Bruno BELANYI 8f120e2129
nixos: services: lohr: fix SSH key creation
In the migration to `tmpfiles.d(5)`, I used the wrong type of file.

Using `f` would write the path to the file as its content, rather than
copy it. Unfortunately `C` and `C+` do not overwrite an existing file,
so using a symlink is the correct solution here.

This means the SSH key file must have `lohr` as an owner... Perhaps I
should make it so the service can read the file itself, rather than
rely on the filesystem location, so that I don't have to contort myself
quite so much to make it work.
2024-04-02 12:25:34 +02:00


# A simple Gitea webhook to mirror all my repositories
#
# NixOS module for the lohr service: declares its options, a systemd unit that
# runs as a dedicated `lohr` user, and that user's account and group.
# NOTE(review): this listing has lost lines (the `let` bindings, several
# attribute paths and closing braces are not visible), so the comments below
# cover only what is shown.
{ config, lib, pkgs, ... }:
cfg =;
# YAML generator used both for the option type and for the rendered config file.
settingsFormat = pkgs.formats.yaml { };
# Name handed to systemd's StateDirectory= below.
lohrStateDirectory = "lohr";
# Home and working directory of the service user. The trailing slash matters
# wherever this value is interpolated into a longer path.
lohrHome = "/var/lib/lohr/";
{ = with lib; {
enable = mkEnableOption "Automatic gitea repositories mirroring";
# Exported to the service as ROCKET_PORT in the unit environment.
port = mkOption {
type = types.port;
default = 9192;
example = 8080;
description = "Internal port of the Lohr service";
# Free-form settings rendered to `lohr-config.yaml` by settingsFormat.generate.
# The generated file lives in the Nix store, which is world-readable, so no
# secret should be placed in this attribute set.
setting = mkOption rec {
type = settingsFormat.type;
# User-supplied values are merged over `default` rather than replacing it.
apply = recursiveUpdate default;
default = {
default_remotes = [
description = "Global settings configuration file";
# Path to the file holding the webhook shared secret. It is typed as a string,
# so the path is referenced at runtime and the secret is not copied into the
# Nix store. Presumably consumed through EnvironmentFile= below; the list
# contents are not visible in this listing.
sharedSecretFile = mkOption {
type = types.str;
example = "/run/secrets/lohr.env";
description = "Shared secret between lohr and Gitea hook";
# Optional path to the private SSH key used for mirroring; `null` disables the
# tmpfiles provisioning further down. Also a string, for the same reason as
# sharedSecretFile: the key must stay out of the Nix store.
sshKeyFile = mkOption {
type = with types; nullOr str;
default = null;
example = "/run/secrets/lohr/ssh-key";
description = ''
The ssh key that should be used by lohr to mirror repositories
config = lib.mkIf cfg.enable { = {
wantedBy = [ "" ];
serviceConfig = {
EnvironmentFile = [
Environment = [
"ROCKET_PORT=${toString cfg.port}"
ExecStart =
configFile = settingsFormat.generate "lohr-config.yaml" cfg.setting;
"${lib.getExe pkgs.ambroisie.lohr} --config ${configFile}";
StateDirectory = lohrStateDirectory;
WorkingDirectory = lohrHome;
# The service runs unprivileged as its own user and group.
# NOTE(review): no sandboxing directives (e.g. NoNewPrivileges=,
# ProtectSystem=) are visible in this listing; confirm against the full file.
User = "lohr";
Group = "lohr";
path = with pkgs; [
# Dedicated system account whose home is the service's state directory.
users.users.lohr = {
isSystemUser = true;
home = lohrHome;
createHome = true;
group = "lohr";
users.groups.lohr = { }; = {
lohr = {
inherit (cfg) port;
# SSH key provisioning
#
# Only emitted when `sshKeyFile` is set. Creates `~lohr/.ssh` and points
# `id_ed25519` at the configured key file through a symlink, so the key
# material itself is never copied by tmpfiles.
systemd.tmpfiles.settings."10-lohr" = lib.mkIf (cfg.sshKeyFile != null) {
# `lohrHome` already ends in a slash, so this expands to
# "/var/lib/lohr//.ssh". NOTE(review): confirm tmpfiles treats the doubled
# slash as the same path.
"${lohrHome}/.ssh" = {
# `d`: create the directory if missing, private to the lohr user.
d = {
user = "lohr";
group = "lohr";
mode = "0700";
"${lohrHome}/.ssh/id_ed25519" = {
# `L+`: create the symlink, replacing whatever already exists at this path.
# Access to the key is decided by the owner and mode of the *target* file
# (`cfg.sshKeyFile`), which therefore has to be readable by `lohr` and should
# not be readable by other users. tmpfiles.d(5) documents the mode field as
# ignored for `L` lines, so the `mode` below does not protect the key;
# NOTE(review): verify how the systemd version in use treats user/group here.
"L+" = {
user = "lohr";
group = "lohr";
mode = "0700";
# Symlink target: the secret's runtime path, e.g. under /run/secrets.
argument = cfg.sshKeyFile;