Diffstat (limited to '')
| -rw-r--r-- | modules/by-name/co/constants/module.nix | 2 | ||||
| -rw-r--r-- | modules/by-name/gi/git-server/module.nix | 6 | ||||
| -rw-r--r-- | modules/by-name/ro/rocie/module.nix | 59 | ||||
| -rw-r--r-- | modules/by-name/sy/system-info/module.nix | 1 |
4 files changed, 68 insertions, 0 deletions
diff --git a/modules/by-name/co/constants/module.nix b/modules/by-name/co/constants/module.nix
index 3de9608..b94020b 100644
--- a/modules/by-name/co/constants/module.nix
+++ b/modules/by-name/co/constants/module.nix
@@ -55,6 +55,7 @@
 grocy = 341;
 anubis = 342;
 postfix-tlspol = 343;
+ rocie = 344;
 # As per the NixOS file, the uids should not be greater or equal to 400;
 };
@@ -94,6 +95,7 @@
 systemd-coredump # matches systemd-coredump user
 resolvconf # This group is not matched to an user?
 stalwart-mail-certificates # This group is used to connect nginx and stalwart-mail
+ rocie
 ; # The gid should match the uid. Thus should not be >= 400;
diff --git a/modules/by-name/gi/git-server/module.nix b/modules/by-name/gi/git-server/module.nix
index db35897..4ddfca4 100644
--- a/modules/by-name/gi/git-server/module.nix
+++ b/modules/by-name/gi/git-server/module.nix
@@ -88,6 +88,12 @@ in {
 scanPath = "${config.services.gitolite.dataDir}/repositories";
 user = "git";
 group = "git";
+
+ # Don't bypass `cgit` when performing a http only clone.
+ # This is slightly slower, but we don't need to worry about the access
+ # restrictions also being by-passed.
+ gitHttpBackend.enable = false;
+
 settings = {
 branch-sort = "age";
diff --git a/modules/by-name/ro/rocie/module.nix b/modules/by-name/ro/rocie/module.nix
new file mode 100644
index 0000000..1e419b8
--- /dev/null
+++ b/modules/by-name/ro/rocie/module.nix
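Review bot: The comment added above `gitHttpBackend.enable = false;` speaks of "the access restrictions" being bypassed without saying which cgit-side control the direct git-http-backend path would skip, so a maintainer who later re-enables it for speed cannot judge the exposure from the comment alone. Name the control, e.g. `# cgit's own filtering is the only gate on anonymous HTTP reads; git-http-backend would serve repositories without it.`, adjusted to whatever the `settings` block actually enforces. The `settings` block and the rest of the cgit configuration continue outside the hunk, so the exact mechanism cannot be confirmed from here.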
@@ -0,0 +1,59 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.vhack.rocie;
+ data = "/var/lib/rocie";
+in {
+ options.vhack.rocie = {
+ enable = lib.mkEnableOption "Rocie integration into vhack.eu";
+
+ domain = lib.mkOption {
+ type = lib.types.str;
+ description = "The domain where to deploy rocie";
+ };
+
+ loginSecret = lib.mkOption {
+ type = lib.types.path;
+ description = "The age encrypted secret file for rocie, passed to agenix";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ rocie = {
+ enable = true;
+ inherit (cfg) domain;
+
+ dbPath = "${data}/database.db";
+
+ secretKeyFile = config.age.secrets.rocie_secret.path;
+ };
+
+ vhack.persist.directories = [
+ {
+ directory = data;
+ user = "rocie";
+ group = "rocie";
+ mode = "0700";
+ }
+ ];
+
+ users = {
+ groups.rocie = {
+ gid = config.vhack.constants.ids.gids.rocie;
+ };
+ users.rocie = {
+ group = "rocie";
+ uid = config.vhack.constants.ids.uids.rocie;
+ };
+ };
+
+ age.secrets.rocie_secret = {
+ file = cfg.loginSecret;
+ mode = "700";
+ owner = "rocie";
+ group = "rocie";
+ };
+ };
+}
diff --git a/modules/by-name/sy/system-info/module.nix b/modules/by-name/sy/system-info/module.nix
index 8136ae5..21d901f 100644
--- a/modules/by-name/sy/system-info/module.nix
+++ b/modules/by-name/sy/system-info/module.nix
@@ -39,6 +39,7 @@
 # TODO(@bpeetz): Check which service opens these ports: <2025-01-28>
 "64738" = "???";
 "4190" = "???";
+ "8112" = "???";
 };
 in ''
 ${mode} ${builtins.toString port}: ${ |
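Review bot: `age.secrets.rocie_secret` decrypts the secret with `mode = "700"`, which sets the execute bit on a file that is only ever read and is inconsistent with the four-digit `mode = "0700"` used for the persist directory above it; the least-privilege value is `mode = "0400";` (agenix's default), since `owner`/`group` already confine it to the rocie user. `users.users.rocie` sets `group` and `uid` but neither `isSystemUser` nor `isNormalUser`; unless the upstream `rocie` module declares the user itself, NixOS's user assertion requires exactly one of them, so add `isSystemUser = true;`. Whether the `rocie` service actually runs as the `rocie` user is not visible here — the `rocie = { … }` block sets no user — so the `0700` state directory and the secret being owned by `rocie` should be confirmed against that module. The `loginSecret` description could also state that the decrypted path is what ends up in `secretKeyFile`, so the option's relation to the service is clear from the option alone.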
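Review bot: The added `"8112" = "???";` records another listening port with an unknown owner under a TODO dated 2025-01-28, while the same commit introduces the rocie service; if rocie is what binds 8112, the value should name it, e.g. `"8112" = "rocie";`, rather than growing the list of unknowns. If it is not, the existing TODO should be widened to cover it, because a port-to-service map with `???` entries gives little help when auditing what a host exposes. The attribute set this entry belongs to starts outside the hunk.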
