1 files changed,
23 insertions(+),
48 deletions(-)
Author:
Oleksandr Smirnov
olexsmir@gmail.com
Committed at:
2026-03-22 18:38:48 +0200
Authored at:
2026-03-21 23:59:28 +0200
Change ID:
pwssknzzosnknwvmuvyxvnkskwlvxsvm
Parent:
c00f9a8
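--- a/flake.nix
+++ b/flake.nix
@@ -22,7 +22,8 @@
 license = licenses.mit;
 };
 };
-});
+}
+);
 
 nixosModules.default = { config, lib, pkgs, ... }:
 with lib;
@@ -40,12 +41,6 @@
 default = self.packages.${pkgs.stdenv.hostPlatform.system}.mugit;
 defaultText = literalExpression "self.packages.\${pkgs.stdenv.hostPlatform.system}.mugit";
 description = "The mugit package to use.";
-};
-
-openFirewall = mkOption {
-type = types.bool;
-default = false;
-description = "Whether to open the firewall for mugit. Can only be used with `config`, not `configFile`.";
 };
 
 exposeCli = mkOption {
@@ -195,18 +190,7 @@
 };
 };
 
-
 config = mkIf cfg.enable {
-networking.firewall = mkIf cfg.openFirewall {
-allowedTCPPorts =
-let
-serverPort = cfg.config.server.port or 8080;
-sshPort = cfg.config.ssh.port or 2222;
-sshEnabled = cfg.config.ssh.enable or false;
-in
-[ serverPort ] ++ lib.optional sshEnabled sshPort;
-};
-
 users.users.${cfg.user} = {
 isSystemUser = true;
 group = cfg.group;
@@ -238,7 +222,7 @@
 exec ${cfg.package}/bin/mugit --config ${resolvedConfig} "$@"
 '';
 in
-"${mugitWrapped}/bin/mugit";
+"${mugitWrapped}/bin/mugit";
 owner = cfg.user;
 group = cfg.group;
 setuid = true;
@@ -252,35 +236,26 @@
 wantedBy = [ "multi-user.target" ];
 after = [ "network.target" ];
 path = [ pkgs.git ];
-
-serviceConfig =
-let
-serverPort = cfg.config.server.port or 8080;
-sshPort = cfg.config.ssh.port or 2222;
-sshEnabled = cfg.config.ssh.enable or false;
-needsPrivPort = serverPort < 1024 || (sshEnabled && sshPort < 1024);
-in
-{
-Type = "simple";
-User = cfg.user;
-Group = cfg.group;
-WorkingDirectory = cfg.config.repo.dir;
-StateDirectory = "mugit";
-ExecStart = "${cfg.package}/bin/mugit serve --config ${configFile}";
-Restart = "on-failure";
-RestartSec = "5s";
-NoNewPrivileges = true;
-PrivateTmp = true;
-ProtectSystem = "strict";
-ProtectHome = true;
-ReadWritePaths = [ cfg.config.repo.dir ];
-ProtectKernelTunables = true;
-ProtectKernelModules = true;
-ProtectControlGroups = true;
-}
-// lib.optionalAttrs needsPrivPort {
-AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
-};
+serviceConfig = {
+Type = "simple";
+User = cfg.user;
+Group = cfg.group;
+WorkingDirectory = cfg.config.repo.dir;
+StateDirectory = "mugit";
+ExecStart = "${cfg.package}/bin/mugit serve --config ${configFile}";
+Restart = "on-failure";
+RestartSec = "5s";
+NoNewPrivileges = true;
+PrivateTmp = true;
+ProtectSystem = "strict";
+ProtectHome = true;
+ReadWritePaths = [ cfg.config.repo.dir ];
+ProtectKernelTunables = true;
+ProtectKernelModules = true;
+ProtectControlGroups = true;
+} // lib.optionalAttrs (cfg.config.ssh.enable && cfg.config.ssh.port < 1024) {
+AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+};
 };
 };
 };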
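Review bot: The new AmbientCapabilities condition on new line 256 silently narrows the old `needsPrivPort` logic: it no longer considers `cfg.config.server.port`, so a deployment that sets the HTTP listener to 80 or 443 gets a service that runs as an unprivileged user with `NoNewPrivileges = true` and cannot bind, failing on every restart. It also drops the `or false` / `or 2222` defaults the old `let` block had, so the expression now throws at evaluation time whenever `cfg.config.ssh` or `.ssh.port` is absent; the removed `openFirewall` description mentions a separate `configFile` path, which suggests `cfg.config` can legitimately be incomplete here, though the option's type is outside this hunk. Restoring both the server-port check and the defaults is a one-line change: `} // lib.optionalAttrs ((cfg.config.server.port or 8080) < 1024 || ((cfg.config.ssh.enable or false) && (cfg.config.ssh.port or 2222) < 1024)) {`. If the `configFile` case is really meant to run without any capability, a short comment above that line stating that privileged ports are only supported via `config` would save the next reader the same question.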