From 62e62c70e17f51b7e3a68fc116350cfd2f0e7224 Mon Sep 17 00:00:00 2001
From: Bruno BELANYI <bruno@belanyi.fr>
Date: Fri, 5 Nov 2021 16:31:22 +0100
Subject: [PATCH] modules: services: lohr: declarative ssh key

---
 modules/services/lohr/default.nix | 35 +++++++++++++++++++++++++++----
 1 file changed, 31 insertions(+), 4 deletions(-)

diff --git a/modules/services/lohr/default.nix b/modules/services/lohr/default.nix
index 45ae3d7..af218ac 100644
--- a/modules/services/lohr/default.nix
+++ b/modules/services/lohr/default.nix
@@ -5,6 +5,9 @@ let
   settingsFormat = pkgs.formats.yaml { };
 
   lohrPkg = pkgs.ambroisie.lohr;
+
+  lohrStateDirectory = "lohr";
+  lohrHome = "/var/lib/lohr/";
 in
 {
   options.my.services.lohr = with lib; {
@@ -34,6 +37,15 @@ in
       example = "/run/secrets/lohr.env";
       description = "Shared secret between lohr and Gitea hook";
     };
+
+    sshKeyFile = mkOption {
+      type = with types; nullOr str;
+      default = null;
+      example = "/run/secrets/lohr/ssh-key";
+      description = ''
+        The ssh key that should be used by lohr to mirror repositories
+      '';
+    };
   };
 
   config = lib.mkIf cfg.enable {
@@ -46,16 +58,31 @@ in
         Environment = [
           "ROCKET_PORT=${toString cfg.port}"
           "ROCKET_LOG_LEVEL=normal"
-          "LOHR_HOME=/var/lib/lohr/"
+          "LOHR_HOME=${lohrHome}"
           "LOHR_CONFIG="
         ];
+        ExecStartPre = lib.mkIf (cfg.sshKeyFile != null) ''+${
+          pkgs.writeScript "copy-ssh-key" ''
+            #!${pkgs.bash}/bin/bash
+            # Ensure the key is not there
+            mkdir -p '${lohrHome}/.ssh'
+            rm -f '${lohrHome}/.ssh/id_ed25519'
+
+            # Move the key into place
+            cp ${cfg.sshKeyFile} '${lohrHome}/.ssh/id_ed25519'
+
+            # Fix permissions
+            chown -R lohr:lohr '${lohrHome}/.ssh'
+            chmod -R 0700 '${lohrHome}/.ssh'
+          ''
+        }'';
         ExecStart =
           let
             configFile = settingsFormat.generate "lohr-config.yaml" cfg.setting;
           in
           "${lohrPkg}/bin/lohr --config ${configFile}";
-        StateDirectory = "lohr";
-        WorkingDirectory = "/var/lib/lohr";
+        StateDirectory = lohrStateDirectory;
+        WorkingDirectory = lohrHome;
         User = "lohr";
         Group = "lohr";
       };
@@ -66,7 +93,7 @@ in
 
     users.users.lohr = {
       isSystemUser = true;
-      home = "/var/lib/lohr";
+      home = lohrHome;
       createHome = true;
       group = "lohr";
     };