blob: e08503a23c5d1e6d26e59206cd26c2ddc20e6b0c (
plain) (
tree)
|
|
{ config, lib, inputs, pkgs, ... }: with lib; let
cfg = config.santi-modules.services;
git-repo-path = "/server/git-repos";
cgit-config = mkIf cfg.cgit.enable {
environment.systemPackages = [
pkgs.git
];
users.users = {
git = {
description = "git user";
isNormalUser = true;
home = git-repo-path;
openssh.authorizedKeys.keys = [ (builtins.readFile ../secrets/user-ssh-key.pub)] ++ builtins.attrValues (import ../secrets/host-pub-keys.nix);
};
};
systemd.tmpfiles.rules = [
"d ${git-repo-path} 0755 git users"
];
services.cgit.santi = let
org2html = pkgs.writeShellScript "org2md" ''
${pkgs.pandoc}/bin/pandoc \
--from org \
--to html5 \
--sandbox=true \
--html-q-tags \
--ascii \
--standalone \
--wrap=auto \
--embed-resources \
-M document-css=false
'';
in {
enable = true;
scanPath = git-repo-path;
nginx.virtualHost = "git.santi.net.br";
settings = {
readme = ":README.org";
root-title = "index";
root-desc = "public repositories for santi.net.br";
about-filter = toString org2html;
source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py";
enable-git-config = true;
enable-html-cache = false;
enable-blame = true;
enable-log-linecount = true;
enable-index-links = true;
enable-index-owner = false;
enable-commit-graph = true;
remove-suffix = true;
};
};
};
blog-config = let
blog-public-path = "/server/blog";
env = pkgs.buildEnv {
name = "post-receive-env";
paths = [
pkgs.git
pkgs.coreutils
pkgs.gnutar
pkgs.xz
];
};
post-receive = pkgs.writeShellScript "post-receive" ''
export PATH=${env}/bin
set -ex
GIT_DIR=$(${pkgs.git}/bin/git rev-parse --git-dir 2>/dev/null)
if [ -z "$GIT_DIR" ]; then
echo >&2 "fatal: post-receive: GIT_DIR not set"
exit 1
fi
TMPDIR=$(mktemp -d)
function cleanup() {
rm -rf "$TMPDIR"
}
trap cleanup EXIT
${pkgs.git}/bin/git clone "$GIT_DIR" "$TMPDIR"
unset GIT_DIR
cd "$TMPDIR"
${pkgs.hugo}/bin/hugo --destination ${blog-public-path}
'';
in mkIf cfg.blog.enable {
networking.firewall.allowedTCPPorts = [ 80 443 ];
# TODO: enable SSL
services.nginx = {
enable = true;
virtualHosts.${cfg.blog.url} = {
addSSL = true;
enableACME = true;
root = blog-public-path;
};
};
security.acme = {
acceptTerms = true;
certs.${cfg.blog.url}.email = "[email protected]";
};
systemd.tmpfiles.rules = [
"d ${blog-public-path} 0755 git users"
];
systemd.services."blog-prepare-git-repo" = {
wantedBy = [ "multi-user.target" ];
path = [
pkgs.git
];
script = ''
set -ex
cd ${git-repo-path}
chmod +rX ${blog-public-path}
test -e blog || git init --bare blog
ln -nsf ${post-receive} blog/hooks/post-receive
'';
serviceConfig = {
Kind = "one-shot";
User = "git";
};
};
};
ddns-config = mkIf cfg.ddns.enable {
networking.enableIPv6 = true;
services.cloudflared = {
enable = true;
tunnels.iori = {
default = "http_status:404";
credentialsFile = "/var/lib/cloudflared/iori.json";
ingress = {
"santi.net.br" = "http://localhost:80";
"git.santi.net.br" = "http://localhost:80";
};
};
};
services.inadyn = {
enable = true;
user = "leonardo";
group = "users";
settings.provider."cloudflare.com" = {
hostname="ssh.santi.net.br";
username="santi.net.br";
proxied = false;
include = config.age.secrets.cloudflare.path;
};
};
};
in {
options.santi-modules.services = {
blog = {
enable = mkEnableOption "Enable blog hosting";
url = mkOption {
type = types.str;
default = "santi.net.br";
description = "Url to serve blog on";
};
};
cgit.enable = mkEnableOption "Enable cgit instance";
ddns.enable = mkEnableOption "Enable ddns service";
};
config = mkMerge [
cgit-config
blog-config
ddns-config
];
}
|