2 files changed,
37 insertions(+),
17 deletions(-)
Author:
Oleksandr Smirnov
olexsmir@gmail.com
Committed at:
2026-01-25 22:40:29 +0200
Change ID:
vzzvmmskyrotolzrvxzronkwylpomlsz
Parent:
6c88a61
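--- a/nix/modules/mugit.nix
+++ b/nix/modules/mugit.nix
@@ -1,41 +1,60 @@
 { pkgs, ... }:
 let
 configFile = "/var/lib/mugit/config.yaml";
-version = "a49f890";
-mugit = pkgs.buildGoModule {
-pname = "mugit";
-inherit version;
-vendorHash = "sha256-FJuWIYvuidIJOSrihYbaimclrd+dfmWx10Fs6HqtYsI=";
-src = pkgs.fetchFromGitHub {
-owner = "olexsmir";
-repo = "mugit";
-rev = version;
-hash = "sha256-aaCTH6LN/LdYe2QWQeKWO+AKiU5uJEOHQGm0Utpa+uc=";
-};
+mugitSrc = builtins.fetchGit {
+url = "https://github.com/olexsmir/mugit.git";
+ref = "main";
 };
+buildScript = pkgs.writeShellScript "build-mugit" ''
+set -e
+
+BUILD_DIR="/tmp/mugit-build-$$"
+
+export GOCACHE="$BUILD_DIR/.cache"
+export GOPATH="$BUILD_DIR/.go"
+export HOME="$BUILD_DIR"
+
+mkdir -p "$BUILD_DIR"
+
+cp -r ${mugitSrc}/* "$BUILD_DIR/"
+chmod -R u+w "$BUILD_DIR"
+
+cd "$BUILD_DIR"
+${pkgs.go}/bin/go build -o /var/lib/mugit/mugit .
+chmod -R u+w "$BUILD_DIR" 2>/dev/null || true
+rm -rf "$BUILD_DIR"
+'';
 in
 {
 services.caddy.virtualHosts."git.olexsmir.xyz".extraConfig = ''
 reverse_proxy localhost:8008
 '';
 
+systemd.tmpfiles.rules = [ "d /var/lib/mugit 0755 git git -" ];
+
 systemd.services.mugit = {
 wantedBy = [ "multi-user.target" ];
 after = [ "network-online.target" ];
 wants = [ "network-online.target" ];
-
+path = [
+pkgs.git
+pkgs.go
+pkgs.gcc
+];
 serviceConfig = {
 Type = "simple";
 User = "git";
+WorkingDirectory = "/var/lib/mugit";
 Restart = "on-failure";
 RestartSec = 2;
-ExecStart = "${mugit}/bin/mugit --config ${configFile} serve";
-path = [ pkgs.git ];
+ExecStartPre = "${buildScript}";
+ExecStart = "/var/lib/mugit/mugit --config ${configFile} serve";
+ReadOnlyPaths = [ configFile ];
 NoNewPrivileges = true;
-ProtectSystem = "strict";
-ReadOnlyPaths = [ configFile ];
 ReadWritePaths = [ "/var/lib/mugit" ];
-AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; # Allow binding to port 22
+AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+TimeoutStartSec = "5min";
 ProtectHome = true;
 };
 };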