-rw-r--r-- | krebs/0tests/data/secrets/gollum.id_ed25519 | 0 | ||||
-rw-r--r-- | krebs/2configs/wiki.nix | 83 | ||||
-rw-r--r-- | krebs/3modules/default.nix | 1 | ||||
-rw-r--r-- | krebs/3modules/gollum.nix | 112 | ||||
-rw-r--r-- | krebs/3modules/secret.nix | 2 | ||||
-rw-r--r-- | lass/1systems/blue/config.nix | 8 | ||||
-rw-r--r-- | lass/2configs/default.nix | 1 | ||||
-rw-r--r-- | lass/5pkgs/deploy/default.nix | 6 |
8 files changed, 202 insertions, 11 deletions
diff --git a/krebs/0tests/data/secrets/gollum.id_ed25519 b/krebs/0tests/data/secrets/gollum.id_ed25519
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/krebs/0tests/data/secrets/gollum.id_ed25519
diff --git a/krebs/2configs/wiki.nix b/krebs/2configs/wiki.nix
index 2350e711e..e4f05a6e6 100644
--- a/krebs/2configs/wiki.nix
+++ b/krebs/2configs/wiki.nix
@@ -1,9 +1,41 @@
-{ config, ... }:
+{ config, pkgs, ... }:
+with import <stockholm/lib>;
+let
+ setupGit = ''
+ export PATH=${makeBinPath [ pkgs.git ]}
+ export GIT_SSH_COMMAND='${pkgs.openssh}/bin/ssh -i ${config.krebs.gollum.stateDir}/.ssh/id_ed25519'
+ repo='git@localhost:wiki'
+ cd ${config.krebs.gollum.stateDir}
+ if ! url=$(git config remote.origin.url); then
+ git remote add origin "$repo"
+ elif test "$url" != "$repo"; then
+ git remote set-url origin "$repo"
+ fi
+ '';
+
+ pushGollum = pkgs.writeDash "push_gollum" ''
+ ${setupGit}
+ git fetch origin
+ git merge --ff-only origin/master
+ '';
+
+ pushCgit = pkgs.writeDash "push_cgit" ''
+ ${setupGit}
+ git push origin master
+ '';
+
+in
 {
- services.gollum = {
+ krebs.gollum = {
 enable = true;
+ extraConfig = ''
+ Gollum::Hook.register(:post_commit, :hook_id) do |committer, sha1|
+ system('${pushCgit}')
+ end
+ '';
 };
+ networking.firewall.allowedTCPPorts = [ 80 ];
 services.nginx = {
 enable = true;
@@ -16,4 +48,51 @@
 '';
 };
 };
+
+ krebs.git = {
+ enable = true;
+ cgit.settings = {
+ root-title = "krebs repos";
+ };
+ rules = with git; [
+ {
+ user = [
+ {
+ name = "gollum";
+ pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMXbjDnQWg8EECsNRZZWezocMIiuENhCSQFcFUXcsOQ6";
+ }
+ ] ++ (attrValues config.krebs.users);
+ repo = [ config.krebs.git.repos.wiki ];
+ perm = push ''refs/heads/master'' [ create merge ];
+ }
+ ];
+ repos.wiki = {
+ public = true;
+ name = "wiki";
+ hooks = {
+ post-receive = ''
+ ${pkgs.git-hooks.irc-announce {
+ channel = "#xxx";
+ refs = [
+ "refs/heads/master"
+ ];
+ nick = config.networking.hostName;
+ server = "irc.r";
+ verbose = true;
+ }}
+ /run/wrappers/bin/sudo -S -u gollum ${pushGollum}
+ '';
+ };
+ };
+ };
+
+ krebs.secret.files.gollum = {
+ path = "${config.krebs.gollum.stateDir}/.ssh/id_ed25519";
+ owner = { name = "gollum"; };
+ source-path = "${<secrets/gollum.id_ed25519>}";
+ };
+
+ security.sudo.extraConfig = ''
+ git ALL=(gollum) NOPASSWD: ${pushGollum}
+ '';
 }
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index f3180722d..2772bf986 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -27,6 +27,7 @@ let
 ./github-known-hosts.nix
 ./git.nix
 ./go.nix
+ ./gollum.nix
 ./hidden-ssh.nix
 ./hosts.nix
 ./htgen.nix
diff --git a/krebs/3modules/gollum.nix b/krebs/3modules/gollum.nix
new file mode 100644
index 000000000..4b4e04d16
--- /dev/null
+++ b/krebs/3modules/gollum.nix
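Review bot: `source-path = "${<secrets/gollum.id_ed25519>}"` interpolates a Nix path into a string, which copies the file into the Nix store at evaluation time and yields the world-readable store path, so the private key would land in /nix/store on whichever machine evaluates this config; unless krebs.secret is meant to consume store paths, keep it out of the store with `source-path = toString <secrets> + "/gollum.id_ed25519";`. In the post-receive hook, `-S` on `/run/wrappers/bin/sudo -S -u gollum ${pushGollum}` asks sudo to read a password from stdin, but the hook's stdin carries the updated refs and the sudoers rule at the end of this hunk is NOPASSWD, so the flag is at best unnecessary and can be dropped. pushGollum, defined in the first hunk of this file, runs ssh to localhost non-interactively with `GIT_SSH_COMMAND` selecting the key but nothing about known hosts; unless the localhost host key is already trusted for the gollum user, the first fetch fails on host-key verification, so consider adding a `-o UserKnownHostsFile=<path-to-pinned-key>` to that command or a `programs.ssh.knownHosts` entry for localhost.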
@@ -0,0 +1,112 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.krebs.gollum;
+in
+
+{
+ options.krebs.gollum = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enable the Gollum service.";
+ };
+
+ address = mkOption {
+ type = types.str;
+ default = "0.0.0.0";
+ description = "IP address on which the web server will listen.";
+ };
+
+ port = mkOption {
+ type = types.int;
+ default = 4567;
+ description = "Port on which the web server will run.";
+ };
+
+ extraConfig = mkOption {
+ type = types.lines;
+ default = "";
+ description = "Content of the configuration file";
+ };
+
+ mathjax = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enable support for math rendering using MathJax";
+ };
+
+ allowUploads = mkOption {
+ type = types.nullOr (types.enum [ "dir" "page" ]);
+ default = null;
+ description = "Enable uploads of external files";
+ };
+
+ emoji = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Parse and interpret emoji tags";
+ };
+
+ branch = mkOption {
+ type = types.str;
+ default = "master";
+ example = "develop";
+ description = "Git branch to serve";
+ };
+
+ stateDir = mkOption {
+ type = types.path;
+ default = "/var/lib/gollum";
+ description = "Specifies the path of the repository directory. 
If it does not exist, Gollum will create it on startup."; + }; + + }; + + config = mkIf cfg.enable { + + users.users.gollum = { + group = config.users.users.gollum.name; + description = "Gollum user"; + home = cfg.stateDir; + createHome = false; + isSystemUser = true; + }; + + users.groups.gollum = { }; + + systemd.tmpfiles.rules = [ + "d '${cfg.stateDir}' - ${config.users.users.gollum.name} ${config.users.groups.gollum.name} - -" + ]; + + systemd.services.gollum = { + description = "Gollum wiki"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.git ]; + + preStart = '' + # This is safe to be run on an existing repo + git init ${cfg.stateDir} + ''; + + serviceConfig = { + User = config.users.users.gollum.name; + Group = config.users.groups.gollum.name; + ExecStart = '' + ${pkgs.gollum}/bin/gollum \ + --port ${toString cfg.port} \ + --host ${cfg.address} \ + --config ${pkgs.writeText "gollum-config.rb" cfg.extraConfig} \ + --ref ${cfg.branch} \ + ${optionalString cfg.mathjax "--mathjax"} \ + ${optionalString cfg.emoji "--emoji"} \ + ${optionalString (cfg.allowUploads != null) "--allow-uploads ${cfg.allowUploads}"} \ + ${cfg.stateDir} + ''; + }; + }; + }; +} diff --git a/krebs/3modules/secret.nix b/krebs/3modules/secret.nix index bf2c62cc9..67454d1f7 100644 --- a/krebs/3modules/secret.nix +++ b/krebs/3modules/secret.nix @@ -22,7 +22,7 @@ in { wantedBy = ["multi-user.target"]; serviceConfig = { Type = "oneshot"; - ExecStart = "${pkgs.systemd}/bin/systemctl restart ${file.service}"; + ExecStart = "${pkgs.systemd}/bin/systemctl restart ${shell.escape file.service}"; }; }) cfg.files diff --git a/lass/1systems/blue/config.nix b/lass/1systems/blue/config.nix index 14f4971f7..c46bb351e 100644 --- a/lass/1systems/blue/config.nix +++ b/lass/1systems/blue/config.nix 
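Review bot: `address` defaults to `"0.0.0.0"`, so the gollum web UI — which has no authentication of its own and, with `allowUploads` set, accepts file uploads — listens on every interface of the host; wiki.nix in this commit fronts it with nginx and opens only TCP 80 in the firewall, so the direct port stays reachable from any interface the firewall trusts. Either default `address` to `"127.0.0.1"` here, or set `krebs.gollum.address = "127.0.0.1";` in wiki.nix next to the nginx block that presumably proxies to it. In `ExecStart`, `cfg.address`, `cfg.branch`, `cfg.allowUploads` and `cfg.stateDir` are spliced into the command line unquoted; the same commit adds `shell.escape` to the `ExecStart` in secret.nix, so wrapping these with `escapeShellArg` would be consistent. The option descriptions look carried over verbatim from the nixpkgs `services.gollum` module; if that is its origin, a `# vendored from nixpkgs services.gollum, renamed to krebs.gollum` comment at the top of the file would tell the next reader where the defaults come from.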
@@ -15,14 +15,6 @@ with import <stockholm/lib>; krebs.build.host = config.krebs.hosts.blue; - environment.shellAliases = { - deploy = pkgs.writeDash "deploy" '' - set -eu - export SYSTEM="$1" - $(nix-build $HOME/sync/stockholm/lass/krops.nix --no-out-link --argstr name "$SYSTEM" -A deploy) - ''; - }; - networking.nameservers = [ "1.1.1.1" ]; services.restic.backups = genAttrs [ diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index b0d7ff23b..ae2754c96 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -93,6 +93,7 @@ with import <stockholm/lib>; environment.systemPackages = with pkgs; [ #stockholm + deploy git gnumake jq diff --git a/lass/5pkgs/deploy/default.nix b/lass/5pkgs/deploy/default.nix new file mode 100644 index 000000000..c07cf20d1 --- /dev/null +++ b/lass/5pkgs/deploy/default.nix @@ -0,0 +1,6 @@ +{ writers }: +writers.writeDashBin "deploy" '' + set -eu + export SYSTEM="$1" + $(nix-build $HOME/sync/stockholm/lass/krops.nix --no-out-link --argstr name "$SYSTEM" -A deploy) +'' |