From 03939b14e1d5820bee8c43d63b34c6e3e0e5eac4 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 12 Aug 2020 22:52:37 +0200
Subject: wiki: allow push to git

---
 krebs/2configs/wiki.nix | 70 +++++++++++++++++++++++++++++++------------------
 1 file changed, 44 insertions(+), 26 deletions(-)

(limited to 'krebs/2configs/wiki.nix')

diff --git a/krebs/2configs/wiki.nix b/krebs/2configs/wiki.nix
index ad88d666..e4f05a6e 100644
--- a/krebs/2configs/wiki.nix
+++ b/krebs/2configs/wiki.nix
@@ -1,23 +1,37 @@
 { config, pkgs, ... }:
 with import <stockholm/lib>;
+let
 
+  setupGit = ''
+    export PATH=${makeBinPath [ pkgs.git ]}
+    export GIT_SSH_COMMAND='${pkgs.openssh}/bin/ssh -i ${config.krebs.gollum.stateDir}/.ssh/id_ed25519'
+    repo='git@localhost:wiki'
+    cd ${config.krebs.gollum.stateDir}
+    if ! url=$(git config remote.origin.url); then
+      git remote add origin "$repo"
+    elif test "$url" != "$repo"; then
+      git remote set-url origin "$repo"
+    fi
+  '';
+
+  pushGollum = pkgs.writeDash "push_gollum" ''
+    ${setupGit}
+    git fetch origin
+    git merge --ff-only origin/master
+  '';
+
+  pushCgit = pkgs.writeDash "push_cgit" ''
+    ${setupGit}
+    git push origin master
+  '';
+
+in
 {
   krebs.gollum = {
     enable = true;
     extraConfig = ''
       Gollum::Hook.register(:post_commit, :hook_id) do |committer, sha1|
-        system('${toString (pkgs.writers.writeDash "push_cgit" ''
-          export PATH=${makeBinPath [ pkgs.git ]}
-          export GIT_SSH_COMMAND='${pkgs.openssh}/bin/ssh -i ${config.krebs.gollum.stateDir}/.ssh/id_ed25519'
-          repo='git@localhost:wiki'
-          cd ${config.krebs.gollum.stateDir}
-          if ! url=$(git config remote.origin.url); then
-            git remote add origin "$repo"
-          elif test "$url" != "$repo"; then
-            git remote set-url origin "$repo"
-          fi
-          git push origin master
-        '')}')
+        system('${pushCgit}')
       end
     '';
   };
@@ -47,27 +61,27 @@ with import <stockholm/lib>;
             name = "gollum";
             pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMXbjDnQWg8EECsNRZZWezocMIiuENhCSQFcFUXcsOQ6";
           }
-          config.krebs.users.lass-mors
-        ];
+        ] ++ (attrValues config.krebs.users);
         repo = [ config.krebs.git.repos.wiki ];
-        perm = push ''refs/*'' [ create merge ];
+        perm = push ''refs/heads/master'' [ create merge ];
       }
     ];
     repos.wiki = {
       public = true;
       name = "wiki";
       hooks = {
-        post-receive = pkgs.git-hooks.irc-announce {
-          channel = "#xxx";
-          refs = [
-            "refs/heads/master"
-            "refs/heads/newest"
-            "refs/tags/*"
-          ];
-          nick = config.networking.hostName;
-          server = "irc.r";
-          verbose = true;
-        };
+        post-receive = ''
+          ${pkgs.git-hooks.irc-announce {
+            channel = "#xxx";
+            refs = [
+              "refs/heads/master"
+            ];
+            nick = config.networking.hostName;
+            server = "irc.r";
+            verbose = true;
+          }}
+          /run/wrappers/bin/sudo -S -u gollum ${pushGollum}
+        '';
       };
     };
   };
@@ -77,4 +91,8 @@ with import <stockholm/lib>;
     owner = { name = "gollum"; };
     source-path = "${<secrets/gollum.id_ed25519>}";
   };
+
+  security.sudo.extraConfig = ''
+    git ALL=(gollum) NOPASSWD: ${pushGollum}
+  '';
 }
-- 
cgit v1.2.3