blob: d47ffce31fa0f06c6494b7f9d7fe34b2e32042fc (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
|
{
config,
lib,
vhackPackages,
pkgs,
...
}: let
cfg = config.vhack.back;
in {
options.vhack.back = {
enable = lib.mkEnableOption "Back issue tracker (inspired by tvix's panettone)";
domain = lib.mkOption {
type = lib.types.str;
description = "The domain to host this `back` instance on.";
};
settings = {
scan_path = lib.mkOption {
type = lib.types.path;
description = "The path to the directory under which all the repositories reside";
};
project_list = lib.mkOption {
type = lib.types.path;
description = "The path to the `projects.list` file.";
};
source_code_repository_url = lib.mkOption {
description = "The url to the source code of this instance of back";
default = "https://git.foss-syndicate.org/vhack.eu/nixos-server/tree/pkgs/by-name/ba/back";
type = lib.types.str;
};
root_url = lib.mkOption {
type = lib.types.str;
description = "The url to this instance of back.";
default = "https://${cfg.domain}";
};
};
};
config = lib.mkIf cfg.enable {
systemd.services."back" = {
description = "Back issue tracking system.";
requires = ["network-online.target"];
after = ["network-online.target"];
wantedBy = ["default.target"];
serviceConfig = {
ExecStart = "${lib.getExe vhackPackages.back} ${(pkgs.formats.json {}).generate "config.json" cfg.settings}";
# Ensure that the service can read the repository
# FIXME(@bpeetz): This has the implied assumption, that all the exposed git
# repositories are readable for the git group. This should not be necessary. <2024-12-23>
User = "git";
Group = "git";
DynamicUser = true;
Restart = "always";
# Sandboxing
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
RestrictNamespaces = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
PrivateMounts = true;
# System Call Filtering
SystemCallArchitectures = "native";
SystemCallFilter = ["~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid"];
};
};
services.nginx.virtualHosts."${cfg.domain}" = {
locations."/".proxyPass = "http://127.0.0.1:8000";
enableACME = true;
forceSSL = true;
};
};
}
|
