fix: cant push via git ssh
This commit is contained in:
parent
e2ef9e0519
commit
00e904cde9
1 changed files with 64 additions and 30 deletions
|
|
@ -6,21 +6,35 @@
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
gitUser = config.services.forgejo.settings.server.BUILTIN_SSH_SERVER_USER;
|
gitUser = config.services.forgejo.settings.server.BUILTIN_SSH_SERVER_USER;
|
||||||
|
forgejoUser = config.services.forgejo.user;
|
||||||
forgejo = config.services.forgejo.package;
|
forgejo = config.services.forgejo.package;
|
||||||
stateDir = config.services.forgejo.stateDir;
|
stateDir = config.services.forgejo.stateDir;
|
||||||
|
forgejoExe = lib.getExe forgejo;
|
||||||
|
|
||||||
forgejoKeysScript = pkgs.writeShellScript "forgejo-keys" ''
|
separateUsers = gitUser != forgejoUser;
|
||||||
FORGEJO_WORK_DIR=${stateDir} ${lib.getExe forgejo} keys -e git -u "$1" -t "$2" -k "$3"
|
|
||||||
'';
|
forgejoKeysCmd = "FORGEJO_WORK_DIR=${stateDir} ${forgejoExe} keys -e git -u \"$1\" -t \"$2\" -k \"$3\"";
|
||||||
|
|
||||||
|
# When the SSH user differs from the forgejo service user, rewrite
|
||||||
|
# the command= wrapper to use sudo so forgejo serv runs as the user
|
||||||
|
# that owns the repository data.
|
||||||
|
forgejoKeysScript = pkgs.writeShellScript "forgejo-keys" (
|
||||||
|
if separateUsers
|
||||||
|
then ''
|
||||||
|
${forgejoKeysCmd} \
|
||||||
|
| ${pkgs.gnused}/bin/sed 's|command="${forgejoExe}|command="/run/wrappers/bin/sudo -u ${forgejoUser} --preserve-env=SSH_ORIGINAL_COMMAND ${forgejoExe}|'
|
||||||
|
''
|
||||||
|
else forgejoKeysCmd
|
||||||
|
);
|
||||||
|
|
||||||
forgejoKeysPath = "/run/forgejo-keys";
|
forgejoKeysPath = "/run/forgejo-keys";
|
||||||
in {
|
in {
|
||||||
config = lib.mkIf config.services.forgejo.enable {
|
config = lib.mkIf config.services.forgejo.enable (lib.mkMerge [
|
||||||
|
{
|
||||||
# sshd rejects connections for users with nologin shell before
|
# sshd rejects connections for users with nologin shell before
|
||||||
# processing authorized_keys, so we need a valid shell even though
|
# processing authorized_keys, so we need a valid shell even though
|
||||||
# the command= wrapper in Forgejo's keys prevents actual shell access.
|
# the command= wrapper in Forgejo's keys prevents actual shell access.
|
||||||
users.users.${gitUser}.shell = pkgs.bash;
|
users.users.${gitUser}.shell = pkgs.bash;
|
||||||
users.groups.${config.services.forgejo.group}.members = [gitUser];
|
|
||||||
|
|
||||||
services.openssh.settings.AllowUsers = [gitUser];
|
services.openssh.settings.AllowUsers = [gitUser];
|
||||||
|
|
||||||
|
|
@ -44,6 +58,26 @@
|
||||||
X11Forwarding no
|
X11Forwarding no
|
||||||
PermitTTY no
|
PermitTTY no
|
||||||
'';
|
'';
|
||||||
};
|
}
|
||||||
|
|
||||||
|
(lib.mkIf separateUsers {
|
||||||
|
# Give the git user read access to forgejo's config and data
|
||||||
|
users.groups.${config.services.forgejo.group}.members = [gitUser];
|
||||||
|
|
||||||
|
# Allow the git user to run forgejo serv as the forgejo user
|
||||||
|
security.sudo.extraRules = [
|
||||||
|
{
|
||||||
|
users = [gitUser];
|
||||||
|
runAs = forgejoUser;
|
||||||
|
commands = [
|
||||||
|
{
|
||||||
|
command = "${forgejoExe} --config=${stateDir}/custom/conf/app.ini serv *";
|
||||||
|
options = ["NOPASSWD" "SETENV"];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
})
|
||||||
|
]);
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue