services: forgejo: simplify sshd setup
Signed-off-by: Christoph Heiss <christoph@c8h4.io>
parent
dfeffdf041
commit
be9bb3843c
|
@ -145,15 +145,6 @@ in {
|
||||||
inherit (cfg) user group;
|
inherit (cfg) user group;
|
||||||
mode = "0750";
|
mode = "0750";
|
||||||
};
|
};
|
||||||
"/run/forgejo-dispatch/authorized-keys"."f+" = {
|
|
||||||
# sshd_config(5): The program must be owned by root, not writable by group or others
|
|
||||||
mode = "0755";
|
|
||||||
argument = builtins.concatStringsSep "\\n" [
|
|
||||||
"#!${lib.getExe pkgs.bash}"
|
|
||||||
''
|
|
||||||
exec ${pkgs.toybox}/bin/cat "${config.services.forgejo.stateDir}/.ssh/authorized_keys"''
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts.${fqdn} =
|
services.nginx.virtualHosts.${fqdn} =
|
||||||
|
@ -182,14 +173,7 @@ in {
|
||||||
extraGroups = [ "restic-backup" ];
|
extraGroups = [ "restic-backup" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
services.openssh = {
|
services.openssh.settings.AllowUsers = [ cfg.user ];
|
||||||
settings.AllowUsers = [ cfg.user ];
|
|
||||||
extraConfig = ''
|
|
||||||
Match User ${cfg.user}
|
|
||||||
AuthorizedKeysCommand /run/forgejo-dispatch/authorized-keys
|
|
||||||
AuthorizedKeysCommandUser ${cfg.user}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
services.restic.backups.forgejo = {
|
services.restic.backups.forgejo = {
|
||||||
environmentFile = secrets."restic/rest-env".path;
|
environmentFile = secrets."restic/rest-env".path;
|
||||||
|
|
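Review bot: Nothing on the new side records where sshd now finds the keys for `cfg.user`: with the `Match User ${cfg.user}` block and its `AuthorizedKeysCommand` removed, lookup falls back to the global `AuthorizedKeysFile` setting, which these hunks do not show. That presumably works only while per-user key files in the home directory are enabled and the account's home is the Forgejo state directory, so a later sshd hardening change that turns off `~/.ssh/authorized_keys` would break git-over-ssh without any error at evaluation time. A comment above the remaining `services.openssh.settings.AllowUsers` line would make the dependency explicit, e.g. `# keys come from <stateDir>/.ssh/authorized_keys via sshd's default AuthorizedKeysFile; StrictModes ownership/permission checks apply to that path`. The enclosing attribute set starts and ends outside both hunks, so the account's home directory setting should be confirmed there.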