homepage: allow deployment via gitea actions runner (#15)

closes clan/clan-homepage#1

Co-authored-by: DavHau <hsngrmpf+github@gmail.com>
Reviewed-on: #15

flake.lock

@@ -82,16 +82,16 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1689247091,
-        "narHash": "sha256-sg6yVZGU4yQ8vx/u/jeR7etUIQZhcc4Ss6PHNHAFZjU=",
-        "owner": "Mic92",
+        "lastModified": 1689638193,
+        "narHash": "sha256-7SCl/TEswRCtVSFD9p2SXKH4iWbXDmly2O1oYsxidDc=",
+        "owner": "DavHau",
         "repo": "nixpkgs",
-        "rev": "dc54601ce60a6e7b427d124550d43067ee605b53",
+        "rev": "2ab9f837047affd23ebf27b0175aff34d6b9e7e3",
         "type": "github"
       },
       "original": {
-        "owner": "Mic92",
-        "ref": "daemon",
+        "owner": "DavHau",
+        "ref": "gitea",
         "repo": "nixpkgs",
         "type": "github"
       }

flake.nix

@@ -8,7 +8,7 @@
 
   inputs = {
     # https://github.com/NixOS/nixpkgs/pull/243252
-    nixpkgs.url = "github:Mic92/nixpkgs/daemon";
+    nixpkgs.url = "github:DavHau/nixpkgs/gitea";
     flake-parts.url = "github:hercules-ci/flake-parts";
     flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
     treefmt-nix.url = "github:numtide/treefmt-nix";

modules/web01/homepage.nix

@@ -2,6 +2,20 @@
   security.acme.defaults.email = "admins@clan.lol";
   security.acme.acceptTerms = true;
 
+  # www user to push website artifacts via ssh
+  users.users.www = {
+    openssh.authorizedKeys.keys = [
+      # ssh-homepage-key
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxZ3Av30M6Sh6NU1mnCskB16bYtNP8vskc/+ud0AU1C ssh-homepage-key"
+    ];
+    isNormalUser = true;
+  };
+
+  # ensure /var/www can be accessed by nginx and www user
+  systemd.tmpfiles.rules = [
+    "d /var/www 0755 www nginx"
+  ];
+
   services.nginx = {
     virtualHosts."clan.lol" = {
       forceSSL = true;