authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-01-02 18:02:36 +0100
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-01-02 18:02:36 +0100
commit5566d26d9cb4f992e974ad8a8720c5970d566105 (patch)
tree78a20c70e3abb2e465d09d4a4ef03f3281014583 /virtual/eldiron.nix
parent940f18341ee8f1e86a18a3488c41b5bbef909cd1 (diff)
downloadNix-5566d26d9cb4f992e974ad8a8720c5970d566105.tar.gz
Nix-5566d26d9cb4f992e974ad8a8720c5970d566105.tar.zst
Nix-5566d26d9cb4f992e974ad8a8720c5970d566105.zip
Add gitolite
Diffstat (limited to 'virtual/eldiron.nix')
-rw-r--r--virtual/eldiron.nix59
1 files changed, 59 insertions, 0 deletions
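--- a/virtual/eldiron.nix
+++ b/virtual/eldiron.nix
@@ -86,6 +86,26 @@
 # };
 };
 
+services.openssh.extraConfig = ''
+AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
+AuthorizedKeysCommandUser nobody
+'';
+
+# FIXME: after initial install, need to
+# (1) copy rc file (adjust gitolite_ldap_groups.sh)
+# (2) (mark old readonly and) sync repos except gitolite-admin
+# rsync -av --exclude=gitolite-admin.git old:/var/lib/gitolite/repositories /var/lib/gitolite/
+# chown -R gitolite:gitolite /var/lib/gitolite
+# (3) push force the gitolite-admin to new location (from external point)
+# Don't use an existing key, it will take precedence over
+# gitolite-admin
+# (4) su -u gitolite gitolite setup
+services.gitolite = {
+enable = true;
+# FIXME: key from ./ssh
+adminPubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXqRbiHw7QoHADNIEuo4nUT9fSOIEBMdJZH0bkQAxXyJFyCM1IMz0pxsHV0wu9tdkkr36bPEUj2aV5bkYLBN6nxcV2Y49X8bjOSCPfx3n6Own1h+NeZVBj4ZByrFmqCbTxUJIZ2bZKcWOFncML39VmWdsVhNjg0X4NBBehqXRIKr2gt3E/ESAxTYJFm0BnU0baciw9cN0bsRGqvFgf5h2P48CIAfwhVcGmPQnnAwabnosYQzRWxR0OygH5Kd8mePh6FheIRIigfXsDO8f/jdxwut8buvNIf3m5EBr3tUbTsvM+eV3M5vKGt7sk8T64DVtepTSdOOWtp+47ktsnHOMh immae@immae.eu";
+};
+
 services.ympd = mypkgs.ympd.config // { enable = true; };
 
 services.phpfpm = {
@@ -118,6 +138,45 @@
 mkdir -p /run/redis
 chown redis /run/redis
 '';
+gitolite =
+assert mylibs.checkEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
+let
+gitolite_ldap_groups = mylibs.wrap {
+name = "gitolite_ldap_groups.sh";
+file = ./packages/gitolite_ldap_groups.sh;
+vars = {
+LDAP_PASS = builtins.getEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
+};
+paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.coreutils ];
+};
+in {
+deps = [ "users" ];
+text = ''
+if [ -d /var/lib/gitolite ]; then
+ln -sf ${gitolite_ldap_groups} /var/lib/gitolite/gitolite_ldap_groups.sh
+fi
+'';
+};
+};
+
+environment.etc."ssh/ldap_authorized_keys" = let
+ldap_authorized_keys =
+assert mylibs.checkEnv "NIXOPS_SSHD_LDAP_PASSWORD";
+mylibs.wrap {
+name = "ldap_authorized_keys";
+file = ./ldap_authorized_keys.sh;
+vars = {
+LDAP_PASS = builtins.getEnv "NIXOPS_SSHD_LDAP_PASSWORD";
+GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell";
+ECHO = "${pkgs.coreutils}/bin/echo";
+};
+paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
+};
+in {
+enable = true;
+mode = "0755";
+user = "root";
+source = ldap_authorized_keys;
 };
 
 services.httpd = let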
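Review bot: The two `LDAP_PASS = builtins.getEnv …` entries in the second hunk read the LDAP bind password at evaluation time and hand it to `mylibs.wrap` as a `vars` value, so it presumably gets substituted into the generated wrapper script and its `.drv`, both of which live in the world-readable Nix store; every local account could then read the credential, and the `environment.etc."ssh/ldap_authorized_keys"` entry additionally publishes that script at mode `0755`. `mylibs.wrap` is not part of this diff, so if it does embed `vars` in the store path, the password should be loaded at runtime from a file kept outside the store with restrictive permissions — for the `AuthorizedKeysCommand` script that file has to be readable by the `nobody` user it runs as. A smaller point in the first hunk: the setup note `# (4) su -u gitolite gitolite setup` will not work as written because `su` has no `-u` option; `# (4) sudo -u gitolite gitolite setup` (or `su - gitolite -c "gitolite setup"`) is presumably what was intended.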