feat: gitea config

2024-01-12 15:47:43 +01:00 · 2024-01-12 15:47:43 +01:00 · 7efb7a9761
parent e469eab2b8
commit 7efb7a9761
9 changed files with 145 additions and 74 deletions
--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
@ -9,12 +9,33 @@
 }: let
  adguardhomedomain = "adguardhome.${config.secrets.secrets.global.domains.web}";
  nextclouddomain = "nc.${config.secrets.secrets.global.domains.web}";
+  giteadomain = "git.${config.secrets.secrets.global.domains.web}";
+  ipOf = hostName: lib.net.cidr.host config.secrets.secrets.global.net.ips."${config.guests.${hostName}.nodeName}" config.secrets.secrets.global.net.privateSubnet;
 in {
  services.nginx = {
    enable = true;
    recommendedSetup = true;
+    upstreams.gitea = {
+      servers."${ipOf "gitea"}:3000" = {};
+
+      extraConfig = ''
+        zone gitea 64k ;
+        keepalive 5 ;
+      '';
+    };
+    virtualHosts.${giteadomain} = {
+      forceSSL = true;
+      useACMEHost = "web";
+      locations."/" = {
+        proxyPass = "http://gitea";
+        proxyWebsockets = true;
+      };
+      extraConfig = ''
+        client_max_body_size 1G ;
+      '';
+    };
    upstreams.adguardhome = {
-      servers."TODO:3000" = {};
+      servers."${ipOf "adguardhome"}:3000" = {};

      extraConfig = ''
        zone adguardhome 64k ;
@ -34,7 +55,7 @@ in {
      '';
    };
    upstreams.nextcloud = {
-      servers."TODO:80" = {};
+      servers."${ipOf "nextcloud"}:3000" = {};

      extraConfig = ''
        zone nextcloud 64k ;
@ -80,7 +101,7 @@ in {
          node.secretsDir = ./secrets/${guestName};
          systemd.network.networks."10-${config.guests.${guestName}.networking.mainLinkName}" = {
            DHCP = lib.mkForce "no";
-            address = [(lib.net.cidr.host config.secrets.secrets.global.net.ips.${config.guests.${guestName}.nodeName} config.secrets.secrets.global.net.privateSubnet)];
+            address = [(ipOf guestName)];
            gateway = [(lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnet)];
          };
        }
@ -123,6 +144,9 @@ in {
    // mkContainer "nextcloud" {
      enablePanzer = true;
    }
+    // mkContainer "gitea" {
+      enablePanzer = true;
+    }
    // mkContainer "samba" {
      enablePanzer = true;
      enableRenaultFT = true;
--- a/hosts/elisabeth/secrets/gitea/gitea-passwd.age
+++ b/hosts/elisabeth/secrets/gitea/gitea-passwd.age
@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> X25519 CMoCS3EqmXVkwSVuMB51DnV80S/H5zk8IcQeJxEqO0w
+En/MAzeFWfcLrcUO4Ukt1zNBf5uVq+v0pBjz6+Um91U
+-> piv-p256 XTQkUA A/AOwf+EXSep90xsABet03k1M+qNfxtRpRGR98Los0z0
+qid6WZum67EFiXR1hKjHrBIAnXfTqLipUpBhOAjWci4
+-> piv-p256 ZFgiIw A2QJdu+pkCF+oKjdRK6bZxESjy//RquUc8+mDoDj5fQ2
+0WqGNebppaN+RmIiDTh2j0SvmqakOt/qUhEc3mODXpU
+-> piv-p256 5vmPtQ Ahcpp40amXecurWAP9dfZ1h7v49HPj0Bz9dvt8Cj9tB+
+kA/6aHJw5/GyqUXb8t15TPYxu8ZpNzGCD6/XRCPijPk
+-> piv-p256 ZFgiIw ArryoUHlGkAM2e1BP1wfYeGceai5nKtvza3atjIxhh8B
+bUKrpqhGst+Az60k7wy5hZMUsXq7f+VTcwuce0M/7pM
+-> m\)y8qgO-grease ~N/[^ p8q(OzUj ztrT
+0aZbW62GiFb8D7hcs4NT/OwKjpBpOYNslzhZRanUZpLr9t6+E4qXjCpAMTkg8UQe
+SWw3pFmGBmaQh6rGJy1/J3VdLI0
+--- 9muabfoma9i62RxKgrGcp9bPYAjjDH3dLB3DJyjR58A
+]×Š6§ă,^śş‡=<3D>Ýĺ¤¬¤öO.<Fâ+ °$NűÁ—'ĹßľDŐłJş§»>:X”ßő7I@[0úL—¦říč">w
--- a/hosts/elisabeth/secrets/gitea/secrets.nix.age
+++ b/hosts/elisabeth/secrets/gitea/secrets.nix.age
--- a/lib/containers.nix
+++ b/lib/containers.nix
@ -1,49 +0,0 @@
-inputs: _self: super: {
-  lib =
-    super.lib
-    // {
-      containers.mkConfig = name: attrs: config:
-        super.lib.mkMerge [
-          {
-            config = {
-              imports = [
-                ../modules/config
-              ];
-              node.name = name;
-              node.secretsDir = attrs.config.node.secretsDir + "/guests/${name}";
-              nixpkgs = {
-                inherit (attrs.pkgs) overlays config;
-                inherit (attrs.config.nixpkgs) hostPlatform;
-              };
-              boot.initrd.systemd.enable = super.lib.mkForce false;
-            };
-            specialArgs = {
-              inherit (attrs) lib inputs minimal stateVersion;
-            };
-            extraFlags = [
-              "--uuid=${builtins.substring 0 32 (builtins.hashString "sha256" name)}"
-            ];
-
-            autoStart = true;
-            macvlans = [
-              "lan01:lan01-${name}"
-            ];
-            ephemeral = true;
-            bindMounts = {
-              "state" = {
-                mountPoint = "/state";
-                hostPath = "/state/containers/${name}";
-                isReadOnly = false;
-              };
-              "persist" = {
-                mountPoint = "/persist";
-                hostPath = "/containers/${name}";
-                isReadOnly = false;
-              };
-            };
-            zfs.mountpoint = super.lib.mkDefault "/containers/${name}";
-          }
-          config
-        ];
-    };
-}
--- a/modules/config/users.nix
+++ b/modules/config/users.nix
@ -21,6 +21,7 @@
    nextcloud = uidGid 213;
    redis-nextcloud = uidGid 214;
    radicale = uidGid 215;
+    gitea = uidGid 215;
    systemd-oom = uidGid 300;
    systemd-coredump = uidGid 301;
    patrick = uidGid 1000;
--- a/modules/services/adguardhome.nix
+++ b/modules/services/adguardhome.nix
@ -1,4 +1,8 @@
-{config, ...}: {
+{
+  config,
+  lib,
+  ...
+}: {
  services.adguardhome = {
    enable = true;
    mutableSettings = false;
@ -7,7 +11,7 @@
      bind_port = 3000;
      bind_host = "0.0.0.0";
      dns = {
-        bind_hosts = ["TODO"];
+        bind_hosts = ["0.0.0.0"];
        anonymize_client_ip = true;
        upstream_dns = [
          "1.0.0.1"
@ -22,9 +26,9 @@
          "2001:4860:4860::8844"
        ];
      };
-      user_rules = ''
-        ||${config.secrets.secrets.global.domains.web}^$dnsrewrite=TODO
-      '';
+      user_rules = [
+        "||${config.secrets.secrets.global.domains.web}^$dnsrewrite=${lib.net.cidr.host config.secrets.secrets.global.net.ips.elisabeth config.secrets.secrets.global.net.privateSubnet}"
+      ];
      dhcp.enabled = false;
      ratelimit = 60;
      users = [
--- a/modules/services/gitea.nix
+++ b/modules/services/gitea.nix
@ -0,0 +1,90 @@
+{
+  config,
+  pkgs,
+  ...
+}: let
+  giteaDomain = "git.${config.secrets.secrets.global.domains.web}";
+in {
+  # Recommended by forgejo: https://forgejo.org/docs/latest/admin/recommendations/#git-over-ssh
+  services.openssh.settings.AcceptEnv = "GIT_PROTOCOL";
+
+  environment.persistence."/panzer".directories = [
+    {
+      directory = config.services.gitea.stateDir;
+      user = "gitea";
+      group = "gitea";
+      mode = "0700";
+    }
+  ];
+  age.secrets.gitea-mailer-passwd = {
+    rekeyFile = config.node.secretsDir + "/gitea-passwd.age";
+    owner = "gitea";
+    group = "gitea";
+    mode = "0700";
+  };
+
+  services.gitea = {
+    enable = true;
+    package = pkgs.forgejo;
+    appName = "Patricks tolles git"; # tungsten inert gas?
+    stateDir = "/var/lib/forgejo";
+    # TODO db backups
+    # dump.enable = true;
+    lfs.enable = true;
+    mailerPasswordFile = config.age.secrets.gitea-mailer-passwd.path;
+    settings = {
+      actions = {
+        ENABLED = true;
+        DEFAULT_ACTIONS_URL = "github";
+      };
+      database = {
+        SQLITE_JOURNAL_MODE = "WAL";
+        LOG_SQL = false; # Leaks secrets
+      };
+      # federation.ENABLED = true;
+      mailer = {
+        ENABLED = true;
+        HOST = config.secrets.secrets.local.gitea.mail.host;
+        FROM = config.secrets.secrets.local.gitea.mail.from;
+        USER = config.secrets.secrets.local.gitea.mail.user;
+        SEND_AS_PLAIN_TEXT = true;
+      };
+      # packages.ENABLED = true;
+      repository = {
+        DEFAULT_PRIVATE = "private";
+        ENABLE_PUSH_CREATE_USER = true;
+        ENABLE_PUSH_CREATE_ORG = true;
+      };
+      server = {
+        HTTP_ADDR = "0.0.0.0";
+        HTTP_PORT = 3000;
+        DOMAIN = giteaDomain;
+        ROOT_URL = "https://${giteaDomain}/";
+        LANDING_PAGE = "login";
+        SSH_PORT = 9922;
+        # TODO
+        # port forwarding in fritz box
+        # port forwarding in elisabeth
+      };
+      service = {
+        DISABLE_REGISTRATION = true;
+        ALLOW_ONLY_INTERNAL_REGISTRATION = true;
+        ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
+        SHOW_REGISTRATION_BUTTON = false;
+        REGISTER_EMAIL_CONFIRM = false;
+        ENABLE_NOTIFY_MAIL = true;
+        DEFAULT_KEEP_EMAIL_PRIVATE = true;
+      };
+      session.COOKIE_SECURE = true;
+      ui.DEFAULT_THEME = "forgejo-auto";
+      "ui.meta" = {
+        AUTHOR = "Patrick";
+        DESCRIPTION = "Tollstes Forgejo EU-West";
+      };
+    };
+  };
+
+  systemd.services.gitea = {
+    serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+  };
+}
--- a/modules/services/nextcloud.nix
+++ b/modules/services/nextcloud.nix
@ -6,18 +6,7 @@
 }: let
  hostName = "nc.${config.secrets.secrets.global.domains.web}";
 in {
-  systemd.network.networks = {
-    "TODO" = {
-      address = ["192.168.178.33/24"];
-      gateway = ["192.168.178.1"];
-      matchConfig.Name = "lan01*";
-      dns = ["192.168.178.2"];
-      networkConfig = {
-        IPv6PrivacyExtensions = "yes";
-        MulticastDNS = true;
-      };
-    };
-  };
+  # TODO mailer
  environment.persistence."/persist".directories = [
    {
      directory = "/var/lib/postgresql/";
@ -40,10 +29,6 @@ in {
    owner = "nextcloud";
  };
  services.postgresql.package = pkgs.postgresql_16;
-  services.nginx.virtualHosts.${hostName}.extraConfig = ''
-    allow TODO;
-    deny all;
-  '';

  services.nextcloud = {
    inherit hostName;
@ -61,7 +46,7 @@ in {
    phpOptions."opcache.interned_strings_buffer" = "32";
    extraOptions = {
      default_phone_region = "DE";
-      trusted_proxies = ["TODO"];
+      trusted_proxies = [(lib.net.cidr.host config.secrets.secrets.global.net.ips.elisabeth config.secrets.secrets.global.net.privateSubnet)];
      overwriteprotocol = "https";
      enabledPreviewProviders = [
        "OC\\Preview\\BMP"
--- a/secrets/secrets.nix.age
+++ b/secrets/secrets.nix.age