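{ my, pkgs, secrets, ... }:

# Git-over-SSH ingress (bastion) in front of the Forgejo host.
#
# Clients connect as the local `git` user.  No authorized keys live on this
# host: sshd fetches them from the Forgejo host on every login attempt
# (AuthorizedKeysCommand below), and the `git` login shell relays the
# session's command to the Forgejo host over a second SSH hop, authenticating
# with the `git-ingress/sshkey` identity.

let

  # SSH invocation shared by both hops to the Forgejo host (key fetch and
  # command relay).  BatchMode prevents any prompt: both callers run
  # non-interactively under sshd.
  #
  # NOTE(review): the backend's host key is NOT verified here
  # (StrictHostKeyChecking=no together with UserKnownHostsFile=/dev/null).
  # A man-in-the-middle on the route to forgejo.<domain> could therefore
  # serve an arbitrary authorized_keys list to this host and receive the
  # relayed git traffic.  Pinning the backend's key (for example through
  # `services.openssh.knownHosts`, after which these two options can be
  # dropped) is the intended hardening; the key is not known in this file,
  # so the options are kept as they were.
  remoteExecCmd = builtins.concatStringsSep " " [
    "${pkgs.openssh}/bin/ssh"
    # -q also hides host-key and connection warnings from the client.
    "-q"
    "-i${secrets."git-ingress/sshkey".path}"
    "-oBatchMode=yes"
    "-oStrictHostKeyChecking=no"
    "-oUserKnownHostsFile=/dev/null"
    "forgejo@forgejo.${my.domain}"
  ];

in {

  users.groups.git = { };

  users.users.git = {
    createHome = false;
    group = "git";
    isSystemUser = true;

    # Lock password authentication for `git`.  `hashedPassword` goes into
    # /etc/shadow verbatim, so "*" is an unusable hash.  The cleartext
    # `password` option must not be used for this purpose: NixOS hashes its
    # value at activation, which would make the literal string "*" the
    # account's working password.
    hashedPassword = "*";

    # Login shell for `git`: relays the session to the Forgejo host.
    #
    # sshd always starts the shell as `git-ingress-shell -c "<command>"`.
    # <command> is the `command=` option of the matching authorized_keys
    # entry served by the backend, with the client's own request placed in
    # SSH_ORIGINAL_COMMAND; if the entry carries no `command=` option,
    # <command> is the client's request itself and is relayed as-is.
    shell = pkgs.writeShellApplication {
      name = "git-ingress-shell";
      # gnused: used below to quote the client-supplied command.
      runtimeInputs = with pkgs; [ openssh gnused ];
      derivationArgs.shellPath = "/bin/git-ingress-shell";
      text = ''
        # Accept only the `-c <command>` form sshd uses.  There is no
        # interactive session to offer on this host, and any other argument
        # shape would be relayed incorrectly.
        if [ "$#" -ne 2 ] || [ "$1" != "-c" ]; then
          echo "git-ingress-shell: only non-interactive sessions are permitted" >&2
          exit 1
        fi

        # SSH_ORIGINAL_COMMAND is chosen by the remote client.  It is
        # embedded in a command line that the Forgejo host's shell parses,
        # so it has to be made safe for a single-quoted context: every
        # single quote is replaced by quote, backslash-quote, quote (close
        # the string, emit a literal quote, reopen the string).  Without
        # this, a client request containing a single quote breaks out of
        # the `export` and runs arbitrary commands as the forgejo user on
        # the backend, bypassing whatever `command=` restriction the
        # authorized_keys entry imposes.
        sshcmd="''${SSH_ORIGINAL_COMMAND:-}"
        escaped=$(printf '%s' "$sshcmd" | sed "s/'/'\\\\'''/g")

        # $2 is the command sshd was told to run (see the comment on `shell`
        # above); it is executed on the backend with the client's request
        # available to it in SSH_ORIGINAL_COMMAND.
        exec ${remoteExecCmd} "export SSH_ORIGINAL_COMMAND='$escaped'; $2"
      '';
    };
  };

  services.openssh = {
    # This host serves git only: no other account may log in over SSH.
    settings.AllowUsers = [ "git" ];
    extraConfig = ''
      Match User git
      # The dispatch script runs as `git` so it can read the sops-managed
      # key it uses to reach the backend.
      AuthorizedKeysCommandUser git
      AuthorizedKeysCommand /var/lib/git-ingress/authorized-keys-dispatch
    '';
  };

  # Private key for the hop to the Forgejo host.  Owned by `git` because
  # both the login shell and the AuthorizedKeysCommand run as that user.
  sops.secrets."git-ingress/sshkey" = {
    sopsFile = ../secrets/sops/git-ingress.yaml;
    owner = "git";
  };

  # AuthorizedKeysCommand script: returns the backend's complete
  # authorized_keys file for the forgejo user.  No sshd %-tokens are passed,
  # so the whole list is fetched on every login attempt and sshd does the
  # matching.  If the backend is unreachable the script fails and sshd
  # treats the client as having no keys.
  systemd.tmpfiles.settings."70-git-ingress"."/var/lib/git-ingress/authorized-keys-dispatch"."f+" =
    {
      # sshd_config(5): the program must be owned by root (tmpfiles'
      # default owner), not writable by group or others, and given as an
      # absolute path.  The parent directory is created by tmpfiles with
      # the same root-owned 0755 defaults, which sshd's path check also
      # requires.
      mode = "0755";
      # `f+` writes the argument as the file's content; tmpfiles decodes the
      # two-character "\n" sequences into newlines.
      argument = builtins.concatStringsSep "\\n" [
        "#!/bin/sh"
        # Single quotes: $HOME expands on the backend, not here.
        "exec ${remoteExecCmd} 'cat $HOME/.ssh/authorized_keys'"
      ];
    };
}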