod gjerne `/var/lib` her også for å holde det consistant
oysteikt marked this conversation as resolved
hosts/bekkalokk/services/gitea/web-secret-provider/default.nix Outdated
@@ -0,0 +100,4 @@
rrsync-path = "${pkgs.rrsync}/bin/rrsync";
web-dir = "%S/gitea-web/web";
};
in "${program} ${args}";
felixalb commented 2024-08-18 03:21:45 +02:00
Owner
Copy Link

"program" er kanskje et uklart navn her? Høres ut som noe generisk, og ikke det konkrete skriptet

"program" er kanskje et uklart navn her? Høres ut som noe generisk, og ikke det konkrete skriptet
oysteikt marked this conversation as resolved
hosts/bekkalokk/services/gitea/web-secret-provider/default.nix Outdated
@@ -0,0 +110,4 @@
} // commonHardening;
};
"gitea-web-chown@" = {
felixalb commented 2024-08-18 03:35:34 +02:00
Owner
Copy Link

Kanskje den tillatte SSH-kommandoen kan peke på et eget script som først gjør rrsync og deretter chown og/eller annen opprydding? Da slipper vi timere i hytt og pine, og filene blir umiddelbart fikset etter de er lagt på plass.

Kanskje den tillatte SSH-kommandoen kan peke på et eget script som først gjør `rrsync` og deretter `chown` og/eller annen opprydding? Da slipper vi timere i hytt og pine, og filene blir umiddelbart fikset etter de er lagt på plass.
oysteikt marked this conversation as resolved
hosts/bekkalokk/services/gitea/web-secret-provider/default.nix Outdated
@@ -0,0 +143,4 @@
};
};
systemd.targets.timers.wants = lib.mapCartesianProduct ({ timer, org }: "${timer}@${org}.timer") {
felixalb commented 2024-08-18 03:43:41 +02:00
Owner
Copy Link

hurr durr https://media.tenor.com/aVz01e5TJUAAAAAM/big-brain.gif

<small>hurr durr</small> https://media.tenor.com/aVz01e5TJUAAAAAM/big-brain.gif
👍 1
oysteikt marked this conversation as resolved
hosts/bekkalokk/services/gitea/web-secret-provider/gitea-web-secret-provider.py Outdated
@@ -0,0 +26,4 @@
result = requests.put(
f"{args.api_url}/repos/{args.org}/{repo}/actions/secrets/{name}",
json = { 'data': secret },
headers = { 'Authorization': 'token ' + token },
felixalb commented 2024-08-18 03:47:13 +02:00
Owner
Copy Link

"token" ser ikke ut til å være en gyldig auth schema, skal dette være Bearer?

https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#authentication_schemes

"token" ser ikke ut til å være en gyldig auth schema, skal dette være Bearer? https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#authentication_schemes
felixalb commented 2024-08-18 04:07:56 +02:00
Owner
Copy Link

https://docs.gitea.com/next/development/api-usage er tullerusk og påstår at det stå token her.

https://docs.gitea.com/next/development/api-usage er tullerusk og påstår at det _må_ stå token her.
oysteikt marked this conversation as resolved
hosts/bekkalokk/services/gitea/web-secret-provider/gitea-web-secret-provider.py Outdated
@@ -0,0 +48,4 @@
[
"ssh-keygen",
*("-t", "ed25519"),
*("-b", "4096"),
felixalb commented 2024-08-18 03:48:41 +02:00
Owner
Copy Link

Fra man ssh-keygen:

ECDSA-SK, Ed25519 and Ed25519-SK keys have a fixed length and the -b flag will be ignored.

Fra `man ssh-keygen`: > ECDSA-SK, Ed25519 and Ed25519-SK keys have a fixed length and the -b flag will be ignored.
oysteikt marked this conversation as resolved
hosts/bekkalokk/services/gitea/web-secret-provider/gitea-web-secret-provider.py Outdated
@@ -0,0 +55,4 @@
],
check=True,
stdin=subprocess.DEVNULL,
stdout=subprocess.DEVNULL,
felixalb commented 2024-08-18 03:55:56 +02:00
Owner
Copy Link

Disse er sus, og fjerner alle nyttige feilmeldinger

Disse er sus, og fjerner alle nyttige feilmeldinger
oysteikt marked this conversation as resolved
oysteikt force-pushed setup-gitea-web from 74a2b1970e to 1ac43cdb72 2024-08-20 20:40:28 +02:00 Compare
oysteikt force-pushed setup-gitea-web from 1ac43cdb72 to 50fd7ccee2 2024-08-20 20:55:00 +02:00 Compare
oysteikt requested review from felixalb 2024-08-20 20:55:14 +02:00
oysteikt commented 2024-08-20 21:03:50 +02:00
Author
Owner
Copy Link

👉👈🥺

# 👉👈🥺
felixalb approved these changes 2024-08-21 12:28:03 +02:00
Dismissed
felixalb left a comment
Owner
Copy Link

I haven't tried building and running this, but if it works, it looks good!
I would probably move a lot of the tmpdir generation into systemd using StateDirectory or WorkingDirectory or something to clean up the module, but this is just personal preference, no problem.
It might be a bit of work, as you want to separate it away from User=gitea to accomplish this, as it should be nginx or an entirely separate service user.

Otherwise, LGTM if you want to merge it either way 🚀

I haven't tried building and running this, but if it works, it looks good! I would probably move a lot of the tmpdir generation into systemd using StateDirectory or WorkingDirectory or something to clean up the module, but this is just personal preference, no problem. It might be a bit of work, as you want to separate it away from User=gitea to accomplish this, as it should be nginx or an entirely separate service user. Otherwise, LGTM if you want to merge it either way 🚀
oysteikt force-pushed setup-gitea-web from 50fd7ccee2 to 4e18642c14 2024-08-26 17:48:56 +02:00 Compare
oysteikt force-pushed setup-gitea-web from 4e18642c14 to 4665456620 2024-08-26 17:51:53 +02:00 Compare
oysteikt force-pushed setup-gitea-web from 4665456620 to f45b70594d 2024-08-26 18:06:29 +02:00 Compare
oysteikt force-pushed setup-gitea-web from f45b70594d to 4800c506c2 2024-08-26 18:13:16 +02:00 Compare
oysteikt force-pushed setup-gitea-web from 4800c506c2 to 1f8692c36f 2024-08-26 18:15:15 +02:00 Compare
felixalb commented 2024-08-26 18:38:10 +02:00
Owner
Copy Link

Do we need users.users.nginx.extraGroups = [ "gitea-web" ]; when we have /chown -R gitea-web:nginx "$1"?
If we remove nginx from the gitea-web-group, other things running under nginx will not be able to read the SSH keys, but will still be able to serve the web files, if I understand it correctly?

Do we need ` users.users.nginx.extraGroups = [ "gitea-web" ];` when we have `/chown -R gitea-web:nginx "$1"`? If we remove nginx from the gitea-web-group, other things running under `nginx` will not be able to read the SSH keys, but will still be able to serve the web files, if I understand it correctly?
oysteikt commented 2024-08-26 18:40:21 +02:00
Author
Owner
Copy Link

The private keys will still be private, and the rest is just public keys. Is it reasonable to change it to chown -R gitea-web:gitea-web?

I'm a bit worried about changing the inner web group to nginx, when the state directory is 0750 gitea-web:gitea-web

The private keys will still be private, and the rest is just public keys. Is it reasonable to change it to `chown -R gitea-web:gitea-web`? I'm a bit worried about changing the inner web group to nginx, when the state directory is `0750 gitea-web:gitea-web`
felixalb commented 2024-08-26 18:45:13 +02:00
Owner
Copy Link

Ah, yes they're 0600, oops. Well, why does nginx have to be in the gitea-web group? I believe gitea-web:nginx and no extra groups is better if that works?

Edit after your edit: Okay, if you change it to gitea-web:gitea-web, I guess it's fine.

Ah, yes they're 0600, oops. Well, why does nginx have to be in the gitea-web group? I believe `gitea-web:nginx` and no extra groups is better if that works? Edit after your edit: Okay, if you change it to gitea-web:gitea-web, I guess it's fine.
oysteikt force-pushed setup-gitea-web from 1f8692c36f to acf46cb576 2024-08-26 20:32:21 +02:00 Compare
oysteikt requested review from felixalb 2024-08-26 20:33:05 +02:00
felixalb approved these changes 2024-08-26 20:34:39 +02:00
felixalb left a comment
Owner
Copy Link

Let's Get This Militarized 🚀

Let's Get This Militarized 🚀
oysteikt merged commit 3fa7f67027 into main 2024-08-26 20:36:03 +02:00
oysteikt deleted branch setup-gitea-web 2024-08-26 20:36:03 +02:00
Sign in to join this conversation.
Reviewers
No Reviewers
pederbs
danio
felixalb
Labels
Clear labels
art
The issue needs someone to be creative
 backup
big
No, not bug, **big** - this is gonna take a while
 blocked
This issue/PR depends on one or more other issues/PRs
 bug
Something is not working, and it's not the shield hero
 crash report
Report an oopsie
 disputed
kranglefanter
 documentation
Documentation changes required
 duplicate
This issue or pull request already exists
 enhancement
New feature
 good first issue
Get your hands dirty with a new project here
 logging
networking
TTM4100
 nixos
Requires changes to our nixos setup
 question
More information is needed
 salt
Requires changes to our salt setup
 security
Skommel
 servers n' hardware
Regards hardware, servers or VMs
 wontfix
This won't be fixed
No Label
Milestone
No items
No Milestone
Assignees
Clear assignees
adriangl albertba alfhj amalieem bjornoka chrisfjo chrivi danio davidk dungby eirikwit felixalb frero jonmro jovre karolds knuta krisleri larshhan oysteikt pederbs root torsteno yorinad
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Drift/pvv-nixos-config#65
Delete Branch "setup-gitea-web"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?