Added git btw, deploy hooks, etc.
diff --git a/server/default.nix b/server/default.nix
index 5d43281..d98f273 100644
--- a/server/default.nix
+++ b/server/default.nix
@@ -6,6 +6,7 @@
./znc.nix
./guandanbtw.nix
./matrix.nix
- ./git.nix
+ ./git-btw.nix
+ ./deploy-hooks.nix
];
}
diff --git a/server/deploy-hooks.nix b/server/deploy-hooks.nix
new file mode 100644
index 0000000..e7b46c8
--- /dev/null
+++ b/server/deploy-hooks.nix
@@ -0,0 +1,35 @@
+{pkgs, ...}: let
+ deploy_hook = pkgs.writeShellScript "post-receive-deploy" ''
+ REPO=$(basename $(pwd) .git)
+ SITE=/www/sites/$REPO
+
+ if [ -d "$SITE" ]; then
+ GIT_WORK_TREE=$SITE git checkout -f
+ echo "deployed $REPO → $SITE"
+ else
+ echo "no deploy target for $REPO (no $SITE directory)"
+ fi
+ '';
+in {
+ systemd.tmpfiles.rules = [
+ "d /www/sites 0755 root root -"
+ "L+ /srv/git/.deploy-hook - - - - ${deploy_hook}"
+ ];
+
+ environment.systemPackages = [
+ (pkgs.writeShellScriptBin "git-enable-deploy" ''
+ if [ -z "$1" ]; then
+ echo "usage: git-enable-deploy <repo.git>"
+ exit 1
+ fi
+ REPO="/srv/git/$1"
+ if [ ! -d "$REPO" ]; then
+ echo "repo not found: $REPO"
+ exit 1
+ fi
+ ln -sf /srv/git/.deploy-hook "$REPO/hooks/post-receive"
+ chmod +x "$REPO/hooks/post-receive"
+ echo "enabled deploy hook for $1"
+ '')
+ ];
+}
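Review bot: `REPO=$(basename $(pwd) .git)` on the first line of the hook leaves the inner command substitution unquoted, so a bare-repo path containing whitespace is word-split before basename sees it; write `REPO=$(basename "$(pwd)" .git)`. The `chmod +x "$REPO/hooks/post-receive"` in git-enable-deploy acts on a symlink whose target is a Nix store path: writeShellScript output is already executable, and on a read-only /nix/store the chmod fails while the script (no `set -e`) still prints "enabled deploy hook", so the line should be dropped. The hook also discards the ref list post-receive receives on stdin and checks out whatever HEAD points to, so a push to any branch redeploys the default branch; if that is intended, say so with `# always deploys HEAD, regardless of which ref was pushed`. Note too that /www/sites is created root-owned 0755, so each $SITE directory must be pre-created writable by the pushing user (git via fcgiwrap, per git-btw.nix) for the checkout to succeed — worth a comment above the tmpfiles rule.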
diff --git a/server/git-btw.nix b/server/git-btw.nix
new file mode 100644
index 0000000..334a6ce
--- /dev/null
+++ b/server/git-btw.nix
@@ -0,0 +1,115 @@
+{
+ config,
+ pkgs,
+ ...
+}: let
+ domain = "git.tonybtw.com";
+ git_root = "/srv/git";
+ app_root = "/www/sites/git-btw";
+ php_user = "git-btw";
+ php_group = "git-btw";
+in {
+ services.phpfpm.pools.git-btw = {
+ user = php_user;
+ group = php_group;
+ settings = {
+ "listen.owner" = config.services.nginx.user;
+ "listen.group" = config.services.nginx.group;
+ "pm" = "ondemand";
+ "pm.max_children" = 8;
+ "pm.process_idle_timeout" = "10s";
+ };
+ };
+
+ services.nginx.virtualHosts.${domain} = {
+ enableACME = true;
+ forceSSL = true;
+
+ root = "${app_root}/public";
+ index = "index.php";
+
+ locations."/" = {
+ tryFiles = "$uri $uri/ /index.php?$query_string";
+ };
+
+ locations."~ \\.php$" = {
+ extraConfig = ''
+ fastcgi_pass unix:${config.services.phpfpm.pools.git-btw.socket};
+ fastcgi_index index.php;
+ include ${pkgs.nginx}/conf/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param GIT_ROOT ${git_root};
+ '';
+ };
+
+ locations."/css/" = {
+ root = "${app_root}/public";
+ };
+
+ locations."/js/" = {
+ root = "${app_root}/public";
+ };
+
+ locations."~ ^/([^/]+\\.git)/(HEAD|info/refs|objects|git-upload-pack)$" = {
+ fastcgiParams = {
+ GIT_HTTP_EXPORT_ALL = "";
+ GIT_PROJECT_ROOT = git_root;
+ PATH_INFO = "$uri";
+ };
+ extraConfig = ''
+ fastcgi_pass unix:${config.services.fcgiwrap.instances.git.socket.path};
+ '';
+ };
+
+ locations."~ ^/([^/]+\\.git)/git-receive-pack$" = {
+ fastcgiParams = {
+ GIT_HTTP_EXPORT_ALL = "";
+ GIT_PROJECT_ROOT = git_root;
+ PATH_INFO = "$uri";
+ };
+ extraConfig = ''
+ auth_basic "git push";
+ auth_basic_user_file /srv/git/.htpasswd;
+ fastcgi_pass unix:${config.services.fcgiwrap.instances.git.socket.path};
+ '';
+ };
+ };
+
+ services.fcgiwrap.instances.git = {
+ process.user = "git";
+ process.group = "git";
+ socket = {inherit (config.services.nginx) user group;};
+ };
+
+ systemd.services.git-daemon = {
+ description = "Git daemon";
+ wantedBy = ["multi-user.target"];
+ after = ["network.target"];
+ serviceConfig = {
+ ExecStart = "${pkgs.git}/bin/git daemon --reuseaddr --base-path=${git_root} --export-all --verbose ${git_root}";
+ User = "git";
+ Group = "git";
+ };
+ };
+
+ users.users.git = {
+ isSystemUser = true;
+ group = "git";
+ home = git_root;
+ shell = "${pkgs.git}/bin/git-shell";
+ };
+ users.groups.git = {};
+
+ users.users.${php_user} = {
+ isSystemUser = true;
+ group = php_group;
+ extraGroups = ["git"];
+ };
+ users.groups.${php_group} = {};
+
+ systemd.tmpfiles.rules = [
+ "d ${git_root} 0755 git git -"
+ ];
+
+ networking.firewall.allowedTCPPorts = [9418];
+}
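Review bot: The auth_basic on the git-receive-pack location only gates the POST; the push's ref advertisement, `GET /repo.git/info/refs?service=git-receive-pack`, matches the unauthenticated location on line 119, and git-http-backend refuses the receive-pack service there unless REMOTE_USER is set or http.receivepack is enabled in the repo, so HTTPS pushes are likely to fail with 403 (or, with http.receivepack=true in each repo, to work only because the later POST happens to be gated). A conventional fix is to derive the realm from $arg_service with a map and apply auth_basic in the info/refs location as well, as below — nginx treats a realm value of `off` as disabling auth; this also relies on REMOTE_USER and QUERY_STRING reaching fcgiwrap, which depends on fastcgi_params being included for these locations, so confirm the NixOS fastcgiParams option does that. Separately, `objects` in the line-119 regex matches only the literal /objects path, so dumb-HTTP object fetches under objects/ are not served; harmless if smart HTTP is the only intended transport. Also note that GIT_HTTP_EXPORT_ALL plus git daemon --export-all on the firewall-opened port 9418 make every repository under /srv/git anonymously readable, which deserves a comment next to the git_root binding.
```nix
  # Realm is "off" (no auth) unless the client asks for the push service in
  # the ref advertisement, so clones stay anonymous and only pushes need credentials.
  services.nginx.appendHttpConfig = ''
    map $arg_service $git_push_realm {
      default          off;
      git-receive-pack "git push";
    }
  '';

  # … unchanged: phpfpm pool, virtualHost root/index, php and asset locations …
    locations."~ ^/([^/]+\\.git)/(HEAD|info/refs|objects|git-upload-pack)$" = {
      # … unchanged: fastcgiParams …
      extraConfig = ''
        auth_basic $git_push_realm;
        auth_basic_user_file /srv/git/.htpasswd;
        fastcgi_pass unix:${config.services.fcgiwrap.instances.git.socket.path};
      '';
    };
```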