blob: 82a6bd3ab16e3edbdc0d3bf86c61169c000d12a5 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
|
# Back - An extremely simple git bug visualization system. Inspired by TVL's
# panettone.
#
# Copyright (C) 2025 Benedikt Peetz <benedikt.peetz@b-peetz.de>
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# This file is part of Back.
#
# You should have received a copy of the License along with this program.
# If not, see <https://www.gnu.org/licenses/agpl.txt>.
{extraPackages}: {
config,
lib,
pkgs,
...
}: let
cfg = config.vhack.back;
in {
options.vhack.back = {
enable = lib.mkEnableOption "Back";
package = lib.mkPackageOption extraPackages "back" {};
group = lib.mkOption {
type = lib.types.str;
description = ''
The group to run back under.
This group needs read and write access to the git repositories.
'';
};
user = lib.mkOption {
type = lib.types.str;
description = ''
The user to run back under.
This user needs read and write access to the git repositories.
'';
};
settings = {
scan_path = lib.mkOption {
type = lib.types.path;
description = "The path to the directory under which all the repositories reside";
};
project_list = lib.mkOption {
type = lib.types.path;
description = "The path to the `projects.list` file.";
};
source_code_repository_url = lib.mkOption {
description = "The url to the source code of this instance of back";
default = "https://git.foss-syndicate.org/vhack.eu/git_bug/back";
type = lib.types.str;
};
root_url = lib.mkOption {
type = lib.types.str;
description = "The url to this instance of back.";
};
};
};
config = lib.mkIf cfg.enable {
systemd.services."back" = {
description = "Back issue tracking system.";
requires = ["network-online.target"];
after = ["network-online.target"];
wantedBy = ["default.target"];
serviceConfig = {
ExecStart = "${lib.getExe cfg.package} ${(pkgs.formats.json {}).generate "config.json" cfg.settings}";
# Ensure that the service can read the repository
# FIXME(@bpeetz): This has the implied assumption, that all the exposed git
# repositories are readable for the git group. This should not be necessary. <2024-12-23>
Group = cfg.group;
User = cfg.user;
Restart = "always";
# Sandboxing
ProtectSystem = "strict";
ReadWritePaths = ["${cfg.settings.scan_path}"];
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
RestrictNamespaces = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
PrivateMounts = true;
# System Call Filtering
SystemCallArchitectures = "native";
SystemCallFilter = [];
};
};
};
}
|
