diff options
author | lassulus <lass@aidsballs.de> | 2015-06-18 22:27:45 +0200 |
---|---|---|
committer | lassulus <lass@aidsballs.de> | 2015-06-18 22:27:45 +0200 |
commit | 5a2de716078f25df47d552c7eca1c0d39446320e (patch) | |
tree | debad5b3b6f2fa97a997caab7cf8f39acb73bbe4 /modules | |
parent | 4c2d2eaa1172bc9b210dac5f5eaf6cd4831925f6 (diff) | |
parent | c868cff63b120e034e5bd418959039ccb210ca52 (diff) |
Merge branch 'master' of nomic:config into tv
Diffstat (limited to 'modules')
-rw-r--r-- | modules/cd/default.nix | 37 | ||||
-rw-r--r-- | modules/cd/iptables.nix | 1 | ||||
-rw-r--r-- | modules/tv/git/cgit.nix | 110 | ||||
-rw-r--r-- | modules/tv/git/default.nix (renamed from modules/tv/git.nix) | 33 | ||||
-rw-r--r-- | modules/wu/default.nix | 2 | ||||
-rw-r--r-- | modules/wu/users.nix | 5 |
6 files changed, 167 insertions, 21 deletions
diff --git a/modules/cd/default.nix b/modules/cd/default.nix index 1d621e0..7223203 100644 --- a/modules/cd/default.nix +++ b/modules/cd/default.nix @@ -11,7 +11,7 @@ ../tv/base-cac-CentOS-7-64bit.nix ../tv/ejabberd.nix # XXX echtes modul ../tv/exim-smarthost.nix - ../tv/git.nix + ../tv/git ../tv/retiolum.nix ../tv/sanitize.nix ]; @@ -48,7 +48,7 @@ let inherit (builtins) readFile; # TODO lib should already include our stuff - inherit (import ../../lib { inherit lib; }) addNames git; + inherit (import ../../lib { inherit lib pkgs; }) addNames git; in rec { enable = true; @@ -59,31 +59,38 @@ makefu = { pubkey = "xxx"; }; }; - # TODO warn about stale repodirs repos = addNames { + shitment = { + desc = "shitment repository"; + hooks = { + post-receive = git.irc-announce { + nick = config.networking.hostName; # TODO make this the default + channel = "#retiolum"; + server = "ire.retiolum"; + }; + }; + public = true; + }; testing = { + desc = "testing repository"; hooks = { - update = '' - #! /bin/sh - set -euf - echo update hook: $* >&2 - ''; - post-update = '' - #! /bin/sh - set -euf - echo post-update hook: $* >&2 - ''; + post-receive = git.irc-announce { + nick = config.networking.hostName; # TODO make this the default + channel = "#repository"; + server = "ire.retiolum"; + }; }; + public = true; }; }; rules = with git; with users; with repos; [ { user = tv; - repo = testing; + repo = [ testing shitment ]; perm = push master [ non-fast-forward create delete merge ]; } { user = [ lass makefu ]; - repo = testing; + repo = [ testing shitment ]; perm = fetch; } ]; diff --git a/modules/cd/iptables.nix b/modules/cd/iptables.nix index 48425e8..950aa84 100644 --- a/modules/cd/iptables.nix +++ b/modules/cd/iptables.nix @@ -63,6 +63,7 @@ ip4tables -A Retiolum -j ACCEPT -p icmp --icmp-type echo-request ip6tables -A Retiolum -j ACCEPT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request + ipXtables -A Retiolum -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW ${when log "ipXtables -A Retiolum -j LOG --log-level info --log-prefix 'REJECT '"} ipXtables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset diff --git a/modules/tv/git/cgit.nix b/modules/tv/git/cgit.nix new file mode 100644 index 0000000..edee199 --- /dev/null +++ b/modules/tv/git/cgit.nix @@ -0,0 +1,110 @@ +{ config, lib, pkgs, ... }: + +let + inherit (builtins) attrValues filter getAttr; + inherit (lib) concatMapStringsSep mkIf optionalString; + + cfg = config.services.git; + + isPublicRepo = getAttr "public"; # TODO this is also in ./default.nix +in + +{ + config = mkIf cfg.cgit { + + users.extraUsers = lib.singleton { + name = "fcgiwrap"; + uid = 2851179180; # genid fcgiwrap + group = "fcgiwrap"; + home = "/var/empty"; + }; + + users.extraGroups = lib.singleton { + name = "fcgiwrap"; + gid = 2851179180; # genid fcgiwrap + }; + + services.fcgiwrap = { + enable = true; + user = "fcgiwrap"; + group = "fcgiwrap"; + # socketAddress = "/run/fcgiwrap.sock" (default) + # socketType = "unix" (default) + }; + + environment.etc."cgitrc".text = '' + css=/cgit-static/cgit.css + logo=/cgit-static/cgit.png + + # if you do not want that webcrawler (like google) index your site + robots=noindex, nofollow + + virtual-root=/cgit + + # TODO make this nicer + cache-root=/tmp/cgit + + cache-size=1000 + enable-commit-graph=1 + enable-index-links=1 + enable-index-owner=0 + enable-log-filecount=1 + enable-log-linecount=1 + enable-remote-branches=1 + + root-title=repositories at ${config.networking.hostName} + root-desc=keep calm and engage + + snapshots=0 + max-stats=year + + ${concatMapStringsSep "\n" (repo: '' + repo.url=${repo.name} + repo.path=${cfg.dataDir}/${repo.name} + ${optionalString (repo.desc != null) "repo.desc=${repo.desc}"} + '') (filter isPublicRepo (attrValues cfg.repos))} + ''; + + # TODO modular nginx configuration + services.nginx = + let + name = config.networking.hostName; + qname = "${name}.retiolum"; + in + { + enable = true; + httpConfig = '' + include ${pkgs.nginx}/conf/mime.types; + default_type application/octet-stream; + sendfile on; + keepalive_timeout 65; + gzip on; + server { + listen 80; + server_name ${name} ${qname} localhost; + root ${pkgs.cgit}/cgit; + + location /cgit-static { + rewrite ^/cgit-static(/.*)$ $1 break; + #expires 30d; + } + + location /cgit { + include ${pkgs.nginx}/conf/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root/cgit.cgi; + #fastcgi_param PATH_INFO $uri; + fastcgi_split_path_info ^(/cgit/?)(.+)$; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param QUERY_STRING $args; + fastcgi_param HTTP_HOST $server_name; + fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; + } + + location / { + return 404; + } + } + ''; + }; + }; +} diff --git a/modules/tv/git.nix b/modules/tv/git/default.nix index d264125..50e2f92 100644 --- a/modules/tv/git.nix +++ b/modules/tv/git/default.nix @@ -2,8 +2,8 @@ let inherit (builtins) - attrNames attrValues concatLists filter hasAttr head lessThan removeAttrs - tail toJSON typeOf; + attrNames attrValues concatLists getAttr filter hasAttr head lessThan + removeAttrs tail toJSON typeOf; inherit (lib) concatMapStringsSep concatStringsSep escapeShellArg hasPrefix literalExample makeSearchPath mapAttrsToList mkIf mkOption optionalString @@ -16,6 +16,8 @@ let getName = x: x.name; + isPublicRepo = getAttr "public"; # TODO this is also in ./cgit.nix + makeAuthorizedKey = command-script: user@{ name, pubkey }: # TODO assert name # TODO assert pubkey @@ -78,12 +80,21 @@ in # (or kill already connected users somehow) { + imports = [ + ./cgit.nix + ]; + options.services.git = { enable = mkOption { type = types.bool; default = false; description = "Enable Git repository hosting."; }; + cgit = mkOption { + type = types.bool; + default = true; + description = "Enable cgit."; # TODO better desc; talk about nginx + }; dataDir = mkOption { type = types.str; default = "/var/lib/git"; @@ -99,6 +110,13 @@ in repos = mkOption { type = types.attrsOf (types.submodule ({ options = { + desc = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Repository description. + ''; + }; name = mkOption { type = types.str; description = '' @@ -111,6 +129,14 @@ in Repository-specific hooks. ''; }; + public = mkOption { + type = types.bool; + default = false; + description = '' + Allow everybody to read the repository via HTTP if cgit enabled. + ''; + # TODO allow every configured user to fetch the repository via SSH. + }; }; })); @@ -230,8 +256,9 @@ in '' reponame=${escapeShellArg repo.name} repodir=$dataDir/$reponame + mode=${toString (if isPublicRepo repo then 0711 else 0700)} if ! test -d "$repodir"; then - mkdir -m 0700 "$repodir" + mkdir -m "$mode" "$repodir" git init --bare --template=/var/empty "$repodir" chown -R git: "$repodir" fi diff --git a/modules/wu/default.nix b/modules/wu/default.nix index 84a8361..68475ad 100644 --- a/modules/wu/default.nix +++ b/modules/wu/default.nix @@ -1,7 +1,7 @@ { config, pkgs, ... }: let - lib = import ../../lib { inherit pkgs; }; + lib = import ../../lib { lib = pkgs.lib; inherit pkgs; }; inherit (lib) majmin; in diff --git a/modules/wu/users.nix b/modules/wu/users.nix index 88f2b65..4c86314 100644 --- a/modules/wu/users.nix +++ b/modules/wu/users.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, lib, pkgs, ... }: let inherit (builtins) attrValues; @@ -194,7 +194,8 @@ let sudoers = let inherit (builtins) filter hasAttr; - inherit (import ../../lib { inherit pkgs; }) concat isSuffixOf removeSuffix setToList; + inherit (import ../../lib { inherit lib pkgs; }) + concat isSuffixOf removeSuffix setToList; hasMaster = { group ? "", ... }: isSuffixOf "-sub" group; |