flake: update all inputs

cargo: bump time to fix compilation error

.github/workflows/cachix.yaml

@@ -0,0 +1,20 @@
+name: "Cachix build"
+on:
+  workflow_dispatch:
+  push:
+    paths:
+      - 'flake.nix'
+      - 'flake.lock'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: cachix/install-nix-action@v24
+    - uses: cachix/cachix-action@v12
+      with:
+        name: alarsyo
+        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+    - run: |
+        nix build --verbose

.github/workflows/ci.yaml

@@ -1,4 +1,4 @@
-on: [push, pull_request]
+on: [push, pull_request, workflow_dispatch]
 
 name: CI
 
@@ -8,62 +8,34 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
-      - name: Install nightly toolchain
-        uses: actions-rs/toolchain@v1
-        with:
-          profile: minimal
-          toolchain: nightly
-          override: true
+      - name: Install stable toolchain
+        uses: dtolnay/rust-toolchain@stable
 
-      - name: Run cargo check
-        uses: actions-rs/cargo@v1
-        with:
-          command: check
+      - run: cargo check
 
   test:
     name: Test Suite
     runs-on: ubuntu-latest
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
-      - name: Install nightly toolchain
-        uses: actions-rs/toolchain@v1
-        with:
-          profile: minimal
-          toolchain: nightly
-          override: true
+      - name: Install stable toolchain
+        uses: dtolnay/rust-toolchain@stable
 
-      - name: Run cargo test
-        uses: actions-rs/cargo@v1
-        with:
-          command: test
+      - run: cargo test
 
   lints:
     name: Lints
     runs-on: ubuntu-latest
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
-      - name: Install nightly toolchain
-        uses: actions-rs/toolchain@v1
-        with:
-          profile: minimal
-          toolchain: nightly
-          override: true
-          components: rustfmt, clippy
+      - name: Install stable toolchain
+        uses: dtolnay/rust-toolchain@stable
 
-      - name: Run cargo fmt
-        uses: actions-rs/cargo@v1
-        with:
-          command: fmt
-          args: --all -- --check
-
-      - name: Run cargo clippy
-        uses: actions-rs/clippy-check@v1
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          args: --all-features
+      - run: cargo fmt --all -- --check
+      - run: cargo clippy --all-features -- -D warnings

Cargo.toml

@@ -1,17 +1,34 @@
 [package]
 name = "lohr"
-version = "0.2.0"
+version = "0.4.6"
 authors = ["Antoine Martin <antoine@alarsyo.net>"]
 edition = "2018"
 license = "Apache-2.0 OR MIT"
 description = "A Git mirroring daemon"
+homepage = "https://github.com/alarsyo/lohr"
+repository = "https://github.com/alarsyo/lohr"
+resolver = "2"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
 anyhow = "1.0.40"
+hex = "0.4.3"
+hmac = "0.10.1"
 log = "0.4.14"
-rocket = "0.4.7"
-rocket_contrib = { version = "0.4.7", features = [ "json" ] }
+regex = "1"
 serde = { version = "1.0.125", features = [ "derive" ] }
+serde_json = "1.0.64"
+serde_regex = "1.1.0"
 serde_yaml = "0.8.17"
+sha2 = "0.9.3"
+
+[dependencies.rocket]
+version = "0.5.0"
+# don't need private-cookies
+default-features = false
+
+[dependencies.clap]
+version = "2.33.3"
+# no need for suggestions or color with only one argument
+default-features = false

README.md

@@ -0,0 +1,138 @@
+# lohr
+
+`lohr` is a Git mirroring tool.
+
+I created it to solve a simple problem I had: I host my own git server at
+<https://git.alarsyo.net>, but want to mirror my public projects to GitHub /
+GitLab, for backup and visibility purposes.
+
+GitLab has a mirroring setting, but it doesn't allow for multiple mirrors, as
+far as I know. I also wanted my instance to be the single source of truth.
+
+## How it works
+
+Gitea is setup to send webhooks to my `lohr` server on every push update. When
+`lohr` receives a push, it clones the concerned repository, or updates it if
+already cloned. Then it pushes the update to **all remotes listed** in the
+[.lohr](.lohr) file at the repo root.
+
+### Destructive
+
+This is a very destructive process: anything removed from the single source of
+truth is effectively removed from any mirror as well.
+
+## Installing
+
+`lohr` is [published on crates.io](https://crates.io/crates/lohr), so you can
+install it with `cargo install`:
+
+    $ cargo install lohr
+
+Note: currently this method won't get you the latest version of `lohr`, as it
+depends on Rocket v0.5.0, which isn't released yet. Updated versions of `lohr`
+will be published on crates.io as soon as Rocket v0.5.0 releases.
+
+## Setup
+
+### Quickstart
+
+Setting up `lohr` should be quite simple:
+
+1.  Create a `Rocket.toml` file and [add your
+    configuration](https://rocket.rs/v0.4/guide/configuration/).
+
+2.  Export a secret variable:
+    
+        $ export LOHR_SECRET=42 # please don't use this secret
+
+3.  Run `lohr`:
+    
+        $ cargo run # or `cargo run --release` for production usage
+
+4.  Configure your favorite git server to send a webhook to `lohr`'s address on
+    every push event.
+    
+    I used [Gitea's webhooks format](https://docs.gitea.io/en-us/webhooks/), but
+    I **think** they're similar to GitHub and GitLab's webhooks, so these should
+    work too! (If they don't, **please** file an issue!)
+    
+    Don't forget to set the webhook secret to the one you chose above.
+
+5.  Add a `.lohr` file containing the remotes you want to mirror this repo to:
+    
+        git@github.com:you/your_repo
+    
+    and push it. That's it! `lohr` is mirroring your repo now.
+
+
+### Configuration
+
+#### Home directory
+
+`lohr` needs a place to clone repos and store its data. By default, it's the
+current directory, but you can set the `LOHR_HOME` environment variable to
+customize it.
+
+#### Shared secret
+
+As shown in the quickstart guide, you **must** set the `LOHR_SECRET` environment
+variable.
+
+#### Extra remote configuration
+
+You can provide `lohr` with a YAML file containing additional configuration. You
+can pass its path to the `--config` flag when launching `lohr`. If no
+configuration is provided via a CLI flag, `lohr` will check the `LOHR_CONFIG`
+environment variable. If the environment variable isn't set either, it will
+check in `LOHR_HOME` is a `lohr-config.yaml` file exists, and try to load it.
+
+This file takes the following format:
+
+``` yaml
+default_remotes:
+    - "git@github:user"
+    - "git@gitlab:user"
+
+additional_remotes:
+    - "git@git.sr.ht:~user"
+
+blacklist:
+    - "private-.*"
+```
+
+- `default_remotes` is a list of remotes to use if no `.lohr` file is found in a
+  repository.
+- `additional_remotes` is a list of remotes to add in any case, whether the
+  original set of remotes is set via `default_remotes` or via a `.lohr` file.
+- `blacklist` is a list of regular expressions to match against the full
+  repository names. Any that matches will not be mirrored, even if it contains a
+  `.lohr` file.
+
+Both settings take as input a list of "stems", i.e. incomplete remote addresses,
+to which the repo's name will be appended (so for example, if my
+`default_remotes` contains `git@github.com:alarsyo`, and a push event webhook is
+received for repository `git@gitlab.com:some/long/path/repo_name`, then the
+mirror destination will be `git@github.com:alarsyo/repo_name`.
+
+## Contributing
+
+I accept patches anywhere! Feel free to [open a GitHub Pull
+Request](https://github.com/alarsyo/lohr/pulls), [a GitLab Merge
+Request](https://gitlab.com/alarsyo/lohr/-/merge_requests), or [send me a patch
+by email](https://lists.sr.ht/~alarsyo/lohr-dev)!
+
+## Why lohr?
+
+I was looking for a cool name, and thought about the Magic Mirror in Snow White.
+Some **[furious wikipedia
+searching](https://en.wikipedia.org/wiki/Magic_Mirror_(Snow_White))** later, I
+found that the Magic Mirror was probably inspired by [the Talking Mirror in Lohr
+am Main](http://spessartmuseum.de/seiten/schneewittchen_engl.html). That's it,
+that's the story.
+
+## License
+
+`lohr` is distributed under the terms of both the MIT license and the Apache
+License (Version 2.0).
+
+See [LICENSE-APACHE](LICENSE-APACHE) and [LICENSE-MIT](LICENSE-MIT) for details.

README.org

@@ -1,103 +0,0 @@
-#+title: lohr
-
-=lohr= is a Git mirroring tool.
-
-I created it to solve a simple problem I had: I host my own git server at
-[[https://git.alarsyo.net]], but want to mirror my public projects to GitHub /
-GitLab, for backup and visibility purposes.
-
-GitLab has a mirroring setting, but it doesn't allow for multiple mirrors, as
-far as I know. I also wanted my instance to be the single source of truth.
-
-** How it works
-
-Gitea is setup to send webhooks to my =lohr= server on every push update. When
-=lohr= receives a push, it clones the concerned repository, or updates it if
-already cloned. Then it pushes the update to *all remotes listed* in the [[file:.lohr][.lohr]]
-file at the repo root.
-
-*** Destructive
-
-This is a very destructive process: anything removed from the single source of
-truth is effectively removed from any mirror as well.
-
-** Setup
-
-*** Quickstart
-
-Setting up =lohr= should be quite simple:
-
-1. Create a =Rocket.toml= file and [[https://rocket.rs/v0.4/guide/configuration/][add your configuration]].
-
-2. Run =lohr=:
-
-   #+begin_src sh
-   $ cargo run # or `cargo run --release` for production usage
-   #+end_src
-
-3. Configure your favorite git server to send a webhook to =lohr='s address on
-   every push event.
-
-   I used [[https://docs.gitea.io/en-us/webhooks/][Gitea's webhooks format]], but I *think* they're similar to GitHub and
-   GitLab's webhooks, so these should work too! (If they don't, *please* file an
-   issue!)
-
-4. Add a =.lohr= file containing the remotes you want to mirror this repo to:
-
-   #+begin_example
-   git@github.com:you/your_repo
-   #+end_example
-
-   and push it. That's it! =lohr= is mirroring your repo now.
-
-*** Configuration
-
-**** Home directory
-
-=lohr= needs a place to clone repos and store its data. By default, it's the
-current directory, but you can set the =LOHR_HOME= environment variable to
-customize it.
-
-**** Extra remote configuration
-
-=lohr= looks for a =lohr-config.yaml= file in its =LOHR_HOME= directory. This
-file takes the following format:
-
-#+begin_src yaml
-default_remotes:
-  - "git@github:user"
-  - "git@gitlab:user"
-
-additional_remotes:
-  - "git@git.sr.ht:~user"
-#+end_src
-
-- ~default_remotes~ is a list of remotes to use if no ~.lohr~ file is found in a
-  repository.
-- ~additional_remotes~ is a list of remotes to add in any case, whether the
-  original set of remotes is set via ~default_remotes~ or via a =.lohr= file.
-
-Both settings take as input a list of "stems", i.e. incomplete remote addresses,
-to which the repo's name will be appended (so for example, if my
-~default_remotes~ contains ~git@github.com:alarsyo~, and a push event webhook
-is received for repository =git@gitlab.com:some/long/path/repo_name=, then the
-mirror destination will be =git@github.com:alarsyo/repo_name=.
-
-** Contributing
-
-I accept patches anywhere! Feel free to [[https://github.com/alarsyo/lohr/pulls][open a GitHub Pull Request]], [[https://gitlab.com/alarsyo/lohr/-/merge_requests][a GitLab
-Merge Request]], or [[https://lists.sr.ht/~alarsyo/lohr-dev][send me a patch by email]]!
-
-** Why lohr?
-
-I was looking for a cool name, and thought about the Magic Mirror in Snow White.
-Some *[[https://en.wikipedia.org/wiki/Magic_Mirror_(Snow_White)][furious wikipedia searching]]* later, I found that the Magic Mirror was
-probably inspired by [[http://spessartmuseum.de/seiten/schneewittchen_engl.html][the Talking Mirror in Lohr am Main]]. That's it, that's the
-story.
-
-** License
-
-=lohr= is distributed under the terms of both the MIT license and the Apache
-License (Version 2.0).
-
-See [[file:LICENSE-APACHE][LICENSE-APACHE]] and [[file:LICENSE-MIT][LICENSE-MIT]] for details.

flake.lock

@@ -3,11 +3,11 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1606424373,
-        "narHash": "sha256-oq8d4//CJOrVj+EcOaSXvMebvuTkmBJuT5tzlfewUnQ=",
+        "lastModified": 1733328505,
+        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "99f1c2157fba4bfe6211a321fd0ee43199025dbf",
+        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
         "type": "github"
       },
       "original": {
@@ -17,69 +17,35 @@
       }
     },
     "flake-utils": {
-      "locked": {
-        "lastModified": 1614513358,
-        "narHash": "sha256-LakhOx3S1dRjnh0b5Dg3mbZyH0ToC9I8Y2wKSkBaTzU=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "5466c5bbece17adaab2d82fae80b46e807611bf3",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "mozillapkgs": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1603906276,
-        "narHash": "sha256-RsNPnEKd7BcogwkqhaV5kI/HuNC4flH/OQCC/4W5y/8=",
-        "owner": "mozilla",
-        "repo": "nixpkgs-mozilla",
-        "rev": "8c007b60731c07dd7a052cce508de3bb1ae849b4",
-        "type": "github"
-      },
-      "original": {
-        "owner": "mozilla",
-        "repo": "nixpkgs-mozilla",
-        "type": "github"
-      }
-    },
-    "naersk": {
       "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
+        "systems": "systems"
       },
       "locked": {
-        "lastModified": 1614785451,
-        "narHash": "sha256-TPw8kQvr2UNCuvndtY+EjyXp6Q5GEW2l9UafXXh1XmI=",
-        "owner": "nmattia",
-        "repo": "naersk",
-        "rev": "e0fe990b478a66178a58c69cf53daec0478ca6f9",
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
         "type": "github"
       },
       "original": {
-        "owner": "nmattia",
-        "ref": "master",
-        "repo": "naersk",
+        "owner": "numtide",
+        "repo": "flake-utils",
         "type": "github"
       }
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1616670887,
-        "narHash": "sha256-wn+l9qJfR5sj5Gq4DheJHAcBDfOs9K2p9seW2f35xzs=",
+        "lastModified": 1740162160,
+        "narHash": "sha256-SSYxFhqCOb3aiPb6MmN68yEzBIltfom8IgRz7phHscM=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c0e881852006b132236cbf0301bd1939bb50867e",
+        "rev": "11415c7ae8539d6292f2928317ee7a8410b28bb9",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
+        "ref": "nixos-24.11",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -88,10 +54,23 @@
       "inputs": {
         "flake-compat": "flake-compat",
         "flake-utils": "flake-utils",
-        "mozillapkgs": "mozillapkgs",
-        "naersk": "naersk",
         "nixpkgs": "nixpkgs"
       }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -1,14 +1,6 @@
 {
   inputs = {
-    naersk = {
-      url = "github:nmattia/naersk/master";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-    mozillapkgs = {
-      url = "github:mozilla/nixpkgs-mozilla";
-      flake = false;
-    };
-    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
     flake-utils.url = "github:numtide/flake-utils";
     flake-compat = {
       url = "github:edolstra/flake-compat";
@@ -16,27 +8,26 @@
     };
   };
 
-  outputs = { self, naersk, mozillapkgs, nixpkgs, flake-utils, ... }:
+  outputs = { self, nixpkgs, flake-utils, ... }:
     flake-utils.lib.eachDefaultSystem (system:
       let
         pkgs = import nixpkgs { inherit system; };
-
-        mozilla = pkgs.callPackage (mozillapkgs + "/package-set.nix") { };
-        rustNightly = (mozilla.rustChannelOf {
-          date = "2021-03-29";
-          channel = "nightly";
-          sha256 = "sha256-Y94CnslybZgiZlNVV6Cg0TUPV2OeDXakPev1kqdt9Kk=";
-        }).rust;
-
-        naersk-lib = pkgs.callPackage naersk {
-          cargo = rustNightly;
-          rustc = rustNightly;
-        };
       in
       {
-        defaultPackage = naersk-lib.buildPackage {
-          src = ./.;
+        defaultPackage = pkgs.rustPlatform.buildRustPackage {
           pname = "lohr";
+          version = "0.4.6";
+
+          src = ./.;
+
+          cargoHash = "sha256-EUhyrhPe+mUgMmm4o+bxRIiSNReJRfw+/O1fPr8r7lo=";
+
+          meta = with pkgs.lib; {
+            description = "A Git mirroring tool";
+            homepage = "https://github.com/alarsyo/lohr";
+            license = with licenses; [ mit asl20 ];
+            platforms = platforms.unix;
+          };
         };
 
         defaultApp = flake-utils.lib.mkApp {
@@ -45,11 +36,14 @@
 
         devShell = pkgs.mkShell {
           buildInputs = with pkgs; [
+            cargo
+            clippy
             nixpkgs-fmt
             pre-commit
             rustPackages.clippy
-            rustNightly
+            rustc
             rustfmt
+            rust-analyzer
           ];
 
           RUST_SRC_PATH = pkgs.rustPlatform.rustLibSrc;

rust-toolchain

@@ -1 +0,0 @@
-nightly

rust-toolchain.toml

@@ -0,0 +1,2 @@
+[toolchain]
+channel = "stable"

src/gitea.rs

@@ -2,9 +2,8 @@ use serde::Deserialize;
 
 #[derive(Clone, Deserialize)]
 pub(crate) struct Repository {
-    pub(crate) name: String,
     pub(crate) full_name: String,
-    pub(crate) clone_url: String,
+    pub(crate) ssh_url: String,
 }
 
 #[derive(Deserialize)]

src/job.rs

@@ -38,7 +38,7 @@ impl Job {
         let output = Command::new("git")
             .arg("clone")
             .arg("--mirror")
-            .arg(&self.repo.clone_url)
+            .arg(&self.repo.ssh_url)
             .arg(format!("{}", self.local_path.as_ref().unwrap().display()))
             .output()?;
 
@@ -125,7 +125,13 @@ impl Job {
 
         let output = String::from_utf8(output.stdout)?;
 
-        Ok(Some(output.lines().map(String::from).collect()))
+        Ok(Some(
+            output
+                .lines()
+                .map(String::from)
+                .filter(|s| !s.is_empty())
+                .collect(),
+        ))
     }
 
     fn get_remotes(&self, config: &GlobalSettings) -> anyhow::Result<Vec<RepoUrl>> {

src/main.rs

@@ -1,18 +1,16 @@
-#![feature(proc_macro_hygiene, decl_macro)]
-
 use std::env;
 use std::fs::File;
-use std::path::PathBuf;
+use std::path::{Path, PathBuf};
 use std::sync::{
     mpsc::{channel, Receiver, Sender},
     Mutex,
 };
 use std::thread;
 
+use anyhow::Context;
+use clap::{crate_version, App, Arg};
+use log::{error, info};
 use rocket::{http::Status, post, routes, State};
-use rocket_contrib::json::Json;
-
-use log::error;
 
 mod gitea;
 use gitea::GiteaWebHook;
@@ -23,11 +21,29 @@ use job::Job;
 mod settings;
 use settings::GlobalSettings;
 
+mod signature;
+use signature::SignedJson;
+
 struct JobSender(Mutex<Sender<Job>>);
+struct Secret(String);
 
 #[post("/", data = "<payload>")]
-fn gitea_webhook(payload: Json<GiteaWebHook>, sender: State<JobSender>) -> Status {
-    // TODO: validate Gitea signature
+fn gitea_webhook(
+    payload: SignedJson<GiteaWebHook>,
+    sender: &State<JobSender>,
+    config: &State<GlobalSettings>,
+) -> Status {
+    if config
+        .blacklist
+        .iter()
+        .any(|re| re.is_match(&payload.repository.full_name))
+    {
+        info!(
+            "Ignoring webhook for repo {} which is blacklisted",
+            payload.repository.full_name
+        );
+        return Status::Ok;
+    }
 
     {
         let sender = sender.0.lock().unwrap();
@@ -48,34 +64,70 @@ fn repo_updater(rx: Receiver<Job>, homedir: PathBuf, config: GlobalSettings) {
     }
 }
 
-fn parse_config(mut path: PathBuf) -> anyhow::Result<GlobalSettings> {
-    path.push("lohr-config");
-    path.set_extension("yaml");
-    let config = if let Ok(file) = File::open(path.as_path()) {
-        serde_yaml::from_reader(file)?
-    } else {
-        Default::default()
+fn parse_config(home: &Path, flags: &clap::ArgMatches) -> anyhow::Result<GlobalSettings> {
+    // prioritize CLI flag, then env var
+    let config_path = flags.value_of("config").map(PathBuf::from);
+    let config_path = config_path.or_else(|| env::var("LOHR_CONFIG").map(PathBuf::from).ok());
+
+    let file = match config_path {
+        Some(config_path) => File::open(&config_path).with_context(|| {
+            format!(
+                "could not open provided configuration file at {}",
+                config_path.display()
+            )
+        })?,
+        None => {
+            // check if file exists in lohr home
+            let config_path = home.join("lohr-config.yaml");
+            if !config_path.is_file() {
+                return Ok(Default::default());
+            }
+
+            File::open(config_path).context("failed to open configuration file in LOHR_HOME")?
+        }
     };
-    Ok(config)
+
+    serde_yaml::from_reader(file).context("could not parse configuration file")
 }
 
-fn main() -> anyhow::Result<()> {
+#[rocket::main]
+async fn main() -> anyhow::Result<()> {
+    let matches = App::new("lohr")
+        .version(crate_version!())
+        .about("Git mirroring daemon")
+        .arg(
+            Arg::with_name("config")
+                .short("c")
+                .long("config")
+                .value_name("FILE")
+                .help("Use a custom config file")
+                .takes_value(true),
+        )
+        .get_matches();
+
     let (sender, receiver) = channel();
 
     let homedir = env::var("LOHR_HOME").unwrap_or_else(|_| "./".to_string());
     let homedir: PathBuf = homedir.into();
     let homedir = homedir.canonicalize().expect("LOHR_HOME isn't valid!");
 
-    let config = parse_config(homedir.clone())?;
+    let secret = env::var("LOHR_SECRET")
+        .expect("please provide a secret, otherwise anyone can send you a malicious webhook");
+
+    let config = parse_config(&homedir, &matches)?;
+    let config_state = config.clone();
 
     thread::spawn(move || {
         repo_updater(receiver, homedir, config);
     });
 
-    rocket::ignite()
+    rocket::build()
         .mount("/", routes![gitea_webhook])
         .manage(JobSender(Mutex::new(sender)))
-        .launch();
+        .manage(Secret(secret))
+        .manage(config_state)
+        .launch()
+        .await?;
 
     Ok(())
 }

src/settings.rs

@@ -2,7 +2,7 @@ use serde::Deserialize;
 
 pub(crate) type RepoUrl = String; // FIXME: probably needs a better type than this
 
-#[derive(Default, Deserialize)]
+#[derive(Clone, Default, Deserialize)]
 pub(crate) struct GlobalSettings {
     /// List of remote stems to use when no `.lohr` file is found
     #[serde(default)]
@@ -10,4 +10,8 @@ pub(crate) struct GlobalSettings {
     /// List of remote stems to use for every repository
     #[serde(default)]
     pub additional_remotes: Vec<RepoUrl>,
+    /// List of regexes, if a repository's name matches any of the, it is not mirrored by `lohr`
+    /// even if it contains a `.lorh` file.
+    #[serde(with = "serde_regex", default)]
+    pub blacklist: Vec<regex::Regex>,
 }

src/signature.rs

@@ -0,0 +1,114 @@
+use std::{
+    io,
+    ops::{Deref, DerefMut},
+};
+
+use rocket::{
+    data::{ByteUnit, FromData, Outcome},
+    http::ContentType,
+    State,
+};
+use rocket::{http::Status, request::local_cache};
+use rocket::{Data, Request};
+
+use anyhow::{anyhow, Context};
+use serde::Deserialize;
+
+use crate::Secret;
+
+const X_GITEA_SIGNATURE: &str = "X-Gitea-Signature";
+
+fn validate_signature(secret: &str, signature: &str, data: &str) -> bool {
+    use hmac::{Hmac, Mac, NewMac};
+    use sha2::Sha256;
+
+    type HmacSha256 = Hmac<Sha256>;
+
+    let mut mac = HmacSha256::new_varkey(secret.as_bytes()).expect("this should never fail");
+
+    mac.update(data.as_bytes());
+
+    match hex::decode(signature) {
+        Ok(bytes) => mac.verify(&bytes).is_ok(),
+        Err(_) => false,
+    }
+}
+
+pub struct SignedJson<T>(pub T);
+
+impl<T> Deref for SignedJson<T> {
+    type Target = T;
+
+    fn deref(&self) -> &T {
+        &self.0
+    }
+}
+
+impl<T> DerefMut for SignedJson<T> {
+    fn deref_mut(&mut self) -> &mut T {
+        &mut self.0
+    }
+}
+
+const LIMIT: ByteUnit = ByteUnit::Mebibyte(1);
+
+impl<'r, T: Deserialize<'r>> SignedJson<T> {
+    fn from_str(s: &'r str) -> anyhow::Result<Self> {
+        serde_json::from_str(s)
+            .map(SignedJson)
+            .context("could not parse json")
+    }
+}
+
+// This is a one to one implementation of request_contrib::Json's FromData, but with HMAC
+// validation.
+//
+// Tracking issue for chaining Data guards to avoid this:
+// https://github.com/SergioBenitez/Rocket/issues/775
+#[rocket::async_trait]
+impl<'r, T> FromData<'r> for SignedJson<T>
+where
+    T: Deserialize<'r>,
+{
+    type Error = anyhow::Error;
+
+    async fn from_data(request: &'r Request<'_>, data: Data<'r>) -> Outcome<'r, Self> {
+        let json_ct = ContentType::new("application", "json");
+        if request.content_type() != Some(&json_ct) {
+            return Outcome::Error((Status::BadRequest, anyhow!("wrong content type")));
+        }
+
+        let signatures = request.headers().get(X_GITEA_SIGNATURE).collect::<Vec<_>>();
+        if signatures.len() != 1 {
+            return Outcome::Error((
+                Status::BadRequest,
+                anyhow!("request header needs exactly one signature"),
+            ));
+        }
+
+        let size_limit = request.limits().get("json").unwrap_or(LIMIT);
+        let content = match data.open(size_limit).into_string().await {
+            Ok(s) if s.is_complete() => s.into_inner(),
+            Ok(_) => {
+                let eof = io::ErrorKind::UnexpectedEof;
+                return Outcome::Error((
+                    Status::PayloadTooLarge,
+                    io::Error::new(eof, "data limit exceeded").into(),
+                ));
+            }
+            Err(e) => return Outcome::Error((Status::BadRequest, e.into())),
+        };
+
+        let signature = signatures[0];
+        let secret = request.guard::<&State<Secret>>().await.unwrap();
+
+        if !validate_signature(&secret.0, signature, &content) {
+            return Outcome::Error((Status::BadRequest, anyhow!("couldn't verify signature")));
+        }
+
+        match Self::from_str(local_cache!(request, content)) {
+            Ok(content) => Outcome::Success(content),
+            Err(e) => Outcome::Error((Status::BadRequest, e)),
+        }
+    }
+}