Diffstat (limited to 'modules')
| -rw-r--r-- | modules/hosts/sachiel/flake-parts.nix | 3 | ||||
| -rw-r--r-- | modules/services/cgit.nix | 44 | ||||
| -rw-r--r-- | modules/services/git.nix | 19 | ||||
| -rw-r--r-- | modules/services/openssh.nix | 2 | ||||
| -rw-r--r-- | modules/system/secrets.nix | 6 |
5 files changed, 74 insertions, 0 deletions
diff --git a/modules/hosts/sachiel/flake-parts.nix b/modules/hosts/sachiel/flake-parts.nix
index 6f33503..e30a532 100644
--- a/modules/hosts/sachiel/flake-parts.nix
+++ b/modules/hosts/sachiel/flake-parts.nix
@@ -4,10 +4,13 @@
 specialArgs = { inherit inputs; };
 modules = [
 inputs.self.modules.nixos.sachiel
+ inputs.self.modules.nixos.secrets
 inputs.self.modules.nixos.openssh
 inputs.self.modules.nixos.nginx
 inputs.self.modules.nixos.nextcloud
 inputs.self.modules.nixos.site
+ inputs.self.modules.nixos.git
+ inputs.self.modules.nixos.cgit
 ];
 };
 }
diff --git a/modules/services/cgit.nix b/modules/services/cgit.nix
new file mode 100644
index 0000000..ad99d3d
--- /dev/null
+++ b/modules/services/cgit.nix
@@ -0,0 +1,44 @@
+{
+ flake.modules.nixos.cgit =
+ {
+ config,
+ lib,
+ pkgs,
+ ...
+ }:
+ {
+ services.cgit."git-server" = {
+ enable = true;
+
+ scanPath = "/var/lib/git-server";
+
+ user = "git";
+ group = "git";
+
+ nginx.virtualHost = "git.schererleander.de";
+
+ gitHttpBackend = {
+ enable = true;
+ checkExportOkFiles = false;
+ };
+
+ settings = {
+ "root-title" = "My Git Repositories";
+ "root-desc" = "Self-hosted NixOS Git server";
+ "clone-url" =
+ "https://git.schererleander.de/$CGIT_REPO_URL ssh://git@git.schererleander.de/$CGIT_REPO_URL";
+ "enable-http-clone" = 1;
+ "enable-commit-graph" = 1;
+ "enable-log-filecount" = 1;
+ "enable-log-linecount" = 1;
+ "branch-sort" = "age";
+ };
+ };
+
+ services.nginx.virtualHosts."git.schererleander.de" = {
+ forceSSL = true;
+ sslCertificate = config.sops.secrets."cert_fullchain".path;
+ sslCertificateKey = config.sops.secrets."cert_private".path;
+ };
+ };
+}
diff --git a/modules/services/git.nix b/modules/services/git.nix
new file mode 100644
index 0000000..5be5d58
--- /dev/null
+++ b/modules/services/git.nix
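Review bot: With `checkExportOkFiles = false;` the git-http-backend serves every repository cgit discovers under `scanPath`, and `"enable-http-clone" = 1;` lets anyone clone it anonymously, so any repository placed in `/var/lib/git-server` (which git.nix also makes the git user's home) is public the moment it exists, with no per-repo opt-in. Prefer `checkExportOkFiles = true;` and mark the repositories that should be public with a `git-daemon-export-ok` file, or at least point `scanPath` at a dedicated repositories subdirectory rather than the account's home so the served tree and the login home (including the `.ssh` directory that secrets.nix populates there) stay apart; the same home/scan-root overlap applies to the git.nix and secrets.nix hunks below. The `lib` and `pkgs` arguments are accepted by the module pattern but never used and could be dropped.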
@@ -0,0 +1,19 @@
+{
+ flake.modules.nixos.git =
+ {
+ config,
+ lib,
+ pkgs,
+ ...
+ }:
+ {
+ users.users.git = {
+ isSystemUser = true;
+ group = "git";
+ home = "/var/lib/git-server";
+ createHome = true;
+ shell = "${pkgs.git}/bin/git-shell";
+ };
+ users.groups.git = { };
+ };
+}
diff --git a/modules/services/openssh.nix b/modules/services/openssh.nix
index 68d1511..8bb530c 100644
--- a/modules/services/openssh.nix
+++ b/modules/services/openssh.nix
@@ -9,6 +9,8 @@
 enable = true;
 ports = [ 8693 ];
 settings = {
+ AllowTcpForwarding = false;
+ AllowAgentForwarding = false;
 PasswordAuthentication = false;
 X11Forwarding = false;
 PermitRootLogin = "yes";
diff --git a/modules/system/secrets.nix b/modules/system/secrets.nix
index bd9c2e4..90622fb 100644
--- a/modules/system/secrets.nix
+++ b/modules/system/secrets.nix
@@ -36,6 +36,12 @@
 owner = "root";
 mode = "0600";
 };
+ "ssh_git_pubkey" = {
+ owner = "git";
+ group = "git";
+ mode = "0400";
+ path = "/var/lib/git-server/.ssh/authorized_keys";
+ };
 "cert_fullchain" = {
 owner = "nginx";
 group = "nginx"; |
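Review bot: The reason for `shell = "${pkgs.git}/bin/git-shell";` is not documented, and it is the single line that keeps this account from being a general-purpose login; a comment above it such as `# git-shell only runs git upload/receive commands; no interactive login for this account` would make the intent obvious to the next maintainer. `config` and `lib` are taken in the module pattern but unused here and can be removed, leaving `pkgs` and `...`.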
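Review bot: `AllowTcpForwarding = false;` and `AllowAgentForwarding = false;` apply to every SSH user, including the root login that the unchanged `PermitRootLogin = "yes";` context keeps enabled, so if the goal of this commit is to confine the new git account, it is worth stating that explicitly; if the global restriction is intended, a short comment saying so avoids a later "why did agent forwarding stop working" hunt. The git account can additionally be denied a terminal with a `Match User git` block carrying `PermitTTY no` in `services.openssh.extraConfig`, which NixOS appends at the end of sshd_config where `Match` blocks must sit. The enclosing `settings` attrset starts and ends outside this hunk.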
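Review bot: Delivering the git account's authorized_keys as a sops secret at `path = "/var/lib/git-server/.ssh/authorized_keys";` makes login depend on sops-nix creating the `.ssh` directory and on the activation order relative to `createHome` in git.nix; sshd's StrictModes rejects the file if any path component ends up group- or world-writable, and the rejection is silent from the client's side, so the resulting ownership and modes of `/var/lib/git-server` and `.ssh` should be verified on the host after the first switch (I cannot confirm the order from these hunks). Public keys are not confidential, so the simpler and order-independent route is `users.users.git.openssh.authorizedKeys.keys` (or `authorizedKeys.keyFiles`), which lets sshd read them from the NixOS-managed location without a home-directory secret. The enclosing `sops.secrets` attrset begins and ends outside this hunk.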
