Diffstat (limited to '')
| -rw-r--r-- | modules/garage/default.nix | 28 | ||||
| -rw-r--r-- | modules/git/default.nix | 130 | ||||
| -rw-r--r-- | modules/users/default.nix | 2 |
3 files changed, 126 insertions, 34 deletions
diff --git a/modules/garage/default.nix b/modules/garage/default.nix
index 595b004..56a38c2 100644
--- a/modules/garage/default.nix
+++ b/modules/garage/default.nix
@@ -1,4 +1,10 @@
-{ self, config, lib, pkgs, ... }:
+{
+ self,
+ config,
+ lib,
+ pkgs,
+ ...
+}:
 with self.lib.nginx;
 {
@@ -56,8 +62,24 @@ with self.lib.nginx;
 "s3.vapor.systems" = (proxyDomain "vapor.systems" "http://127.0.0.1:3900/");
 "web.vapor.systems" = (proxyDomain "vapor.systems" "http://127.0.0.1:3902/");
 "gnulag.net" = (proxyDomain "gnulag.net" "http://127.0.0.1:3902/");
- # "linuxmasterrace.org" = (proxyDomain "linuxmasterrace.org" "http://127.0.0.1:3902/");
- # "dash.linuxmasterrace.org" = (proxyDomain "linuxmasterrace.org" "http://127.0.0.1:3902/");
+
+ "cdn.vapor.systems" = {
+ forceSSL = true;
+ useACMEHost = "vapor.systems";
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:3902/";
+ extraConfig = ''
+ proxy_pass_header Authorization;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ proxy_set_header Upgrade $http_upgrade;
+
+ add_header 'access-control-allow-origin' '*';
+ '';
+ };
+ };
 };
 };
 }
diff --git a/modules/git/default.nix b/modules/git/default.nix
index d5cae6a..a0b2573 100644
--- a/modules/git/default.nix
+++ b/modules/git/default.nix
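Review bot: In the `cdn.vapor.systems` location, `proxy_set_header Upgrade $http_upgrade;` is emitted without the `proxy_http_version 1.1;` and `proxy_set_header Connection "upgrade";` lines nginx needs for an upgrade to actually pass through, so the directive is either incomplete or dead; add those two lines or drop the Upgrade line so the config does not advertise a capability it does not provide. `add_header 'access-control-allow-origin' '*';` at location level also replaces any `add_header` directives inherited from the server level (nginx only inherits them when the current level defines none) and, without `always`, is attached only to 2xx/3xx responses. That is acceptable for a public CDN in front of the same backend `web.vapor.systems` uses, but it should be recorded, e.g. `# wildcard CORS: this vhost serves only public bucket content; any server-level add_header is overridden here`. `proxy_pass_header Authorization;` controls response headers from upstream, not the request header, so if the intent was to forward client credentials this line does not do that.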
@@ -1,50 +1,118 @@
-{ self, config, lib, pkgs, ... }:
+{
+ self,
+ config,
+ lib,
+ pkgs,
+ ...
+}:
 {
 environment.systemPackages = [ pkgs.gitea ];
- services.gitea = {
- enable = true;
- stateDir = "/var/lib/gitea";
-
- appName = "Vapor Git: producing vaporware since 1999";
- database = {
- type = "postgres";
- name = "gitea";
- user = "gitea";
- createDatabase = true;
- };
+ services.cgit =
+ let
+ settings = {
+ css = "https://cdn.vapor.systems/cgit/cgit.css";
+
+ head-include = "${pkgs.writeText "cgit-head.html" ''
+ <script>
+ /*to prevent Firefox FOUC, this must be here*/
+ let FF_FOUC_FIX;
+ </script>
+ ''}";
+
+ cache-root = "/var/cache/cgit";
+ cache-size = 50;
+
+ enable-follow-links = true;
+ enable-commit-graph = true;
+ enable-git-config = true;
+ enable-http-clone = true;
+ enable-index-links = true;
+ enable-index-owner = true;
+ enable-log-linecount = true;
+ enable-subject-links = true;
+
+ max-repodesc-length = 120;
- settings = {
- server = {
- DOMAIN = "git.vapor.systems";
- ROOT_URL = "https://git.vapor.systems";
- PROTOCOL = "http+unix";
- HTTP_ADDR = "/run/gitea/http.sock";
+ clone-url = "https://$HTTP_HOST/$CGIT_REPO_URL";
+
+ source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py";
+ # about-filter = "${pkgs.asciidoctor}"
 };
+ in
+ {
+ audron = {
+ inherit settings;
+ enable = true;
+ repos = {
+ "dotfiles.git" = {
+ desc = "Fully Managed NixOS System Dotfiles";
+ path = "/home/audron/dotfiles.git";
+ };
+ };
- oauth2_client = {
- REGISTER_EMAIL_CONFIRM = false;
- OPENID_CONNECT_SCOPES = "email profile";
- ENABLE_AUTO_REGISTRATION = true;
- ACCOUNT_LINKING = "auto";
+ nginx.virtualHost = "git.audron.dev";
 };
- service = {
- DISABLE_REGISTRATION = true;
+ "vapor-systems" = {
+ inherit settings;
+ enable = true;
+ scanPath = "/var/lib/git";
+
+ nginx.virtualHost = "git.vapor.systems";
 };
 };
+
+ services.nginx.virtualHosts = {
+ "git.audron.dev" = {
+ forceSSL = true;
+ useACMEHost = "audron.dev";
+ };
+
+ "git.vapor.systems" = {
+ forceSSL = true;
+ useACMEHost = "vapor.systems";
+ };
 };
- security.acme.certs = {
- "vapor.systems" = {
- extraDomainNames = [ "*.vapor.systems" ];
+ users.users = {
+ cgit.extraGroups = [ "users" ];
+
+ git = {
+ isSystemUser = true;
+ group = "git";
+ home = "/var/lib/git";
+ createHome = true;
+ shell = "${pkgs.git}/bin/git-shell";
+ openssh.authorizedKeys.keys = lib.flatten (
+ lib.map (user: user.openssh.authorizedKeys.keys or [ ]) (
+ lib.filter (user: user.isNormalUser) (lib.attrValues config.users.users)
+ )
+ );
 };
 };
- services.nginx = {
+ users.groups.git = { };
+
+ services.openssh = {
 enable = true;
- virtualHosts."git.vapor.systems" =
- self.lib.nginx.proxyDomain "vapor.systems" "http://unix:/run/gitea/http.sock";
+ extraConfig = ''
+ Match user git
+ AllowTcpForwarding no
+ AllowAgentForwarding no
+ PasswordAuthentication no
+ PermitTTY no
+ X11Forwarding no
+ '';
+ };
+
+ security.acme.certs = {
+ "vapor.systems" = {
+ extraDomainNames = [ "*.vapor.systems" ];
+ };
+ "audron.dev" = {
+ extraDomainNames = [ "*.audron.dev" ];
+ };
 };
 }
diff --git a/modules/users/default.nix b/modules/users/default.nix
index 69afd95..6d189c1 100644
--- a/modules/users/default.nix
+++ b/modules/users/default.nix
@@ -4,6 +4,7 @@
 users.users = {
 audron = {
 isNormalUser = true;
+ homeMode = "750";
 extraGroups = [ "wheel" "docker" ];
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO2eIUtbt7RM75ThjKfUjm24QkzkzCSj7hs+GLaaxMeH cardno:15 505 339"
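Review bot: The `vapor-systems` cgit instance scans `scanPath = "/var/lib/git"`, but that path is the `git` user's home created by `createHome = true` with no `homeMode`, so if the NixOS default home mode (700) applies, the `cgit` user — which this hunk adds only to `users`, not to `git` — cannot traverse it; either set `homeMode = "750";` on the `git` user together with `cgit.extraGroups = [ "users" "git" ];`, or confirm the directory permissions are handled outside this file. The `users` group membership on `cgit` presumably exists so it can reach `/home/audron/dotfiles.git` through the `homeMode = "750"` set in modules/users in the same commit; that cross-file dependency deserves a comment next to `cgit.extraGroups`, e.g. `# needed to read /home/<user>/*.git (homes are mode 750, see modules/users)`. The `git` user's `openssh.authorizedKeys.keys` is the union of every normal user's `keys`, so any account with a login key also gets git-shell push access to every repository under `/var/lib/git`; state that intent in a comment above the `lib.flatten` expression, and note that keys supplied via `keyFiles` are not picked up by it.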
@@ -11,6 +12,7 @@
 };
 magin = {
 isNormalUser = true;
+ homeMode = "750";
 extraGroups = [ "wheel" "docker" ];
 openssh.authorizedKeys.keys = [
 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDa+AtVF5PuUOi30it7EuI79mfYvAWyqkoJQ/RS3LpXBGLqXt2VrpTmYnfonDhn2/nBlwnV5p/65l8g0lIZJ8TQOdMCxOMSsIPlC24q4xY2ov1ljboznmtmdxlPWRMoWqMKCp6kjCkVfEQ5pznnbOH+unvX5nLc4eG3QVfpKeaiz3JV6EZen1+jr/iLQP3KpdUylbnEO2ziHayUgZTdP6u5i6OvrcWS7lRA7yWIQyor92Rl6P/eby2jKVl9KMG0R5wCkUOAtgGRAT2XINmw0OZTj39hxxRToCXpilwjXkRUjPeD2SLmLOjhufJg1upbiGekqe5aOltg+3VoLtsIet6Im0RzjHuPHF4QAfBOv6ZfxREVbm5ODFkKP+2HdlIbYZhD5Rp16dgJTDGVPNiSRo7de2j/8RKG3gHAw1sPWhhTGONrL0t+7a0L3ijAn6NxjyyxA15JocVImPu/WtwcIfRsqxdtOYiaUXC8j+R6HK/q9PPDJyKGHYk6mU7V2KQ53ZR20Kl5YH9uLVHX0sSRXVWU0fZGDIGFpmy8uxccOS2zZYkSpQWmpWZdR0mg1zwOd6/rpTZ5mEJI/PYwi9Xuhfev3S3PD2StbFLzyFTVqzUdZ59nAmgh+jco8ylfzZTcMaTkYpznm9v59EnNmCBqTCde7MWTU4swhWal41EHMODJJQ== cardno:14 237 808" |
