-rw-r--r--hosts/ahmed/configuration.nix4
-rw-r--r--modules/nixos/default.nix1
-rw-r--r--modules/nixos/git.linus.onl/default.nix80
3 files changed, 85 insertions, 0 deletions
diff --git a/hosts/ahmed/configuration.nix b/hosts/ahmed/configuration.nix
index 1d0f176..79b9ff9 100644
--- a/hosts/ahmed/configuration.nix
+++ b/hosts/ahmed/configuration.nix
@@ -57,6 +57,10 @@
enable = true;
useACME = true;
};
+ modules."git.linus.onl" = {
+ enable = true;
+ useACME = true;
+ };
# Configure ACME for various HTTPS services.
security.acme = {
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index c1ab502..13476b5 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -11,5 +11,6 @@
graphics = import ./graphics;
"linus.onl" = import ./linus.onl;
"notifications.linus.onl" = import ./nofitications.linus.onl;
+ "git.linus.onl" = import ./git.linus.onl;
};
}
diff --git a/modules/nixos/git.linus.onl/default.nix b/modules/nixos/git.linus.onl/default.nix
new file mode 100644
index 0000000..e134f07
--- /dev/null
+++ b/modules/nixos/git.linus.onl/default.nix
@@ -0,0 +1,80 @@
+{
+ lib,
+ config,
+ pkgs,
+ options,
+ metadata,
+ ...
+}: let
+ inherit (lib) mkEnableOption mkOption types mkIf;
+
+ git-shell = "${pkgs.gitMinimal}/bin/git-shell";
+
+ cfg = config.modules."git.linus.onl";
+in {
+ options.modules."git.linus.onl" = {
+ enable = mkEnableOption "git.linus.onl static site";
+
+ useACME = mkEnableOption "built-in HTTPS stuff";
+
+ location = mkOption {
+ description = "Where repositories will be stored.";
+ type = types.path;
+ default = "/srv/git";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ # Create a user which
+ # See: https://git-scm.com/book/en/v2/Git-on-the-Server-Setting-Up-the-Server
+ users.users.git = {
+ description = "Git server user";
+ isSystemUser = true;
+ group = "git";
+
+ # FIXME: Is serving the home-directory of a user (indirectly through CGit) a bad idea?
+ home = cfg.location;
+ createHome = false;
+
+ # Restrict this user to Git-related activities.
+ # See: https://git-scm.com/docs/git-shell
+ shell = git-shell;
+
+ # List of users who can ssh into this server and write to stuff. We add
+ # some restrictions on what users can do on the server. This works in
+ # tandem with the custom shell.
+ openssh.authorizedKeys.keys =
+ map (key: "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ${key}")
+ [
+ metadata.hosts.muhammed.sshPubKey
+ ];
+ };
+ users.groups.git = {};
+
+ environment.shells = [ git-shell ];
+
+ # Create repo directory. It must be readable to NGINX.
+ # See: https://git.zx2c4.com/cgit/about/faq#why-doesnt-cgit-findshow-my-repo
+ system.activationScripts.create-cgit-scan-path = mkIf (cfg.location == options.modules."git.linus.onl".location.default) ''
+ mkdir -p ${cfg.location}
+ chown ${toString config.users.users.git.name} ${cfg.location}
+ chgrp ${toString config.users.groups.git.name} ${cfg.location}
+ chmod 755 ${cfg.location}
+ '';
+
+ # Public git viewer.
+ services.cgit."git.linus.onl" = {
+ enable = true;
+ scanPath = cfg.location;
+ };
+
+ # Register domain name.
+ services.cloudflare-dyndns.domains = ["git.linus.onl"];
+
+ # The CGit service creates the virtual host, but it does not enable ACME.
+ services.nginx.virtualHosts."git.linus.onl" = {
+ enableACME = cfg.useACME;
+ forceSSL = cfg.useACME;
+ };
+ };
+}
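Review bot: The comment above `users.users.git` is cut off (`# Create a user which`), and the two option descriptions look copy-pasted: `enable` describes a "static site" although the module sets up a Git server, and `useACME` says "built-in HTTPS stuff". Suggest `# Create a dedicated, shell-restricted user that owns the repositories and accepts pushes over SSH.`, `enable = mkEnableOption "git.linus.onl Git hosting (SSH push, CGit web viewer)";` and `useACME = mkEnableOption "HTTPS via ACME for the git.linus.onl virtual host";`. On the FIXME at the `home` line: the same directory is the user's home and the CGit `scanPath`, so as far as I can tell every repository that the authorized key pushes there becomes world-readable through the web viewer with no per-repository visibility control, which is worth stating in the `location` description rather than leaving as an open question. The `location` description should also say that the activation script only creates and chowns the directory when the option is left at its default, so a custom path has to exist beforehand with git:git ownership and mode 755 (the chmod 755 on the default path is what lets nginx read it). Since the key list already stacks `no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty`, consider the single `restrict` option instead, which covers those and any restriction added by newer OpenSSH versions.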