authorChristoph Heiss <christoph@c8h4.io>2023-04-19 23:43:58 +0200
committerChristoph Heiss <christoph@c8h4.io>2023-11-11 13:01:30 +0100
commitc123a37be6b224a48466f6e4329927f366a72efd (patch)
tree05463fd26830ad29b215cd154573ec7d1b03e6c4 /nixos/modules/services
parent869781c2f43acdf917479941aa21983a69af3ddf (diff)
sourcehut.gitsrht: 0.78.20 -> 0.84.2
Newer versions of the gitsrht-api service call setrlimit() on startup, thus allow it in the `SystemCallFilter` definition for the service. Signed-off-by: Christoph Heiss <christoph@c8h4.io>
Diffstat (limited to 'nixos/modules/services')
-rw-r--r--nixos/modules/services/misc/sourcehut/default.nix19
-rw-r--r--nixos/modules/services/misc/sourcehut/service.nix2
2 files changed, 12 insertions, 9 deletions
diff --git a/nixos/modules/services/misc/sourcehut/default.nix b/nixos/modules/services/misc/sourcehut/default.nix
index 5506e262107f..524e4a9b3770 100644
--- a/nixos/modules/services/misc/sourcehut/default.nix
+++ b/nixos/modules/services/misc/sourcehut/default.nix
@@ -803,6 +803,9 @@ in
systemd.services.sshd = {
#path = optional cfg.git.enable [ cfg.git.package ];
serviceConfig = {
+ BindPaths = optionals cfg.git.enable [
+ "/var/log:/var/log"
+ ];
BindReadOnlyPaths =
# Note that those /usr/bin/* paths are hardcoded in multiple places in *.sr.ht,
# for instance to get the user from the [git.sr.ht::dispatch] settings.
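Review bot: The added `BindPaths` entry gives the sshd unit read-write access to the whole of `/var/log` whenever `cfg.git.enable` is set, and nothing in the hunk says which file needs it. The gitsrht-shell and update-hook wrappers in the next hunk appear to be bound into this same unit, so processes started for git users could modify or truncate other services' logs, which weakens log integrity for later investigation. If the purpose is to let the gitsrht tools write their own log files (inferred, not shown here), bind only those files or a dedicated subdirectory. Either way, add a comment such as `# gitsrht-shell and the git hooks write their log files under /var/log`. The `serviceConfig` block continues past the end of the hunk.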
@@ -834,14 +837,13 @@ in
set -e
cd /run/sourcehut/gitsrht/subdir
set -x
+ export PATH="${cfg.git.package}/bin:$PATH"
+ export SRHT_CONFIG=/run/sourcehut/gitsrht/config.ini
exec -a "$0" ${pkgs.sourcehut.gitsrht}/bin/gitsrht-shell "$@"
''}:/usr/bin/gitsrht-shell"
"${pkgs.writeShellScript "gitsrht-update-hook" ''
set -e
- test -e "''${PWD%/*}"/config.ini ||
- # Git hooks are run relative to their repository's directory,
- # but gitsrht-update-hook looks up ../config.ini
- ln -s /run/sourcehut/gitsrht/config.ini "''${PWD%/*}"/config.ini
+ export SRHT_CONFIG=/run/sourcehut/gitsrht/config.ini
# hooks/post-update calls /usr/bin/gitsrht-update-hook as hooks/stage-3
# but this wrapper being a bash script, it overrides $0 with /usr/bin/gitsrht-update-hook
# hence this hack to put hooks/stage-3 back into gitsrht-update-hook's $0
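Review bot: The two new `export SRHT_CONFIG=/run/sourcehut/gitsrht/config.ini` lines, in the gitsrht-shell wrapper and in the update-hook wrapper, carry no comment, while the lines they replace explained why the config lookup needed help. A comment such as `# hooks run from the repository directory, so point gitsrht at its config explicitly` would keep that reasoning; that the new version reads `$SRHT_CONFIG` is inferred from the change itself. In the shell wrapper the exports sit after `set -x`, so they are traced on every invocation, and moving them above `set -x` avoids echoing the store and config paths if that trace reaches the client. The same literal path now appears twice and could be bound once in a `let`. Both wrapper scripts continue outside the hunk.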
@@ -1068,10 +1070,11 @@ in
};
})
];
- extraServices.gitsrht-api = {
- serviceConfig.Restart = "always";
- serviceConfig.RestartSec = "5s";
- serviceConfig.ExecStart = "${pkgs.sourcehut.gitsrht}/bin/gitsrht-api -b ${cfg.listenAddress}:${toString (cfg.git.port + 100)}";
+ extraServices.gitsrht-api.serviceConfig = {
+ Restart = "always";
+ RestartSec = "5s";
+ ExecStart = "${pkgs.sourcehut.gitsrht}/bin/gitsrht-api -b ${cfg.listenAddress}:${toString (cfg.git.port + 100)}";
+ BindPaths = [ "${cfg.settings."git.sr.ht".repos}:/var/lib/sourcehut/gitsrht/repos" ];
};
extraServices.gitsrht-fcgiwrap = mkIf cfg.nginx.enable {
serviceConfig = {
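Review bot: The new `BindPaths` line for gitsrht-api mounts the repository directory read-write and gives no reason. If the API only reads repositories, which cannot be told from this hunk, `BindReadOnlyPaths` would be the tighter choice. Otherwise a comment such as `# gitsrht-api creates and modifies repositories, so it needs write access` records the decision. The value of `cfg.settings."git.sr.ht".repos` is interpolated straight into a `source:destination` string, so a configured path containing a colon or whitespace would be mis-parsed by systemd. An assertion on the option, or a note in its description, would catch that early.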
diff --git a/nixos/modules/services/misc/sourcehut/service.nix b/nixos/modules/services/misc/sourcehut/service.nix
index 72c273d3452b..26fbb3a11362 100644
--- a/nixos/modules/services/misc/sourcehut/service.nix
+++ b/nixos/modules/services/misc/sourcehut/service.nix
@@ -108,7 +108,7 @@ let
#SocketBindDeny = "any";
SystemCallFilter = [
"@system-service"
- "~@aio" "~@keyring" "~@memlock" "~@privileged" "~@resources" "~@timer"
+ "~@aio" "~@keyring" "~@memlock" "~@privileged" "~@timer"
"@chown" "@setuid"
];
SystemCallArchitectures = "native";
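Review bot: Dropping `"~@resources"` from this `SystemCallFilter` re-allows the whole group (scheduler, priority and affinity calls as well as `setrlimit`), while the commit message only names `setrlimit()` for gitsrht-api. Because this list lives in service.nix, the relaxation presumably applies to every sourcehut unit built from this template, not just the one that needs it. The list already re-adds `@chown` and `@setuid` after denying `@privileged`, so the same pattern fits here: keep `"~@resources"` on the deny line and change the following line to `"@chown" "@setuid" "setrlimit"`. A short comment, `# gitsrht-api >= 0.84 calls setrlimit() on startup`, would record why the exception exists. The enclosing `let` block starts and ends outside the hunk.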