
dotfiles @ e2b99c3c8aa4296752440f8d60162f54dbaf0e21

my dotfiles
2 files changed, 37 insertions(+), 17 deletions(-)
i don't wanna deal with being fully declarative now
Author: Oleksandr Smirnov olexsmir@gmail.com
Committed at: 2026-01-25 22:40:29 +0200
Change ID: vzzvmmskyrotolzrvxzronkwylpomlsz
Parent: 6c88a61
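--- a/nix/hosts/thought/configuration.nix
+++ b/nix/hosts/thought/configuration.nix
@@ -31,6 +31,7 @@ interfaces = { };
 firewall = {
 enable = true;
 allowedTCPPorts = [
+22
 80
 443
 2222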
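Review bot: The new `22` entry in allowedTCPPorts carries no comment saying which service listens there, while `80`, `443` and `2222` at least suggest a pattern (web plus a non-default ssh port). The AmbientCapabilities comment in nix/modules/mugit.nix says CAP_NET_BIND_SERVICE is there to bind port 22, so presumably this opens mugit's ssh listener to the network; if so, confirm the host sshd is bound only to 2222 and not also to 22 before this host is rebuilt, otherwise the two daemons contend for the port. Documenting the intent inline, e.g. `22 # mugit ssh listener (host sshd is on 2222 - confirm)`, keeps the next reader from re-deriving this.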
M nix/modules/mugit.nix

@@ -1,41 +1,60 @@

{ pkgs, ... }: let configFile = "/var/lib/mugit/config.yaml"; - version = "a49f890"; - mugit = pkgs.buildGoModule { - pname = "mugit"; - inherit version; - vendorHash = "sha256-FJuWIYvuidIJOSrihYbaimclrd+dfmWx10Fs6HqtYsI="; - src = pkgs.fetchFromGitHub { - owner = "olexsmir"; - repo = "mugit"; - rev = version; - hash = "sha256-aaCTH6LN/LdYe2QWQeKWO+AKiU5uJEOHQGm0Utpa+uc="; - }; + mugitSrc = builtins.fetchGit { + url = "https://github.com/olexsmir/mugit.git"; + ref = "main"; }; + buildScript = pkgs.writeShellScript "build-mugit" '' + set -e + + BUILD_DIR="/tmp/mugit-build-$$" + + export GOCACHE="$BUILD_DIR/.cache" + export GOPATH="$BUILD_DIR/.go" + export HOME="$BUILD_DIR" + + mkdir -p "$BUILD_DIR" + + cp -r ${mugitSrc}/* "$BUILD_DIR/" + chmod -R u+w "$BUILD_DIR" + + cd "$BUILD_DIR" + ${pkgs.go}/bin/go build -o /var/lib/mugit/mugit . + chmod -R u+w "$BUILD_DIR" 2>/dev/null || true + rm -rf "$BUILD_DIR" + ''; in { services.caddy.virtualHosts."git.olexsmir.xyz".extraConfig = '' reverse_proxy localhost:8008 ''; + systemd.tmpfiles.rules = [ "d /var/lib/mugit 0755 git git -" ]; + systemd.services.mugit = { wantedBy = [ "multi-user.target" ]; after = [ "network-online.target" ]; wants = [ "network-online.target" ]; - + path = [ + pkgs.git + pkgs.go + pkgs.gcc + ]; serviceConfig = { Type = "simple"; User = "git"; + WorkingDirectory = "/var/lib/mugit"; Restart = "on-failure"; RestartSec = 2; - ExecStart = "${mugit}/bin/mugit --config ${configFile} serve"; - path = [ pkgs.git ]; + ExecStartPre = "${buildScript}"; + ExecStart = "/var/lib/mugit/mugit --config ${configFile} serve"; + ReadOnlyPaths = [ configFile ]; NoNewPrivileges = true; - ProtectSystem = "strict"; - ReadOnlyPaths = [ configFile ]; ReadWritePaths = [ "/var/lib/mugit" ]; - AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; # Allow binding to port 22 + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; + CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; + TimeoutStartSec = "5min"; ProtectHome = true; }; };
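Review bot: The ExecStartPre build script runs as `User = "git"` and builds in `/tmp/mugit-build-$$`, a predictable path in the shared /tmp, and to make that writable the hunk also drops `ProtectSystem = "strict"` from serviceConfig. Both can be avoided by building inside the service's own state directory, which is already in ReadWritePaths: `BUILD_DIR="$(mktemp -d /var/lib/mugit/build.XXXXXX)"` in place of the /tmp line, after which `ProtectSystem = "strict";` can stay next to ReadOnlyPaths/ReadWritePaths (the go output already lands in /var/lib/mugit, and GOCACHE/GOPATH/HOME are under BUILD_DIR, so nothing else needs a writable path). Separately, `mugitSrc` now uses `builtins.fetchGit` with `ref = "main"` and no `rev` or hash, so the source is whatever main pointed at when the configuration was evaluated and nothing verifies it; the commit message says this is deliberate, but recording the resolved commit in a comment next to `ref`, or pinning `rev` once convenient, keeps the deployed binary reproducible.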