From e91ebb24f09f74d68bd271ea2d3245e17de5976b Mon Sep 17 00:00:00 2001
From: Bruno BELANYI
Date: Fri, 5 Nov 2021 15:31:59 +0100
Subject: [PATCH 1/3] modules: secrets: lohr: add 'ssh-key'

---
 modules/secrets/lohr/ssh-key.age | Bin 0 -> 839 bytes
 modules/secrets/secrets.nix | 1 +
 2 files changed, 1 insertion(+)
 create mode 100644 modules/secrets/lohr/ssh-key.age

diff --git a/modules/secrets/lohr/ssh-key.age b/modules/secrets/lohr/ssh-key.age
new file mode 100644
index 0000000000000000000000000000000000000000..30a5e254eb0031110173e2d83b1ad9fba44a8255
GIT binary patch literal 839 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSn_Ri1BO;^ZrPl*UC z4+#wlNe!vWEOE=%FDppSON_E~$_&mdD>IHtbagb1(#|i)GU2jF&d)c`E^>AaGV%5Z zj`GWJFD~)RGWSh3Fo`N~^-0ey3C#)gjtX&fD@M01DDJ7%C zB+;`tG%zyVC)7Bv%-1cVB&E{3Dj#HAw#Z--|l7uGrwtFXwf_ zIqP3v)H1%E!)<#e^o%@L*DIUJxBSd}qqUr7I6R&CDY5p<-1W@==F2=h7WMC8Cs*>< z-S0A(^(-H9Y+5_Lr{u}`9pNAEEt~gwR{M?M;ukfsa&8T_E*HP69y_?MK6CSjuTkq> z{(4;ODDdrig^hTPT~EAIyu)mZc>9Y12DY;l&dc4&SlLyeztjJ^pm&p3;`hEd&G)k> zEV0h#s@2!`^j`TpcB`R6NNM`OU-69h(HSS12H8Dww&%7f zKYwSD7Q5fB{_CeKcWIBEZB{&IcjkWgZhOQlXEN)x`Mp0YwE~t%YPVeFYUUNN64unL z5MngiZueSsyWb6k$jFQi|7X=^2R2LzpS5Ar_e@=veuI_I@Air6Zogq?zx*?sR@mOp zY&xQON9QUO>s6dFRQ!`Hrf|SODo`+`W$k$-Q-v(i7Y6+t58u7bo4|6V%uXjq#CY4K z;01rzuHLsw^1PlugRRape+My%bzW!P0~Xv@nO&5&uQtxWpujaKAfwChQRElvElP@; Uz4P{QuWxOxb-r#rr7DdN0H8=xJpcdz literal 0 HcmV?d00001

diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
index ee5aba5..d8e289e 100644
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@@ -19,6 +19,7 @@ in
     "drone/ssh/private-key.age".publicKeys = all;
     "lohr/secret.age".publicKeys = all;
+    "lohr/ssh-key.age".publicKeys = all;
     "matrix/mail.age" = {
       owner = "matrix-synapse";

From 7c1f379d82df8947ccc995164bf3720429af6834 Mon Sep 17 00:00:00 2001
From: Bruno BELANYI
Date: Fri, 5 Nov 2021 16:31:22 +0100
Subject: [PATCH 2/3] modules: services: lohr: declarative ssh key

---
 modules/services/lohr/default.nix | 35 +++++++++++++++++++++++++++----
 1 file changed, 31 insertions(+), 4 deletions(-)

diff --git a/modules/services/lohr/default.nix b/modules/services/lohr/default.nix
index 45ae3d7..af218ac 100644
--- a/modules/services/lohr/default.nix
+++ b/modules/services/lohr/default.nix
@@ -5,6 +5,9 @@ let
   settingsFormat = pkgs.formats.yaml { };
   lohrPkg = pkgs.ambroisie.lohr;
+
+  lohrStateDirectory = "lohr";
+  lohrHome = "/var/lib/lohr/";
 in
 {
   options.my.services.lohr = with lib; {
@@ -34,6 +37,15 @@ in
       example = "/run/secrets/lohr.env";
       description = "Shared secret between lohr and Gitea hook";
     };
+
+    sshKeyFile = mkOption {
+      type = with types; nullOr str;
+      default = null;
+      example = "/run/secrets/lohr/ssh-key";
+      description = ''
+        The ssh key that should be used by lohr to mirror repositories
+      '';
+    };
   };

   config = lib.mkIf cfg.enable {
@@ -46,16 +58,31 @@ in
         Environment = [
           "ROCKET_PORT=${toString cfg.port}"
           "ROCKET_LOG_LEVEL=normal"
-          "LOHR_HOME=/var/lib/lohr/"
+          "LOHR_HOME=${lohrHome}"
           "LOHR_CONFIG="
         ];
+        ExecStartPre = lib.mkIf (cfg.sshKeyFile != null) ''+${
+          pkgs.writeScript "copy-ssh-key" ''
+            #!${pkgs.bash}/bin/bash
+            # Ensure the key is not there
+            mkdir -p '${lohrHome}/.ssh'
+            rm -f '${lohrHome}/.ssh/id_ed25519'
+
+            # Move the key into place
+            cp ${cfg.sshKeyFile} '${lohrHome}/.ssh/id_ed25519'
+
+            # Fix permissions
+            chown -R lohr:lohr '${lohrHome}/.ssh'
+            chmod -R 0700 '${lohrHome}/.ssh'
+          ''
+        }'';
         ExecStart =
           let
             configFile = settingsFormat.generate "lohr-config.yaml" cfg.setting;
           in
           "${lohrPkg}/bin/lohr --config ${configFile}";
-        StateDirectory = "lohr";
-        WorkingDirectory = "/var/lib/lohr";
+        StateDirectory = lohrStateDirectory;
+        WorkingDirectory = lohrHome;
         User = "lohr";
         Group = "lohr";
       };
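Review bot: `lohrHome = "/var/lib/lohr/"` carries a trailing slash, so the `'${lohrHome}/.ssh'` interpolations in the ExecStartPre hunk below expand to `/var/lib/lohr//.ssh`, and `home = lohrHome` in the `users.users.lohr` hunk changes the user's home from `/var/lib/lohr` to `/var/lib/lohr/`. Dropping the slash, `lohrHome = "/var/lib/lohr";`, keeps every derived path canonical and matches the previous `WorkingDirectory` and `home` values. Only the `LOHR_HOME` environment value previously had the slash; whether lohr itself relies on it is not visible from this patch, so keep it in that one string if it does.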
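Review bot: The `sshKeyFile` description calls the option "the ssh key", but the value is a path to a file holding the private key, and the file is read as root at service start and copied into the lohr user's `~/.ssh/id_ed25519`; a reader picking this option needs those two facts. Suggested wording: `Path to a file containing the private ssh key lohr uses to mirror repositories. It is copied into the lohr user's ~/.ssh/id_ed25519 by the unit's ExecStartPre.`. A one-line comment on the type choice is also worth adding above `type = with types; nullOr str;`: `# str rather than path: a path literal would copy the key into the world-readable nix store`.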
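Review bot: The `copy-ssh-key` script has no `set -euo pipefail`, so if `cp ${cfg.sshKeyFile}` fails (secret not yet decrypted, wrong path) the script's status is that of the trailing `chmod`, which succeeds on the directory, and lohr starts without a key instead of failing its ExecStartPre. The copy is also done with plain `cp` followed by `chown -R` and `chmod -R 0700` over the whole `.ssh` directory, which marks the private key executable and rewrites the mode of anything else that lives there; `install -m 0600 -o lohr -g lohr` creates the key with its final owner and mode as part of the copy, replaces any previous file, and makes the separate `rm -f` unnecessary. `${cfg.sshKeyFile}` is the only unquoted path in the script and should be quoted like the others. The enclosing `serviceConfig` attrset starts before this hunk.
```nix
          pkgs.writeScript "copy-ssh-key" ''
            #!${pkgs.bash}/bin/bash
            set -euo pipefail
            # Private directory for the lohr user; no -R so other files in it keep their mode
            mkdir -p '${lohrHome}/.ssh'
            chown lohr:lohr '${lohrHome}/.ssh'
            chmod 0700 '${lohrHome}/.ssh'
            # install replaces any previous key and applies owner and mode as part of the copy
            install -m 0600 -o lohr -g lohr '${cfg.sshKeyFile}' '${lohrHome}/.ssh/id_ed25519'
          ''
```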
@@ -66,7 +93,7 @@ in
   users.users.lohr = {
     isSystemUser = true;
-    home = "/var/lib/lohr";
+    home = lohrHome;
     createHome = true;
     group = "lohr";
   };

From 21f0199791c1dacecefa633db1e1834b06a4dda7 Mon Sep 17 00:00:00 2001
From: Bruno BELANYI
Date: Fri, 5 Nov 2021 16:56:45 +0100
Subject: [PATCH 3/3] machines: porthos: services: use 'lohr.sshKeyFile'

---
 machines/porthos/services.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/machines/porthos/services.nix b/machines/porthos/services.nix
index 07cf8eb..5661773 100644
--- a/machines/porthos/services.nix
+++ b/machines/porthos/services.nix
@@ -52,6 +52,7 @@ in
     lohr = {
       enable = true;
       sharedSecretFile = secrets."lohr/secret".path;
+      sshKeyFile = secrets."lohr/ssh-key".path;
     };
     # Matrix backend and Element chat front-end
     matrix = {