From 3c3e4531dac7f4ab591bf391be72a11121b45673 Mon Sep 17 00:00:00 2001
From: tzlil
Date: Fri, 17 Feb 2023 16:50:09 +0200
Subject: cgit works, added git user to ssh AllowUser, added uid/gid maps to persist
---
 hosts/vps/git.nix | 64 ++++++++++++++++++++++++++++++++++++++-----------------
 profiles/core.nix | 3 +++
 profiles/ssh.nix | 2 +-
 3 files changed, 48 insertions(+), 21 deletions(-)
diff --git a/hosts/vps/git.nix b/hosts/vps/git.nix
index 3ad26c0..fcf8cfb 100644
--- a/hosts/vps/git.nix
+++ b/hosts/vps/git.nix
@@ -2,10 +2,13 @@
 {
 config = {
+ users.groups.git = {};
 users.users.git = {
 isSystemUser = true;
- description = "git";
+ description = "tzlil";
+ group = "git";
 home = "/home/git";
+ packages = [pkgs.git];
 shell = "${pkgs.git}/bin/git-shell";
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMDyzrs9sbstv3KFK5FV8qYlSknnEy8Cn+qch4dJLmHA"
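Review bot: The authorized key on the last line of the hunk carries no options, so a session as `git` gets whatever PTY, port, agent and X11 forwarding the global sshd settings allow, even though the account's shell is `git-shell`; nothing in the sshd config visible in the profiles/ssh.nix hunk restricts this account specifically. Prefixing the entry with `restrict ssh-ed25519 …` confines it to the git transport at the key level (push/pull need no PTY; add `pty` back only if an interactive git-shell session is ever wanted), or the same can be done server-side with a `Match User git` block in the `extraConfig` that the profiles/ssh.nix hunk edits, where `AllowUsers` now admits the account. Separately, `description = "tzlil"` replaces the service account's GECOS field with the owner's name, which looks like a copy/paste; `description = "git service account";` would read less confusingly in `getent passwd` output. The `users.users.git` attribute set continues past the end of this hunk.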
@@ -14,27 +17,48 @@
 services = {
 fcgiwrap.enable = true;
 caddy = {
- virtualHosts."http://localhost".extraConfig = ''
- reverse_proxy localhost:5678 {
- transport fastcgi {
- env SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi
- env CGIT_CONFIG ${pkgs.writeText "cgitrc" (lib.generators.toKeyValue { } {
- clone-url = (lib.concatStringsSep " " [
- "http://$HTTP_HOST$SCRIPT_NAME/$CGIT_REPO_URL"
- "ssh://git@git.example.com:$CGIT_REPO_URL"
- ]);
- enable-log-filecount = 1;
- enable-log-linecount = 1;
- enable-git-config = 1;
- root-title = "git.example.com";
- root-desc = "Tzlil's Git Repositories";
- scan-path = "/home/git";
- })}
- }
+ virtualHosts."http://100.67.217.90".extraConfig = ''
+ bind 100.67.217.90
+ handle /cgit.png {
+ root * ${pkgs.cgit}/cgit
+ file_server
+ }
+ handle /cgit.css {
+ root * ${pkgs.cgit}/cgit
+ file_server
+ }
+ handle /favicon.ico {
+ root * ${pkgs.cgit}/cgit
+ file_server
+ }
+ handle {
+ reverse_proxy unix//run/fcgiwrap.sock {
+ transport fastcgi {
+ env SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi
+ env CGIT_CONFIG ${pkgs.writeText "cgitrc" (pkgs.lib.generators.toKeyValue { } {
+ css = "/cgit.css";
+ logo = "/cgit.png";
+ favicon = "/favicon.ico";
+ clone-url = (pkgs.lib.concatStringsSep " " [
+ "http://$HTTP_HOST$SCRIPT_NAME/$CGIT_REPO_URL"
+ "ssh://git@git.example.com:$CGIT_REPO_URL"
+ ]);
+ enable-log-filecount = 1;
+ enable-log-linecount = 1;
+ enable-git-config = 1;
+ root-title = "git.example.com";
+ root-desc = "Tzlil's Git Repositories";
+ scan-path = "/home/git";
+ about-filter = "${pkgs.cgit}/lib/cgit/filters/about-formatting.sh";
+ source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py";
+ logo-link = "/";
+ })}
+ }
+ }
 }
 '';
- }
+ };
 };
- environment.persistence."/nix/persist".directories = [ "/home/git" ];
+ environment.persistence."/nix/persist".directories = [ { directory = "/home/git"; user = "git"; group = "git"; } ];
 };
 }
\ No newline at end of file
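Review bot: `reverse_proxy unix//run/fcgiwrap.sock` hands every request to fcgiwrap, and neither this hunk nor the `fcgiwrap.enable = true;` context line sets `services.fcgiwrap.user`/`group`, so unless that happens elsewhere the cgit CGI runs under the module's default identity, which as far as I recall was root in the NixOS module of this vintage; a dedicated low-privilege account with read access to `/home/git` is the usual fix. That matters more now that the new `about-filter` and `source-filter` run a shell script and a Python script over repository contents per request and `enable-git-config = 1` lets each repo's `.git/config` override cgit settings, since the process identity bounds what a bug in either can reach. A smaller point: `ssh://git@git.example.com:$CGIT_REPO_URL` mixes the `ssh://` scheme with scp-style `host:path`; git's scheme form is `ssh://user@host/path`, so the advertised URL is worth checking with a real clone, and `git.example.com` should be whatever name the `100.67.217.90` vhost is actually reached by. The enclosing `config` attribute set begins before this hunk.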
diff --git a/profiles/core.nix b/profiles/core.nix
index 17d64e2..5f48baa 100644
--- a/profiles/core.nix
+++ b/profiles/core.nix
@@ -25,5 +25,8 @@
 age.identityPaths = [ "/nix/persist/etc/ssh/ssh_host_ed25519_key" ];
 programs.command-not-found.dbPath = inputs.programsdb.packages.${pkgs.system}.programs-sqlite;
+
+ # save uid/guid
+ environment.persistence."/nix/persist".directories = [ "/var/lib/nixos" ];
 };
 }
\ No newline at end of file
diff --git a/profiles/ssh.nix b/profiles/ssh.nix
index 4c12cc7..49917f9 100644
--- a/profiles/ssh.nix
+++ b/profiles/ssh.nix
@@ -15,7 +15,7 @@
 AuthenticationMethods publickey
 StreamLocalBindUnlink yes
- AllowUsers tzlil
+ AllowUsers tzlil git
 '';
 settings = {
 permitRootLogin = "no";
-- 
cgit 1.4.1
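Review bot: The comment `# save uid/guid` in the profiles/core.nix hunk misnames what is being persisted; `/var/lib/nixos` holds the uid/gid allocation maps, and "guid" reads as a different concept, so `# persist uid/gid maps so dynamically allocated users (e.g. git) keep the same ids across reboots` states why the line exists. Presumably this is also what keeps the `user = "git"; group = "git";` ownership on the persisted `/home/git` directory in the hosts/vps/git.nix hunk correct from one boot to the next; a clause to that effect would spare the next reader the cross-reference. The attribute set this line sits in starts before the hunk.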