services.gitea: init

2024-10-23 04:38:44 +08:00 · 2023-12-17 13:37:15 +08:00 · 2023-12-17 13:37:15 +08:00 · f906e9d556
commit f906e9d556
parent 4ffd5aebd5
6 changed files with 69 additions and 110 deletions
--- a/flake.nix
+++ b/flake.nix
@ -337,7 +337,7 @@
                nginx.applications = { kkmeeting.enable = true; webdav.instances."webdav.chn.moe" = {}; };
                httpapi.enable = true;
                mastodon.enable = true;
-                gitlab.enable = true;
+                gitea.enable = true;
                grafana.enable = true;
                fail2ban.enable = true;
                wireguard =
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@ -35,7 +35,7 @@ inputs:
    ./httpapi.nix
    ./mirism.nix
    ./mastodon.nix
-    ./gitlab.nix
+    ./gitea.nix
    ./grafana.nix
    ./fail2ban.nix
    ./wireguard.nix
--- a/modules/services/gitea.nix
+++ b/modules/services/gitea.nix
@ -0,0 +1,64 @@
+inputs:
+{
+  options.nixos.services.gitea = let inherit (inputs.lib) mkOption types; in
+  {
+    enable = mkOption { type = types.bool; default = false; };
+    hostname = mkOption { type = types.str; default = "git.chn.moe"; };
+  };
+  config =
+    let
+      inherit (inputs.config.nixos.services) gitea;
+      inherit (inputs.lib) mkIf;
+    in mkIf gitea.enable
+    {
+      services.gitea =
+      {
+        enable = true;
+        lfs.enable = true;
+        mailerPasswordFile = inputs.config.sops.secrets."gitea/mail".path;
+        database =
+        {
+          createDatabase = false;
+          type = "postgres";
+          passwordFile = inputs.config.sops.secrets."gitea/db".path;
+        };
+        settings =
+        {
+          session =
+          {
+            COOKIE_SECURE = true;
+          };
+          server =
+          {
+            SSH_PORT = 2222;
+            ROOT_URL = "https://${gitea.hostname}";
+            DOMAIN = gitea.hostname;
+          };
+          mailer =
+          {
+            ENABLED = true;
+            FROM = "bot@chn.moe";
+            PROTOCOL = "smtps";
+            SMTP_ADDR = "mail.chn.moe";
+            SMTP_PORT = 465;
+            USER = "bot@chn.moe";
+          };
+        };
+      };
+      nixos.services =
+      {
+        nginx =
+        {
+          enable = true;
+          https."${gitea.hostname}".location."/".proxy.upstream = "http://127.0.0.1:3000";
+        };
+        postgresql.instances.gitea = {};
+      };
+      sops.secrets =
+      {
+        "gitea/mail" = { owner = "gitea"; key = "mail/bot"; };
+        "gitea/db" = { owner = "gitea"; key = "postgresql/gitea"; };
+        "mail/bot" = {};
+      };
+    };
+}
--- a/modules/services/gitlab.nix
+++ b/modules/services/gitlab.nix
@ -1,81 +0,0 @@
-inputs:
-{
-  options.nixos.services.gitlab = let inherit (inputs.lib) mkOption types; in
-  {
-    enable = mkOption { type = types.bool; default = false; };
-    hostname = mkOption { type = types.str; default = "git.chn.moe"; };
-  };
-  config =
-    let
-      inherit (inputs.config.nixos.services) gitlab;
-      inherit (inputs.lib) mkIf;
-    in mkIf gitlab.enable
-    {
-      services.gitlab =
-      {
-        enable = true;
-        host = gitlab.hostname;
-        port = 443;
-        https = true;
-        smtp =
-        {
-          enable = true;
-          address = "mail.chn.moe";
-          username = "bot@chn.moe";
-          passwordFile = inputs.config.sops.secrets."gitlab/mail".path;
-          tls = true;
-          enableStartTLSAuto = false;
-          port = 465;
-          domain = gitlab.hostname;
-          authentication = "login";
-        };
-        extraConfig =
-        {
-          gitlab.email_from = "bot@chn.moe";
-          lfs.enabled = true;
-        };
-        secrets =
-        {
-          secretFile = inputs.config.sops.secrets."gitlab/secret".path;
-          otpFile = inputs.config.sops.secrets."gitlab/otp".path;
-          jwsFile = inputs.config.sops.secrets."gitlab/jws".path;
-          dbFile = inputs.config.sops.secrets."gitlab/dbFile".path;
-        };
-        initialRootPasswordFile = inputs.config.sops.secrets."gitlab/root".path;
-        initialRootEmail = "bot@chn.moe";
-        databasePasswordFile = inputs.config.sops.secrets."gitlab/db".path;
-        databaseHost = "127.0.0.1";
-        # extraGitlabRb =
-        # ''
-        #   Settings.gitlab_sshd['enable'] = true
-        #   Settings.gitlab_sshd['listen_address'] = '0.0.0.0:2222'
-        # '';
-      };
-      nixos.services =
-      {
-        nginx =
-        {
-          enable = true;
-          https."${gitlab.hostname}".location."/".proxy.upstream = "http://unix:/run/gitlab/gitlab-workhorse.socket";
-        };
-        postgresql.instances.gitlab = {};
-      };
-      sops.secrets = let owner = inputs.config.services.gitlab.user; in
-      {
-        "gitlab/mail" = { owner = owner; key = "mail/bot"; };
-        "gitlab/secret".owner = owner;
-        "gitlab/otp".owner = owner;
-        "gitlab/jws" =
-        {
-          owner = owner;
-          sopsFile =
-            "${inputs.topInputs.self}/secrets/${inputs.config.nixos.system.networking.hostname}/gitlab/jws.bin";
-          format = "binary";
-        };
-        "gitlab/dbFile".owner = owner;
-        "gitlab/root".owner = owner;
-        "gitlab/db" = { owner = owner; key = "postgresql/gitlab"; };
-        "mail/bot" = {};
-      };
-    };
-}
--- a/secrets/vps7/default.yaml
+++ b/secrets/vps7/default.yaml
@ -21,7 +21,7 @@ postgresql:
    vaultwarden: ENC[AES256_GCM,data:Uz8GJMaLUTQ9pQbZyZLWS4bL5wmt9RvbAwNctAIDt9JrV3FaXxgKjE0MJSGklS55yj/Z/wbO6RCuCK2AWR2VKw==,iv:7hA8YcB88M1qCV8EhFYpHbfPmAZ/7xNqvTMJYZ/UcAY=,tag:mkDHJYmRoYZ/Ct0UmOp9FA==,type:str]
    nextcloud: ENC[AES256_GCM,data:5UpYSMsZgUgEJHg0ou9Z1RTE+YFFUKuXwPtc6L5XxD4GNo8Gd3CvcQSNGAol+5DtyPKF3q1+ZgtScWGrqU1RyA==,iv:Zfm+Oa4eON8WiJzYUkMFawafDwo9pOnOpWkwHYLIKkk=,tag:4ECMla1dFfCrn7lILwWFNA==,type:str]
    mastodon: ENC[AES256_GCM,data:IQxoNjZILazu5cxkEzFAqqmGSsOffMQHoRB7AC2NqI/+CJSVsfdwiSVfxN+Jc9dmrqCjscUSxaWCMHnrZj/JyQ==,iv:d6tyj/w0uH2E3qHjEcopVhnmE/Pq0qN9PHthSArryyw=,tag:kfJsxqkErFcG11B0CmiIKw==,type:str]
-    gitlab: ENC[AES256_GCM,data:YC1Ubpc9zWK8rb5FvZAEYjNWqVF8tZL6Nxqa18Wyq7KAh2Rv2tjl0iVlVzhtaBf28gF++nJVu9LcATaOuHH9sw==,iv:j+t4PwizJNkWZkhzdqU01/P5MeS2nSk6XNlvxJ17hC0=,tag:0gtBn9has+xrtJCn6MAyyA==,type:str]
+    gitea: ENC[AES256_GCM,data:EAuFPlUFvtARh4wbevoIUwZ886nS+3O9Jy7q/SkaTDx7PkQKGhZcPPxY45AG0QQrjSaI3cGLzDBMutFMXP0BMA==,iv:0cLOsopAfyMLHJDowyZirVR5nqLrjSLHYtnPC8GXReE=,tag:BwG5UibGLS16rwJbH/0ZyQ==,type:str]
    grafana: ENC[AES256_GCM,data:ZLtDIZ3oKasE4r1WNllNe/rkXxqRS+QAJI7EGPKhiFF1BtAxD46UpGQnUag3yg0gP/8+3COQs6camVSxcKFL1A==,iv:wMj3keVjNpVwNMwlt4E3ds1EYjLNIZ/S3RydhOlmYWU=,tag:ZRn7NWaUPbf2rHYLoLYw+w==,type:str]
 meilisearch:
    misskey-misskey: ENC[AES256_GCM,data:4s+qqd6mmstioC0XmG/vA6ED9mzu1vRJVPFFalRiqnnsFy0dYEU87H+y12eOp/KDSLdTNvpp6Z6jCNvxnpDXzQ==,iv:x6L9OPu/dwVsD9pYb4dqavw9NesMbo7LB+rwz6veAR4=,tag:/BBqV2sHIgPas7XsZydh2g==,type:str]
@ -116,8 +116,8 @@ sops:
            SnFHS1Z0SXUzTFdEd29KTy9DU3Y3R0UKfhh+rUmWDrf+UGjclP57dHipPLFoXSqy
            HdelmfV6q4/c7ppx2E+oZw3VNgoZCsrxxzYZfwxHJiZb+5vkE0D8iA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-12-13T04:01:05Z"
-    mac: ENC[AES256_GCM,data:3iqD/x7fzpKWfb6Ckv5JP+ZuaD2VuVoHGEeEC9OSv0ZplVH6RGyUa0GLIf0rYvQn55N1d+k7N1iCbrPyAC1O1kAcgTev+mdZSC+MkiGNUk2gxNlh+9NN8gy8EchTm1eN3JFaQ1sZw7AYNJEQM4N+SSH8uM2HR2iAMdC4ACYwxdE=,iv:BDz04pY0mf3kcofuTZLaLwSxaP02FR7r0WWLIukOOYc=,tag:m/hpWWh+SExtj+B7xEuWFA==,type:str]
+    lastmodified: "2023-12-17T05:32:02Z"
+    mac: ENC[AES256_GCM,data:fgtAvBL6Dg/ATU2+jIY9RAukDm64VxKPkf19ouRptuHq6DPm5e/puVLpNMhs5X+uGH9GTfBy79aBV9lYzrniA0IFWv3vbUeHI1A4VvgfZwqGazJ+6oJg6jNibsoeWFhrZGWxfYGWs0U4HDkL52QcLDjU0VyMq33t8HrTEKh2KCM=,iv:ML+H3E/Mb+3d13U2E4zLb+F4vxPINtps0gsxqfqG9XA=,tag:jOcaxjXDJMxIweI5VwEgKw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/secrets/vps7/gitlab/jws.bin
+++ b/secrets/vps7/gitlab/jws.bin
@ -1,24 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:Al5NNNTib+gGITYXCC7y2eBnbMtDEg12PPIKhu5aYsX1y5hEzf8plZAQUpjipwW+MRGP8y13kjtvgmYEW+2hjPKkvB1V0wVWwyVlJW9z4c/8+XZQ6iHTbdczxKbSj9swXO+pbnt6n20ofKSB5eCJbaHWG6Fd1ln7S0sataprlccwSF/WoJuwL5Hk654ldN4EA6i/2QHcUZFeVCc7cx+j9kBp6optwydV+V/skp88sJ9mecLXDrfFnNqzEFK4U6s2lMnhSfDtYGCC6RlC63hslSS6aqYrVn7KJqoI1v2pMBWbTSjO4ZJZkjy4RBjcnbYotfEji8zJ1QEJ/49IjrMkDxxT/shdmk5G8F2Zf1f9bo6Ge6yBJffw3oBAnjZe7z4QgHQzbQmuEMmgZ6C+XMyvtFNXbCcBIjFPIiaMujj4aT7S1HBGyVIoYUTRiLsTF8cilsazIid65ps7ydkHJjDZigigcuunogBJ7WtOs1wU2j/O8LDwStMnJ33aib4M4dVAn896KyIltN2lber4zQcshce+Ld2Y5UPU9wUD6dcx+Ezmma0OCgvoAB8TmZ1L+6heBWf27hb+Z2eHQlatLDhnZrQ7OrO76eL3aBHDXbDHv5IDMRTntb4strUqDD6JPAN+L8HS8D3rhVK54OHVMMPyIWzkWJRpLjyrI2m0bgxlpNPDz97ACu1Mlu0ebbhWTYMOYeBZjNvyyvf2W0Bp01sgnImQkFbfoxwZchvtDAhfCeW4GtlF2GI2iwCCtbe09hCO+hf9ulQQsoPcS875n3QlLv8SiFh24MEmj2JwfbrfeCb4QZxh6d+A63PBZxurhk1eDfVHjWa/e23A7hdv8NJ9Qfd5ah5jDgEHwLzu0HOE+afsJieYYHLhEUmv0/+HIyLG3soWfDLjy+i73p3avtaFv0GHXZx8D5NQB7Gy3445Px9Yd75xOI2kasI1sHbJuDgtLzNImNhfnA3L9EwTNyHMVpPH+1dUOV3qw+UH34tD8iJfSdV1WYp3ewxnrPFWuuLnZp0Z8LhtXW/FHlBQGAOoth0gdixy9wxEfxN93bXYMDHLzwxLA8vQ3b5inWMEptKXWKGjfASa8N63K0+r0SAbLMYNp7QvJycaswiust2dYhxbwFE30eQKrf07IWoYEKSKOBJD6mgO2O89W9Zn0KXvcYB4gU+emHRUAURZVQ2JMKT17L7h/y2FJj7nQV9M9iCp+Z4svwl6ur4FwIJ6NjkNqiyL9e6fAeWwi/8ip3WIjSosk4H8et/D757D9Kd9TxBAijfyMdDEwNi7ign7WIa2dkKjZIt3TS2ZxdE8zlc9MYUqc04ncqfuw3LolBlnwVscQgO3zf99yaMBA0KL4fm+Wps7Yqx+SVWz/W614AqJDqPYmdqs4T7LQYGmRYAsb3T6SRHDAU/v7Z9moAXvxc5t20fChm6p6nJc8kpG0kYhyoh7EbVefMqhwxVL97QKgoqzMjH+cXUEGdFS07bKETCuMep9wL2wH1DqAU3jwzrhmJebjuvtr7Q1Y7Ea0CTx+mCkWp6puX7xwHMFoSkMVvc1Kw5Bao1uI+ENIMKcSB2JST5fvYkzFNfl21ellJo4sqpLl30LNrjAi7Mv2oxw7hERZCvMewEyqOX4jplQyGtg3rv9hZnZZ+vy0T/Dn0gRruF5+lc32rkPaYWN8KEsOilXnoP+1014ScfnDD0gK/I/pLkTrxZYXjpSFU2J+qwif8NtcYghbMT5u3B6nv5rdmhF0RPUG2qgVvQDG5e6inzPidyGLGMxzPVFGDNg25tQTnG9YO833FNTV0DS6ThZOHjW6AntDcxvtSc6GqKCOomBPD0vmsGAOEVxLCWTQ6j422obThFZu6QQSjoyPKWwukeHWA1MEMdNY79bf1qACxoBJvSh+Xg/M9POvySHxVbFItvvRPTQYii9i4Cr0DpDhmK8pH27AqIc1tyaFfb2n0q/OGqjsvExFhA0mDn8x6D9spt9j7hRixHFFmqMSAins8NolbOPeY/uVq2WqaU4w3sPSIM/on20eadpsC5O22xt5UQXGQYn3d7TtpvInJ7r3gU5pp/Sjoe4Qw68sl4BZ3u8jYUOuVUqVztcilqqcqMUf96qDVnGjetLtL1c+BTDqcefZmSaEUIDe8gyKbvuY5rB0OqkxZ6F6shXiJRKGLQOfGL7mhh9GCgUTa/VhXaZmcOuc9jS0hCl4cZbEaIJr+SdChqHvwCnvFLyh3DpUwEh8S1E8MK3v6J3pQRPEgWSji3ntJxakGbW6tHb,iv:w+4KWqVK5p9UrAulfCwq1naoJoBmLYxWhRlYeG3x08c=,tag:hMDB+QP1AXRU0iBd3ZSxGg==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSbDRxK0taVzlwWEJPNFNk\nWVVtS09Jb1AzaUhkeGlTNlJBOXUyTEs1MEVjCnEwOGMyV0tJVDNwTzhQb25Fb1lz\nRkJqbFZMa1VkWVBFOWc0NVIwU2E1SEEKLS0tIExqOEZFUThmYThnbzBpZC9TcGc2\nSFNRQmNmdGlPZnE1cXlMT1VKNTU4NkUK19Xik2Nc2UB6hREBiClAx8fQQd0/lhma\nq0e0KEOIlJfH9Yowc/oT+zZust/i7O69mIK8cS3XWF8eUqFzj4aG8w==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age137x7csalutwvfygvvzpemlsywvdxj3j4z93a50z2sjx03w6zau8q3r5902",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1MGxNN2xIOFYvYWxuQTJy\ndktHSjU3cnJWN1diQTJKaVRPVU52MG1XUVUwCk9nVTZIbkllQjhGK0JweE1EbGFp\nTXZoakZpODRTM3BzUkp3Wk1WRmtwbnMKLS0tIGhkdmIzTXJwUHc3dHlHV3phTVVr\nQS9kalRPdkRZM0FBbXF6SDh6YzA0QVkKGTVwOIO6JgEKSb78s8erh+McXjtfuQQm\nlhX1NRb8Uk/SYhvrnfjMTUIQ9i2yqPn1cBuhp/MNgSsSS49q5anRNA==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2023-11-20T06:57:24Z",
-		"mac": "ENC[AES256_GCM,data:QiRf8cKJeTkEQOK3qJCi2uise8RDyg0zcZOVX0XE6YSE6mDivg2LC8mKuSBFVPw1vX+99l7aOBDEqKALD0sQIOQjd0lySJTLp4TDbSP43QoVQ5KmUtUUzeByDkH6DUBnFuXWlvyD5kOokqGvxkYXvyihdji8yDQz8rlw6xlwNPU=,iv:C3Wd+I2yal/tFpURBRvPygOtPedJ4kLsVNmOip9CUio=,tag:NIq54bGg863j+/k15npz8A==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.7.3"
-	}
-}