services: sourcehut: Clean up a bit
Signed-off-by: Christoph Heiss <christoph@c8h4.io>
parent
14b2ae4b06
commit
550d2e8097
|
@ -68,17 +68,25 @@ in {
|
|||
group = "nginx";
|
||||
};
|
||||
|
||||
systemd.services = {
|
||||
metasrht.serviceConfig.BindReadOnlyPaths = [ secretsPath ];
|
||||
metasrht-api.serviceConfig.BindReadOnlyPaths = [ secretsPath ];
|
||||
metasrht-webhooks.serviceConfig.BindReadOnlyPaths = [ secretsPath ];
|
||||
gitsrht.serviceConfig.BindReadOnlyPaths = [ secretsPath ];
|
||||
gitsrht-api.serviceConfig.BindReadOnlyPaths = [ secretsPath ];
|
||||
gitsrht-periodic.serviceConfig.BindReadOnlyPaths = [ secretsPath ];
|
||||
gitsrht-webhooks.serviceConfig.BindReadOnlyPaths = [ secretsPath ];
|
||||
};
|
||||
# Binds the sourcehut secrets path read-only into services that require them
|
||||
systemd.services = let
|
||||
services = [
|
||||
"metasrht"
|
||||
"metasrht-api"
|
||||
"metasrht-webhooks"
|
||||
"gitsrht"
|
||||
"gitsrht-api"
|
||||
"gitsrht-periodic"
|
||||
"gitsrht-webhooks"
|
||||
];
|
||||
in builtins.listToAttrs (map (name: {
|
||||
inherit name;
|
||||
value.serviceConfig.BindReadOnlyPaths = [ secretsPath ];
|
||||
}) services);
|
||||
|
||||
services.openssh.settings = { AllowUsers = lib.mkForce "christoph git"; };
|
||||
# TODO: Do properly once https://github.com/NixOS/nixpkgs/pull/227442 is merged
|
||||
services.openssh.settings.AllowUsers = lib.mkForce "christoph git";
|
||||
|
||||
# Disable login for `git` user
|
||||
users.users.git.password = "*";
|
||||
}
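Review bot: The unchanged line `users.users.git.password = "*";` near the end of this hunk probably does not do what its comment says. In NixOS, `users.users.<name>.password` is a clear-text password that is hashed at activation, so this would give `git` the literal one-character password `*` instead of an unusable hash. If the intent is an account that sshd does not treat as locked but that has no valid password, `users.users.git.hashedPassword = "*";` expresses that. It is worth checking the resulting `/etc/shadow` entry and confirming that sshd password authentication is disabled, since `git` is listed in `AllowUsers`. Separately, the new `listToAttrs`/`map` block could be shortened to `lib.genAttrs services (_: { serviceConfig.BindReadOnlyPaths = [ secretsPath ]; })`.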
|
||||
|
|