From 276fde836f8fe010afee53e1c7e5743138b41f3a Mon Sep 17 00:00:00 2001
From: DavHau
Date: Wed, 19 Jul 2023 18:28:03 +0000
Subject: [PATCH] homepage: allow deployment via gitea actions runner (#15)
closes https://git.clan.lol/clan/clan-homepage/issues/1
Co-authored-by: DavHau
Reviewed-on: https://git.clan.lol/clan/clan-infra/pulls/15
---
 flake.lock | 12 ++++++------
 flake.nix | 2 +-
 modules/web01/homepage.nix | 14 ++++++++++++++
 3 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/flake.lock b/flake.lock
index 2da7a9e..06a5250 100644
--- a/flake.lock
+++ b/flake.lock
@@ -82,16 +82,16 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1689247091,
- "narHash": "sha256-sg6yVZGU4yQ8vx/u/jeR7etUIQZhcc4Ss6PHNHAFZjU=",
- "owner": "Mic92",
+ "lastModified": 1689638193,
+ "narHash": "sha256-7SCl/TEswRCtVSFD9p2SXKH4iWbXDmly2O1oYsxidDc=",
+ "owner": "DavHau",
 "repo": "nixpkgs",
- "rev": "dc54601ce60a6e7b427d124550d43067ee605b53",
+ "rev": "2ab9f837047affd23ebf27b0175aff34d6b9e7e3",
 "type": "github"
 },
 "original": {
- "owner": "Mic92",
- "ref": "daemon",
+ "owner": "DavHau",
+ "ref": "gitea",
 "repo": "nixpkgs",
 "type": "github"
 }
diff --git a/flake.nix b/flake.nix
index e457ba1..a224d37 100644
--- a/flake.nix
+++ b/flake.nix
@@ -8,7 +8,7 @@
 inputs = {
 # https://github.com/NixOS/nixpkgs/pull/243252
- nixpkgs.url = "github:Mic92/nixpkgs/daemon";
+ nixpkgs.url = "github:DavHau/nixpkgs/gitea";
 flake-parts.url = "github:hercules-ci/flake-parts";
 flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
 treefmt-nix.url = "github:numtide/treefmt-nix";
diff --git a/modules/web01/homepage.nix b/modules/web01/homepage.nix
index 66c0a94..6ede065 100644
--- a/modules/web01/homepage.nix
+++ b/modules/web01/homepage.nix
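Review bot: The comment on the line above the changed input, `# https://github.com/NixOS/nixpkgs/pull/243252`, explained the previous `Mic92/nixpkgs/daemon` pin and is no longer clearly tied to `DavHau/nixpkgs/gitea`; update it to reference whatever change that branch carries (presumably the gitea actions runner support named in the subject), or drop it so the next reader does not assume that PR is still what the fork provides. The lock file pins the branch to a specific rev, so builds stay reproducible, but `github:DavHau/nixpkgs/gitea` is a mutable personal branch and a future `nix flake update` will take whatever it points at then; a comment naming the intended upstream change and when the input can return to nixpkgs proper would make that supply-chain dependency explicit.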
@@ -2,6 +2,20 @@
 security.acme.defaults.email = "admins@clan.lol";
 security.acme.acceptTerms = true;
+ # www user to push website artifacts via ssh
+ users.users.www = {
+ openssh.authorizedKeys.keys = [
+ # ssh-homepage-key
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxZ3Av30M6Sh6NU1mnCskB16bYtNP8vskc/+ud0AU1C ssh-homepage-key"
+ ];
+ isNormalUser = true;
+ };
+
+ # ensure /var/www can be accessed by nginx and www user
+ systemd.tmpfiles.rules = [
+ "d /var/www 0755 www nginx"
+ ];
+
 services.nginx = {
 virtualHosts."clan.lol" = {
 forceSSL = true;
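Review bot: The deploy key added under `users.users.www.openssh.authorizedKeys.keys` lands on an `isNormalUser = true` account, so the holder of the `ssh-homepage-key` private key gets a full interactive login on web01 rather than only write access to `/var/www`, which is all the comment "www user to push website artifacts via ssh" asks for. Consider constraining the key with OpenSSH authorized_keys options by prefixing the key string, e.g. `"restrict,command=\"<upload command placeholder>\" ssh-ed25519 AAAA… ssh-homepage-key"`, so that only the forced upload command can run, and/or declare the account as `isSystemUser = true; group = "www";` with an explicit `shell` if no interactive login is needed. The tmpfiles rule `d /var/www 0755 www nginx` is appropriate for a static document root, but a short comment on why world-read is intended would stop a later hardening pass from tightening it and breaking nginx. The enclosing module attribute set starts and ends outside the hunk.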