
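# SSH ingress for a Forgejo instance that lives on another host.
#
# A dedicated `git` user accepts client connections here; its authorized keys
# are fetched from the backend on every login (AuthorizedKeysCommand), and its
# login shell forwards the sshd-supplied command to the backend over a second
# SSH hop, re-exporting the client's SSH_ORIGINAL_COMMAND there.
{ my, pkgs, secrets, ... }:
let
  # Shared hop to the backend `forgejo` user with the ingress deploy key.
  #
  # NOTE(review): StrictHostKeyChecking=no together with UserKnownHostsFile=
  # /dev/null disables host key verification for this hop, so the deploy key
  # and every forwarded command are offered to whatever host answers for
  # forgejo.${my.domain}. Pinning the backend host key (a known_hosts file
  # shipped with this config) would close that gap.
  remoteExecCmd = builtins.concatStringsSep " " [
    "${pkgs.openssh}/bin/ssh"
    "-q"
    "-i${secrets."git-ingress/sshkey".path}"
    "-oBatchMode=yes"
    "-oStrictHostKeyChecking=no"
    "-oUserKnownHostsFile=/dev/null"
    "forgejo@forgejo.${my.domain}"
  ];
in {
  users.groups.git = { };
  users.users.git = {
    createHome = false;
    group = "git";
    isSystemUser = true;
    # Disable password login for `git` user; key auth via sshd only.
    password = "*";
    # sshd invokes this as `git-ingress-shell -c "<command= option from the
    # backend's authorized_keys>"`, with the client's request in
    # SSH_ORIGINAL_COMMAND.
    shell = pkgs.writeShellApplication {
      name = "git-ingress-shell";
      runtimeInputs = with pkgs; [ openssh ];
      derivationArgs.shellPath = "/bin/git-ingress-shell";
      text = ''
        # Client-supplied, hence untrusted: it is re-exported inside a
        # command string that the backend's shell parses, so it must be
        # passed as one quoted word.  Splicing it between bare single
        # quotes let any `'` in the request terminate the quote and run
        # arbitrary shell on the backend (and also stripped the quotes
        # git itself puts around the repository path).
        sshcmd="''${SSH_ORIGINAL_COMMAND:-}"
        # POSIX-portable single-quote escaping: each ' becomes '\'' and the
        # whole value is wrapped in single quotes.
        quoted=$(printf "'%s'" "''${sshcmd//\'/\'\\\'\'}")
        # Drop the leading `-c`; the remainder is the backend-provided
        # command= option, which is trusted.
        shift
        exec ${remoteExecCmd} "export SSH_ORIGINAL_COMMAND=$quoted; $*"
      '';
    };
  };
  services.openssh = {
    settings.AllowUsers = [ "git" ];
    extraConfig = ''
      Match User git
        AuthorizedKeysCommandUser git
        AuthorizedKeysCommand /var/lib/git-ingress/authorized-keys-dispatch
    '';
  };
  # Deploy key for the hop to the backend; readable by the ingress `git` user
  # because both the login shell and the AuthorizedKeysCommand run as it.
  sops.secrets."git-ingress/sshkey" = {
    sopsFile = ../secrets/sops/git-ingress.yaml;
    owner = "git";
  };
  # `f+` recreates the dispatcher from `argument` at boot, so it stays in
  # sync with remoteExecCmd.  Ownership is left at the tmpfiles default (root).
  systemd.tmpfiles.settings."70-git-ingress"."/var/lib/git-ingress/authorized-keys-dispatch"."f+" =
    {
      # sshd_config(5): The program must be owned by root, not writable by group or others
      mode = "0755";
      # tmpfiles.d(5) unescapes `\n` in the argument, producing a two-line script.
      # The key options (command=, no-port-forwarding, ...) come back verbatim
      # from the backend and are enforced by this host's sshd.
      argument = builtins.concatStringsSep "\\n" [
        "#!/bin/sh"
        "exec ${remoteExecCmd} 'cat $HOME/.ssh/authorized_keys'"
      ];
    };
}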