fix: cant push via git ssh
This commit is contained in:
parent
e2ef9e0519
commit
00e904cde9
1 changed files with 64 additions and 30 deletions
|
|
@ -6,44 +6,78 @@
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
gitUser = config.services.forgejo.settings.server.BUILTIN_SSH_SERVER_USER;
|
gitUser = config.services.forgejo.settings.server.BUILTIN_SSH_SERVER_USER;
|
||||||
|
forgejoUser = config.services.forgejo.user;
|
||||||
forgejo = config.services.forgejo.package;
|
forgejo = config.services.forgejo.package;
|
||||||
stateDir = config.services.forgejo.stateDir;
|
stateDir = config.services.forgejo.stateDir;
|
||||||
|
forgejoExe = lib.getExe forgejo;
|
||||||
|
|
||||||
forgejoKeysScript = pkgs.writeShellScript "forgejo-keys" ''
|
separateUsers = gitUser != forgejoUser;
|
||||||
FORGEJO_WORK_DIR=${stateDir} ${lib.getExe forgejo} keys -e git -u "$1" -t "$2" -k "$3"
|
|
||||||
'';
|
forgejoKeysCmd = "FORGEJO_WORK_DIR=${stateDir} ${forgejoExe} keys -e git -u \"$1\" -t \"$2\" -k \"$3\"";
|
||||||
|
|
||||||
|
# When the SSH user differs from the forgejo service user, rewrite
|
||||||
|
# the command= wrapper to use sudo so forgejo serv runs as the user
|
||||||
|
# that owns the repository data.
|
||||||
|
forgejoKeysScript = pkgs.writeShellScript "forgejo-keys" (
|
||||||
|
if separateUsers
|
||||||
|
then ''
|
||||||
|
${forgejoKeysCmd} \
|
||||||
|
| ${pkgs.gnused}/bin/sed 's|command="${forgejoExe}|command="/run/wrappers/bin/sudo -u ${forgejoUser} --preserve-env=SSH_ORIGINAL_COMMAND ${forgejoExe}|'
|
||||||
|
''
|
||||||
|
else forgejoKeysCmd
|
||||||
|
);
|
||||||
|
|
||||||
forgejoKeysPath = "/run/forgejo-keys";
|
forgejoKeysPath = "/run/forgejo-keys";
|
||||||
in {
|
in {
|
||||||
config = lib.mkIf config.services.forgejo.enable {
|
config = lib.mkIf config.services.forgejo.enable (lib.mkMerge [
|
||||||
# sshd rejects connections for users with nologin shell before
|
{
|
||||||
# processing authorized_keys, so we need a valid shell even though
|
# sshd rejects connections for users with nologin shell before
|
||||||
# the command= wrapper in Forgejo's keys prevents actual shell access.
|
# processing authorized_keys, so we need a valid shell even though
|
||||||
users.users.${gitUser}.shell = pkgs.bash;
|
# the command= wrapper in Forgejo's keys prevents actual shell access.
|
||||||
users.groups.${config.services.forgejo.group}.members = [gitUser];
|
users.users.${gitUser}.shell = pkgs.bash;
|
||||||
|
|
||||||
services.openssh.settings.AllowUsers = [gitUser];
|
services.openssh.settings.AllowUsers = [gitUser];
|
||||||
|
|
||||||
# Copy the key lookup script to a root-owned path outside /nix/store.
|
# Copy the key lookup script to a root-owned path outside /nix/store.
|
||||||
# sshd StrictModes requires AuthorizedKeysCommand and all parent dirs
|
# sshd StrictModes requires AuthorizedKeysCommand and all parent dirs
|
||||||
# to be owned by root with no group/world writes. /nix/store and /etc
|
# to be owned by root with no group/world writes. /nix/store and /etc
|
||||||
# symlinks both fail this check.
|
# symlinks both fail this check.
|
||||||
system.activationScripts.forgejo-ssh-keys = lib.stringAfter ["etc"] ''
|
system.activationScripts.forgejo-ssh-keys = lib.stringAfter ["etc"] ''
|
||||||
install -m 0755 -o root -g root ${forgejoKeysScript} ${forgejoKeysPath}
|
install -m 0755 -o root -g root ${forgejoKeysScript} ${forgejoKeysPath}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
services.openssh.extraConfig = ''
|
services.openssh.extraConfig = ''
|
||||||
Match User ${gitUser}
|
Match User ${gitUser}
|
||||||
AuthorizedKeysCommandUser ${gitUser}
|
AuthorizedKeysCommandUser ${gitUser}
|
||||||
AuthorizedKeysCommand ${forgejoKeysPath} %u %t %k
|
AuthorizedKeysCommand ${forgejoKeysPath} %u %t %k
|
||||||
AuthenticationMethods publickey
|
AuthenticationMethods publickey
|
||||||
KbdInteractiveAuthentication no
|
KbdInteractiveAuthentication no
|
||||||
PasswordAuthentication no
|
PasswordAuthentication no
|
||||||
AllowAgentForwarding no
|
AllowAgentForwarding no
|
||||||
AllowTcpForwarding no
|
AllowTcpForwarding no
|
||||||
X11Forwarding no
|
X11Forwarding no
|
||||||
PermitTTY no
|
PermitTTY no
|
||||||
'';
|
'';
|
||||||
};
|
}
|
||||||
|
|
||||||
|
(lib.mkIf separateUsers {
|
||||||
|
# Give the git user read access to forgejo's config and data
|
||||||
|
users.groups.${config.services.forgejo.group}.members = [gitUser];
|
||||||
|
|
||||||
|
# Allow the git user to run forgejo serv as the forgejo user
|
||||||
|
security.sudo.extraRules = [
|
||||||
|
{
|
||||||
|
users = [gitUser];
|
||||||
|
runAs = forgejoUser;
|
||||||
|
commands = [
|
||||||
|
{
|
||||||
|
command = "${forgejoExe} --config=${stateDir}/custom/conf/app.ini serv *";
|
||||||
|
options = ["NOPASSWD" "SETENV"];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
})
|
||||||
|
]);
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
||||||
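Review bot: The `SETENV` tag in `options = ["NOPASSWD" "SETENV"];` grants more than the rewritten `command=` line needs: it lets the git user pass arbitrary `VAR=value` or `-E` to this sudo rule, while the wrapper only has to carry `SSH_ORIGINAL_COMMAND` across to the forgejo user. The same behaviour with a narrower grant is `options = ["NOPASSWD"];` plus `security.sudo.extraConfig = "Defaults:${gitUser} env_keep+=SSH_ORIGINAL_COMMAND";`, which whitelists the single variable instead of opening the environment. Separately, the rule hard-codes `--config=${stateDir}/custom/conf/app.ini`; if the module's custom directory is ever set elsewhere, sudo rejects the command and pushes fail closed — presumably `config.services.forgejo.customDir` is the value to derive this from, worth confirming. The trailing `serv *` also matches any further arguments, which is acceptable only because they come from the root-installed keys script rather than from the client.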