opengist: Add config with hardened systemd setup in myLib.
Created by PlumJam on February 3, 2026
DZ7TR2QXI2AUMPUCKB3KRDDSHLPH445IXCF3OKDLFAERDO7MQSVQC Dependencies
- [2]
U37LUXWOIPX75P5KBCWXCKDDU275KONA7O7JAAVI2DLMIEE7BWAAC - [3]
QJSIQOCXRIHWFNBM3BQ4ILFK4ZQ6ALN5LNWPY6GTYRDBDB5LUV2AC - [4]
HWCVAVGHMRTGNMV7WXWM6XB6KMMZQCMZQXWHQV4MPKXZOCAOGXKAC - [5]
RTBMBSBABSGTRICJ4AWBKWO3JJHBRKV6FGOMYPDD7X6SS6X35ZIQC - [6]
2CMYRHKT4X3JQOH23IYC2MFSNZTEEWPFMQK43FDLCGYU4JWCV3FQC - [7]
WMG2YNWEKFK4DMH3AZP5WSGJ4K66OUHXGK4KPHOW2JNU57DVS42QC - [8]
UBB7TTAXVPQQCOVHACKWXSPV2NPARSHREYJB6J3RSEDZZIXPFGOAC
In channels
main
Change contents
File addition: f0406790822cd2d01c64229fe05175b2-opengistEnvironment.age
[4.2685]File addition: opengist.nix
[5.2]{flake.modules.nixos.opengist ={pkgs,config,lib,...}:letinherit (lib.lists) singleton;inherit (lib.meta) getExe;inherit (config.networking) domain hostName;inherit (config.myLib) merge systemdHardened;fqdn = "gist.${domain}";port = 8002;forgejoUrl = "git.plumj.am";user = "forgejo";workDir = "/var/lib/opengist";in{assertions = singleton {assertion = config.services.forgejo.enable;message = "The opengist module should be used on the host running Forgejo, but you're trying to enable it on '${hostName}'.";};systemd.services.opengist = {description = "OpenGist";after = ["network.target""forgejo.service"];requires = singleton "forgejo.service";wantedBy = singleton "multi-user.target";path = singleton pkgs.git;serviceConfig = systemdHardened // {Type = "notify";User = user;Group = user;ExecStart = "${getExe pkgs.opengist} --config /etc/opengist/config.yml";Restart = "always";WorkingDirectory = workDir;EnvironmentFile = singleton config.age.secrets.opengistEnvironment.path;RuntimeDirectory = "opengist";ReadWritePaths = singleton workDir;};};services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {locations."/".proxyPass = "http://0.0.0.0:${toString port}";};environment.etc."opengist/config.yml".text = # yml''log-level: warnopengist-home: ${workDir}external-url: https://${fqdn}git.default-branch: masterhttp.port: ${toString port}ssh.git-enabled: falsegitea.name: ${forgejoUrl}gitea.url: https://${forgejoUrl}/custom.name: PlumJam's Gist Servercustom.static-links:- name: <PlumJam's Git Forge>path: https://${forgejoUrl}'';};}Insertion in modules/lib.nix at line 79 [6.151]
systemdHardened = {RuntimeDirectoryMode = "0755";ProcSubset = "pid";ProtectProc = "invisible";UMask = "0027";CapabilityBoundingSet = "";NoNewPrivileges = true;ProtectSystem = "strict";ProtectHome = true;PrivateTmp = true;PrivateDevices = true;PrivateUsers = true;ProtectHostname = true;ProtectClock = true;ProtectKernelTunables = true;ProtectKernelModules = true;ProtectKernelLogs = true;ProtectControlGroups = true;RestrictAddressFamilies = ["AF_UNIX""AF_INET""AF_INET6"];RestrictNamespaces = true;LockPersonality = true;MemoryDenyWriteExecute = true;RestrictRealtime = true;RestrictSUIDSGID = true;RemoveIPC = true;PrivateMounts = true;SystemCallArchitectures = "native";SystemCallFilter = ["~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid""setrlimit"];};Insertion in modules/hosts.nix at line 248 [8.110]
Insertion in modules/hosts.nix at line 279 [8.110]