path: root/modules/services/git.nix
blob: 657573758915d99026c67f7cce5744591495ef49 (plain)
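{
  # NixOS module providing a self-hosted git mirror:
  #   * a `git` system user whose login shell is git-shell,
  #   * an hourly systemd service that mirrors every public GitHub
  #     repository of `schererleander` into /var/lib/git-server,
  #   * a daily borg backup of that directory to BorgBase.
  flake.modules.nixos.git =
    {
      config,
      lib,
      pkgs,
      ...
    }:
    {
      # Dedicated unprivileged account. git-shell limits interactive logins
      # to git transport commands, so this user cannot get a general shell.
      users.users.git = {
        isSystemUser = true;
        group = "git";
        home = "/var/lib/git-server";
        createHome = true;
        shell = "${pkgs.git}/bin/git-shell";
      };
      users.groups.git = { };

      systemd.services.github-mirror = {
        description = "Mirror GitHub repositories for schererleander";
        after = [ "network-online.target" ];
        wants = [ "network-online.target" ];
        script = ''
          set -euo pipefail

          echo "Fetching repository list for schererleander..."

          cd /var/lib/git-server

          DEFAULT_DESC="Unnamed repository; edit this file 'description' to name the repository."

          # -f: treat HTTP >= 400 (e.g. an API rate-limit response) as a
          #     failure instead of handing the error body to jq as data;
          # -S: still report the failure reason on stderr despite -s;
          # --max-time: never let this oneshot hang on a stalled connection.
          # NOTE: per_page=100 without pagination silently truncates the list
          # once the account has more than 100 repositories.
          ${pkgs.curl}/bin/curl -fsS --max-time 60 \
              "https://api.github.com/users/schererleander/repos?per_page=100" \
            | ${pkgs.jq}/bin/jq -r --arg def "$DEFAULT_DESC" \
              '.[] | "\(.clone_url)\t\(.description | if . == null or . == "" then $def else . end | gsub("[\n\t]"; " "))"' \
            | while IFS=$'\t' read -r REPO_URL REPO_DESC; do

            # REPO_URL originates from an external API response and is passed
            # straight to git; only a plain https GitHub URL is accepted,
            # anything else is logged and skipped.
            case "$REPO_URL" in
              https://github.com/*) ;;
              *)
                echo "Skipping unexpected clone URL: $REPO_URL" >&2
                continue
                ;;
            esac

            REPO_NAME=$(basename -s .git "$REPO_URL")
            TARGET_DIR="$REPO_NAME.git"

            if [ ! -d "$TARGET_DIR" ]; then
              echo "Cloning $REPO_NAME..."
              ${pkgs.git}/bin/git clone --mirror "$REPO_URL" "$TARGET_DIR"
            else
              echo "Updating $REPO_NAME..."
              ${pkgs.git}/bin/git -C "$TARGET_DIR" fetch --prune origin
            fi

            # Tabs/newlines were already replaced by jq, so the description
            # is a single line.
            echo "$REPO_DESC" > "$TARGET_DIR/description"
          done
        '';

        serviceConfig = {
          Type = "oneshot";
          User = "git";
          Group = "git";

          # Security hardening: the service only needs network access plus
          # write access to the mirror directory.
          CapabilityBoundingSet = "";
          NoNewPrivileges = true;
          ProtectSystem = "strict";
          ProtectHome = true;
          ReadWritePaths = "/var/lib/git-server";
        };
      };

      systemd.timers.github-mirror = {
        description = "Timer to mirror GitHub repositories for schererleander";
        wantedBy = [ "timers.target" ];
        timerConfig = {
          OnCalendar = "hourly";
          # Catch up on a missed run (e.g. after the host was powered off).
          Persistent = true;
        };
      };

      services.borgbackup.jobs.git = {
        paths = [
          "/var/lib/git-server"
        ];
        repo = "ssh://e5e496ni@e5e496ni.repo.borgbase.com/./repo";
        # NOTE(review): "none" stores the archive unencrypted on the hosted
        # backup service. The mirrored repositories are public GitHub data, so
        # this may be deliberate; a repokey/keyfile mode would protect the
        # content at rest if private repositories are ever added — confirm.
        encryption.mode = "none";
        environment = {
          # accept-new pins the BorgBase host key on first contact
          # (trust-on-first-use); a later key change is rejected, not accepted.
          BORG_RSH = "ssh -i ${
            config.sops.secrets."borgbase_ssh_key".path
          } -o StrictHostKeyChecking=accept-new";
        };
        compression = "auto,lzma";
        startAt = "daily";
      };
    };
}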