diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index 14c46cc..96b6b8f 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -60,11 +60,10 @@
 };
 in
 lib.genAttrs
- ["kanidm" "grafana" "loki" "vaultwarden" "adguardhome" "influxdb"]
+ ["kanidm" "grafana" "loki" "vaultwarden" "adguardhome" "influxdb" "forgejo"]
 defaultConfig;
 #ddclient = defineVm;
- #gitea/forgejo = defineVm;
 #samba+wsdd = defineVm;
 #fasten-health = defineVm;
 #immich = defineVm;
diff --git a/hosts/ward/microvms/forgejo.nix b/hosts/ward/microvms/forgejo.nix
new file mode 100644
index 0000000..f91f822
--- /dev/null
+++ b/hosts/ward/microvms/forgejo.nix
@@ -0,0 +1,152 @@
+{
+ config,
+ lib,
+ nodes,
+ pkgs,
+ utils,
+ ...
+}: let
+ sentinelCfg = nodes.sentinel.config;
+ forgejoDomain = "git.${sentinelCfg.repo.secrets.local.personalDomain}";
+in {
+ # TODO forward ssh port
+ meta.wireguard-proxy.sentinel.allowedTCPPorts = [
+ config.services.gitea.settings.server.HTTP_PORT
+ ];
+
+ age.secrets.forgejo-mailer-password = {
+ rekeyFile = config.node.secretsDir + "/forgejo-mailer-password.age";
+ mode = "400";
+ group = "forgejo";
+ };
+
+ nodes.sentinel = {
+ networking.providedDomains.forgejo = forgejoDomain;
+
+ services.nginx = {
+ upstreams.forgejo = {
+ servers."${config.services.gitea.settings.server.HTTP_ADDR}:${toString config.services.gitea.settings.server.HTTP_PORT}" = {};
+ extraConfig = ''
+ zone forgejo 64k;
+ keepalive 2;
+ '';
+ };
+ virtualHosts.${forgejoDomain} = {
+ forceSSL = true;
+ useACMEWildcardHost = true;
+ extraConfig = ''
+ client_max_body_size 512M;
+ '';
+ locations."/".proxyPass = "http://forgejo";
+ locations."/metrics" = {
+ proxyPass = "http://forgejo/metrics";
+ extraConfig = ''
+ allow 127.0.0.0/8;
+ allow ::1;
+ deny all;
+ access_log off;
+ '';
+ };
+ };
+ };
+ };
+
+ # XXX: TODO ssh if not using internal
+ # AcceptEnv GIT_PROTOCOL
+
+ services.gitea = {
+ enable = true;
+ package = pkgs.forgejo;
+ appName = "Redlew Git"; # tungsten inert gas?
+ stateDir = "/var/lib/forgejo";
+ # TODO db backups
+ # dump.enable = true;
+ lfs.enable = true;
+ mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
+ settings = {
+ actions = {
+ ENABLED = true;
+ DEFAULT_ACTIONS_URL = "https://gitea.com";
+ };
+ database = {
+ SQLITE_JOURNAL_MODE = "WAL";
+ LOG_SQL = false; # Leaks secrets
+ };
+ # federation.ENABLED = true;
+ mailer = {
+ ENABLED = true;
+ HOST = config.repo.secrets.local.forgejo.mail.host;
+ FROM = config.repo.secrets.local.forgejo.mail.from;
+ USER = config.repo.secrets.local.forgejo.mail.user;
+ SEND_AS_PLAIN_TEXT = true;
+ };
+ metrics = {
+ # XXX: query with local telegraf
+ ENABLED = true;
+ ENABLED_ISSUE_BY_REPOSITORY = true;
+ ENABLED_ISSUE_BY_LABEL = true;
+ };
+ oauth2_client = {
+ ACCOUNT_LINKING = "auto";
+ ENABLE_AUTO_REGISTRATION = true;
+ OPENID_CONNECT_SCOPES = "email profile";
+ REGISTER_EMAIL_CONFIRM = false;
+ UPDATE_AVATAR = true;
+ };
+ # packages.ENABLED = true;
+ repository = {
+ DEFAULT_PRIVATE = false;
+ ENABLE_PUSH_CREATE_USER = true;
+ ENABLE_PUSH_CREATE_ORG = true;
+ };
+ server = {
+ HTTP_ADDR = config.meta.wireguard.proxy-sentinel.ipv4;
+ HTTP_PORT = 3000;
+ DOMAIN = forgejoDomain;
+ ROOT_URL = "https://${forgejoDomain}/";
+ LANDING_PAGE = "/explore/repos";
+ SSH_PORT = 9922;
+ };
+ service = {
+ DISABLE_REGISTRATION = false;
+ ALLOW_ONLY_INTERNAL_REGISTRATION = false;
+ ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+ SHOW_REGISTRATION_BUTTON = false;
+ REGISTER_EMAIL_CONFIRM = false;
+ ENABLE_NOTIFY_MAIL = true;
+ REQUIRE_SIGNIN_VIEW = false;
+ };
+ session.COOKIE_SECURE = true;
+ ui.DEFAULT_THEME = "forgejo-auto";
+ "ui.meta" = {
+ AUTHOR = "Redlew Git";
+ DESCRIPTION = "Tungsten Inert Gas?";
+ };
+ };
+ };
+
+ systemd.services.gitea = {
+ after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
+ serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+ #preStart = let
+ # exe = lib.getExe config.services.gitea.package;
+ # providerName = "PrivateVoidAccount";
+ # args = lib.escapeShellArgs [
+ # "--name" providerName
+ # "--provider" "openidConnect"
+ # "--key" "net.privatevoid.forge1"
+ # "--auto-discover-url" "https://login.${domain}/auth/realms/master/.well-known/openid-configuration"
+ # "--group-claim-name" "groups"
+ # "--admin-group" "/forge_admins@${domain}"
+ # "--skip-local-2fa"
+ # ];
+ #in lib.mkAfter /* bash */ ''
+ # provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)
+ # if [[ -z "$provider_id" ]]; then
+ # FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${secrets.forgejoOidcSecret.path})" ${exe} admin auth add-oauth ${args}
+ # else
+ # FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${secrets.forgejoOidcSecret.path})" ${exe} admin auth update-oauth --id "$provider_id" ${args}
+ # fi
+ #'';
+ };
+}
diff --git a/hosts/ward/secrets/forgejo/forgejo-mailer-password.age b/hosts/ward/secrets/forgejo/forgejo-mailer-password.age
new file mode 100644
index 0000000..3164abc
--- /dev/null
+++ b/hosts/ward/secrets/forgejo/forgejo-mailer-password.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 JlyIN/2lVHvsCqEgB/sz/zN8YwikwT2LnAQUMJGrq2g
+lmLvulEsfMNWxxgmUn5aIr7sHtd+kcBDybUzXr6n5no
+-> piv-p256 xqSe8Q Assr9n0it/QzKq8TOsx2t/MtEe92WMrXj+JJHo3RrT1n
+DdtEjsC+Uv3A2aEeMeSapWEBpsvM2JtdrE7I3m/bc5A
+-> >>"VV-grease S/>pq yum?k~& 85'4b7O
+BIM8LsHCxjlyY5TWwWV5P6qF
+--- /x2FdfG5vuiPmiE2369C0vQ16bhDqfSGAo6iJyPXtZE
+HR@YAXƼv]˓SzduRjo }O
\ No newline at end of file
diff --git a/hosts/ward/secrets/forgejo/host.pub b/hosts/ward/secrets/forgejo/host.pub
new file mode 100644
index 0000000..036169e
--- /dev/null
+++ b/hosts/ward/secrets/forgejo/host.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQOF4njC2ap3yl+0JDVEhkUjX0sxVx/nBrt+vt7bQKl
diff --git a/hosts/ward/secrets/forgejo/local.nix.age b/hosts/ward/secrets/forgejo/local.nix.age
new file mode 100644
index 0000000..070a040
--- /dev/null
+++ b/hosts/ward/secrets/forgejo/local.nix.age
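Review bot: The `age.secrets.forgejo-mailer-password` entry pairs `mode = "400"` with `group = "forgejo"`, which grants that group nothing, and since this file never sets `services.gitea.user`/`group` the service account is the module default `gitea` (the uid that `modules/config/users.nix` pins in this same commit), so no `forgejo` group is created here; as far as I recall the NixOS module's preStart splices `mailerPasswordFile` into app.ini as that service user, so unless the secret's owner is set to it somewhere outside this hunk the first start fails on the read. I would write `owner = config.services.gitea.user; mode = "400";` and drop the literal group, or `mode = "440"; group = config.services.gitea.group;` so the secret follows the service identity instead of a hard-coded name. Separately, `oauth2_client.ACCOUNT_LINKING = "auto"` together with `ENABLE_AUTO_REGISTRATION = true` and `REGISTER_EMAIL_CONFIRM = false` links an OIDC login to any existing local account whose email matches, trusting the provider's email claim; that is acceptable while every configured provider is your own IdP, which this hunk does not show, and deserves a comment such as `# "auto" linking trusts the provider's email claim; keep only self-hosted providers configured`.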
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 oa6IWrr6YZA553kin7UnrUFGBR7R8VE8WlfOskVH0Tk +g5KsBunZ+QQVJTK3pqfLxeDwI7KIPJotZmnOYgLvcn8 +-> piv-p256 xqSe8Q Aru3YJbt0597SblXoXuzzRxUqbhCtrmbLPPKhv4fA9tZ +Bo/hrsI5l10+vX5b8sM75PjLM5d3ipEvG4L+R9ex6Zo +-> z#-grease (5#aXK, eq@?N[S +gCAbCrw +--- bFEmSOwIaMjE4AEM5vldWZuBNptNajgtGV/VNrK/pxU +ݸ}Np޽ j6'5=?J.U<pma $!5#[ Oa2gB=EobxKx 8CZ8S a";/S7)'+)-|Y HS@G?ߌu \ No newline at end of file diff --git a/hosts/ward/secrets/forgejo/telegraf-influxdb-token.age b/hosts/ward/secrets/forgejo/telegraf-influxdb-token.age new file mode 100644 index 0000000..b2da0f5 --- /dev/null +++ b/hosts/ward/secrets/forgejo/telegraf-influxdb-token.age @@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> X25519 DCVhASEENA4z7QkZIAz+7shz69B3UGfuR4QwV28e3w4 +KcvcVb5PxsRMlA5n35c/4nRLdv7WoIL2bqJn6Ry0tBU +-> piv-p256 xqSe8Q ArDV5TYzLEFhnRxXIY1OMPe4nPE7rtNhsUhU+7J2La3o +SoqSbbPvxlF4uaGSRNKSumajM9aEr2EoHE8PyPr3sMk +-> e\9`z-grease +PtN7lO2jjyBoMojXSiPLmWGgv23uUbzd9TxrAwwDiCcBbW5RL5vvR2HFzc+k+ZVa +RA3xLg5UeIzjsZdkWBezPHX1p7OALN49ZxtJ21fzfDhdUCTfVIKK4mi++At2hEJF +6g +--- FdR7X/jFWv+BhzuO8kpGr8xC3SKgmrwHg4YaHRxnwHE + p 6SDW(YR3s_۪/2g}ܶW?ub +)/ ,{&F-5/u.p \%ɟ4qӉyKQk4W3ˌ +ӈ[t__4y q^/F* \ No newline at end of file diff --git a/modules/config/users.nix b/modules/config/users.nix index 6e7ffb4..f631c8b 100644 --- a/modules/config/users.nix +++ b/modules/config/users.nix @@ -23,5 +23,6 @@ influxdb2 = uidGid 986; telegraf = uidGid 985; rtkit = uidGid 984; + gitea = uidGid 983; }; } diff --git a/secrets/generated/sentinel/loki-basic-auth-hashes.age b/secrets/generated/sentinel/loki-basic-auth-hashes.age index ca9db32..b831edc 100644 Binary files a/secrets/generated/sentinel/loki-basic-auth-hashes.age and b/secrets/generated/sentinel/loki-basic-auth-hashes.age differ diff --git a/secrets/generated/ward-forgejo/promtail-loki-basic-auth-password.age b/secrets/generated/ward-forgejo/promtail-loki-basic-auth-password.age new file mode 100644 index 0000000..9722f7c --- /dev/null 
+++ b/secrets/generated/ward-forgejo/promtail-loki-basic-auth-password.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 369RPyVuKta20vwEHgEqW0WxuZFLLcZJzvJAlPgZMHM +KfpCoHtmAC3oUgB+SRm5NgKFW0o6HOQDYcxLzDXBj/Y +-> piv-p256 xqSe8Q A1QO/2NvsLbr2cWy5kHFY3fRPHBo7AF3e/xPLRig/WCV +/dtC93EzQ8Kny1y/kopkxPMKaPP+7n2FG2ug1smrLvE +-> {hFm1$-grease HC |\`4oKj *7fd`} a7qK +dbl68LPkvYQUgggOcHKbqEeyi8b73S3zHLjyozdxJwBgaErd246piMCygl7ZgLo8 +V1LYMGkfWYYgTDXhpuUG8xvB3CzzUM9Zz8QkhsVHGUNUXB4eZYnrPZIyv/vR +--- PZnw5B9NoXRKVoqPuoxmPYOwpCJJULMhZu7SZEkotKs +Gy5Y֢NR =,1~>HGnLހԼlDY>2_L;z12"}/@ \ No newline at end of file diff --git a/secrets/wireguard/proxy-sentinel/keys/ward-forgejo.age b/secrets/wireguard/proxy-sentinel/keys/ward-forgejo.age new file mode 100644 index 0000000..2604371 --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/keys/ward-forgejo.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 R43TPz2QP32vi/5AHnixCG4vvaN78vhEEYZDht8YYzk +lQfgwf1G1GUVOeDY2PGnaJMGRgo3pghiyuBzwfAd2pI +-> piv-p256 xqSe8Q AmPoA+t+rJ3VbXnq8mRr4wkhc7kYoyt5ZhTEuXTUevtE +QDReg6mXHU7ios2g1HRGwsNcaGBn4Z5H1EP7ch+IejQ +-> l*3-grease `:]9Lg^ VOk0vG[ bB +4zccbVor+0eU +--- 8jwrSczZ3YdQJuiSutEQu03+aOMvc5AcIU1d5RmHp/M +L ?Hq$'n:,`RdnJW!s% KD77n6!X.u60d3o| \ No newline at end of file diff --git a/secrets/wireguard/proxy-sentinel/keys/ward-forgejo.pub b/secrets/wireguard/proxy-sentinel/keys/ward-forgejo.pub new file mode 100644 index 0000000..5e8eb1b --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/keys/ward-forgejo.pub @@ -0,0 +1 @@ +vhEBfqx8nZ9BIDWq7La3zrlM3aD3sHkHbFp7eBSXJUo= diff --git a/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-forgejo.age b/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-forgejo.age new file mode 100644 index 0000000..04aaf25 --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-forgejo.age 
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 iBPXdrauwl6d/eujMjHNIs6cq5h6xM+RKK4FZCD3QBQ +IdfcmZOkbTiD0y/vPjGFgfTAFqDX5LCiD0ks/0H/itg +-> piv-p256 xqSe8Q Au3erLTADz8XI9FvOVXhD2z57I4RjxMW0EGN95sIlslb +RPuWDwH66XpmyxL+XzzwWZGY82HvBzuFw1F2GJnJbHc +-> SOJ*$-grease lN g +iip1iw8oWXVZAazHBZW+5EuIA+22mCqHmMJa8wl1uPd3MYAMGCnPwSndANQK3T4L +wyWuqxs7XqNrhJJJgyyPua/LFZcZrXOcDV+B6J29 +--- 2r9oES+McJfyEYWC4NQxOaBgSf3Lkv2HDCP3o2lFg6o +&YԼû2;JvJm ̛LO4%2 E=bs5O+8QZ%( j9HGRf# \ No newline at end of file