sourcehut.gitsrht: 0.78.20 -> 0.84.2

Newer versions of the gitsrht-api service call setrlimit() on startup,
so allow it in the `SystemCallFilter` definition for the service.

Signed-off-by: Christoph Heiss <christoph@c8h4.io>
Christoph Heiss 2023-04-19 23:43:58 +02:00
parent 869781c2f4
commit c123a37be6
No known key found for this signature in database
GPG Key ID: 73D5E7FDEE3DE49A
3 changed files with 21 additions and 16 deletions


@ -803,6 +803,9 @@ in
systemd.services.sshd = {
#path = optional cfg.git.enable [ cfg.git.package ];
serviceConfig = {
BindPaths = optionals cfg.git.enable [
"/var/log:/var/log"
];
BindReadOnlyPaths =
# Note that those /usr/bin/* paths are hardcoded in multiple places in *.sr.ht,
# for instance to get the user from the [git.sr.ht::dispatch] settings.
@ -834,14 +837,13 @@ in
set -e
cd /run/sourcehut/gitsrht/subdir
set -x
export PATH="${cfg.git.package}/bin:$PATH"
export SRHT_CONFIG=/run/sourcehut/gitsrht/config.ini
exec -a "$0" ${pkgs.sourcehut.gitsrht}/bin/gitsrht-shell "$@"
''}:/usr/bin/gitsrht-shell"
"${pkgs.writeShellScript "gitsrht-update-hook" ''
set -e
test -e "''${PWD%/*}"/config.ini ||
# Git hooks are run relative to their repository's directory,
# but gitsrht-update-hook looks up ../config.ini
ln -s /run/sourcehut/gitsrht/config.ini "''${PWD%/*}"/config.ini
export SRHT_CONFIG=/run/sourcehut/gitsrht/config.ini
# hooks/post-update calls /usr/bin/gitsrht-update-hook as hooks/stage-3
# but this wrapper being a bash script, it overrides $0 with /usr/bin/gitsrht-update-hook
# hence this hack to put hooks/stage-3 back into gitsrht-update-hook's $0
@ -1068,10 +1070,11 @@ in
};
})
];
extraServices.gitsrht-api = {
serviceConfig.Restart = "always";
serviceConfig.RestartSec = "5s";
serviceConfig.ExecStart = "${pkgs.sourcehut.gitsrht}/bin/gitsrht-api -b ${cfg.listenAddress}:${toString (cfg.git.port + 100)}";
extraServices.gitsrht-api.serviceConfig = {
Restart = "always";
RestartSec = "5s";
ExecStart = "${pkgs.sourcehut.gitsrht}/bin/gitsrht-api -b ${cfg.listenAddress}:${toString (cfg.git.port + 100)}";
BindPaths = [ "${cfg.settings."git.sr.ht".repos}:/var/lib/sourcehut/gitsrht/repos" ];
};
extraServices.gitsrht-fcgiwrap = mkIf cfg.nginx.enable {
serviceConfig = {
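Review bot: The new `BindPaths` entry for `gitsrht-api` mounts the repository tree read-write into the API service, and nothing on the line says why write access is needed. If the API only reads repositories, `BindReadOnlyPaths` would be the least-privilege choice; if it creates or modifies repositories on disk (which it presumably does for repository creation), that should be stated so the next reader does not "harden" it into a broken service, e.g. `# gitsrht-api creates repositories under this path, so it must stay writable (BindReadOnlyPaths would break it)`. The surrounding module attribute set that holds `extraServices` starts and ends outside the hunk.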


@ -108,7 +108,7 @@ let
#SocketBindDeny = "any";
SystemCallFilter = [
"@system-service"
"~@aio" "~@keyring" "~@memlock" "~@privileged" "~@resources" "~@timer"
"~@aio" "~@keyring" "~@memlock" "~@privileged" "~@timer"
"@chown" "@setuid"
];
SystemCallArchitectures = "native";
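Review bot: Removing `"~@resources"` from the filter admits the whole group (scheduler-priority, memory-policy and rlimit calls), which is broader than the one call the commit message says gitsrht-api needs. Since the list is processed in order and later bare entries re-add syscalls — the existing `"@chown" "@setuid"` entries appear to rely on this — the narrower form is to keep the group denied and re-allow only the rlimit calls after it: `"~@aio" "~@keyring" "~@memlock" "~@privileged" "~@resources" "~@timer"` followed by `"@chown" "@setuid" "setrlimit" "prlimit64"` (glibc and Go may route setrlimit through `prlimit64`, so both are worth allowing; confirm against the service's actual failure). A one-line comment naming which service needs it, e.g. `# gitsrht-api calls setrlimit() on startup`, would also keep this from being tightened again later. The `let` binding that holds this attribute set starts outside the hunk.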


@ -4,32 +4,33 @@
, buildPythonPackage
, python
, srht
, pygit2
, scmsrht
, pygit2
, minio
, unzip
}:
let
version = "0.78.20";
version = "0.84.2";
src = fetchFromSourcehut {
owner = "~sircmpwn";
repo = "git.sr.ht";
rev = version;
sha256 = "sha256-rZsTtHobsgRVmMOjPa1fiKrPsNyFu/gOsmO0cTl5MqQ=";
sha256 = "sha256-sAkTsQlWtNDQ5vAhA2EeOvuJcj9A6AG8pgDyIKtr65s=";
};
gitApi = buildGoModule ({
inherit src version;
pname = "gitsrht-api";
modRoot = "api";
vendorHash = "sha256-cCs9FUBusaAou9w4TDOg8GKxhRcsPbSNcQpxvFH/+so=";
} // import ./fix-gqlgen-trimpath.nix { inherit unzip; });
vendorHash = "sha256-LAYp0zgosZnFEbtxzjuTH9++0lbxhACr705HqXJz3D0=";
} // import ./fix-gqlgen-trimpath.nix { inherit unzip; gqlgenVersion = "0.17.20"; });
gitDispatch = buildGoModule {
inherit src version;
pname = "gitsrht-dispatch";
modRoot = "gitsrht-dispatch";
vendorHash = "sha256-qWXPHo86s6iuRBhRMtmD5jxnAWKdrWHtA/iSUkdw89M=";
vendorHash = "sha256-EDvSZ3/g0xDSohrsAIpNhk+F0yy8tbnTW/3tURTonMc=";
};
gitKeys = buildGoModule {
@ -65,8 +66,9 @@ buildPythonPackage rec {
propagatedBuildInputs = [
srht
pygit2
scmsrht
pygit2
minio
];
preBuild = ''