diff options
| author | tdback <tyler@tdback.net> | 2025-01-26 11:33:52 -0500 |
|---|---|---|
| committer | tdback <tyler@tdback.net> | 2025-01-26 11:33:52 -0500 |
| commit | bc7b54af5193f8ac7333ce3f27f414f9a69a80c0 (patch) | |
| tree | ff462fe43936be54ee0e17e68e19c8ce7f8f0e32 | |
| parent | d4e6b5e506dd1e02c420807c3c3d5c975fce608f (diff) | |
customs: cleaned up cgit configuration to make it a standalone module
| -rw-r--r-- | modules/customs/cgit/default.nix | 145 |
1 files changed, 76 insertions, 69 deletions
diff --git a/modules/customs/cgit/default.nix b/modules/customs/cgit/default.nix index 2d493a7..6332044 100644 --- a/modules/customs/cgit/default.nix +++ b/modules/customs/cgit/default.nix @@ -6,7 +6,7 @@ }: with lib; let - cfg = config.services.cgit; + cfg = config.modules.customs.cgit; mkCgitrc = cfg: @@ -21,7 +21,7 @@ let enable-git-config = 1; enable-http-clone = 1; remove-suffix = 1; - clone-url = "https://${cfg.virtualHost}/$CGIT_REPO_URL"; + clone-url = "https://${cfg.url}/$CGIT_REPO_URL"; scan-path = cfg.scanPath; }; in @@ -42,52 +42,44 @@ in { disabledModules = [ "services/networking/cgit.nix" ]; - options = { - services.cgit = { - enable = mkEnableOption "cgit"; - package = mkPackageOption pkgs "cgit" { }; - user = mkOption { - default = "git"; - type = types.str; - description = "User to run cgit service as."; - }; - group = mkOption { - default = "git"; - type = types.str; - description = "Group to run cgit service as."; - }; - scanPath = mkOption { - default = "/var/lib/cgit"; - type = types.path; - description = "A path which will be scanned for repositories."; - }; - virtualHost = mkOption { - default = null; - type = types.str; - description = "Virtual host to serve cgit on."; - }; - authorizedKeys = mkOption { - default = [ ]; - type = types.listOf types.str; - description = "SSH keys for authorized git users."; - }; - settings = mkOption { - default = { }; - type = - with types; - let - settingType = oneOf [ - bool - int - str - ]; - in - attrsOf (oneOf [ - settingType - (listOf settingType) - ]); - description = "Additional cgit configuration. See cgitrc(5)."; - }; + options.modules.customs.cgit = { + enable = mkEnableOption "cgit"; + package = mkPackageOption pkgs "cgit" { }; + user = mkOption { + default = "git"; + type = types.str; + }; + group = mkOption { + default = "git"; + type = types.str; + }; + scanPath = mkOption { + default = "/var/lib/cgit"; + type = types.path; + }; + url = mkOption { + default = null; + type = types.str; + }; + authorizedKeys = mkOption { + default = [ ]; + type = types.listOf types.str; + }; + settings = mkOption { + default = { }; + type = + with types; + let + settingType = oneOf [ + bool + int + str + ]; + in + attrsOf (oneOf [ + settingType + (listOf settingType) + ]); }; }; @@ -111,12 +103,17 @@ in # Harden git user to prevent SSH port forwarding to other servers. services.openssh = { enable = true; - settings.AllowUsers = [ cfg.user ]; + openFirewall = true; + startWhenNeeded = true; + settings = { + AllowUsers = [ cfg.user ]; + PermitRootLogin = "no"; + PasswordAuthentication = false; + }; extraConfig = '' Match user ${cfg.user} AllowTCPForwarding no AllowAgentForwarding no - PasswordAuthentication no PermitTTY no X11Forwarding no ''; @@ -129,26 +126,36 @@ in socket = { inherit (config.services.caddy) user group; }; }; - services.caddy.virtualHosts.${cfg.virtualHost}.extraConfig = - let - socket = config.services.fcgiwrap.instances.cgit.socket.address; - in - '' - encode zstd gzip + networking.firewall.allowedTCPPorts = mkIf (cfg.url != null) [ + 80 + 443 + ]; - reverse_proxy unix/${socket} { - transport fastcgi { - env SCRIPT_FILENAME ${cfg.package}/cgit/cgit.cgi - env CGIT_CONFIG ${mkCgitrc cfg} - } - } + services.caddy = mkIf (cfg.url != null) { + enable = true; + virtualHosts = { + ${cfg.url}.extraConfig = + let + socket = config.services.fcgiwrap.instances.cgit.socket.address; + in + '' + encode zstd gzip - ${mkCgitAssets cfg.package [ - "cgit.css" - "cgit.png" - "favicon.ico" - "robots.txt" - ]} - ''; + reverse_proxy unix/${socket} { + transport fastcgi { + env SCRIPT_FILENAME ${cfg.package}/cgit/cgit.cgi + env CGIT_CONFIG ${mkCgitrc cfg} + } + } + + ${mkCgitAssets cfg.package [ + "cgit.css" + "cgit.png" + "favicon.ico" + "robots.txt" + ]} + ''; + }; + }; }; } |