From fe7eb4c36dc64616b0c18683fc2f3c941bbb0c81 Mon Sep 17 00:00:00 2001
From: Benedikt Peetz
Date: Sat, 7 Jun 2025 10:39:32 +0200
Subject: modules/git-back: Init with the out-of-tree back
---
 modules/by-name/ba/back/module.nix | 92 ----------------------------------
 modules/by-name/gi/git-back/module.nix | 41 +++++++++++++++
 2 files changed, 41 insertions(+), 92 deletions(-)
 delete mode 100644 modules/by-name/ba/back/module.nix
 create mode 100644 modules/by-name/gi/git-back/module.nix
(limited to 'modules')
diff --git a/modules/by-name/ba/back/module.nix b/modules/by-name/ba/back/module.nix
deleted file mode 100644
index d47ffce..0000000
--- a/modules/by-name/ba/back/module.nix
+++ /dev/null
@@ -1,92 +0,0 @@
-{
- config,
- lib,
- vhackPackages,
- pkgs,
- ...
-}: let
- cfg = config.vhack.back;
-in {
- options.vhack.back = {
- enable = lib.mkEnableOption "Back issue tracker (inspired by tvix's panettone)";
-
- domain = lib.mkOption {
- type = lib.types.str;
- description = "The domain to host this `back` instance on.";
- };
-
- settings = {
- scan_path = lib.mkOption {
- type = lib.types.path;
- description = "The path to the directory under which all the repositories reside";
- };
- project_list = lib.mkOption {
- type = lib.types.path;
- description = "The path to the `projects.list` file.";
- };
-
- source_code_repository_url = lib.mkOption {
- description = "The url to the source code of this instance of back";
- default = "https://git.foss-syndicate.org/vhack.eu/nixos-server/tree/pkgs/by-name/ba/back";
- type = lib.types.str;
- };
-
- root_url = lib.mkOption {
- type = lib.types.str;
- description = "The url to this instance of back.";
- default = "https://${cfg.domain}";
- };
- };
- };
-
- config = lib.mkIf cfg.enable {
- systemd.services."back" = {
- description = "Back issue tracking system.";
- requires = ["network-online.target"];
- after = ["network-online.target"];
- wantedBy = ["default.target"];
-
- serviceConfig = {
- ExecStart = "${lib.getExe vhackPackages.back} ${(pkgs.formats.json {}).generate "config.json" cfg.settings}";
-
- # Ensure that the service can read the repository
- # FIXME(@bpeetz): This has the implied assumption, that all the exposed git
- # repositories are readable for the git group. This should not be necessary. 
<2024-12-23>
- User = "git";
- Group = "git";
-
- DynamicUser = true;
- Restart = "always";
-
- # Sandboxing
- ProtectSystem = "strict";
- ProtectHome = true;
- PrivateTmp = true;
- PrivateDevices = true;
- ProtectHostname = true;
- ProtectClock = true;
- ProtectKernelTunables = true;
- ProtectKernelModules = true;
- ProtectKernelLogs = true;
- ProtectControlGroups = true;
- RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
- RestrictNamespaces = true;
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- RemoveIPC = true;
- PrivateMounts = true;
- # System Call Filtering
- SystemCallArchitectures = "native";
- SystemCallFilter = ["~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid"];
- };
- };
- services.nginx.virtualHosts."${cfg.domain}" = {
- locations."/".proxyPass = "http://127.0.0.1:8000";
-
- enableACME = true;
- forceSSL = true;
- };
- };
-}
diff --git a/modules/by-name/gi/git-back/module.nix b/modules/by-name/gi/git-back/module.nix
new file mode 100644
index 0000000..96f4913
--- /dev/null
+++ b/modules/by-name/gi/git-back/module.nix
@@ -0,0 +1,41 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.vhack.git-back;
+in {
+ options.vhack.git-back = {
+ enable = lib.mkEnableOption "Back integration into git-server";
+
+ domain = lib.mkOption {
+ type = lib.types.str;
+ description = "The domain where to deploy back";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ vhack.back = {
+ enable = true;
+
+ user = "git";
+ group = "git";
+
+ settings = {
+ scan_path = "${config.services.gitolite.dataDir}/repositories";
+ project_list = "${config.services.gitolite.dataDir}/projects.list";
+ root_url = "https://${cfg.domain}";
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."${cfg.domain}" = {
+ locations."/".proxyPass = "http://127.0.0.1:8000";
+
+ enableACME = true;
+ forceSSL = true;
+ };
+ };
+ };
+}
-- cgit 1.4.1
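Review bot: The `user = "git"` / `group = "git"` lines in the new `vhack.back` block carry over the assumption the removed module spelled out in its FIXME — that back runs as gitolite's account so the repositories under `scan_path` are readable — but that note is gone with the old file, so nothing in this module says why the web-facing service is not given a dedicated user (assuming the out-of-tree `vhack.back` module maps `user`/`group` to the systemd `User`/`Group` the way the removed one did). With `scan_path` set to `${config.services.gitolite.dataDir}/repositories`, this presumably gives the service read access to everything in gitolite's data directory, not only the projects listed in `projects.list`; that trade-off deserves a comment above the two lines, e.g. `# Run as the gitolite user so the repositories under scan_path are readable; this exposes all of gitolite's dataDir to the web service (see the FIXME removed from ba/back).` The `proxyPass = "http://127.0.0.1:8000"` is a hard-coded port with no link to whatever listen address the out-of-tree module configures; if that module exposes a port or listen option, referencing it here would keep the two from drifting apart. The hunk holds the complete new file.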