about summary refs log tree commit diff stats
path: root/modules/by-name/ba/back/module.nix
diff options
context:
space:
mode:
Diffstat (limited to 'modules/by-name/ba/back/module.nix')
-rw-r--r--modules/by-name/ba/back/module.nix92
1 files changed, 0 insertions, 92 deletions
diff --git a/modules/by-name/ba/back/module.nix b/modules/by-name/ba/back/module.nix
deleted file mode 100644
index d47ffce..0000000
--- a/modules/by-name/ba/back/module.nix
+++ /dev/null
@@ -1,92 +0,0 @@
-{
-  config,
-  lib,
-  vhackPackages,
-  pkgs,
-  ...
-}: let
-  cfg = config.vhack.back;
-in {
-  options.vhack.back = {
-    enable = lib.mkEnableOption "Back issue tracker (inspired by tvix's panettone)";
-
-    domain = lib.mkOption {
-      type = lib.types.str;
-      description = "The domain to host this `back` instance on.";
-    };
-
-    settings = {
-      scan_path = lib.mkOption {
-        type = lib.types.path;
-        description = "The path to the directory under which all the repositories reside";
-      };
-      project_list = lib.mkOption {
-        type = lib.types.path;
-        description = "The path to the `projects.list` file.";
-      };
-
-      source_code_repository_url = lib.mkOption {
-        description = "The url to the source code of this instance of back";
-        default = "https://git.foss-syndicate.org/vhack.eu/nixos-server/tree/pkgs/by-name/ba/back";
-        type = lib.types.str;
-      };
-
-      root_url = lib.mkOption {
-        type = lib.types.str;
-        description = "The url to this instance of back.";
-        default = "https://${cfg.domain}";
-      };
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    systemd.services."back" = {
-      description = "Back issue tracking system.";
-      requires = ["network-online.target"];
-      after = ["network-online.target"];
-      wantedBy = ["default.target"];
-
-      serviceConfig = {
-        ExecStart = "${lib.getExe vhackPackages.back} ${(pkgs.formats.json {}).generate "config.json" cfg.settings}";
-
-        # Ensure that the service can read the repository
-        # FIXME(@bpeetz): This has the implied assumption, that all the exposed git
-        # repositories are readable for the git group. This should not be necessary. <2024-12-23>
-        User = "git";
-        Group = "git";
-
-        DynamicUser = true;
-        Restart = "always";
-
-        # Sandboxing
-        ProtectSystem = "strict";
-        ProtectHome = true;
-        PrivateTmp = true;
-        PrivateDevices = true;
-        ProtectHostname = true;
-        ProtectClock = true;
-        ProtectKernelTunables = true;
-        ProtectKernelModules = true;
-        ProtectKernelLogs = true;
-        ProtectControlGroups = true;
-        RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
-        RestrictNamespaces = true;
-        LockPersonality = true;
-        MemoryDenyWriteExecute = true;
-        RestrictRealtime = true;
-        RestrictSUIDSGID = true;
-        RemoveIPC = true;
-        PrivateMounts = true;
-        # System Call Filtering
-        SystemCallArchitectures = "native";
-        SystemCallFilter = ["~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid"];
-      };
-    };
-    services.nginx.virtualHosts."${cfg.domain}" = {
-      locations."/".proxyPass = "http://127.0.0.1:8000";
-
-      enableACME = true;
-      forceSSL = true;
-    };
-  };
-}
generated by cgit-pink 1.4.1 (git 2.36.1) at 2025-06-09 00:48:37 +0000