summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--krebs/0tests/data/secrets/gollum.id_ed255190
-rw-r--r--krebs/2configs/wiki.nix83
-rw-r--r--krebs/3modules/default.nix1
-rw-r--r--krebs/3modules/gollum.nix112
-rw-r--r--krebs/3modules/secret.nix2
-rw-r--r--lass/1systems/blue/config.nix8
-rw-r--r--lass/2configs/default.nix1
-rw-r--r--lass/5pkgs/deploy/default.nix6
8 files changed, 202 insertions, 11 deletions
diff --git a/krebs/0tests/data/secrets/gollum.id_ed25519 b/krebs/0tests/data/secrets/gollum.id_ed25519
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/krebs/0tests/data/secrets/gollum.id_ed25519
diff --git a/krebs/2configs/wiki.nix b/krebs/2configs/wiki.nix
index 2350e711e..e4f05a6e6 100644
--- a/krebs/2configs/wiki.nix
+++ b/krebs/2configs/wiki.nix
@@ -1,9 +1,41 @@
-{ config, ... }:
+{ config, pkgs, ... }:
+with import <stockholm/lib>;
+let
+ setupGit = ''
+ export PATH=${makeBinPath [ pkgs.git ]}
+ export GIT_SSH_COMMAND='${pkgs.openssh}/bin/ssh -i ${config.krebs.gollum.stateDir}/.ssh/id_ed25519'
+ repo='git@localhost:wiki'
+ cd ${config.krebs.gollum.stateDir}
+ if ! url=$(git config remote.origin.url); then
+ git remote add origin "$repo"
+ elif test "$url" != "$repo"; then
+ git remote set-url origin "$repo"
+ fi
+ '';
+
+ pushGollum = pkgs.writeDash "push_gollum" ''
+ ${setupGit}
+ git fetch origin
+ git merge --ff-only origin/master
+ '';
+
+ pushCgit = pkgs.writeDash "push_cgit" ''
+ ${setupGit}
+ git push origin master
+ '';
+
+in
{
- services.gollum = {
+ krebs.gollum = {
enable = true;
+ extraConfig = ''
+ Gollum::Hook.register(:post_commit, :hook_id) do |committer, sha1|
+ system('${pushCgit}')
+ end
+ '';
};
+
networking.firewall.allowedTCPPorts = [ 80 ];
services.nginx = {
enable = true;
@@ -16,4 +48,51 @@
'';
};
};
+
+ krebs.git = {
+ enable = true;
+ cgit.settings = {
+ root-title = "krebs repos";
+ };
+ rules = with git; [
+ {
+ user = [
+ {
+ name = "gollum";
+ pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMXbjDnQWg8EECsNRZZWezocMIiuENhCSQFcFUXcsOQ6";
+ }
+ ] ++ (attrValues config.krebs.users);
+ repo = [ config.krebs.git.repos.wiki ];
+ perm = push ''refs/heads/master'' [ create merge ];
+ }
+ ];
+ repos.wiki = {
+ public = true;
+ name = "wiki";
+ hooks = {
+ post-receive = ''
+ ${pkgs.git-hooks.irc-announce {
+ channel = "#xxx";
+ refs = [
+ "refs/heads/master"
+ ];
+ nick = config.networking.hostName;
+ server = "irc.r";
+ verbose = true;
+ }}
+ /run/wrappers/bin/sudo -S -u gollum ${pushGollum}
+ '';
+ };
+ };
+ };
+
+ krebs.secret.files.gollum = {
+ path = "${config.krebs.gollum.stateDir}/.ssh/id_ed25519";
+ owner = { name = "gollum"; };
+ source-path = "${<secrets/gollum.id_ed25519>}";
+ };
+
+ security.sudo.extraConfig = ''
+ git ALL=(gollum) NOPASSWD: ${pushGollum}
+ '';
}
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index f3180722d..2772bf986 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -27,6 +27,7 @@ let
./github-known-hosts.nix
./git.nix
./go.nix
+ ./gollum.nix
./hidden-ssh.nix
./hosts.nix
./htgen.nix
diff --git a/krebs/3modules/gollum.nix b/krebs/3modules/gollum.nix
new file mode 100644
index 000000000..4b4e04d16
--- /dev/null
+++ b/krebs/3modules/gollum.nix
@@ -0,0 +1,112 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.krebs.gollum;
+in
+
+{
+ options.krebs.gollum = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enable the Gollum service.";
+ };
+
+ address = mkOption {
+ type = types.str;
+ default = "0.0.0.0";
+ description = "IP address on which the web server will listen.";
+ };
+
+ port = mkOption {
+ type = types.int;
+ default = 4567;
+ description = "Port on which the web server will run.";
+ };
+
+ extraConfig = mkOption {
+ type = types.lines;
+ default = "";
+ description = "Content of the configuration file";
+ };
+
+ mathjax = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enable support for math rendering using MathJax";
+ };
+
+ allowUploads = mkOption {
+ type = types.nullOr (types.enum [ "dir" "page" ]);
+ default = null;
+ description = "Enable uploads of external files";
+ };
+
+ emoji = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Parse and interpret emoji tags";
+ };
+
+ branch = mkOption {
+ type = types.str;
+ default = "master";
+ example = "develop";
+ description = "Git branch to serve";
+ };
+
+ stateDir = mkOption {
+ type = types.path;
+ default = "/var/lib/gollum";
+ description = "Specifies the path of the repository directory. If it does not exist, Gollum will create it on startup.";
+ };
+
+ };
+
+ config = mkIf cfg.enable {
+
+ users.users.gollum = {
+ group = config.users.users.gollum.name;
+ description = "Gollum user";
+ home = cfg.stateDir;
+ createHome = false;
+ isSystemUser = true;
+ };
+
+ users.groups.gollum = { };
+
+ systemd.tmpfiles.rules = [
+ "d '${cfg.stateDir}' - ${config.users.users.gollum.name} ${config.users.groups.gollum.name} - -"
+ ];
+
+ systemd.services.gollum = {
+ description = "Gollum wiki";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ path = [ pkgs.git ];
+
+ preStart = ''
+ # This is safe to be run on an existing repo
+ git init ${cfg.stateDir}
+ '';
+
+ serviceConfig = {
+ User = config.users.users.gollum.name;
+ Group = config.users.groups.gollum.name;
+ ExecStart = ''
+ ${pkgs.gollum}/bin/gollum \
+ --port ${toString cfg.port} \
+ --host ${cfg.address} \
+ --config ${pkgs.writeText "gollum-config.rb" cfg.extraConfig} \
+ --ref ${cfg.branch} \
+ ${optionalString cfg.mathjax "--mathjax"} \
+ ${optionalString cfg.emoji "--emoji"} \
+ ${optionalString (cfg.allowUploads != null) "--allow-uploads ${cfg.allowUploads}"} \
+ ${cfg.stateDir}
+ '';
+ };
+ };
+ };
+}
diff --git a/krebs/3modules/secret.nix b/krebs/3modules/secret.nix
index bf2c62cc9..67454d1f7 100644
--- a/krebs/3modules/secret.nix
+++ b/krebs/3modules/secret.nix
@@ -22,7 +22,7 @@ in {
wantedBy = ["multi-user.target"];
serviceConfig = {
Type = "oneshot";
- ExecStart = "${pkgs.systemd}/bin/systemctl restart ${file.service}";
+ ExecStart = "${pkgs.systemd}/bin/systemctl restart ${shell.escape file.service}";
};
})
cfg.files
diff --git a/lass/1systems/blue/config.nix b/lass/1systems/blue/config.nix
index 14f4971f7..c46bb351e 100644
--- a/lass/1systems/blue/config.nix
+++ b/lass/1systems/blue/config.nix
@@ -15,14 +15,6 @@ with import <stockholm/lib>;
krebs.build.host = config.krebs.hosts.blue;
- environment.shellAliases = {
- deploy = pkgs.writeDash "deploy" ''
- set -eu
- export SYSTEM="$1"
- $(nix-build $HOME/sync/stockholm/lass/krops.nix --no-out-link --argstr name "$SYSTEM" -A deploy)
- '';
- };
-
networking.nameservers = [ "1.1.1.1" ];
services.restic.backups = genAttrs [
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index b0d7ff23b..ae2754c96 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -93,6 +93,7 @@ with import <stockholm/lib>;
environment.systemPackages = with pkgs; [
#stockholm
+ deploy
git
gnumake
jq
diff --git a/lass/5pkgs/deploy/default.nix b/lass/5pkgs/deploy/default.nix
new file mode 100644
index 000000000..c07cf20d1
--- /dev/null
+++ b/lass/5pkgs/deploy/default.nix
@@ -0,0 +1,6 @@
+{ writers }:
+writers.writeDashBin "deploy" ''
+ set -eu
+ export SYSTEM="$1"
+ $(nix-build $HOME/sync/stockholm/lass/krops.nix --no-out-link --argstr name "$SYSTEM" -A deploy)
+''