services: forgejo: simplify sshd setup
All checks were successful
flake / build (push) Successful in 2m59s
Signed-off-by: Christoph Heiss <christoph@c8h4.io>
parent
dfeffdf041
commit
be9bb3843c
|
@ -145,15 +145,6 @@ in {
|
|||
inherit (cfg) user group;
|
||||
mode = "0750";
|
||||
};
|
||||
"/run/forgejo-dispatch/authorized-keys"."f+" = {
|
||||
# sshd_config(5): The program must be owned by root, not writable by group or others
|
||||
mode = "0755";
|
||||
argument = builtins.concatStringsSep "\\n" [
|
||||
"#!${lib.getExe pkgs.bash}"
|
||||
''
|
||||
exec ${pkgs.toybox}/bin/cat "${config.services.forgejo.stateDir}/.ssh/authorized_keys"''
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts.${fqdn} =
|
||||
|
@ -182,14 +173,7 @@ in {
|
|||
extraGroups = [ "restic-backup" ];
|
||||
};
|
||||
|
||||
services.openssh = {
|
||||
settings.AllowUsers = [ cfg.user ];
|
||||
extraConfig = ''
|
||||
Match User ${cfg.user}
|
||||
AuthorizedKeysCommand /run/forgejo-dispatch/authorized-keys
|
||||
AuthorizedKeysCommandUser ${cfg.user}
|
||||
'';
|
||||
};
|
||||
services.openssh.settings.AllowUsers = [ cfg.user ];
|
||||
|
||||
services.restic.backups.forgejo = {
|
||||
environmentFile = secrets."restic/rest-env".path;
|
||||
|
|
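Review bot: With the `Match User ${cfg.user}` block removed in the second hunk, sshd falls back to its global authorized-keys file lookup for the forgejo user, and nothing in the visible lines documents or pins that dependency. Key authentication now presumably relies on that user's home directory being the Forgejo state directory, and on sshd's StrictModes checks accepting the ownership and modes of the home directory, `.ssh` and `authorized_keys`. The `mode = "0750"` in the first hunk's context would be compatible if it applies to that directory, but the surrounding attribute set starts outside the hunk. I would add a comment above the remaining line, for example `# keys are read from <stateDir>/.ssh/authorized_keys via sshd's default lookup; requires the user's home to be stateDir and no group/world-writable path components`. It is also worth confirming that no other module overrides `services.openssh.authorizedKeysFiles` in a way that drops the per-user path.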