services: forgejo: simplify ssh setup by renaming user
Signed-off-by: Christoph Heiss <christoph@c8h4.io>
parent
738a05aec0
commit
981fe69bf5
|
@ -10,7 +10,7 @@ keys:
|
|||
- &machine_zero age1xdd0mzt7mhr30rzvt34ygxurlvdvs53svg7lxd6843lx83vy0guqew578d
|
||||
|
||||
creation_rules:
|
||||
- path_regex: secrets/sops/(acme|git-ingress|restic)\.yaml
|
||||
- path_regex: secrets/sops/(acme|restic)\.yaml
|
||||
key_groups:
|
||||
- age:
|
||||
- *christoph_trek
|
||||
|
|
|
@ -20,7 +20,6 @@ in {
|
|||
../services/alertmanager.nix
|
||||
../services/conduit.nix
|
||||
../services/fail2ban.nix
|
||||
../services/git-ingress.nix
|
||||
../services/matrix-hookshot.nix
|
||||
../services/nginx.nix
|
||||
../services/node-exporter.nix
|
||||
|
|
|
@ -4,7 +4,6 @@
|
|||
imports = [
|
||||
../secrets/machines/tank.nix
|
||||
../services/forgejo.nix
|
||||
../services/git-ingress.nix
|
||||
../services/grafana.nix
|
||||
../services/home-assistant.nix
|
||||
../services/navidrome.nix
|
||||
|
|
|
@ -1,58 +0,0 @@
|
|||
git-ingress:
|
||||
sshkey: ENC[AES256_GCM,data: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,iv:qyLrx6asr1+thTwA3nbyQS/lXzEAdTBCCGDleGLWlew=,tag:REHmJh3UV8Ia4SrNlk9VIw==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMSk5TYjJjRDRyUVpXeGZo
|
||||
QmhiaXhldFl1eDNZNnIyTXEyb0hDZ2FXSDJJCkdObG5KQkZ1eDMxTE9sY1VNSVpS
|
||||
RHFENmpoSUF1RGozSXdvNXpsQVRTVXMKLS0tIEpVa0pyVVVkNWh0K29CWHNUMEhk
|
||||
K1B4Wmhadjc4TW1BdEVUTkxQMUFYbVkK1pYtfhEk0oLXv/AMgE4sNvOVnXIUjoy1
|
||||
PBF2VB7+OCdVesC5Mkw0Q6B04AcuyLDE5mN0ePrz9TWhfkYbWLXvAQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBR0lQalQyemxLUEM0ajg1
|
||||
RXZCK2s3TGt5a2I5VEhaM3pqY1I1UnFxWGlZCm9zQmZGY3k0ckx6MStVVzdMWnZI
|
||||
a0p2OTdPL0h4NEVCblNKS1BNR21aMlkKLS0tIDlzenpVRGRQcWV6V0ppOHkzV2FR
|
||||
V1V0VkhHOFJHam5xYTdycTJLVm0reHcK3PNanNHAsTcP8/3/VCN6HIv5t72RLXRo
|
||||
W7/7CS4fjUAUlktZrBpGJeYL4V7nTY2JEUnzTvF00WaB90UTKYpGSw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1ul99nmekam6rs9fpjka32aaxmnjq0p3a8x8drzxwtxa4g2u23anq6p2g6s
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOR3JFMGowUVYrcktvVmFJ
|
||||
WWUxSzlOcFV5VGdLVzh5ckQyNk1IeXJQd2owCm9RTG1XTHFPYXJmV0pFRGNzTUlj
|
||||
RU10ODJMNmpPZEpydWVuYWNBdEJJUncKLS0tIGlxTGlzSXU4UndKNWU5RVNTUUNa
|
||||
NkU1VWx6dTFmaE9PTE0wdGlqRlYyOUUKQYbhp5H7Jbv6ECjPiH4epnWXLX0xP8mK
|
||||
bExDsYXTlwqf7yFXPBbT5R03ehDtVgX6zytuheb1V98SBWh0c3w5kg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTnVERXJ1NVhuYWFOUGNY
|
||||
NC8zMWdFY2lFNUtWdnpTYzM1a1RvRUJvVVg0ClNTOUtWdnFrVkJzYnBhYk1QNHpy
|
||||
Wm1pN3NsNU4vWERuQlhmNTVsMmFBc3MKLS0tIHdZYis3KzRuaHdLLzQ5YzN2Nkpi
|
||||
V2FPcDJDWVFGS0VrR2Z2eHBxalk4Yk0KMpck3LRIJCFSrTVOBlZ5BzdwtpKQDnco
|
||||
HAlgR1BX2Oyk9OcQ/LxyDdf5XSSZxWbjDlAMchuBgv9cfXCM5rxd+A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1h96sm0j0k5kjmuf857xurtq7rwk5fhptenjdlkgmadtrz4lm95rqm6ctm2
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXMjZmVmNpMndxUTFzL09z
|
||||
UUQ1VGY1WlczeDNPZmZKREhtTWFkcE5Td2dFClM1M0lsa2g5c3IxeGV3dC9qcTFC
|
||||
NHZ4eExiY1NIRnNpNG5vZW10R0s4bzAKLS0tIGErU2Vac3BLTTNUL3VlTFgrMmRJ
|
||||
bjd6N0k3WmZyeXFYSHdoNXBYbHBCTkEKFgIsNLOwVkgyeJM7FxGJEs2JQ+KvvtrB
|
||||
VpqT8bg3dbprdpr8C8QRQ+eK4AQdsm2hQ9h+PmF74Be2mK8+WWJp3w==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-06-24T19:05:38Z"
|
||||
mac: ENC[AES256_GCM,data:s8h9CitPTS8VJHikqVYlGhhLZODFWrm/7Gj3XFrk6WllmrtbA8jGy1GHKig1jBTKhGrNuFj1qaZ/0lrcrgva8PwwlaQa4MqcGMYRmxfW1Z5OHbek2Sf//CJL2xjQEsyCO5y9nWD37Oa2JFEE6oh/m4j0To/5fKMFrbYV+xnF07c=,iv:9WY4SmS8f+eIg6vfmIWq3iPRzDlsrG7pnXv6aeC7lZ8=,tag:yofMh4ktsFh/vtUzQAGf8Q==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
|
@ -1,6 +1,8 @@
|
|||
{ config, my, pkgs, secrets, ... }:
|
||||
{ config, lib, my, pkgs, secrets, ... }:
|
||||
|
||||
let fqdn = "git.${my.domain}";
|
||||
let
|
||||
cfg = config.services.forgejo;
|
||||
fqdn = "git.${my.domain}";
|
||||
in {
|
||||
sops.secrets."forgejo/mail/host" = {
|
||||
sopsFile = ../secrets/sops/forgejo.yaml;
|
||||
|
@ -13,6 +15,8 @@ in {
|
|||
|
||||
services.forgejo = {
|
||||
enable = true;
|
||||
user = "git";
|
||||
group = "git";
|
||||
lfs.enable = true;
|
||||
database = {
|
||||
type = "sqlite3";
|
||||
|
@ -59,7 +63,7 @@ in {
|
|||
ROOT_URL = "https://${fqdn}";
|
||||
HTTP_ADDR = "::1";
|
||||
HTTP_PORT = 3110;
|
||||
SSH_USER = "git";
|
||||
SSH_USER = cfg.user;
|
||||
};
|
||||
repository = {
|
||||
ENABLE_PUSH_CREATE_USER = true;
|
||||
|
@ -102,6 +106,18 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
systemd.tmpfiles.settings."75-forgejo" = {
|
||||
"/run/forgejo-dispatch/authorized-keys"."f+" = {
|
||||
# sshd_config(5): The program must be owned by root, not writable by group or others
|
||||
mode = "0755";
|
||||
argument = builtins.concatStringsSep "\\n" [
|
||||
"#!${lib.getExe pkgs.bash}"
|
||||
''
|
||||
exec ${pkgs.toybox}/bin/cat "${config.services.forgejo.stateDir}/.ssh/authorized_keys"''
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts.${fqdn} =
|
||||
let serverCfg = config.services.forgejo.settings.server;
|
||||
in {
|
||||
|
@ -118,14 +134,24 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
services.openssh.settings.AllowUsers = [ "forgejo" ];
|
||||
|
||||
users.users.forgejo = {
|
||||
users.groups.${cfg.group} = { };
|
||||
users.users.${cfg.user} = {
|
||||
inherit (cfg) group;
|
||||
createHome = false;
|
||||
home = config.services.forgejo.stateDir;
|
||||
isSystemUser = true;
|
||||
shell = pkgs.bash;
|
||||
packages = with pkgs; [ forgejo ];
|
||||
extraGroups = [ "restic-backup" ];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINVZ8zYHz1pUFzM8AKwMTWTTTvQTw10RyZJUVwXMt0FS"
|
||||
];
|
||||
};
|
||||
|
||||
services.openssh = {
|
||||
settings.AllowUsers = [ cfg.user ];
|
||||
extraConfig = ''
|
||||
Match User ${cfg.user}
|
||||
AuthorizedKeysCommand /run/forgejo-dispatch/authorized-keys
|
||||
AuthorizedKeysCommandUser ${cfg.user}
|
||||
'';
|
||||
};
|
||||
|
||||
services.restic.backups.forgejo = {
|
||||
|
|
|
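Review bot: The static entry in `openssh.authorizedKeys.keys` on the renamed `users.users.${cfg.user}` survives as context, yet the only consumer visible in this commit — the git-ingress host that logged in as `forgejo@forgejo.${my.domain}` with `secrets."git-ingress/sshkey"` — is deleted in the same change. If that ed25519 key is the public half of the removed sops secret it is now an orphaned, command-unrestricted login to a user whose shell is `pkgs.bash` and whose `extraGroups` include `restic-backup`, so it should be dropped here and the private key treated as retired (the deleted sops file remains in history); please confirm against the key before removing it. Separately, the new `"/run/forgejo-dispatch/authorized-keys"."f+"` entry meets the quoted sshd ownership rule only because omitting the user/group fields makes tmpfiles default to root:root, which a line such as `# user/group omitted: tmpfiles defaults to root:root, as sshd requires for AuthorizedKeysCommand` would make explicit. With `home = config.services.forgejo.stateDir`, sshd's default per-user `AuthorizedKeysFile` lookup presumably already reads the same `.ssh/authorized_keys`, so a comment stating why the `AuthorizedKeysCommand` indirection is needed (StrictModes on the state directory, I suspect) would save the next reader re-deriving it.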
@ -1,56 +0,0 @@
|
|||
{ my, pkgs, secrets, ... }:
|
||||
|
||||
let
|
||||
remoteExecCmd = builtins.concatStringsSep " " [
|
||||
"${pkgs.openssh}/bin/ssh"
|
||||
"-q"
|
||||
"-i${secrets."git-ingress/sshkey".path}"
|
||||
"-oBatchMode=yes"
|
||||
"-oStrictHostKeyChecking=no"
|
||||
"-oUserKnownHostsFile=/dev/null"
|
||||
"forgejo@forgejo.${my.domain}"
|
||||
];
|
||||
in {
|
||||
users.groups.git = { };
|
||||
users.users.git = {
|
||||
createHome = false;
|
||||
group = "git";
|
||||
isSystemUser = true;
|
||||
# Disable login for `git` user
|
||||
password = "*";
|
||||
shell = pkgs.writeShellApplication {
|
||||
name = "git-ingress-shell";
|
||||
runtimeInputs = with pkgs; [ openssh ];
|
||||
derivationArgs.shellPath = "/bin/git-ingress-shell";
|
||||
text = ''
|
||||
sshcmd="''${SSH_ORIGINAL_COMMAND:-}"
|
||||
shift
|
||||
exec ${remoteExecCmd} "export SSH_ORIGINAL_COMMAND='$sshcmd'; $*"
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
services.openssh = {
|
||||
settings.AllowUsers = [ "git" ];
|
||||
extraConfig = ''
|
||||
Match User git
|
||||
AuthorizedKeysCommandUser git
|
||||
AuthorizedKeysCommand /var/lib/git-ingress/authorized-keys-dispatch
|
||||
'';
|
||||
};
|
||||
|
||||
sops.secrets."git-ingress/sshkey" = {
|
||||
sopsFile = ../secrets/sops/git-ingress.yaml;
|
||||
owner = "git";
|
||||
};
|
||||
|
||||
systemd.tmpfiles.settings."70-git-ingress"."/var/lib/git-ingress/authorized-keys-dispatch"."f+" =
|
||||
{
|
||||
# sshd_config(5): The program must be owned by root, not writable by group or others
|
||||
mode = "0755";
|
||||
argument = builtins.concatStringsSep "\\n" [
|
||||
"#!/bin/sh"
|
||||
"exec ${remoteExecCmd} 'cat $HOME/.ssh/authorized_keys'"
|
||||
];
|
||||
};
|
||||
}
|