From a975cc1f7f84c28c348627efb5b26afb42760dcf Mon Sep 17 00:00:00 2001 From: oddlama Date: Tue, 1 Aug 2023 02:01:43 +0200 Subject: [PATCH] feat: add forgejo --- hosts/ward/default.nix | 3 +- hosts/ward/microvms/forgejo.nix | 152 ++++++++++++++++++ .../forgejo/forgejo-mailer-password.age | 9 ++ hosts/ward/secrets/forgejo/host.pub | 1 + hosts/ward/secrets/forgejo/local.nix.age | 9 ++ .../forgejo/telegraf-influxdb-token.age | 13 ++ modules/config/users.nix | 1 + .../sentinel/loki-basic-auth-hashes.age | Bin 1454 -> 1537 bytes .../promtail-loki-basic-auth-password.age | 10 ++ .../proxy-sentinel/keys/ward-forgejo.age | 9 ++ .../proxy-sentinel/keys/ward-forgejo.pub | 1 + .../psks/sentinel+ward-forgejo.age | 10 ++ 12 files changed, 216 insertions(+), 2 deletions(-) create mode 100644 hosts/ward/microvms/forgejo.nix create mode 100644 hosts/ward/secrets/forgejo/forgejo-mailer-password.age create mode 100644 hosts/ward/secrets/forgejo/host.pub create mode 100644 hosts/ward/secrets/forgejo/local.nix.age create mode 100644 hosts/ward/secrets/forgejo/telegraf-influxdb-token.age create mode 100644 secrets/generated/ward-forgejo/promtail-loki-basic-auth-password.age create mode 100644 secrets/wireguard/proxy-sentinel/keys/ward-forgejo.age create mode 100644 secrets/wireguard/proxy-sentinel/keys/ward-forgejo.pub create mode 100644 secrets/wireguard/proxy-sentinel/psks/sentinel+ward-forgejo.age diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix index 14c46cc..96b6b8f 100644 --- a/hosts/ward/default.nix +++ b/hosts/ward/default.nix @@ -60,11 +60,10 @@ }; in lib.genAttrs - ["kanidm" "grafana" "loki" "vaultwarden" "adguardhome" "influxdb"] + ["kanidm" "grafana" "loki" "vaultwarden" "adguardhome" "influxdb" "forgejo"] defaultConfig; #ddclient = defineVm; - #gitea/forgejo = defineVm; #samba+wsdd = defineVm; #fasten-health = defineVm; #immich = defineVm; diff --git a/hosts/ward/microvms/forgejo.nix b/hosts/ward/microvms/forgejo.nix new file mode 100644 index 0000000..f91f822 
--- /dev/null
+++ b/hosts/ward/microvms/forgejo.nix
@@ -0,0 +1,152 @@
+{
+ config,
+ lib,
+ nodes,
+ pkgs,
+ utils,
+ ...
+}: let
+ sentinelCfg = nodes.sentinel.config;
+ forgejoDomain = "git.${sentinelCfg.repo.secrets.local.personalDomain}";
+in {
+ # TODO forward ssh port
+ meta.wireguard-proxy.sentinel.allowedTCPPorts = [
+ config.services.gitea.settings.server.HTTP_PORT
+ ];
+
+ age.secrets.forgejo-mailer-password = {
+ rekeyFile = config.node.secretsDir + "/forgejo-mailer-password.age";
+ mode = "400";
+ group = "forgejo";
+ };
+
+ nodes.sentinel = {
+ networking.providedDomains.forgejo = forgejoDomain;
+
+ services.nginx = {
+ upstreams.forgejo = {
+ servers."${config.services.gitea.settings.server.HTTP_ADDR}:${toString config.services.gitea.settings.server.HTTP_PORT}" = {};
+ extraConfig = ''
+ zone forgejo 64k;
+ keepalive 2;
+ '';
+ };
+ virtualHosts.${forgejoDomain} = {
+ forceSSL = true;
+ useACMEWildcardHost = true;
+ extraConfig = ''
+ client_max_body_size 512M;
+ '';
+ locations."/".proxyPass = "http://forgejo";
+ locations."/metrics" = {
+ proxyPass = "http://forgejo/metrics";
+ extraConfig = ''
+ allow 127.0.0.0/8;
+ allow ::1;
+ deny all;
+ access_log off;
+ '';
+ };
+ };
+ };
+ };
+
+ # XXX: TODO ssh if not using internal
+ # AcceptEnv GIT_PROTOCOL
+
+ services.gitea = {
+ enable = true;
+ package = pkgs.forgejo;
+ appName = "Redlew Git"; # tungsten inert gas?
+ stateDir = "/var/lib/forgejo";
+ # TODO db backups
+ # dump.enable = true;
+ lfs.enable = true;
+ mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
+ settings = {
+ actions = {
+ ENABLED = true;
+ DEFAULT_ACTIONS_URL = "https://gitea.com";
+ };
+ database = {
+ SQLITE_JOURNAL_MODE = "WAL";
+ LOG_SQL = false; # Leaks secrets
+ };
+ # federation.ENABLED = true;
+ mailer = {
+ ENABLED = true;
+ HOST = config.repo.secrets.local.forgejo.mail.host;
+ FROM = config.repo.secrets.local.forgejo.mail.from;
+ USER = config.repo.secrets.local.forgejo.mail.user;
+ SEND_AS_PLAIN_TEXT = true;
+ };
+ metrics = {
+ # XXX: query with local telegraf
+ ENABLED = true;
+ ENABLED_ISSUE_BY_REPOSITORY = true;
+ ENABLED_ISSUE_BY_LABEL = true;
+ };
+ oauth2_client = {
+ ACCOUNT_LINKING = "auto";
+ ENABLE_AUTO_REGISTRATION = true;
+ OPENID_CONNECT_SCOPES = "email profile";
+ REGISTER_EMAIL_CONFIRM = false;
+ UPDATE_AVATAR = true;
+ };
+ # packages.ENABLED = true;
+ repository = {
+ DEFAULT_PRIVATE = false;
+ ENABLE_PUSH_CREATE_USER = true;
+ ENABLE_PUSH_CREATE_ORG = true;
+ };
+ server = {
+ HTTP_ADDR = config.meta.wireguard.proxy-sentinel.ipv4;
+ HTTP_PORT = 3000;
+ DOMAIN = forgejoDomain;
+ ROOT_URL = "https://${forgejoDomain}/";
+ LANDING_PAGE = "/explore/repos";
+ SSH_PORT = 9922;
+ };
+ service = {
+ DISABLE_REGISTRATION = false;
+ ALLOW_ONLY_INTERNAL_REGISTRATION = false;
+ ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+ SHOW_REGISTRATION_BUTTON = false;
+ REGISTER_EMAIL_CONFIRM = false;
+ ENABLE_NOTIFY_MAIL = true;
+ REQUIRE_SIGNIN_VIEW = false;
+ };
+ session.COOKIE_SECURE = true;
+ ui.DEFAULT_THEME = "forgejo-auto";
+ "ui.meta" = {
+ AUTHOR = "Redlew Git";
+ DESCRIPTION = "Tungsten Inert Gas?";
+ };
+ };
+ };
+
+ systemd.services.gitea = {
+ after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
+ serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+ #preStart = let
+ # exe = lib.getExe config.services.gitea.package;
+ # providerName = "PrivateVoidAccount";
+ # args = lib.escapeShellArgs [
+ # "--name" providerName
+ # "--provider" "openidConnect"
+ # "--key" "net.privatevoid.forge1"
+ # "--auto-discover-url" "https://login.${domain}/auth/realms/master/.well-known/openid-configuration"
+ # "--group-claim-name" "groups"
+ # "--admin-group" "/forge_admins@${domain}"
+ # "--skip-local-2fa"
+ # ];
+ #in lib.mkAfter /* bash */ ''
+ # provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)
+ # if [[ -z "$provider_id" ]]; then
+ # FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${secrets.forgejoOidcSecret.path})" ${exe} admin auth add-oauth ${args}
+ # else
+ # FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${secrets.forgejoOidcSecret.path})" ${exe} admin auth update-oauth --id "$provider_id" ${args}
+ # fi
+ #'';
+ };
+}
diff --git a/hosts/ward/secrets/forgejo/forgejo-mailer-password.age b/hosts/ward/secrets/forgejo/forgejo-mailer-password.age
new file mode 100644
index 0000000..3164abc
--- /dev/null
+++ b/hosts/ward/secrets/forgejo/forgejo-mailer-password.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 JlyIN/2lVHvsCqEgB/sz/zN8YwikwT2LnAQUMJGrq2g
+lmLvulEsfMNWxxgmUn5aIr7sHtd+kcBDybUzXr6n5no
+-> piv-p256 xqSe8Q Assr9n0it/QzKq8TOsx2t/MtEe92WMrXj+JJHo3RrT1n
+DdtEjsC+Uv3A2aEeMeSapWEBpsvM2JtdrE7I3m/bc5A
+-> >>"VV-grease S/>pq yum?k~& 85'4b7O
+BIM8LsHCxjlyY5TWwWV5P6qF
+--- /x2FdfG5vuiPmiE2369C0vQ16bhDqfSGAo6iJyPXtZE
+HR@YAXƼv]˓SzduRjo }O
\ No newline at end of file
diff --git a/hosts/ward/secrets/forgejo/host.pub b/hosts/ward/secrets/forgejo/host.pub
new file mode 100644
index 0000000..036169e
--- /dev/null
+++ b/hosts/ward/secrets/forgejo/host.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQOF4njC2ap3yl+0JDVEhkUjX0sxVx/nBrt+vt7bQKl
diff --git a/hosts/ward/secrets/forgejo/local.nix.age b/hosts/ward/secrets/forgejo/local.nix.age
new file mode 100644
index 0000000..070a040
--- /dev/null
+++ b/hosts/ward/secrets/forgejo/local.nix.age
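Review bot: The mailer secret near the top of the hunk is declared with `mode = "400"` and `group = "forgejo"`, which makes the group attribute ineffective (a 0400 file is readable only by its owner) and names a group this commit does not appear to create — the users.nix hunk reserves the id as `gitea`, which is also what the NixOS gitea module uses for user and group unless `services.gitea.user`/`services.gitea.group` are set, and they are not set here. If the module substitutes `mailerPasswordFile` into the runtime config as the service user, as I believe it does, the service will fail at start because the root-owned secret is unreadable. Either follow the group-readable pattern, `mode = "440"; group = "gitea";` (or `group = config.services.gitea.group;` where that option is available), or set `owner` on the secret explicitly. Separately, `metrics.ENABLED = true` serves `/metrics` unauthenticated on the wireguard-facing `HTTP_ADDR`; the nginx location only restricts the public path to loopback on sentinel, so a `metrics.TOKEN` (checked by the scraper noted in `# XXX: query with local telegraf`) would avoid relying on the allow list alone.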
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 oa6IWrr6YZA553kin7UnrUFGBR7R8VE8WlfOskVH0Tk +g5KsBunZ+QQVJTK3pqfLxeDwI7KIPJotZmnOYgLvcn8 +-> piv-p256 xqSe8Q Aru3YJbt0597SblXoXuzzRxUqbhCtrmbLPPKhv4fA9tZ +Bo/hrsI5l10+vX5b8sM75PjLM5d3ipEvG4L+R9ex6Zo +-> z#-grease (5#aXK, eq@?N[S +gCAbCrw +--- bFEmSOwIaMjE4AEM5vldWZuBNptNajgtGV/VNrK/pxU +ݸ}Np޽ j6'5=?J.U<pma $!5#[ Oa2gB=EobxKx 8CZ8S a";/S7)'+)-|Y HS@G?ߌu \ No newline at end of file diff --git a/hosts/ward/secrets/forgejo/telegraf-influxdb-token.age b/hosts/ward/secrets/forgejo/telegraf-influxdb-token.age new file mode 100644 index 0000000..b2da0f5 --- /dev/null +++ b/hosts/ward/secrets/forgejo/telegraf-influxdb-token.age @@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> X25519 DCVhASEENA4z7QkZIAz+7shz69B3UGfuR4QwV28e3w4 +KcvcVb5PxsRMlA5n35c/4nRLdv7WoIL2bqJn6Ry0tBU +-> piv-p256 xqSe8Q ArDV5TYzLEFhnRxXIY1OMPe4nPE7rtNhsUhU+7J2La3o +SoqSbbPvxlF4uaGSRNKSumajM9aEr2EoHE8PyPr3sMk +-> e\9`z-grease +PtN7lO2jjyBoMojXSiPLmWGgv23uUbzd9TxrAwwDiCcBbW5RL5vvR2HFzc+k+ZVa +RA3xLg5UeIzjsZdkWBezPHX1p7OALN49ZxtJ21fzfDhdUCTfVIKK4mi++At2hEJF +6g +--- FdR7X/jFWv+BhzuO8kpGr8xC3SKgmrwHg4YaHRxnwHE + p 6SDW(YR3s_۪/2g}ܶW?ub +)/ ,{&F-5/u.p \%ɟ4qӉyKQk4W3ˌ +ӈ[t__4y q^/F* \ No newline at end of file diff --git a/modules/config/users.nix b/modules/config/users.nix index 6e7ffb4..f631c8b 100644 --- a/modules/config/users.nix +++ b/modules/config/users.nix @@ -23,5 +23,6 @@ influxdb2 = uidGid 986; telegraf = uidGid 985; rtkit = uidGid 984; + gitea = uidGid 983; }; } 
diff --git a/secrets/generated/sentinel/loki-basic-auth-hashes.age b/secrets/generated/sentinel/loki-basic-auth-hashes.age index ca9db32ae62dbb3417af1efca49c4d8226b6cf67..b831edc1a690beeabd70e7b55bc0e0f1760b6845 100644 GIT binary patch delta 1523 zcmVprZZl<2OJzB6PikXoad&c0c~&uRIaW+?G%!|j zFfcM_RSH#eLV09*ZFX-qZgOr&cX3Krb8u`maA<00QbjXvOiV9sMk`D?V=pUWV+t)k zAaH4REpRe5HXwL$Q)M_&AVF>~XJ>9xS$Q;JMKoqiaWXMzc7J6{MOJ7_IA$_AOGIXR zNWnpt=3QBcnPFZJhN;W}3RZeYJYJZ>Eg5gUc>KHPC6vWLIK43l^T|fB>#)qIv=91OD?l`~ zeV0G`aG!P=r5wl>3W1vbS2R&rxsl6AyJ=?$Gn**_cz@1uIrxjX3>Jprm?++C4q+lU z7_0&4eZnrzBMeIS&S8$uvA`%`Ke8VU5KYiKU6W{ko)t>4F*1j1E~<>IV&M`Pm0_|= zVSdC@#8npeOF=e{x*w3x-p}?xoJ!ZcgU?@L(C4X?GM{2?}Ztr4{+9I#&JZu1W)lY(j?nHA-*YrSAsWc_VD#(Mx^wPJ#lQ)nGtFsFvzs&UD{ zsTAZ1guLyHWGUB?Lx{&Y+q#lnj^?}2AXV$}iuuQ-;{ z9k^%9U2v);39a~`b%FcK1xxxE5nT2Hw7lfU)Akag5FTWO;mk~)!@xQi`TTDlv%Po1 zxFnp(qYy8P3wm^?WUz;8+uoWMSmX0AFy-~XXbFx?hYZRk*K@9XumhhT(S6X zoX1eMSV)x>86uZ$t!mW(`U_VlPahJ^6maEwJGa)K<;~$u0RQDgYX9n2BVGygDSOqr zBy;=yuXHg)by}g0G+vDONWiaB)gij94S$Q_KFuYVZqA<~H=|iSxHnFlozHIgUNu!W zHoL|rQhxZTu&)!eT7>R@GyR*yL49`&DmDaN04YQ*VW4yLop{_!7By3Q*;tEhm@xqDos>woMM zi(8Q7WINsT5wkXrh*TwmPhkvoshzBi`hxrGRz}uWOTDVh%nf@;q76lMmcDM9%kjD8 z=`#u_ILnG;>$j+#m9v^OL*WC!68$*!uJKSud6PtJEw5DvVz`(@G*4muw^iG_V{G(? z+~{I|Iw}iZ-5n9o~ZDj(-#qk;M-z-7X2;iM}TX7E;3QeyptEbbJz_(7#4; z9LO6%-oUQZ>z;zpE2YX8mgy977(3%o6VMC)*SoZ3;cbcaVSIQ*Qq6$`c=TOL>Rf14 z(0Q{Vd__Dg6iC>W^?sJ++3NKrvHKPaQR12p{T*z{kY$tw|BFiD6l(+`Uw@qp6yKxh zM{o7KGj$$J3MJ(6GcXrW5p)Db@RchrFGq%O%;D==O~ZPEn{thIp1}PjioCmo(SwFQ zOL~?TE_BEv?mQ@&`JW7m#!p7E5Z?#mC3{c@nFp4J4QF1jBq)7tHKJWj7#Q0m9jva| zO}KOV41_S!$C0`VX>(6;R$5hJOJ{I! zS$cD6Gzw&MPGxN{Gfy}#dUz{iD_3M$QfoO^P~bYXNuPBtrOH&8iY zS2PMOJ|I|SEoX9NVRK~)F>Q5mR8mezcw1^MK4E8cq>^7Q|ge#nb;rvkuz!OHFE2b<%H9|@vLSgvWHG! 
zCg?d7y)Ttq%`3WtcARfJzdWdcbX#+uUHUXy6iI*KDSvErOvF&-xzc*|;8z7tmgPQD zRoGQEHL{n-f==S}(H?v-OuV#eei^3~1dEE#LX)Imj6aT5Mt#S%rqvazcy$6mLD*QkJ_;x#JTr_$9yqse*pj!S3cbGXiNPsHq zL2Nza}o)9oUp?oqmmrjSPUN@r!Md*T9^#izPv64O-IXthx^ouXotFMMZO>#N(Ta!9NrbTmgmh?ni z|I+-;Y-1H*l*TiX&M;jSe}27pd2N$R-N{qhELFjGefr2m3?I)~Yj&>1P=A3Gam`R0 zT7R8hG$N~0O+=q~i%_rIO>vEwZ)@~Fyh;NIsU4dUhI$0sTfU(B$ui;yyFqS512;+_ z(o)v~5KoG@r}R3sFhdAwtku?NfG?|uYBIOjhXVjMNyj?vhWgk^DjhHGO~q+vkDlb2 zG5$?5Q>u+zRht;`n4T^7HqqFTA{j>$M1TI5nwm1~Bcm3C+!^or@=-z{nI*$r=Wncx zRPvWc6-q9ZF+$;cE>u*lH9mKGu;^Kj4TyUyrZzw8o90@lGCjxA7!XlRfdB0$n==ol zZNgxp!Y|2Hm+#G$-a;Zy%`e%$KCg%30%=s32D+OIJi1;+KQ8;eUpR zz%nbV`%PYiWqlb*!)1D-5p&Xi^uelILDk0k9jI-_XiW%FRhrr(#2-uUEmDBe>o~!N z?|f8<T-+`5<$Ipg3+6J2EAoGYSm0&xsu`jr^^t^h;}EK#-tD~t zrCKgRKLnfga-E4`gcE{;_pB^z8h?9`0mnY*m$~I{-)b>`a}58n1UcJ*XdU)Q8g~*W zV`8wmT-@-8iJE5OX3DdpPG*O}O^vhBoR;~!~`GW?J5W9`lh;D)nyJmQP uDLK`b%} X25519 369RPyVuKta20vwEHgEqW0WxuZFLLcZJzvJAlPgZMHM +KfpCoHtmAC3oUgB+SRm5NgKFW0o6HOQDYcxLzDXBj/Y +-> piv-p256 xqSe8Q A1QO/2NvsLbr2cWy5kHFY3fRPHBo7AF3e/xPLRig/WCV +/dtC93EzQ8Kny1y/kopkxPMKaPP+7n2FG2ug1smrLvE +-> {hFm1$-grease HC |\`4oKj *7fd`} a7qK +dbl68LPkvYQUgggOcHKbqEeyi8b73S3zHLjyozdxJwBgaErd246piMCygl7ZgLo8 +V1LYMGkfWYYgTDXhpuUG8xvB3CzzUM9Zz8QkhsVHGUNUXB4eZYnrPZIyv/vR +--- PZnw5B9NoXRKVoqPuoxmPYOwpCJJULMhZu7SZEkotKs +Gy5Y֢NR =,1~>HGnLހԼlDY>2_L;z12"}/@ \ No newline at end of file diff --git a/secrets/wireguard/proxy-sentinel/keys/ward-forgejo.age b/secrets/wireguard/proxy-sentinel/keys/ward-forgejo.age new file mode 100644 index 0000000..2604371 --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/keys/ward-forgejo.age 
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 R43TPz2QP32vi/5AHnixCG4vvaN78vhEEYZDht8YYzk +lQfgwf1G1GUVOeDY2PGnaJMGRgo3pghiyuBzwfAd2pI +-> piv-p256 xqSe8Q AmPoA+t+rJ3VbXnq8mRr4wkhc7kYoyt5ZhTEuXTUevtE +QDReg6mXHU7ios2g1HRGwsNcaGBn4Z5H1EP7ch+IejQ +-> l*3-grease `:]9Lg^ VOk0vG[ bB +4zccbVor+0eU +--- 8jwrSczZ3YdQJuiSutEQu03+aOMvc5AcIU1d5RmHp/M +L ?Hq$'n:,`RdnJW!s% KD77n6!X.u60d3o| \ No newline at end of file diff --git a/secrets/wireguard/proxy-sentinel/keys/ward-forgejo.pub b/secrets/wireguard/proxy-sentinel/keys/ward-forgejo.pub new file mode 100644 index 0000000..5e8eb1b --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/keys/ward-forgejo.pub @@ -0,0 +1 @@ +vhEBfqx8nZ9BIDWq7La3zrlM3aD3sHkHbFp7eBSXJUo= diff --git a/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-forgejo.age b/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-forgejo.age new file mode 100644 index 0000000..04aaf25 --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-forgejo.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 iBPXdrauwl6d/eujMjHNIs6cq5h6xM+RKK4FZCD3QBQ +IdfcmZOkbTiD0y/vPjGFgfTAFqDX5LCiD0ks/0H/itg +-> piv-p256 xqSe8Q Au3erLTADz8XI9FvOVXhD2z57I4RjxMW0EGN95sIlslb +RPuWDwH66XpmyxL+XzzwWZGY82HvBzuFw1F2GJnJbHc +-> SOJ*$-grease lN g +iip1iw8oWXVZAazHBZW+5EuIA+22mCqHmMJa8wl1uPd3MYAMGCnPwSndANQK3T4L +wyWuqxs7XqNrhJJJgyyPua/LFZcZrXOcDV+B6J29 +--- 2r9oES+McJfyEYWC4NQxOaBgSf3Lkv2HDCP3o2lFg6o +&YԼû2;JvJm ̛LO4%2 E=bs5O+8QZ%( j9HGRf# \ No newline at end of file