Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/misc/gitea.nix | 32 | ||||
-rw-r--r-- | nixos/tests/atuin.nix | 2 | ||||
-rw-r--r-- | nixos/tests/gitea.nix | 25 |
3 files changed, 41 insertions, 18 deletions
diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix
index 14bf6aebb681..014c5b16097c 100644
--- a/nixos/modules/services/misc/gitea.nix
+++ b/nixos/modules/services/misc/gitea.nix
@@ -5,7 +5,7 @@ with lib;
let
cfg = config.services.gitea;
opt = options.services.gitea;
- gitea = cfg.package;
+ exe = lib.getExe cfg.package;
pg = config.services.postgresql;
useMysql = cfg.database.type == "mysql";
usePostgresql = cfg.database.type == "postgres";
@@ -248,7 +248,7 @@ in
staticRootPath = mkOption {
type = types.either types.str types.path;
- default = gitea.data;
+ default = cfg.package.data;
defaultText = literalExpression "package.data";
example = "/var/lib/gitea/data";
description = lib.mdDoc "Upper level of template and static files path.";
@@ -481,14 +481,14 @@ in
# If we have a folder or symlink with gitea locales, remove it
# And symlink the current gitea locales in place
- "L+ '${cfg.stateDir}/conf/locale' - - - - ${gitea.out}/locale"
+ "L+ '${cfg.stateDir}/conf/locale' - - - - ${cfg.package.out}/locale"
];
systemd.services.gitea = {
description = "gitea";
after = [ "network.target" ] ++ lib.optional usePostgresql "postgresql.service" ++ lib.optional useMysql "mysql.service";
wantedBy = [ "multi-user.target" ];
- path = [ gitea pkgs.git pkgs.gnupg ];
+ path = [ cfg.package pkgs.git pkgs.gnupg ];
# In older versions the secret naming for JWT was kind of confusing.
# The file jwt_secret hold the value for LFS_JWT_SECRET and JWT_SECRET
@@ -512,7 +512,7 @@ in
cp -f ${configFile} ${runConfig}
if [ ! -s ${secretKey} ]; then
- ${gitea}/bin/gitea generate secret SECRET_KEY > ${secretKey}
+ ${exe} generate secret SECRET_KEY > ${secretKey}
fi
# Migrate LFS_JWT_SECRET filename
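Review bot: The SECRET_KEY written on the `+` line of the `@@ -512` hunk is created by a bare shell redirection, so its mode is whatever the process umask yields at creation time; unless the unit sets `UMask=` or an earlier part of preStart sets `umask` (neither is visible here — the preStart script and `serviceConfig` both start and end outside this hunk), a default 022 leaves the file group/world readable and its protection rests entirely on the permissions of the enclosing conf directory. Since the line is being rewritten anyway, I would create the file restrictively: `(umask 077; ${exe} generate secret SECRET_KEY > ${secretKey})`. The same pattern recurs for JWT_SECRET, LFS_JWT_SECRET and INTERNAL_TOKEN in the next hunk and deserves the same treatment.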
@@ -521,15 +521,15 @@ in
fi
if [ ! -s ${oauth2JwtSecret} ]; then
- ${gitea}/bin/gitea generate secret JWT_SECRET > ${oauth2JwtSecret}
+ ${exe} generate secret JWT_SECRET > ${oauth2JwtSecret}
fi
if [ ! -s ${lfsJwtSecret} ]; then
- ${gitea}/bin/gitea generate secret LFS_JWT_SECRET > ${lfsJwtSecret}
+ ${exe} generate secret LFS_JWT_SECRET > ${lfsJwtSecret}
fi
if [ ! -s ${internalToken} ]; then
- ${gitea}/bin/gitea generate secret INTERNAL_TOKEN > ${internalToken}
+ ${exe} generate secret INTERNAL_TOKEN > ${internalToken}
fi
chmod u+w '${runConfig}'
@@ -548,15 +548,15 @@ in
''}
# run migrations/init the database
- ${gitea}/bin/gitea migrate
+ ${exe} migrate
# update all hooks' binary paths
- ${gitea}/bin/gitea admin regenerate hooks
+ ${exe} admin regenerate hooks
# update command option in authorized_keys
if [ -r ${cfg.stateDir}/.ssh/authorized_keys ]
then
- ${gitea}/bin/gitea admin regenerate keys
+ ${exe} admin regenerate keys
fi
'';
@@ -565,7 +565,7 @@ in
User = cfg.user;
Group = "gitea";
WorkingDirectory = cfg.stateDir;
- ExecStart = "${gitea}/bin/gitea web --pid /run/gitea/gitea.pid";
+ ExecStart = "${exe} web --pid /run/gitea/gitea.pid";
Restart = "always";
# Runtime directory and mode
RuntimeDirectory = "gitea";
@@ -597,7 +597,7 @@ in
PrivateMounts = true;
# System Call Filtering
SystemCallArchitectures = "native";
- SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap";
+ SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
};
environment = {
@@ -635,7 +635,7 @@ in
systemd.services.gitea-dump = mkIf cfg.dump.enable {
description = "gitea dump";
after = [ "gitea.service" ];
- path = [ gitea ];
+ path = [ cfg.package ];
environment = {
USER = cfg.user;
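Review bot: Dropping `@memlock` from the `SystemCallFilter` deny list in the `@@ -597` hunk relaxes the unit's sandbox with no comment explaining why, and the rest of the diff only hints at the reason. The likely driver is commit signing — the companion test hunk imports a GPG key into gitea's home, and gpg locks its secure-memory pool with mlock(2), which the old filter would have answered with SIGSYS — but that is inferred from the test, not shown by this hunk. I would record the rationale next to the line so a later hardening pass does not silently reinstate it: `# @memlock is left unfiltered on purpose: gpg, spawned by gitea for commit signing,` / `# mlock(2)s its secure memory and would otherwise be killed with SIGSYS`. The surrounding `serviceConfig` attribute set starts and ends outside this hunk.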
@@ -646,7 +646,7 @@ in
serviceConfig = {
Type = "oneshot";
User = cfg.user;
- ExecStart = "${gitea}/bin/gitea dump --type ${cfg.dump.type}" + optionalString (cfg.dump.file != null) " --file ${cfg.dump.file}";
+ ExecStart = "${exe} dump --type ${cfg.dump.type}" + optionalString (cfg.dump.file != null) " --file ${cfg.dump.file}";
WorkingDirectory = cfg.dump.backupDir;
};
};
@@ -658,5 +658,5 @@ in
timerConfig.OnCalendar = cfg.dump.interval;
};
};
- meta.maintainers = with lib.maintainers; [ srhb ma27 ];
+ meta.maintainers = with lib.maintainers; [ srhb ma27 thehedgeh0g ];
}
diff --git a/nixos/tests/atuin.nix b/nixos/tests/atuin.nix
index 85213d1e53ea..2bc5494f5556 100644
--- a/nixos/tests/atuin.nix
+++ b/nixos/tests/atuin.nix
@@ -54,7 +54,7 @@ with lib;
client.execute("echo 'sync_address = \"http://server:${toString testPort}\"' > ~/.config/atuin/config.toml")
# log in to atuin server on client node
- client.succeed(f"${atuin}/bin/atuin login -u ${testUser} -p ${testPass} -k {key}")
+ client.succeed(f"${atuin}/bin/atuin login -u ${testUser} -p ${testPass} -k \"{key}\"")
# pull records from atuin server
client.succeed("${atuin}/bin/atuin sync -f")
diff --git a/nixos/tests/gitea.nix b/nixos/tests/gitea.nix
index d856ecca9a13..da61abd84e89 100644
--- a/nixos/tests/gitea.nix
+++ b/nixos/tests/gitea.nix
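Review bot: On the rewritten `ExecStart` line of the `@@ -646` hunk, `cfg.dump.file` is interpolated unquoted into a string that systemd splits on whitespace, so a backup file name containing a space is handed to `gitea dump` as several arguments (and a quote character breaks unit parsing); this predates the commit, but the line is being touched. systemd honours single-quoted words in `ExecStart=`, so for the common case the Nix shell quoting helper is sufficient: `+ optionalString (cfg.dump.file != null) " --file ${lib.escapeShellArg cfg.dump.file}"`. `cfg.dump.type` is presumably constrained by its option type (an enum would make it safe); if it is a free-form `str` it deserves the same treatment. The `gitea-dump` unit and its `serviceConfig` set continue outside this hunk.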
@@ -8,6 +8,21 @@ with import ../lib/testing-python.nix { inherit system pkgs; };
with pkgs.lib;
let
+ ## gpg --faked-system-time='20230301T010000!' --quick-generate-key snakeoil ed25519 sign
+ signingPrivateKey = ''
+ -----BEGIN PGP PRIVATE KEY BLOCK-----
+
+ lFgEY/6jkBYJKwYBBAHaRw8BAQdADXiZRV8RJUyC9g0LH04wLMaJL9WTc+szbMi7
+ 5fw4yP8AAQCl8EwGfzSLm/P6fCBfA3I9znFb3MEHGCCJhJ6VtKYyRw7ktAhzbmFr
+ ZW9pbIiUBBMWCgA8FiEE+wUM6VW/NLtAdSixTWQt6LZ4x50FAmP+o5ACGwMFCQPC
+ ZwAECwkIBwQVCgkIBRYCAwEAAh4FAheAAAoJEE1kLei2eMedFTgBAKQs1oGFZrCI
+ TZP42hmBTKxGAI1wg7VSdDEWTZxut/2JAQDGgo2sa4VHMfj0aqYGxrIwfP2B7JHO
+ GCqGCRf9O/hzBA==
+ =9Uy3
+ -----END PGP PRIVATE KEY BLOCK-----
+ '';
+ signingPrivateKeyId = "4D642DE8B678C79D";
+
supportedDbTypes = [ "mysql" "postgres" "sqlite3" ];
makeGiteaTest = type: nameValuePair type (makeTest {
name = "${giteaPackage.pname}-${type}";
@@ -21,8 +36,9 @@ let
database = { inherit type; };
package = giteaPackage;
settings.service.DISABLE_REGISTRATION = true;
+ settings."repository.signing".SIGNING_KEY = signingPrivateKeyId;
};
- environment.systemPackages = [ giteaPackage pkgs.jq ];
+ environment.systemPackages = [ giteaPackage pkgs.gnupg pkgs.jq ];
services.openssh.enable = true;
};
client1 = { config, pkgs, ... }: {
@@ -59,6 +75,13 @@ let
server.succeed("curl --fail http://localhost:3000/")
server.succeed(
+ "su -l gitea -c 'gpg --homedir /var/lib/gitea/data/home/.gnupg " +
+ "--import ${toString (pkgs.writeText "gitea.key" signingPrivateKey)}'"
+ )
+
+ assert "BEGIN PGP PUBLIC KEY BLOCK" in server.succeed("curl http://localhost:3000/api/v1/signing-key.gpg")
+
+ server.succeed(
"curl --fail http://localhost:3000/user/sign_up | grep 'Registration is disabled. " +
"Please contact your site administrator.'"
) |
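Review bot: The comment above `signingPrivateKey` in the `@@ -8` hunk records how the snakeoil key was generated but not how long it is valid: the quoted `--quick-generate-key` invocation passes no expiry argument, and as far as I recall GnuPG then applies its default key lifetime (two years in the 2.2 series), which with the faked system time of 2023-03-01 would expire the key on 2025-03-01 — after that gpg refuses to sign with it and whatever part of the test exercises signed commits (outside this hunk) fails for reasons unrelated to any change. This is inferred from the command line, not verified against the key packets, so it is worth a `gpg --list-keys` check. If it holds, regenerate with an explicit `never` and document it, e.g. `## gpg --faked-system-time='20230301T010000!' --quick-generate-key snakeoil ed25519 sign never`; otherwise at least note the expiry date next to the key so the failure is recognisable. A one-line `# test-only key, no passphrase — never reuse outside this test` above the block would also make explicit what the `snakeoil` name only implies.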
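Review bot: The new `assert ... in server.succeed("curl http://localhost:3000/api/v1/signing-key.gpg")` line in the `@@ -59` hunk omits the `--fail` flag that both other curl calls visible in this hunk pass, so an HTTP error surfaces as a substring mismatch against an HTML error body instead of as a failed command with a status code; `curl --fail http://localhost:3000/api/v1/signing-key.gpg` keeps the assertion meaningful and the failure readable. The `gpg --import` on the preceding added lines also hard-codes `/var/lib/gitea/data/home/.gnupg` as the keyring gitea is expected to consult; the assertion would catch a mismatch, but a short comment tying that path to the `HOME` the unit gives gitea (set outside this hunk, presumably in the module's `environment` block) would save the next reader a search. The enclosing Python test script continues beyond the hunk.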