From f77e28d83df6ac53ac44156e06203d152ec5f667 Mon Sep 17 00:00:00 2001
From: Izorkin
Date: Thu, 30 Jul 2020 23:44:43 +0300
Subject: [PATCH 1/7] nixos/gitea: enable data access only for 'gitea' group

---
 nixos/modules/services/misc/gitea.nix | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix
index f8bcedc94fe..15aeb191f57 100644
--- a/nixos/modules/services/misc/gitea.nix
+++ b/nixos/modules/services/misc/gitea.nix
@@ -357,12 +357,20 @@ in
 };
 
 systemd.tmpfiles.rules = [
- "d '${cfg.stateDir}' - ${cfg.user} gitea - -"
- "d '${cfg.stateDir}/conf' - ${cfg.user} gitea - -"
- "d '${cfg.stateDir}/custom' - ${cfg.user} gitea - -"
- "d '${cfg.stateDir}/custom/conf' - ${cfg.user} gitea - -"
- "d '${cfg.stateDir}/log' - ${cfg.user} gitea - -"
- "d '${cfg.repositoryRoot}' - ${cfg.user} gitea - -"
+ "d '${cfg.repositoryRoot}' 0750 ${cfg.user} gitea - -"
+ "z '${cfg.repositoryRoot}' 0750 ${cfg.user} gitea - -"
+ "Z '${cfg.repositoryRoot}' - ${cfg.user} gitea - -"
+ "d '${cfg.stateDir}' 0750 ${cfg.user} gitea - -"
+ "d '${cfg.stateDir}/conf' 0750 ${cfg.user} gitea - -"
+ "d '${cfg.stateDir}/custom' 0750 ${cfg.user} gitea - -"
+ "d '${cfg.stateDir}/custom/conf' 0750 ${cfg.user} gitea - -"
+ "d '${cfg.stateDir}/log' 0750 ${cfg.user} gitea - -"
+ "z '${cfg.stateDir}' 0750 ${cfg.user} gitea - -"
+ "z '${cfg.stateDir}/.ssh' 0700 ${cfg.user} gitea - -"
+ "z '${cfg.stateDir}/conf' 0750 ${cfg.user} gitea - -"
+ "z '${cfg.stateDir}/custom' 0750 ${cfg.user} gitea - -"
+ "z '${cfg.stateDir}/custom/conf' 0750 ${cfg.user} gitea - -"
+ "z '${cfg.stateDir}/log' 0750 ${cfg.user} gitea - -"
 "Z '${cfg.stateDir}' - ${cfg.user} gitea - -"
 
 # If we have a folder or symlink with gitea locales, remove it
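Review bot: The `Z '${cfg.repositoryRoot}' - …` and `Z '${cfg.stateDir}' - …` rules pass `-` as the mode, so they only re-own existing content; the `z` lines tighten the listed directories to 0750, but files and subdirectories that already exist below them keep whatever mode they were created with. On an existing deployment the "gitea group only" goal therefore holds for new files (via the 0027 umask added in the next hunk) but not for older data such as anything already under `custom/` or `log/`. If that is accepted, say so above the rules, e.g. `# 'Z' with mode '-' only fixes ownership; pre-existing files keep their old mode`; otherwise a one-off mode fix in the service's pre-start step is needed. Note also that no `d` rule creates `${cfg.stateDir}/.ssh`, so the `z …/.ssh 0700` line only takes effect once that directory exists (presumably created by Gitea itself).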
@@ -440,7 +448,8 @@ in
 ProtectKernelTunables = true;
 ProtectKernelModules = true;
 ProtectControlGroups = true;
- ReadWritePaths = cfg.stateDir;
+ ReadWritePaths = [ cfg.repositoryRoot cfg.stateDir ];
+ UMask = "0027";
 # Caps
 CapabilityBoundingSet = "";
 NoNewPrivileges = true;

From 4e68da6337638e49af9a17b0857196a60934c13f Mon Sep 17 00:00:00 2001
From: Izorkin
Date: Fri, 31 Jul 2020 00:04:23 +0300
Subject: [PATCH 2/7] nixos/gitea: add 'backupDir' option

---
 nixos/modules/services/misc/gitea.nix | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix
index 15aeb191f57..28609f8ec8a 100644
--- a/nixos/modules/services/misc/gitea.nix
+++ b/nixos/modules/services/misc/gitea.nix
@@ -162,6 +162,12 @@ in
 7.
 '';
 };
+ backupDir = mkOption {
+ type = types.str;
+ default = "${cfg.stateDir}/dump";
+ description = "Path to the dump files.";
+ };
 };
 
 appName = mkOption {
@@ -357,6 +363,9 @@ in
 };
 
 systemd.tmpfiles.rules = [
+ "d '${cfg.dump.backupDir}' 0750 ${cfg.user} gitea - -"
+ "z '${cfg.dump.backupDir}' 0750 ${cfg.user} gitea - -"
+ "Z '${cfg.dump.backupDir}' - ${cfg.user} gitea - -"
 "d '${cfg.repositoryRoot}' 0750 ${cfg.user} gitea - -"
 "z '${cfg.repositoryRoot}' 0750 ${cfg.user} gitea - -"
 "Z '${cfg.repositoryRoot}' - ${cfg.user} gitea - -"
@@ -448,7 +457,7 @@ in
 ProtectKernelTunables = true;
 ProtectKernelModules = true;
 ProtectControlGroups = true;
- ReadWritePaths = [ cfg.repositoryRoot cfg.stateDir ];
+ ReadWritePaths = [ cfg.dump.backupDir cfg.repositoryRoot cfg.stateDir ];
 UMask = "0027";
 # Caps
 CapabilityBoundingSet = "";
@@ -513,7 +522,7 @@ in
 Type = "oneshot";
 User = cfg.user;
 ExecStart = "${gitea}/bin/gitea dump";
- WorkingDirectory = cfg.stateDir;
+ WorkingDirectory = cfg.dump.backupDir;
 };
 };
 
From 1a0e633c600805cae48e09f2ecae5201fa369ba0 Mon Sep 17 00:00:00 2001
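Review bot: `ReadWritePaths = [ cfg.repositoryRoot cfg.stateDir ];` only restricts anything when the unit also has `ProtectSystem=strict` or `ReadOnlyPaths`, and as far as this hunk's context shows neither is set yet (strict mode is only introduced by patch 5 of this series), so at this point the line records intent rather than enforcing it. Consider adding `ProtectSystem = "strict";` right here so the first patch already confines the web process to the two trees it needs. `UMask = "0027"` matches the 0750 directories from the tmpfiles rules; a short comment such as `# new files are group-readable only, matching the 0750 tmpfiles rules` would tie the two together for the next reader.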
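Review bot: The `backupDir` description, `"Path to the dump files."`, says nothing about who writes there or how the directory is protected, which matters because the archives presumably contain a complete copy of the instance (database, configuration, repositories). Suggest `description = "Directory in which the gitea-dump service writes its archives. It is created with mode 0750 and owned by the Gitea user.";` so that users who relocate it outside stateDir know what permissions to expect. The option sits inside the `dump` attribute set, so it is reached as `cfg.dump.backupDir` elsewhere in the series; the description could mention that it is only used when `dump.enable` is set, if that is indeed the case (not visible in this hunk).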
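Review bot: Adding `cfg.dump.backupDir` to the web service's `ReadWritePaths` grants `gitea web` write access to the backup archives, but the archives are produced by the separate oneshot unit in the last hunk of this patch, so the web process has no need for it; a compromised web process could then delete or tamper with the very backups meant to survive such a compromise. With the default location under stateDir the write access is already implied by `cfg.stateDir`, so the extra entry only matters — and only harms — when backupDir is moved elsewhere. Keep the line as `ReadWritePaths = [ cfg.repositoryRoot cfg.stateDir ];` and give the dump unit its own writable path instead.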
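Review bot: The dump unit runs as `cfg.user` but, unlike the web service, sets no `Group`, `UMask` or sandboxing, so archives written into `cfg.dump.backupDir` are created with the default umask and may be readable by every local user; whether `gitea dump` tightens the archive mode itself is not visible here. Add `Group = "gitea"; UMask = "0027";` next to `User = cfg.user;` so the archives follow the 0750/0640 policy the series applies everywhere else. If `gitea dump` needs no other writable location, the unit is also a good candidate for `ProtectSystem = "strict";` with `ReadWritePaths = [ cfg.dump.backupDir ];`.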
From: Izorkin
Date: Fri, 31 Jul 2020 00:20:27 +0300
Subject: [PATCH 3/7] nixos/gitea: enable pid file

---
 nixos/modules/services/misc/gitea.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix
index 28609f8ec8a..e672440564a 100644
--- a/nixos/modules/services/misc/gitea.nix
+++ b/nixos/modules/services/misc/gitea.nix
@@ -448,8 +448,11 @@ in
 User = cfg.user;
 Group = "gitea";
 WorkingDirectory = cfg.stateDir;
- ExecStart = "${gitea}/bin/gitea web";
+ ExecStart = "${gitea}/bin/gitea web --pid /run/gitea/gitea.pid";
 Restart = "always";
+ # Runtime directory and mode
+ RuntimeDirectory = "gitea";
+ RuntimeDirectoryMode = "0755";
 
 # Filesystem
 ProtectHome = true;

From 6a0fd33b4c15d7e0e0b0cdad5ef280eba32ccdcc Mon Sep 17 00:00:00 2001
From: Izorkin
Date: Fri, 31 Jul 2020 01:16:53 +0300
Subject: [PATCH 4/7] nixos/gitea: add support socket connection

---
 nixos/modules/services/misc/gitea.nix | 30 ++++++++++++++++++++------
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix
index e672440564a..734bf79ddf6 100644
--- a/nixos/modules/services/misc/gitea.nix
+++ b/nixos/modules/services/misc/gitea.nix
@@ -206,6 +206,12 @@ in
 description = "HTTP listen port.";
 };
 
+ enableUnixSocket = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Configure Gitea to listen on a unix socket instead of the default TCP port.";
+ };
+
 cookieSecure = mkOption {
 type = types.bool;
 default = false;
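Review bot: `RuntimeDirectoryMode = "0755"` makes /run/gitea readable and traversable by every local user, while the unit already runs with `Group = "gitea"` (visible in the context), so 0750 would be enough for the pid file introduced on the `ExecStart` line. If the wider mode is deliberate — the next patch in this series places the listening socket in the same directory, and a reverse proxy outside the gitea group would need to traverse it — then say so: `# 0755: a reverse proxy outside the gitea group must be able to reach the socket placed here`. Otherwise prefer `RuntimeDirectoryMode = "0750";` and add the proxy user to the gitea group.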
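Review bot: The `enableUnixSocket` description does not tell the reader where the socket lives or who can connect to it, both of which are needed to wire up a reverse proxy and to judge the exposure. The path is fixed to /run/gitea/gitea.sock in the server section (next patch), and nothing in the module sets a socket permission, so access is governed by whatever mode Gitea applies when it creates the socket. Suggest `description = "Configure Gitea to listen on the unix socket /run/gitea/gitea.sock instead of the default TCP port. The socket's file permissions decide which local users can reach the HTTP listener; make sure the reverse proxy can access it.";`.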
@@ -306,14 +312,22 @@ in
 ROOT = cfg.repositoryRoot;
 };
 
- server = {
- DOMAIN = cfg.domain;
- HTTP_ADDR = cfg.httpAddress;
- HTTP_PORT = cfg.httpPort;
- ROOT_URL = cfg.rootUrl;
- STATIC_ROOT_PATH = cfg.staticRootPath;
- LFS_JWT_SECRET = "#jwtsecret#";
- };
+ server = mkMerge [
+ {
+ DOMAIN = cfg.domain;
+ STATIC_ROOT_PATH = cfg.staticRootPath;
+ LFS_JWT_SECRET = "#jwtsecret#";
+ ROOT_URL = cfg.rootUrl;
+ }
+ (mkIf cfg.enableUnixSocket {
+ PROTOCOL = "unix";
+ HTTP_ADDR = "/run/gitea/gitea.sock";
+ })
+ (mkIf (!cfg.enableUnixSocket) {
+ HTTP_ADDR = cfg.httpAddress;
+ HTTP_PORT = cfg.httpPort;
+ })
+ ];
 
 session = {
 COOKIE_NAME = "session";

From dfd32f11f3ff1da571e499ed993dff99037e73bd Mon Sep 17 00:00:00 2001
From: Izorkin
Date: Fri, 31 Jul 2020 15:53:48 +0300
Subject: [PATCH 5/7] nixos/gitea: update sandboxing options

---
 nixos/modules/services/misc/gitea.nix | 35 ++++++++++++++++-----------
 1 file changed, 21 insertions(+), 14 deletions(-)

diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix
index 734bf79ddf6..6c6541b9369 100644
--- a/nixos/modules/services/misc/gitea.nix
+++ b/nixos/modules/services/misc/gitea.nix
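Review bot: When `cfg.enableUnixSocket` is set only `PROTOCOL = "unix"` and `HTTP_ADDR = "/run/gitea/gitea.sock"` are written; no socket permission is configured, and the runtime directory holding the socket was created with mode 0755 in the previous patch, so the socket's own mode is the only thing limiting which local users can talk to the Gitea HTTP listener. Gitea has a `[server]` setting for this (`UNIX_SOCKET_PERMISSION`; its upstream default is, as far as I recall, world-accessible — verify against the documentation of the packaged version), and setting it to `"660"` in the `mkIf cfg.enableUnixSocket` branch would make the socket mode a deliberate choice, with the reverse proxy added to the gitea group. The `mkMerge` split itself is fine; a one-line comment on the unix branch saying that the socket path is fixed and shared with the pid file directory would help readers.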
@@ -467,27 +467,34 @@ in
 # Runtime directory and mode
 RuntimeDirectory = "gitea";
 RuntimeDirectoryMode = "0755";
-
- # Filesystem
- ProtectHome = true;
- PrivateDevices = true;
- ProtectKernelTunables = true;
- ProtectKernelModules = true;
- ProtectControlGroups = true;
+ # Access write directories
 ReadWritePaths = [ cfg.dump.backupDir cfg.repositoryRoot cfg.stateDir ];
 UMask = "0027";
- # Caps
+ # Capabilities
 CapabilityBoundingSet = "";
+ # Security
 NoNewPrivileges = true;
- # Misc.
- LockPersonality = true;
- RestrictRealtime = true;
- PrivateMounts = true;
+ # Sandboxing
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
 PrivateUsers = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
+ LockPersonality = true;
 MemoryDenyWriteExecute = true;
- SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @setuid @swap";
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ PrivateMounts = true;
+ # System Call Filtering
 SystemCallArchitectures = "native";
- RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+ SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @setuid @swap";
 };
 
 environment = {

From 6c258a7c212fed4b4cdf13f5a2957f98989675ff Mon Sep 17 00:00:00 2001
From: Izorkin
Date: Sat, 1 Aug 2020 12:03:38 +0300
Subject: [PATCH 6/7] nixos/gitea: add ssh options

---
 nixos/modules/services/misc/gitea.nix | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix
index 6c6541b9369..7fb6be5ea84 100644
--- a/nixos/modules/services/misc/gitea.nix
+++ b/nixos/modules/services/misc/gitea.nix
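Review bot: `RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];` is a one-element list holding a space-separated string; it presumably works only because systemd splits the single emitted value on whitespace, and it breaks the convention every other list in this unit follows. Write it as `RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];`. Separately, `SystemCallFilter` remains a deny-list of groups, so any syscall not in one of the named sets stays allowed; if the systemd in use provides the `@system-service` set, the allow-list form `SystemCallFilter = [ "@system-service" "~@privileged @resources" ];` is the stronger default. Note that the dump unit from patch 2 receives none of these hardening options although it handles the same data.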
@@ -170,6 +170,25 @@ in
 };
 };
 
+ ssh = {
+ enable = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Enable external SSH feature.";
+ };
+
+ clonePort = mkOption {
+ type = types.int;
+ default = 22;
+ example = 2222;
+ description = ''
+ SSH port displayed in clone URL.
+ The option is required to configure a service when the external visible port
+ differs from the local listening port i.e. if port forwarding is used.
+ '';
+ };
+ };
+
 appName = mkOption {
 type = types.str;
 default = "gitea: Gitea Service";
@@ -327,6 +346,13 @@ in
 HTTP_ADDR = cfg.httpAddress;
 HTTP_PORT = cfg.httpPort;
 })
+ (mkIf cfg.ssh.enable {
+ DISABLE_SSH = false;
+ SSH_PORT = cfg.ssh.clonePort;
+ })
+ (mkIf (!cfg.ssh.enable) {
+ DISABLE_SSH = true;
+ })
 ];
 
 session = {

From 31ce2636a4219123c05e63e5a20221453ee5ca42 Mon Sep 17 00:00:00 2001
From: Izorkin
Date: Sun, 2 Aug 2020 20:32:17 +0300
Subject: [PATCH 7/7] nixos/gitea: add lfs options

---
 nixos/modules/services/misc/gitea.nix | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix
index 7fb6be5ea84..af80e99746b 100644
--- a/nixos/modules/services/misc/gitea.nix
+++ b/nixos/modules/services/misc/gitea.nix
@@ -189,6 +189,20 @@ in
 };
 };
 
+ lfs = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enables git-lfs support.";
+ };
+
+ contentDir = mkOption {
+ type = types.str;
+ default = "${cfg.stateDir}/data/lfs";
+ description = "Where to store LFS files.";
+ };
+ };
+
 appName = mkOption {
 type = types.str;
 default = "gitea: Gitea Service";
@@ -353,6 +367,11 @@ in
 (mkIf (!cfg.ssh.enable) {
 DISABLE_SSH = true;
 })
+ (mkIf cfg.lfs.enable {
+ LFS_START_SERVER = true;
+ LFS_CONTENT_PATH = cfg.lfs.contentDir;
+ })
+
 ];
 
 session = {
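Review bot: `description = "Enable external SSH feature."` does not say what "external" means or what the option does; from the server section in the next hunk it maps to `DISABLE_SSH = false` plus `SSH_PORT`, and nothing in this patch starts Gitea's built-in SSH server, so presumably the host's sshd is expected to serve the connections. Suggest `description = "Enable SSH access to repositories (sets DISABLE_SSH = false in app.ini). The host's own SSH daemon is expected to accept the connections; this option does not start Gitea's built-in SSH server.";`. For `clonePort`, `types.port` (if the targeted nixpkgs revision has it) would reject values that `types.int` accepts, and the description should state that the value is only displayed in clone URLs and never bound to.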
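Review bot: The two `mkIf` branches added after the `HTTP_PORT` branch exist only to flip one boolean, which can be expressed directly: put `DISABLE_SSH = !cfg.ssh.enable;` into the unconditional attribute set at the top of the `mkMerge` list and keep a single `(mkIf cfg.ssh.enable { SSH_PORT = cfg.ssh.clonePort; })`. That drops one branch and makes it impossible for the enable/disable paths to drift apart when further SSH keys are added to only one of them later.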
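Review bot: `description = "Where to store LFS files."` would be more useful if it told users what permissions the directory receives and that it has to be writable by the service, since the tmpfiles rules and `ReadWritePaths` entry later in this patch do exactly that for whatever path is chosen: `description = "Directory in which LFS objects are stored. It is created with mode 0750, owned by the Gitea user, and added to the service's writable paths.";`. The `lfs.enable` description could also mention that the LFS JWT secret placeholder (`LFS_JWT_SECRET` in the server section) is already written unconditionally, so enabling LFS needs no extra secret handling — assuming the pre-start step that fills the placeholder, which is not visible here, runs regardless of this option.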
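Review bot: A stray empty line is added between the new `(mkIf cfg.lfs.enable { … })` element and the closing `];`, which no other element of the `mkMerge` list has; drop the blank `+` line so the list stays uniformly spaced. The LFS branch itself mirrors the ssh branch above it and looks correct.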
@@ -406,6 +425,9 @@ in
 "d '${cfg.dump.backupDir}' 0750 ${cfg.user} gitea - -"
 "z '${cfg.dump.backupDir}' 0750 ${cfg.user} gitea - -"
 "Z '${cfg.dump.backupDir}' - ${cfg.user} gitea - -"
+ "d '${cfg.lfs.contentDir}' 0750 ${cfg.user} gitea - -"
+ "z '${cfg.lfs.contentDir}' 0750 ${cfg.user} gitea - -"
+ "Z '${cfg.lfs.contentDir}' - ${cfg.user} gitea - -"
 "d '${cfg.repositoryRoot}' 0750 ${cfg.user} gitea - -"
 "z '${cfg.repositoryRoot}' 0750 ${cfg.user} gitea - -"
 "Z '${cfg.repositoryRoot}' - ${cfg.user} gitea - -"
@@ -494,7 +516,7 @@ in
 RuntimeDirectory = "gitea";
 RuntimeDirectoryMode = "0755";
 # Access write directories
- ReadWritePaths = [ cfg.dump.backupDir cfg.repositoryRoot cfg.stateDir ];
+ ReadWritePaths = [ cfg.dump.backupDir cfg.repositoryRoot cfg.stateDir cfg.lfs.contentDir ];
 UMask = "0027";
 # Capabilities
 CapabilityBoundingSet = "";
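Review bot: `cfg.lfs.contentDir` is appended to `ReadWritePaths` unconditionally, so the web service gets write access to that path even when `cfg.lfs.enable` is false; the tmpfiles rules in the previous hunk likewise create and re-own the directory whether or not LFS is in use. With the default location under stateDir this changes nothing, but a contentDir placed elsewhere becomes writable for no reason. Prefer `ReadWritePaths = [ cfg.dump.backupDir cfg.repositoryRoot cfg.stateDir ] ++ optional cfg.lfs.enable cfg.lfs.contentDir;` (`optional` comes from lib, which this module already uses unqualified for mkOption/mkIf) and wrap the three tmpfiles rules in `optionals cfg.lfs.enable [ … ]` the same way.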