services: sourcehut: Clean up a bit

Signed-off-by: Christoph Heiss <christoph@c8h4.io>
Christoph Heiss 2023-05-02 22:56:16 +02:00
parent 14b2ae4b06
commit 550d2e8097
Signed by: c8h4
GPG key ID: 6817E9C75C0785D7


@ -68,17 +68,25 @@ in {
group = "nginx";
};
systemd.services = {
metasrht.serviceConfig.BindReadOnlyPaths = [ secretsPath ];
metasrht-api.serviceConfig.BindReadOnlyPaths = [ secretsPath ];
metasrht-webhooks.serviceConfig.BindReadOnlyPaths = [ secretsPath ];
gitsrht.serviceConfig.BindReadOnlyPaths = [ secretsPath ];
gitsrht-api.serviceConfig.BindReadOnlyPaths = [ secretsPath ];
gitsrht-periodic.serviceConfig.BindReadOnlyPaths = [ secretsPath ];
gitsrht-webhooks.serviceConfig.BindReadOnlyPaths = [ secretsPath ];
};
# Binds the sourcehut secrets path read-only into services that require them
systemd.services = let
services = [
"metasrht"
"metasrht-api"
"metasrht-webhooks"
"gitsrht"
"gitsrht-api"
"gitsrht-periodic"
"gitsrht-webhooks"
];
in builtins.listToAttrs (map (name: {
inherit name;
value.serviceConfig.BindReadOnlyPaths = [ secretsPath ];
}) services);
services.openssh.settings = { AllowUsers = lib.mkForce "christoph git"; };
# TODO: Do properly once https://github.com/NixOS/nixpkgs/pull/227442 is merged
services.openssh.settings.AllowUsers = lib.mkForce "christoph git";
# Disable login for `git` user
users.users.git.password = "*";
}
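Review bot: The `users.users.git.password = "*";` line at the bottom of the hunk does not do what its comment says: in the NixOS users module `password` is the clear-text password option (hashed at activation time), so this sets the git user's password to the literal string `*` rather than locking the account; if the intent is to disable password login, `users.users.git.hashedPassword = "*";` is the field that goes into the shadow entry verbatim. This line is unchanged context that predates the commit, but it stays on the new side and is worth fixing alongside the cleanup. For the rewritten `systemd.services` block, `builtins.listToAttrs (map (name: { inherit name; value.serviceConfig.BindReadOnlyPaths = [ secretsPath ]; }) services)` is the hand-rolled form of `lib.genAttrs services (_: { serviceConfig.BindReadOnlyPaths = [ secretsPath ]; });`, and `lib` is already in scope on the `lib.mkForce` line. The enclosing attribute set opens before the hunk (`in {` in the hunk header) and closes at its last line.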