{ config, lib, pkgs, ... }:
# TODO unify logging of shell scripts to user and journal
# TODO move all scripts to ${etcDir}, so ControlMaster connections
# immediately pick up new authenticators
# TODO when authorized_keys changes, then restart ssh
# (or kill already connected users somehow). sshd re-reads
# authorized_keys on every authentication, so the open problem is only
# the sessions that are already established: they keep running under
# the old forced command until they end.
with import <stockholm/lib>;
let
# Shorthand for this module's evaluated option values.
cfg = config.krebs.git;
out = {
  # Option declarations are kept in `api'; the implementation is split in
  # two halves that are only merged while the module is enabled, and the
  # cgit half additionally only while cgit is enabled.
  options.krebs.git = api;
  config = lib.mkIf cfg.enable (lib.mkMerge [
    (lib.mkIf cfg.cgit.enable cgit-imp)
    git-imp
  ]);
};
api = {
  enable = mkEnableOption "krebs.git";

  # The cgit web frontend. Only repositories with `public = true' are
  # written to cgitrc (see cgit-imp), and cgit.cgi runs under the
  # dedicated fcgiwrap user/group below, not under the git hosting user.
  cgit = mkOption {
    type = types.submodule {
      options = {
        enable = mkEnableOption "krebs.git.cgit" // { default = true; };
        # Identity that fcgiwrap (and therefore cgit.cgi) runs as. It only
        # needs read access to public repositories and the cache-root.
        fcgiwrap = {
          group = mkOption {
            type = types.group;
            default = {
              name = "fcgiwrap";
            };
          };
          user = mkOption {
            type = types.user;
            default = {
              name = "fcgiwrap";
              # A store path: nothing under $HOME is writable at run time.
              home = toString pkgs.empty;
            };
          };
        };
        # Rendered line by line into /etc/cgitrc by cgit-imp.
        settings = mkOption {
          apply = flip removeAttrs ["_module"];
          default = {};
          type = subtypes.cgit-settings;
        };
      };
    };
    default = {};
    description = ''
      Cgit is an attempt to create a fast web interface for the git version
      control system, using a built in cache to decrease pressure on the
      git server.

      cgit in this module is being served via fastcgi nginx.This module
      deploys a http://cgit.<hostname> nginx configuration and enables nginx
      if not yet enabled.
    '';
  };

  # Parent directory of all bare repositories. It is a plain string: the
  # scripts pass it through escapeShellArg, but it is not checked to be
  # an absolute path.
  dataDir = mkOption {
    type = types.str;
    default = "/var/lib/git";
    description = "Directory used to store repositories.";
  };

  # Where the generated authorize-command / authorize-push scripts are
  # linked. Must be below /etc because git-imp materializes it through
  # environment.etc; git-ssh-command and the pre-receive hook call the
  # scripts by this path, so rule changes apply to the next connection
  # without rewriting authorized_keys.
  etcDir = mkOption {
    type = mkOptionType {
      name = "${types.absolute-pathname.name} starting with `/etc/'";
      check = x: types.absolute-pathname.check x && hasPrefix "/etc/" x;
      merge = mergeOneOption;
    };
    default = "/etc/git";
  };

  # Every entry becomes a bare repository under dataDir (see init-script)
  # and, when public, an entry in cgitrc.
  repos = mkOption {
    type = types.attrsOf subtypes.repo;
    default = {};
    example = literalExample ''
      {
        testing = {
          name = "testing";
          hooks.post-update = '''
            #! /bin/sh
            set -euf
            echo post-update hook: $* >&2
          ''';
        };
        testing2 = { name = "testing2"; };
      }
    '';
    description = ''
      Repositories.
    '';
  };

  # Compiled by git-imp into two shell scripts: authorize-command (may
  # this user run this git command on this repo?) and authorize-push
  # (may this user update this ref in this way?). Users and repos are
  # matched by name. The `push' helper in the example presumably comes
  # from <stockholm/lib> -- TODO confirm.
  rules = mkOption {
    type = types.listOf subtypes.rule;
    default = [];
    example = literalExample ''
      singleton {
        user = [ config.krebs.users.tv ];
        repo = [ testing ]; # see literal example of repos
        perm = push "refs/*" (with git; [
          non-fast-forward create delete merge
        ]);
      }
    '';
    description = ''
      access and permission rules for git repositories.
    '';
  };

  # The SSH hosting account. git-imp adds a forced-command key line for
  # every krebs user that has a pubkey, i.e. authentication is "any known
  # user" and authorization is entirely up to `rules'.
  user = mkOption {
    type = types.user;
    default = {
      name = "git";
      # A store path: nothing under $HOME is writable at run time.
      home = toString pkgs.empty;
    };
  };
};
# TODO put into krebs/4lib/types.nix?
subtypes = {
  cgit-settings = types.submodule {
    # A setting's value of `null` means cgit's default should be used.
    options = {
      # NOTE(review): the default lives in /tmp, which is world-writable;
      # cgit-imp's activation script creates and chowns this directory as
      # root. Prefer a location only root can create (e.g. under
      # /var/cache) when overriding.
      cache-root = mkOption {
        type = types.absolute-pathname;
        default = "/tmp/cgit";
      };
      cache-size = mkOption {
        type = types.uint;
        default = 1000;
      };
      # Served by the nginx /static/ location from the cgit package.
      css = mkOption {
        type = types.absolute-pathname;
        default = "/static/cgit.css";
      };
      enable-commit-graph = mkOption {
        type = types.bool;
        default = true;
      };
      enable-index-links = mkOption {
        type = types.bool;
        default = true;
      };
      enable-index-owner = mkOption {
        type = types.bool;
        default = false;
      };
      enable-log-filecount = mkOption {
        type = types.bool;
        default = true;
      };
      enable-log-linecount = mkOption {
        type = types.bool;
        default = true;
      };
      enable-remote-branches = mkOption {
        type = types.bool;
        default = true;
      };
      logo = mkOption {
        type = types.absolute-pathname;
        default = "/static/cgit.png";
      };
      max-stats = mkOption {
        type =
          types.nullOr (types.enum ["week" "month" "quarter" "year"]);
        default = "year";
      };
      # Written as a comma separated list; the default keeps crawlers off
      # the repository browser.
      robots = mkOption {
        type = types.nullOr (types.listOf types.str);
        default = ["nofollow" "noindex"];
      };
      root-desc = mkOption {
        type = types.nullOr types.str;
        default = null;
      };
      root-title = mkOption {
        type = types.nullOr types.str;
        default = null;
      };
      virtual-root = mkOption {
        type = types.nullOr types.absolute-pathname;
        default = "/";
      };
    };
  };

  repo = types.submodule ({ config, ... }: {
    options = {
      # Everything under `cgit' is written verbatim as `repo.<key>=' lines
      # into cgitrc when the repo is public.
      cgit = {
        desc = mkOption {
          type = types.nullOr types.str;
          default = null;
          description = ''
            Repository description.
          '';
        };
        path = mkOption {
          type = types.str;
          default = "${cfg.dataDir}/${config.name}";
          description = ''
            An absolute path to the repository directory. For non-bare
            repositories this is the .git-directory.
          '';
        };
        section = mkOption {
          type = types.nullOr types.str;
          default = null;
          description = ''
            Repository section.
          '';
        };
        url = mkOption {
          type = types.str;
          default = config.name;
          description = ''
            The relative url used to access the repository.
          '';
        };
      };
      collaborators = mkOption {
        type = types.listOf types.user;
        default = [];
        description = ''
          List of users that should be able to fetch from this repo.

          This option is currently not used by krebs.git but instead can be
          used to create rules. See e.g. <stockholm/tv/2configs/git.nix> for
          an example.
        '';
      };
      # Doubles as the directory name below dataDir and as the token the
      # SSH side matches against rules. git-ssh-command only accepts
      # repository names from the set [A-Za-z0-9._-], so a name outside
      # that set is unreachable over SSH; the value is not validated here.
      name = mkOption {
        type = types.str;
        description = ''
          Repository name.
        '';
      };
      # Hook name -> script text. The scripts are written to the store and
      # symlinked as the repo's hooks directory, so git runs them as the
      # hosting user. A `pre-receive' entry is ignored: makeHooks replaces
      # it with the generated authorization hook.
      hooks = mkOption {
        type = types.attrsOf types.str;
        default = {};
        description = ''
          Repository-specific hooks.
        '';
      };
      # Also decides the directory mode init-script uses (0711 vs 0700).
      public = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Allow everybody to read the repository via HTTP if cgit enabled.
        '';
        # TODO allow every configured user to fetch the repository via SSH.
      };
    };
  });

  rule = types.submodule ({ config, ... }: {
    options = {
      # Matched by user name, spliced unescaped into a shell `case' pattern
      # (see makeAuthorizeScript).
      user = mkOption {
        type = types.listOf types.user;
        description = ''
          List of users this rule should apply to.
          Checked by authorize-command.
        '';
      };
      # Matched by repo name, same mechanism as `user'.
      repo = mkOption {
        type = types.listOf subtypes.repo;
        description = ''
          List of repos this rule should apply to.
          Checked by authorize-command.
        '';
      };
      perm = mkOption {
        type = types.submodule {
          # TODO generate enum argument from krebs/4lib/git.nix
          options = {
            allow-commands = mkOption {
              type = types.listOf (types.enum (with git; [
                git-receive-pack
                git-upload-pack
              ]));
              default = [];
              description = ''
                List of commands the rule's users are allowed to execute.
                Checked by authorize-command.
              '';
            };
            # Used verbatim as a shell `case' pattern, so globs such as
            # "refs/*" work. Rules with `null' here are left out of
            # authorize-push entirely.
            allow-receive-ref = mkOption {
              type = types.nullOr types.str;
              default = null;
              description = ''
                Ref that can receive objects.
                Checked by authorize-push.
              '';
            };
            # NOTE(review): the generated pre-receive hook only ever
            # classifies an update as create, delete, fast-forward or
            # non-fast-forward, so `merge' listed here never matches.
            allow-receive-modes = mkOption {
              type = types.listOf (types.enum (with git; [
                fast-forward
                non-fast-forward
                create
                delete
                merge
              ]));
              default = [];
              description = ''
                List of allowed receive modes.
                Checked by pre-receive hook.
              '';
            };
          };
        };
        description = ''
          Permissions granted.
        '';
      };
    };
  });
};
git-imp = {
  # Runs as root on every activation: creates missing bare repositories
  # and (re)links their hooks directories.
  system.activationScripts.git-init = "${init-script}";

  # TODO maybe put all scripts here and then use PATH?
  # The two authorization scripts are looked up by path under etcDir at
  # run time (by git-ssh-command and by the pre-receive hook), so a
  # rebuilt rule set takes effect without touching authorized_keys.
  environment.etc.${removePrefix "/etc/" cfg.etcDir}.source =
    scriptFarm "git-ssh-authorizers" {
      # Positional arguments: user, repo, git command.
      authorize-command = makeAuthorizeScript (map (rule: [
        (map getName (toList rule.user))
        (map getName (toList rule.repo))
        (map getName rule.perm.allow-commands)
      ]) cfg.rules);

      # Positional arguments: user, repo, ref, receive mode. Rules
      # without an allow-receive-ref can never grant a push and are
      # omitted.
      authorize-push = makeAuthorizeScript (map (rule: [
        (map getName (toList rule.user))
        (map getName (toList rule.repo))
        (toList rule.perm.allow-receive-ref)
        (map getName rule.perm.allow-receive-modes)
      ]) (filter (rule: rule.perm.allow-receive-ref != null) cfg.rules));
    };

  users.users.${cfg.user.name} = {
    inherit (cfg.user) home name uid;
    description = "Git repository hosting user";
    # sshd executes the forced command through the login shell, so the
    # account needs a real shell even though nobody gets an interactive
    # session (every key line carries command= and no-pty).
    shell = "/bin/sh";
    # Every krebs user with a string pubkey may authenticate as this
    # account; what they may then do is decided solely by cfg.rules.
    openssh.authorizedKeys.keys =
      mapAttrsToList (_: makeAuthorizedKey git-ssh-command)
        (filterAttrs (_: user: isString user.pubkey)
          config.krebs.users);
  };
};
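cgit-imp = {
  # cgit.cgi runs as this dedicated identity, kept apart from the git
  # hosting user so the web side only ever reads repositories.
  users = {
    groups.${cfg.cgit.fcgiwrap.group.name} = {
      inherit (cfg.cgit.fcgiwrap.group) name gid;
    };
    users.${cfg.cgit.fcgiwrap.user.name} = {
      inherit (cfg.cgit.fcgiwrap.user) home name uid;
      group = cfg.cgit.fcgiwrap.group.name;
    };
  };

  services.fcgiwrap = {
    enable = true;
    user = cfg.cgit.fcgiwrap.user.name;
    group = cfg.cgit.fcgiwrap.group.name;
    # socketAddress = "/run/fcgiwrap.sock" (default)
    # socketType = "unix" (default)
  };

  # cgitrc lists exactly the public repositories; no scan-path is set, so
  # cgit cannot discover private ones on its own.
  environment.etc."cgitrc".text = let
    repo-to-cgitrc = _: repo:
      optionals (isPublicRepo repo) (concatLists [
        [""] # empty line
        [(kv-to-cgitrc "repo.url" repo.cgit.url)]
        (mapAttrsToList kv-to-cgitrc
          (mapAttrs' (k: nameValuePair "repo.${k}")
            (removeAttrs repo.cgit ["url"])))
      ]);

    # One cgitrc line per setting, dispatched on the Nix type of the value.
    kv-to-cgitrc = k: v: getAttr (typeOf v) {
      bool = kv-to-cgitrc k (if v then 1 else 0);
      null = []; # This will be removed by `flatten`.
      # Lists are joined and then take the string path below.
      list = kv-to-cgitrc k (concatStringsSep ", " v);
      int = "${k}=${toString v}";
      # cgitrc is line oriented: a value containing a newline would start
      # a new directive (e.g. a `repo.path=' pointing elsewhere), so such
      # values are refused at evaluation time.
      string =
        assert builtins.match "[^\n]*" v != null;
        "${k}=${v}";
    };
  in
    concatStringsSep "\n"
      (flatten (
        mapAttrsToList kv-to-cgitrc cfg.cgit.settings
        ++
        mapAttrsToList repo-to-cgitrc cfg.repos
      ));

  # Runs as root. The default cache-root is inside /tmp, which anyone can
  # write to: a pre-planted symlink there must not be followed by chown,
  # hence the -L check and `chown -h'. No `exit' here -- activation script
  # fragments share one shell, so a failure only skips this step.
  # NOTE(review): if the fcgiwrap unit runs with PrivateTmp, a cache-root
  # under /tmp is not the directory prepared here -- confirm.
  system.activationScripts.cgit = ''
    cache_root=${escapeShellArg cfg.cgit.settings.cache-root}
    if test -L "$cache_root"; then
      echo "warning: cgit cache-root $cache_root is a symlink, not touching it" >&2
    else
      mkdir -m 0700 -p "$cache_root"
      chown -h ${toString cfg.cgit.fcgiwrap.user.uid}:${toString cfg.cgit.fcgiwrap.group.gid} "$cache_root"
    fi
  '';

  krebs.nginx = {
    enable = true;
    servers.cgit = {
      server-names = [
        "cgit.${config.networking.hostName}"
        "cgit.${config.networking.hostName}.r"
        "cgit.${config.networking.hostName}.retiolum"
      ];
      locations = [
        # SCRIPT_FILENAME is pinned to cgit.cgi, so the client cannot pick
        # which script fcgiwrap executes; only PATH_INFO/QUERY_STRING
        # reach cgit.
        (nameValuePair "/" ''
          include ${pkgs.nginx}/conf/fastcgi_params;
          fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi;
          fastcgi_param PATH_INFO $uri;
          fastcgi_param QUERY_STRING $args;
          fastcgi_param HTTP_HOST $server_name;
          fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
        '')
        # Static assets come straight from the cgit package in the store.
        (nameValuePair "/static/" ''
          root ${pkgs.cgit}/cgit;
          rewrite ^/static(/.*)$ $1 break;
        '')
      ];
    };
  };
};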
# Project an attribute set (user, repo, git command/mode) onto its name.
getName = getAttr "name";
# A repo is public when its `public' flag is set; this decides both the
# cgitrc listing and the repository directory mode. # TODO this is also in ./cgit.nix
isPublicRepo = repo: repo.public;
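# Build one authorized_keys line for a krebs user: the key is bound to
# git-ssh-command (with the user name as its only argument) and stripped
# of every interactive capability.
#
# `name' is spliced unquoted into the command="..." option and becomes $1
# of git-ssh-command, so it must be a single token without quotes,
# backslashes or whitespace; the same character set git-ssh-command
# accepts for repository names is enforced. `pubkey' must be a single
# line, otherwise it could carry a second, unrestricted key entry.
# Both come from evaluated config, so a violation fails the build.
# NOTE(review): OpenSSH >= 7.2 offers `restrict', which also disables
# options added in later releases; the explicit no-* list below is what
# older servers understand.
makeAuthorizedKey = git-ssh-command: user@{ name, pubkey, ... }:
  assert builtins.match "[A-Za-z0-9._-]+" name != null;
  assert builtins.match "[^\n]+" pubkey != null;
  let
    options = concatStringsSep "," [
      ''command="exec ${git-ssh-command} ${name}"''
      "no-agent-forwarding"
      "no-port-forwarding"
      "no-pty"
      # home is a store path, so there is no ~/.ssh/rc anyway; deny it
      # explicitly in case that ever changes.
      "no-user-rc"
      "no-X11-forwarding"
    ];
  in
  "${options} ${pubkey}";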
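# [case-pattern] -> shell-script
# Create a shell script that succeeds (exit 0) when all its arguments
# match the case patterns (in the given order).
#
# Security notes:
# - Every pattern element is spliced verbatim into a shell `case'
#   pattern, so `*', `?', `[', `|' and `)' in a user or repo name change
#   what matches (allow-receive-ref relies on this for "refs/*"). The
#   values come from evaluated config, never from the network.
# - A position with no alternatives would render as `case $i in )', a
#   syntax error that breaks the whole script and with it every rule.
#   Such a rule cannot match anything anyway, so it is dropped.
# - Unmatched arguments fall through to the final `exit 1' (fail closed).
makeAuthorizeScript =
  let
    # TODO escape
    to-pattern = x: concatStringsSep "|" (toList x);
    # True when every position of a rule has at least one alternative.
    is-complete = ps: all (p: toList p != []) ps;
    go = i: ps:
      if ps == []
        then "exit 0"
        else ''
          case ''$${toString i} in ${to-pattern (head ps)})
            ${go (i + 1) (tail ps)}
          esac'';
  in
  patterns: ''
    #! /bin/sh
    set -euf
    ${concatStringsSep "\n" (map (go 1) (filter is-complete patterns))}
    exit 1
  '';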
# Sorted, de-duplicated repo names of a rule list.
# NOTE(review): nothing in this file calls this, and `rule.repo' is
# declared as a list, so `.repo.name' would fail on current rules --
# looks stale, confirm before using.
reponames = rules:
  let
    names = map (rule: rule.repo.name) rules;
  in
  sort lessThan (unique names);
# TODO use `writeOut`
# Turn { name = "script text"; ... } into one store directory that holds
# an executable per attribute (each written with pkgs.writeScript). Used
# for the authorize-* scripts and for per-repo hook directories.
scriptFarm =
  farm-name: scripts:
    pkgs.linkFarm farm-name (mapAttrsToList (script-name: text: {
      name = script-name;
      path = pkgs.writeScript "${farm-name}_${script-name}" text;
    }) scripts);
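git-ssh-command = pkgs.writeScript "git-ssh-command" ''
  #! /bin/sh
  # Forced command for every key in the git user's authorized_keys (see
  # makeAuthorizedKey). $1 is the krebs user name baked into the key
  # line; the requested git command and repository come from
  # $SSH_ORIGINAL_COMMAND, which the client controls and which is
  # therefore reduced to two single-token values before anything runs.
  set -euf

  # Store paths only: the exec'd "$command" is resolved here and nowhere
  # the client can influence.
  PATH=${makeBinPath (with pkgs; [
    coreutils
    git
    gnugrep
    gnused
    systemd
  ])}

  abort() {
    echo "error: $1" >&2
    systemd-cat -p err -t git echo "error: $1"
    exit 1
  }

  GIT_SSH_USER=$1

  systemd-cat -p info -t git echo \
    "authorizing $GIT_SSH_USER $SSH_CONNECTION $SSH_ORIGINAL_COMMAND"

  # Git clients send: <command> '<repository>'. The expression is
  # anchored at both ends so trailing text cannot ride along, and printf
  # is used instead of echo so a value starting with `-' is not taken as
  # an option. An unset $SSH_ORIGINAL_COMMAND (interactive login attempt)
  # trips `set -u' and ends the session here.
  command=$(printf '%s\n' "$SSH_ORIGINAL_COMMAND" \
    | sed -n 's/^\([^ ]*\) '"'"'\(.*\)'"'"'$/\1/p')

  GIT_SSH_REPO=$(printf '%s\n' "$SSH_ORIGINAL_COMMAND" \
    | sed -n 's/^\([^ ]*\) '"'"'\(.*\)'"'"'$/\2/p')

  # References: The Base Definitions volume of
  # POSIX.1‐2013, Section 3.278, Portable Filename Character Set
  # Both values must be exactly one non-empty token of that set. The
  # `case' check (unlike grep) also rejects embedded newlines, so a
  # multi-line $SSH_ORIGINAL_COMMAND cannot smuggle a second command or
  # repository, and `.'/`..' are refused so $repodir stays below dataDir.
  case $command in
    ""|*[!A-Za-z0-9._-]*) abort 'cannot read command' ;;
  esac
  case $GIT_SSH_REPO in
    ""|.|..|*[!A-Za-z0-9._-]*) abort 'cannot read reponame' ;;
  esac

  # Rules are consulted via etcDir, so a rebuilt configuration applies
  # to the next connection without a new authorized_keys.
  ${cfg.etcDir}/authorize-command \
    "$GIT_SSH_USER" "$GIT_SSH_REPO" "$command" \
    || abort 'access denied'

  repodir=${escapeShellArg cfg.dataDir}/$GIT_SSH_REPO

  systemd-cat -p info -t git \
    echo "authorized exec $command $repodir"

  # The generated pre-receive hook authorizes individual ref updates
  # against these two variables.
  export GIT_SSH_USER
  export GIT_SSH_REPO
  exec "$command" "$repodir"
'';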
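init-script = pkgs.writeScript "git-init" ''
  #! /bin/sh
  # Activation-time (root) maintenance of dataDir: create missing bare
  # repositories, keep their directory mode in line with `public', and
  # point every managed repo's hooks directory at the generated hook farm.
  set -euf

  PATH=${makeBinPath (with pkgs; [
    coreutils
    findutils
    gawk
    git
    gnugrep
    gnused
  ])}

  dataDir=${escapeShellArg cfg.dataDir}
  mkdir -p "$dataDir"

  # Notice how the presence of hooks symlinks determine whether
  # we manage a repositry or not.

  # Make sure that no existing repository has hooks. We can delete
  # symlinks because we assume we created them. A real hooks directory
  # is something we did not create and could contain arbitrary code that
  # would run as the hosting user, so refuse to continue.
  find "$dataDir" -mindepth 2 -maxdepth 2 -name hooks -type l -delete
  bad_hooks=$(find "$dataDir" -mindepth 2 -maxdepth 2 -name hooks)
  if echo "$bad_hooks" | grep -q .; then
    printf 'error: unknown hooks:\n%s\n' \
      "$(echo "$bad_hooks" | sed 's/^/ /')" \
      >&2
    exit 1
  fi

  # Initialize repositories.
  ${concatMapStringsSep "\n" (repo:
    let
      hooks = scriptFarm "git-hooks" (makeHooks repo);
    in
    ''
      reponame=${escapeShellArg repo.name}
      repodir=$dataDir/$reponame
      # Nix has no octal literals: 0711/0700 evaluate to the decimal
      # numbers 711/700, which mkdir/chmod then read as octal modes.
      # 0711 lets the fcgiwrap user traverse into public repos.
      mode=${toString (if isPublicRepo repo then 0711 else 0700)}
      if ! test -d "$repodir"; then
        mkdir -m "$mode" "$repodir"
        git init --bare --template=/var/empty "$repodir"
        # Owner is the configured hosting user, not a hard-coded "git".
        chown -R ${escapeShellArg cfg.user.name}:nogroup "$repodir"
      fi
      # Re-apply on every run so flipping `public' off actually tightens
      # an existing repository instead of leaving it at 0711.
      chmod "$mode" "$repodir"
      ln -s ${hooks} "$repodir/hooks"
    ''
  ) (attrValues cfg.repos)}

  # Warn about repositories that exist but aren't mentioned in the
  # current configuration (and thus didn't receive a hooks symlink).
  unknown_repos=$(find "$dataDir" -mindepth 1 -maxdepth 1 \
    -type d \! -exec test -e '{}/hooks' \; -print)
  if echo "$unknown_repos" | grep -q .; then
    printf 'warning: stale repositories:\n%s\n' \
      "$(echo "$unknown_repos" | sed 's/^/ /')" \
      >&2
  fi
'';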
# Hook set for one repository: the user's hooks, except that `pre-receive'
# is always the generated authorization hook below.
# NOTE(review): because only `pre-receive' is removed, a user-supplied
# `post-receive' is installed as a real hook AND inlined at the end of
# this pre-receive (i.e. before any ref is updated); it therefore appears
# to run twice -- confirm whether that is intended.
makeHooks = repo: removeAttrs repo.hooks [ "pre-receive" ] // {
  pre-receive = ''
    #! /bin/sh
    # Runs as the hosting user inside git-receive-pack. Reads one
    # "<oldrev> <newrev> <ref>" line per ref update from stdin, asks
    # authorize-push about each, and rejects the whole push if any update
    # is denied. GIT_SSH_USER/GIT_SSH_REPO are exported by
    # git-ssh-command; under `set -u' a push that did not come through it
    # (e.g. a local push) aborts here.
    set -euf

    PATH=${makeBinPath (with pkgs; [
      coreutils # env
      git
      systemd
    ])}

    # Decisions are collected and logged once after the loop.
    accept() {
      #systemd-cat -p info -t git echo "authorized $1"
      accept_string="''${accept_string+$accept_string
      }authorized $1"
    }
    reject() {
      #systemd-cat -p err -t git echo "denied $1"
      #echo 'access denied' >&2
      #exit_code=-1
      reject_string="''${reject_string+$reject_string
      }access denied: $1"
    }

    # The all-zero object id git uses for "no ref" (SHA-1 repositories;
    # a SHA-256 repository would use 64 zeros -- not handled here).
    empty=0000000000000000000000000000000000000000

    accept_string=
    reject_string=
    while read oldrev newrev ref; do

      # Classify the update; `merge' from allow-receive-modes is never
      # produced. A failing merge-base (unrelated histories) yields an
      # empty string inside the condition, which counts as
      # non-fast-forward rather than aborting the hook.
      if [ $oldrev = $empty ]; then
        receive_mode=create
      elif [ $newrev = $empty ]; then
        receive_mode=delete
      elif [ "$(git merge-base $oldrev $newrev)" = $oldrev ]; then
        receive_mode=fast-forward
      else
        receive_mode=non-fast-forward
      fi

      # Arguments must match authorize-push's pattern order:
      # user, repo, ref, receive mode.
      if ${cfg.etcDir}/authorize-push \
          "$GIT_SSH_USER" "$GIT_SSH_REPO" "$ref" "$receive_mode"; then
        accept "$receive_mode $ref"
      else
        reject "$receive_mode $ref"
      fi
    done

    # One denied ref rejects the entire push (git applies all or nothing
    # for a non-zero pre-receive exit).
    if [ -n "$reject_string" ]; then
      systemd-cat -p err -t git echo "$reject_string"
      exit -1
    fi

    systemd-cat -p info -t git echo "$accept_string"

    ${optionalString (hasAttr "post-receive" repo.hooks) ''
      # custom post-receive hook
      ${repo.hooks.post-receive}''}
  '';
};
in
out