diff --git a/flake.nix b/flake.nix
index e00afd2b..f701e06e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -337,7 +337,7 @@ nginx.applications = { kkmeeting.enable = true; webdav.instances."webdav.chn.moe" = {}; };
 httpapi.enable = true;
 mastodon.enable = true;
- gitlab.enable = true;
+ gitea.enable = true;
 grafana.enable = true;
 fail2ban.enable = true;
 wireguard =
diff --git a/modules/services/default.nix b/modules/services/default.nix
index f4f56bdd..c9453eed 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -35,7 +35,7 @@ inputs:
 ./httpapi.nix
 ./mirism.nix
 ./mastodon.nix
- ./gitlab.nix
+ ./gitea.nix
 ./grafana.nix
 ./fail2ban.nix
 ./wireguard.nix
diff --git a/modules/services/gitea.nix b/modules/services/gitea.nix
new file mode 100644
index 00000000..60df9187
--- /dev/null
+++ b/modules/services/gitea.nix
@@ -0,0 +1,64 @@
+inputs:
+{
+ options.nixos.services.gitea = let inherit (inputs.lib) mkOption types; in
+ {
+ enable = mkOption { type = types.bool; default = false; };
+ hostname = mkOption { type = types.str; default = "git.chn.moe"; };
+ };
+ config =
+ let
+ inherit (inputs.config.nixos.services) gitea;
+ inherit (inputs.lib) mkIf;
+ in mkIf gitea.enable
+ {
+ services.gitea =
+ {
+ enable = true;
+ lfs.enable = true;
+ mailerPasswordFile = inputs.config.sops.secrets."gitea/mail".path;
+ database =
+ {
+ createDatabase = false;
+ type = "postgres";
+ passwordFile = inputs.config.sops.secrets."gitea/db".path;
+ };
+ settings =
+ {
+ session =
+ {
+ COOKIE_SECURE = true;
+ };
+ server =
+ {
+ SSH_PORT = 2222;
+ ROOT_URL = "https://${gitea.hostname}";
+ DOMAIN = gitea.hostname;
+ };
+ mailer =
+ {
+ ENABLED = true;
+ FROM = "bot@chn.moe";
+ PROTOCOL = "smtps";
+ SMTP_ADDR = "mail.chn.moe";
+ SMTP_PORT = 465;
+ USER = "bot@chn.moe";
+ };
+ };
+ };
+ nixos.services =
+ {
+ nginx =
+ {
+ enable = true;
+ https."${gitea.hostname}".location."/".proxy.upstream = "http://127.0.0.1:3000";
+ };
+ postgresql.instances.gitea = {};
+ };
+ sops.secrets =
+ {
+ "gitea/mail" = { owner = "gitea"; key = "mail/bot"; };
+ "gitea/db" = { owner = "gitea"; key = "postgresql/gitea"; };
+ "mail/bot" = {};
+ };
+ };
+}
diff --git a/modules/services/gitlab.nix b/modules/services/gitlab.nix
deleted file mode 100644
index 931d6faa..00000000
--- a/modules/services/gitlab.nix
+++ /dev/null
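Review bot: The new `settings` block never sets anything under `[service]`, so Gitea's default of open self-registration applies to an instance that nginx publishes on `${gitea.hostname}`; add `service.DISABLE_REGISTRATION = true;` beside the `session` block (or `REQUIRE_SIGNIN_VIEW = true;` if the repositories are not meant to be public). `SSH_PORT = 2222` only changes the port advertised in clone URLs — nothing in this hunk starts a listener on 2222, so either the host sshd must already serve that port or `START_SSH_SERVER = true` plus a firewall rule is needed, otherwise SSH clones fail (the deleted gitlab.nix only carried a commented-out 2222 plan). Because nginx proxies to `http://127.0.0.1:3000`, pinning `HTTP_ADDR = "127.0.0.1"` would keep the backend off external interfaces instead of relying on the module default (which, as far as I recall, binds all interfaces) and on the firewall. The hard-coded `owner = "gitea"` in `sops.secrets` could read `inputs.config.services.gitea.user`, as the deleted gitlab.nix did with `services.gitlab.user`, so the secret ownership tracks the module's user option.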
@@ -1,81 +0,0 @@
-inputs:
-{
- options.nixos.services.gitlab = let inherit (inputs.lib) mkOption types; in
- {
- enable = mkOption { type = types.bool; default = false; };
- hostname = mkOption { type = types.str; default = "git.chn.moe"; };
- };
- config =
- let
- inherit (inputs.config.nixos.services) gitlab;
- inherit (inputs.lib) mkIf;
- in mkIf gitlab.enable
- {
- services.gitlab =
- {
- enable = true;
- host = gitlab.hostname;
- port = 443;
- https = true;
- smtp =
- {
- enable = true;
- address = "mail.chn.moe";
- username = "bot@chn.moe";
- passwordFile = inputs.config.sops.secrets."gitlab/mail".path;
- tls = true;
- enableStartTLSAuto = false;
- port = 465;
- domain = gitlab.hostname;
- authentication = "login";
- };
- extraConfig =
- {
- gitlab.email_from = "bot@chn.moe";
- lfs.enabled = true;
- };
- secrets =
- {
- secretFile = inputs.config.sops.secrets."gitlab/secret".path;
- otpFile = inputs.config.sops.secrets."gitlab/otp".path;
- jwsFile = inputs.config.sops.secrets."gitlab/jws".path;
- dbFile = inputs.config.sops.secrets."gitlab/dbFile".path;
- };
- initialRootPasswordFile = inputs.config.sops.secrets."gitlab/root".path;
- initialRootEmail = "bot@chn.moe";
- databasePasswordFile = inputs.config.sops.secrets."gitlab/db".path;
- databaseHost = "127.0.0.1";
- # extraGitlabRb =
- # ''
- # Settings.gitlab_sshd['enable'] = true
- # Settings.gitlab_sshd['listen_address'] = '0.0.0.0:2222'
- # '';
- };
- nixos.services =
- {
- nginx =
- {
- enable = true;
- https."${gitlab.hostname}".location."/".proxy.upstream = "http://unix:/run/gitlab/gitlab-workhorse.socket";
- };
- postgresql.instances.gitlab = {};
- };
- sops.secrets = let owner = inputs.config.services.gitlab.user; in
- {
- "gitlab/mail" = { owner = owner; key = "mail/bot"; };
- "gitlab/secret".owner = owner;
- "gitlab/otp".owner = owner;
- "gitlab/jws" =
- {
- owner = owner;
- sopsFile =
- "${inputs.topInputs.self}/secrets/${inputs.config.nixos.system.networking.hostname}/gitlab/jws.bin";
- format = "binary";
- };
- "gitlab/dbFile".owner = owner;
- "gitlab/root".owner = owner;
- "gitlab/db" = { owner = owner; key = "postgresql/gitlab"; };
- "mail/bot" = {};
- };
- };
-}
diff --git a/secrets/vps7/default.yaml b/secrets/vps7/default.yaml
index 2ad2e475..e639c819 100644
--- a/secrets/vps7/default.yaml
+++ b/secrets/vps7/default.yaml
@@ -21,7 +21,7 @@ postgresql:
 vaultwarden: ENC[AES256_GCM,data:Uz8GJMaLUTQ9pQbZyZLWS4bL5wmt9RvbAwNctAIDt9JrV3FaXxgKjE0MJSGklS55yj/Z/wbO6RCuCK2AWR2VKw==,iv:7hA8YcB88M1qCV8EhFYpHbfPmAZ/7xNqvTMJYZ/UcAY=,tag:mkDHJYmRoYZ/Ct0UmOp9FA==,type:str]
 nextcloud: ENC[AES256_GCM,data:5UpYSMsZgUgEJHg0ou9Z1RTE+YFFUKuXwPtc6L5XxD4GNo8Gd3CvcQSNGAol+5DtyPKF3q1+ZgtScWGrqU1RyA==,iv:Zfm+Oa4eON8WiJzYUkMFawafDwo9pOnOpWkwHYLIKkk=,tag:4ECMla1dFfCrn7lILwWFNA==,type:str]
 mastodon: ENC[AES256_GCM,data:IQxoNjZILazu5cxkEzFAqqmGSsOffMQHoRB7AC2NqI/+CJSVsfdwiSVfxN+Jc9dmrqCjscUSxaWCMHnrZj/JyQ==,iv:d6tyj/w0uH2E3qHjEcopVhnmE/Pq0qN9PHthSArryyw=,tag:kfJsxqkErFcG11B0CmiIKw==,type:str]
- gitlab: ENC[AES256_GCM,data:YC1Ubpc9zWK8rb5FvZAEYjNWqVF8tZL6Nxqa18Wyq7KAh2Rv2tjl0iVlVzhtaBf28gF++nJVu9LcATaOuHH9sw==,iv:j+t4PwizJNkWZkhzdqU01/P5MeS2nSk6XNlvxJ17hC0=,tag:0gtBn9has+xrtJCn6MAyyA==,type:str]
+ gitea: ENC[AES256_GCM,data:EAuFPlUFvtARh4wbevoIUwZ886nS+3O9Jy7q/SkaTDx7PkQKGhZcPPxY45AG0QQrjSaI3cGLzDBMutFMXP0BMA==,iv:0cLOsopAfyMLHJDowyZirVR5nqLrjSLHYtnPC8GXReE=,tag:BwG5UibGLS16rwJbH/0ZyQ==,type:str]
 grafana: ENC[AES256_GCM,data:ZLtDIZ3oKasE4r1WNllNe/rkXxqRS+QAJI7EGPKhiFF1BtAxD46UpGQnUag3yg0gP/8+3COQs6camVSxcKFL1A==,iv:wMj3keVjNpVwNMwlt4E3ds1EYjLNIZ/S3RydhOlmYWU=,tag:ZRn7NWaUPbf2rHYLoLYw+w==,type:str]
 meilisearch:
 misskey-misskey: ENC[AES256_GCM,data:4s+qqd6mmstioC0XmG/vA6ED9mzu1vRJVPFFalRiqnnsFy0dYEU87H+y12eOp/KDSLdTNvpp6Z6jCNvxnpDXzQ==,iv:x6L9OPu/dwVsD9pYb4dqavw9NesMbo7LB+rwz6veAR4=,tag:/BBqV2sHIgPas7XsZydh2g==,type:str]
@@ -116,8 +116,8 @@ sops: SnFHS1Z0SXUzTFdEd29KTy9DU3Y3R0UKfhh+rUmWDrf+UGjclP57dHipPLFoXSqy HdelmfV6q4/c7ppx2E+oZw3VNgoZCsrxxzYZfwxHJiZb+5vkE0D8iA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-12-13T04:01:05Z" - mac: ENC[AES256_GCM,data:3iqD/x7fzpKWfb6Ckv5JP+ZuaD2VuVoHGEeEC9OSv0ZplVH6RGyUa0GLIf0rYvQn55N1d+k7N1iCbrPyAC1O1kAcgTev+mdZSC+MkiGNUk2gxNlh+9NN8gy8EchTm1eN3JFaQ1sZw7AYNJEQM4N+SSH8uM2HR2iAMdC4ACYwxdE=,iv:BDz04pY0mf3kcofuTZLaLwSxaP02FR7r0WWLIukOOYc=,tag:m/hpWWh+SExtj+B7xEuWFA==,type:str] + lastmodified: "2023-12-17T05:32:02Z" + mac: ENC[AES256_GCM,data:fgtAvBL6Dg/ATU2+jIY9RAukDm64VxKPkf19ouRptuHq6DPm5e/puVLpNMhs5X+uGH9GTfBy79aBV9lYzrniA0IFWv3vbUeHI1A4VvgfZwqGazJ+6oJg6jNibsoeWFhrZGWxfYGWs0U4HDkL52QcLDjU0VyMq33t8HrTEKh2KCM=,iv:ML+H3E/Mb+3d13U2E4zLb+F4vxPINtps0gsxqfqG9XA=,tag:jOcaxjXDJMxIweI5VwEgKw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/secrets/vps7/gitlab/jws.bin b/secrets/vps7/gitlab/jws.bin deleted file mode 100644 index 5837310c..00000000 --- a/secrets/vps7/gitlab/jws.bin +++ /dev/null 
@@ -1,24 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data: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,iv:w+4KWqVK5p9UrAulfCwq1naoJoBmLYxWhRlYeG3x08c=,tag:hMDB+QP1AXRU0iBd3ZSxGg==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSbDRxK0taVzlwWEJPNFNk\nWVVtS09Jb1AzaUhkeGlTNlJBOXUyTEs1MEVjCnEwOGMyV0tJVDNwTzhQb25Fb1lz\nRkJqbFZMa1VkWVBFOWc0NVIwU2E1SEEKLS0tIExqOEZFUThmYThnbzBpZC9TcGc2\nSFNRQmNmdGlPZnE1cXlMT1VKNTU4NkUK19Xik2Nc2UB6hREBiClAx8fQQd0/lhma\nq0e0KEOIlJfH9Yowc/oT+zZust/i7O69mIK8cS3XWF8eUqFzj4aG8w==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age137x7csalutwvfygvvzpemlsywvdxj3j4z93a50z2sjx03w6zau8q3r5902", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1MGxNN2xIOFYvYWxuQTJy\ndktHSjU3cnJWN1diQTJKaVRPVU52MG1XUVUwCk9nVTZIbkllQjhGK0JweE1EbGFp\nTXZoakZpODRTM3BzUkp3Wk1WRmtwbnMKLS0tIGhkdmIzTXJwUHc3dHlHV3phTVVr\nQS9kalRPdkRZM0FBbXF6SDh6YzA0QVkKGTVwOIO6JgEKSb78s8erh+McXjtfuQQm\nlhX1NRb8Uk/SYhvrnfjMTUIQ9i2yqPn1cBuhp/MNgSsSS49q5anRNA==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2023-11-20T06:57:24Z", - "mac": "ENC[AES256_GCM,data:QiRf8cKJeTkEQOK3qJCi2uise8RDyg0zcZOVX0XE6YSE6mDivg2LC8mKuSBFVPw1vX+99l7aOBDEqKALD0sQIOQjd0lySJTLp4TDbSP43QoVQ5KmUtUUzeByDkH6DUBnFuXWlvyD5kOokqGvxkYXvyihdji8yDQz8rlw6xlwNPU=,iv:C3Wd+I2yal/tFpURBRvPygOtPedJ4kLsVNmOip9CUio=,tag:NIq54bGg863j+/k15npz8A==,type:str]", - "pgp": null, - "unencrypted_suffix": "_unencrypted", - "version": "3.7.3" - } -} \ No newline at end of file