services: forgejo: simplify ssh setup by renaming user

Signed-off-by: Christoph Heiss <christoph@c8h4.io>
This commit is contained in:
Christoph Heiss 2024-08-24 13:17:35 +02:00
parent 738a05aec0
commit 981fe69bf5
Signed by: c8h4
GPG key ID: 6817E9C75C0785D7
6 changed files with 36 additions and 126 deletions


@ -10,7 +10,7 @@ keys:
- &machine_zero age1xdd0mzt7mhr30rzvt34ygxurlvdvs53svg7lxd6843lx83vy0guqew578d
creation_rules:
- path_regex: secrets/sops/(acme|git-ingress|restic)\.yaml
- path_regex: secrets/sops/(acme|restic)\.yaml
key_groups:
- age:
- *christoph_trek


@ -20,7 +20,6 @@ in {
../services/alertmanager.nix
../services/conduit.nix
../services/fail2ban.nix
../services/git-ingress.nix
../services/matrix-hookshot.nix
../services/nginx.nix
../services/node-exporter.nix


@ -4,7 +4,6 @@
imports = [
../secrets/machines/tank.nix
../services/forgejo.nix
../services/git-ingress.nix
../services/grafana.nix
../services/home-assistant.nix
../services/navidrome.nix


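--- a/secrets/sops/git-ingress.yaml
+++ /dev/null
@@ -1,58 +0,0 @@
-git-ingress:
-sshkey: ENC[AES256_GCM,data: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,iv:qyLrx6asr1+thTwA3nbyQS/lXzEAdTBCCGDleGLWlew=,tag:REHmJh3UV8Ia4SrNlk9VIw==,type:str]
-sops:
-kms: []
-gcp_kms: []
-azure_kv: []
-hc_vault: []
-age:
-- recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
-enc: |
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMSk5TYjJjRDRyUVpXeGZo
-QmhiaXhldFl1eDNZNnIyTXEyb0hDZ2FXSDJJCkdObG5KQkZ1eDMxTE9sY1VNSVpS
-RHFENmpoSUF1RGozSXdvNXpsQVRTVXMKLS0tIEpVa0pyVVVkNWh0K29CWHNUMEhk
-K1B4Wmhadjc4TW1BdEVUTkxQMUFYbVkK1pYtfhEk0oLXv/AMgE4sNvOVnXIUjoy1
-PBF2VB7+OCdVesC5Mkw0Q6B04AcuyLDE5mN0ePrz9TWhfkYbWLXvAQ==
------END AGE ENCRYPTED FILE-----
-- recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
-enc: |
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBR0lQalQyemxLUEM0ajg1
-RXZCK2s3TGt5a2I5VEhaM3pqY1I1UnFxWGlZCm9zQmZGY3k0ckx6MStVVzdMWnZI
-a0p2OTdPL0h4NEVCblNKS1BNR21aMlkKLS0tIDlzenpVRGRQcWV6V0ppOHkzV2FR
-V1V0VkhHOFJHam5xYTdycTJLVm0reHcK3PNanNHAsTcP8/3/VCN6HIv5t72RLXRo
-W7/7CS4fjUAUlktZrBpGJeYL4V7nTY2JEUnzTvF00WaB90UTKYpGSw==
------END AGE ENCRYPTED FILE-----
-- recipient: age1ul99nmekam6rs9fpjka32aaxmnjq0p3a8x8drzxwtxa4g2u23anq6p2g6s
-enc: |
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOR3JFMGowUVYrcktvVmFJ
-WWUxSzlOcFV5VGdLVzh5ckQyNk1IeXJQd2owCm9RTG1XTHFPYXJmV0pFRGNzTUlj
-RU10ODJMNmpPZEpydWVuYWNBdEJJUncKLS0tIGlxTGlzSXU4UndKNWU5RVNTUUNa
-NkU1VWx6dTFmaE9PTE0wdGlqRlYyOUUKQYbhp5H7Jbv6ECjPiH4epnWXLX0xP8mK
-bExDsYXTlwqf7yFXPBbT5R03ehDtVgX6zytuheb1V98SBWh0c3w5kg==
------END AGE ENCRYPTED FILE-----
-- recipient: age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh
-enc: |
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTnVERXJ1NVhuYWFOUGNY
-NC8zMWdFY2lFNUtWdnpTYzM1a1RvRUJvVVg0ClNTOUtWdnFrVkJzYnBhYk1QNHpy
-Wm1pN3NsNU4vWERuQlhmNTVsMmFBc3MKLS0tIHdZYis3KzRuaHdLLzQ5YzN2Nkpi
-V2FPcDJDWVFGS0VrR2Z2eHBxalk4Yk0KMpck3LRIJCFSrTVOBlZ5BzdwtpKQDnco
-HAlgR1BX2Oyk9OcQ/LxyDdf5XSSZxWbjDlAMchuBgv9cfXCM5rxd+A==
------END AGE ENCRYPTED FILE-----
-- recipient: age1h96sm0j0k5kjmuf857xurtq7rwk5fhptenjdlkgmadtrz4lm95rqm6ctm2
-enc: |
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXMjZmVmNpMndxUTFzL09z
-UUQ1VGY1WlczeDNPZmZKREhtTWFkcE5Td2dFClM1M0lsa2g5c3IxeGV3dC9qcTFC
-NHZ4eExiY1NIRnNpNG5vZW10R0s4bzAKLS0tIGErU2Vac3BLTTNUL3VlTFgrMmRJ
-bjd6N0k3WmZyeXFYSHdoNXBYbHBCTkEKFgIsNLOwVkgyeJM7FxGJEs2JQ+KvvtrB
-VpqT8bg3dbprdpr8C8QRQ+eK4AQdsm2hQ9h+PmF74Be2mK8+WWJp3w==
------END AGE ENCRYPTED FILE-----
-lastmodified: "2024-06-24T19:05:38Z"
-mac: ENC[AES256_GCM,data:s8h9CitPTS8VJHikqVYlGhhLZODFWrm/7Gj3XFrk6WllmrtbA8jGy1GHKig1jBTKhGrNuFj1qaZ/0lrcrgva8PwwlaQa4MqcGMYRmxfW1Z5OHbek2Sf//CJL2xjQEsyCO5y9nWD37Oa2JFEE6oh/m4j0To/5fKMFrbYV+xnF07c=,iv:9WY4SmS8f+eIg6vfmIWq3iPRzDlsrG7pnXv6aeC7lZ8=,tag:yofMh4ktsFh/vtUzQAGf8Q==,type:str]
-pgp: []
-unencrypted_suffix: _unencrypted
-version: 3.8.1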


@ -1,6 +1,8 @@
{ config, my, pkgs, secrets, ... }:
{ config, lib, my, pkgs, secrets, ... }:
let fqdn = "git.${my.domain}";
let
cfg = config.services.forgejo;
fqdn = "git.${my.domain}";
in {
sops.secrets."forgejo/mail/host" = {
sopsFile = ../secrets/sops/forgejo.yaml;
@ -13,6 +15,8 @@ in {
services.forgejo = {
enable = true;
user = "git";
group = "git";
lfs.enable = true;
database = {
type = "sqlite3";
@ -59,7 +63,7 @@ in {
ROOT_URL = "https://${fqdn}";
HTTP_ADDR = "::1";
HTTP_PORT = 3110;
SSH_USER = "git";
SSH_USER = cfg.user;
};
repository = {
ENABLE_PUSH_CREATE_USER = true;
@ -102,6 +106,18 @@ in {
};
};
systemd.tmpfiles.settings."75-forgejo" = {
"/run/forgejo-dispatch/authorized-keys"."f+" = {
# sshd_config(5): The program must be owned by root, not writable by group or others
mode = "0755";
argument = builtins.concatStringsSep "\\n" [
"#!${lib.getExe pkgs.bash}"
''
exec ${pkgs.toybox}/bin/cat "${config.services.forgejo.stateDir}/.ssh/authorized_keys"''
];
};
};
services.nginx.virtualHosts.${fqdn} =
let serverCfg = config.services.forgejo.settings.server;
in {
@ -118,14 +134,24 @@ in {
};
};
services.openssh.settings.AllowUsers = [ "forgejo" ];
users.users.forgejo = {
users.groups.${cfg.group} = { };
users.users.${cfg.user} = {
inherit (cfg) group;
createHome = false;
home = config.services.forgejo.stateDir;
isSystemUser = true;
shell = pkgs.bash;
packages = with pkgs; [ forgejo ];
extraGroups = [ "restic-backup" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINVZ8zYHz1pUFzM8AKwMTWTTTvQTw10RyZJUVwXMt0FS"
];
};
services.openssh = {
settings.AllowUsers = [ cfg.user ];
extraConfig = ''
Match User ${cfg.user}
AuthorizedKeysCommand /run/forgejo-dispatch/authorized-keys
AuthorizedKeysCommandUser ${cfg.user}
'';
};
services.restic.backups.forgejo = {
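Review bot: The new `/run/forgejo-dispatch/authorized-keys` script feeds sshd the contents of `${stateDir}/.ssh/authorized_keys` through AuthorizedKeysCommand, and sshd does not apply its StrictModes ownership and permission checks to a command's output the way it does to an AuthorizedKeysFile, so the trust in that file now rests entirely on Forgejo keeping it and its parent directories writable only by `cfg.user`. Since the user's home is already `stateDir`, the block should state why the default `%h/.ssh/authorized_keys` lookup is not used instead and what the command relies on, e.g. `# Served via AuthorizedKeysCommand rather than read as an AuthorizedKeysFile; sshd does not permission-check this path, so it relies on Forgejo keeping authorized_keys 0600 under a non-group-writable stateDir`. As a style point, the commit introduces `cfg` (used for `SSH_USER = cfg.user`) but the script still spells `config.services.forgejo.stateDir`; `exec ${pkgs.toybox}/bin/cat "${cfg.stateDir}/.ssh/authorized_keys"''` would be consistent. The enclosing attribute set starts and ends outside the hunks shown.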


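--- a/services/git-ingress.nix
+++ /dev/null
@@ -1,56 +0,0 @@
-{ my, pkgs, secrets, ... }:
-let
-remoteExecCmd = builtins.concatStringsSep " " [
-"${pkgs.openssh}/bin/ssh"
-"-q"
-"-i${secrets."git-ingress/sshkey".path}"
-"-oBatchMode=yes"
-"-oStrictHostKeyChecking=no"
-"-oUserKnownHostsFile=/dev/null"
-"forgejo@forgejo.${my.domain}"
-];
-in {
-users.groups.git = { };
-users.users.git = {
-createHome = false;
-group = "git";
-isSystemUser = true;
-# Disable login for `git` user
-password = "*";
-shell = pkgs.writeShellApplication {
-name = "git-ingress-shell";
-runtimeInputs = with pkgs; [ openssh ];
-derivationArgs.shellPath = "/bin/git-ingress-shell";
-text = ''
-sshcmd="''${SSH_ORIGINAL_COMMAND:-}"
-shift
-exec ${remoteExecCmd} "export SSH_ORIGINAL_COMMAND='$sshcmd'; $*"
-'';
-};
-};
-services.openssh = {
-settings.AllowUsers = [ "git" ];
-extraConfig = ''
-Match User git
-AuthorizedKeysCommandUser git
-AuthorizedKeysCommand /var/lib/git-ingress/authorized-keys-dispatch
-'';
-};
-sops.secrets."git-ingress/sshkey" = {
-sopsFile = ../secrets/sops/git-ingress.yaml;
-owner = "git";
-};
-systemd.tmpfiles.settings."70-git-ingress"."/var/lib/git-ingress/authorized-keys-dispatch"."f+" =
-{
-# sshd_config(5): The program must be owned by root, not writable by group or others
-mode = "0755";
-argument = builtins.concatStringsSep "\\n" [
-"#!/bin/sh"
-"exec ${remoteExecCmd} 'cat $HOME/.ssh/authorized_keys'"
-];
-};
-}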