Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
This commit is contained in:
2025-06-25 23:03:12 +01:00
parent b9d57d2d58
commit aca10fdc66
12 changed files with 420 additions and 425 deletions


@@ -13,8 +13,6 @@
let
selfPkgs = inputs.self.packages.${system};
hmConfig = config.home-manager.users.${user};
inherit (hmConfig.virtualisation.quadlet) containers volumes networks;
autheliaClientId = "I2ZYDFGWP1bzfiauXe94IaiReZF6SqoEskSp6phoL2L8l16Cq7YX3Vr4pkQOSYfNDOwuFjTRIpqQ8eAqK0M93NeEgpr8YoPhKHyR";
podman = lib.meta.getExe pkgs.podman;
podmanAsUser = "${config.security.wrapperDir}/git-sudo -u ${user} ${podman}";
in
@@ -65,196 +63,201 @@ in
AuthorizedKeysCommand ${podmanAsUser} exec -i gitea gitea keys -c /etc/gitea/app.ini -e git -u %u -t %t -k %k
'';
home-manager.users.${user} = {
sops = {
secrets = {
"gitea/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml;
"gitea/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
"gitea/secretKey".sopsFile = ../../../../../../secrets/secrets.yaml;
"gitea/internalToken".sopsFile = ../../../../../../secrets/secrets.yaml;
"gitea/jwtSecret".sopsFile = ../../../../../../secrets/secrets.yaml;
"gitea/lfsJwtSecret".sopsFile = ../../../../../../secrets/secrets.yaml;
"gitea/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml;
"gitea/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml;
};
home-manager.users.${user} =
let
autheliaClientId = "I2ZYDFGWP1bzfiauXe94IaiReZF6SqoEskSp6phoL2L8l16Cq7YX3Vr4pkQOSYfNDOwuFjTRIpqQ8eAqK0M93NeEgpr8YoPhKHyR";
inherit (hmConfig.virtualisation.quadlet) containers volumes networks;
in
{
sops = {
secrets = {
"gitea/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml;
"gitea/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
"gitea/secretKey".sopsFile = ../../../../../../secrets/secrets.yaml;
"gitea/internalToken".sopsFile = ../../../../../../secrets/secrets.yaml;
"gitea/jwtSecret".sopsFile = ../../../../../../secrets/secrets.yaml;
"gitea/lfsJwtSecret".sopsFile = ../../../../../../secrets/secrets.yaml;
"gitea/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml;
"gitea/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml;
};
templates = {
gitea-postgresql-env.content = ''
POSTGRES_PASSWORD=${hmConfig.sops.placeholder."gitea/postgresql"}
'';
templates = {
gitea-postgresql-env.content = ''
POSTGRES_PASSWORD=${hmConfig.sops.placeholder."gitea/postgresql"}
'';
gitea-env.content = ''
GITEA_OAUTH_SECRET=${hmConfig.sops.placeholder."gitea/authelia/password"}
'';
gitea-env.content = ''
GITEA_OAUTH_SECRET=${hmConfig.sops.placeholder."gitea/authelia/password"}
'';
gitea.content = builtins.readFile (
(pkgs.formats.iniWithGlobalSection { }).generate "app.ini" {
globalSection = {
I_AM_BEING_UNSAFE_RUNNING_AS_ROOT = true;
};
sections = {
server = {
ROOT_URL = "https://git.karaolidis.com:443/";
# FIXME: https://github.com/go-gitea/gitea/issues/31112
OFFLINE_MODE = false;
SSH_USER = "git";
SSH_DOMAIN = "karaolidis.com";
SSH_CREATE_AUTHORIZED_KEYS_FILE = false;
LFS_START_SERVER = true;
LFS_ALLOW_PURE_SSH = true;
LFS_JWT_SECRET = hmConfig.sops.placeholder."gitea/lfsJwtSecret";
gitea.content = builtins.readFile (
(pkgs.formats.iniWithGlobalSection { }).generate "app.ini" {
globalSection = {
I_AM_BEING_UNSAFE_RUNNING_AS_ROOT = true;
};
service = {
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
SHOW_REGISTRATION_BUTTON = false;
};
sections = {
server = {
ROOT_URL = "https://git.karaolidis.com:443/";
openid = {
ENABLE_OPENID_SIGNUP = true;
WHITELISTED_URIS = "id.karaolidis.com";
};
# FIXME: https://github.com/go-gitea/gitea/issues/31112
OFFLINE_MODE = false;
oauth2 = {
JWT_SECRET = hmConfig.sops.placeholder."gitea/jwtSecret";
};
SSH_USER = "git";
SSH_DOMAIN = "karaolidis.com";
SSH_CREATE_AUTHORIZED_KEYS_FILE = false;
oauth2_client = {
ENABLE_AUTO_REGISTRATION = true;
USERNAME = "preferred_username";
};
LFS_START_SERVER = true;
LFS_ALLOW_PURE_SSH = true;
LFS_JWT_SECRET = hmConfig.sops.placeholder."gitea/lfsJwtSecret";
};
repository = {
ENABLE_PUSH_CREATE_USER = true;
};
service = {
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
SHOW_REGISTRATION_BUTTON = false;
};
database = {
DB_TYPE = "postgres";
HOST = "gitea-postgresql:5432";
NAME = "gitea";
USER = "gitea";
PASSWD = hmConfig.sops.placeholder."gitea/postgresql";
};
openid = {
ENABLE_OPENID_SIGNUP = true;
WHITELISTED_URIS = "id.karaolidis.com";
};
mailer = {
ENABLE = true;
PROTOCOL = "smtp+starttls";
SMTP_ADDR = "smtp.protonmail.ch";
SMTP_PORT = 587;
USER = "jupiter@karaolidis.com";
PASSWD = hmConfig.sops.placeholder."gitea/smtp";
FROM = "jupiter@karaolidis.com";
};
oauth2 = {
JWT_SECRET = hmConfig.sops.placeholder."gitea/jwtSecret";
};
security = {
INSTALL_LOCK = true;
SECRET_KEY = hmConfig.sops.placeholder."gitea/secretKey";
INTERNAL_TOKEN = hmConfig.sops.placeholder."gitea/internalToken";
};
oauth2_client = {
ENABLE_AUTO_REGISTRATION = true;
USERNAME = "preferred_username";
};
metrics = {
ENABLED = true;
};
};
}
);
repository = {
ENABLE_PUSH_CREATE_USER = true;
};
authelia-gitea.content = builtins.readFile (
(pkgs.formats.yaml { }).generate "gitea.yaml" {
identity_providers.oidc = {
authorization_policies.gitea = {
default_policy = "deny";
rules = [
database = {
DB_TYPE = "postgres";
HOST = "gitea-postgresql:5432";
NAME = "gitea";
USER = "gitea";
PASSWD = hmConfig.sops.placeholder."gitea/postgresql";
};
mailer = {
ENABLE = true;
PROTOCOL = "smtp+starttls";
SMTP_ADDR = "smtp.protonmail.ch";
SMTP_PORT = 587;
USER = "jupiter@karaolidis.com";
PASSWD = hmConfig.sops.placeholder."gitea/smtp";
FROM = "jupiter@karaolidis.com";
};
security = {
INSTALL_LOCK = true;
SECRET_KEY = hmConfig.sops.placeholder."gitea/secretKey";
INTERNAL_TOKEN = hmConfig.sops.placeholder."gitea/internalToken";
};
metrics = {
ENABLED = true;
};
};
}
);
authelia-gitea.content = builtins.readFile (
(pkgs.formats.yaml { }).generate "gitea.yaml" {
identity_providers.oidc = {
authorization_policies.gitea = {
default_policy = "deny";
rules = [
{
policy = "one_factor";
subject = "group:gitea";
}
];
};
clients = [
{
policy = "one_factor";
subject = "group:gitea";
client_id = autheliaClientId;
client_name = "Gitea";
client_secret = hmConfig.sops.placeholder."gitea/authelia/digest";
redirect_uris = [ "https://git.karaolidis.com/user/oauth2/authelia/callback" ];
authorization_policy = "gitea";
}
];
};
clients = [
{
client_id = autheliaClientId;
client_name = "Gitea";
client_secret = hmConfig.sops.placeholder."gitea/authelia/digest";
redirect_uris = [ "https://git.karaolidis.com/user/oauth2/authelia/callback" ];
authorization_policy = "gitea";
}
];
};
}
);
};
};
virtualisation.quadlet = {
networks.gitea.networkConfig.internal = true;
volumes = {
gitea-postgresql = { };
# TODO: Move LFS to mass storage
gitea = { };
}
);
};
};
containers = {
gitea =
let
entrypoint = pkgs.writeTextFile {
name = "entrypoint.sh";
executable = true;
text = builtins.readFile ./entrypoint.sh;
};
in
{
containerConfig = {
image = "docker-archive:${selfPkgs.docker-gitea}";
networks = [
networks.gitea.ref
networks.traefik.ref
];
volumes = [
"${volumes.gitea.ref}:/var/lib/gitea/data"
"${hmConfig.sops.templates.gitea.path}:/etc/gitea/app.ini:ro"
"${entrypoint}:/entrypoint.sh:ro"
];
environments.GITEA_OAUTH_KEY = autheliaClientId;
environmentFiles = [ hmConfig.sops.templates.gitea-env.path ];
entrypoint = "/entrypoint.sh";
labels = [
"traefik.enable=true"
"traefik.http.routers.gitea.rule=Host(`git.karaolidis.com`)"
];
};
virtualisation.quadlet = {
networks.gitea.networkConfig.internal = true;
unitConfig.After = [
"${containers.gitea-postgresql._serviceName}.service"
"sops-nix.service"
];
};
gitea-postgresql = {
containerConfig = {
image = "docker-archive:${selfPkgs.docker-postgresql}";
networks = [ networks.gitea.ref ];
volumes = [ "${volumes.gitea-postgresql.ref}:/var/lib/postgresql/data" ];
environments = {
POSTGRES_DB = "gitea";
POSTGRES_USER = "gitea";
};
environmentFiles = [ hmConfig.sops.templates.gitea-postgresql-env.path ];
};
unitConfig.After = [ "sops-nix.service" ];
volumes = {
gitea-postgresql = { };
# TODO: Move LFS to mass storage
gitea = { };
};
authelia-init.containerConfig.volumes = [
"${hmConfig.sops.templates.authelia-gitea.path}:/etc/authelia/conf.d/gitea.yaml:ro"
];
containers = {
gitea =
let
entrypoint = pkgs.writeTextFile {
name = "entrypoint.sh";
executable = true;
text = builtins.readFile ./entrypoint.sh;
};
in
{
containerConfig = {
image = "docker-archive:${selfPkgs.docker-gitea}";
networks = [
networks.gitea.ref
networks.traefik.ref
];
volumes = [
"${volumes.gitea.ref}:/var/lib/gitea/data"
"${hmConfig.sops.templates.gitea.path}:/etc/gitea/app.ini:ro"
"${entrypoint}:/entrypoint.sh:ro"
];
environments.GITEA_OAUTH_KEY = autheliaClientId;
environmentFiles = [ hmConfig.sops.templates.gitea-env.path ];
entrypoint = "/entrypoint.sh";
labels = [
"traefik.enable=true"
"traefik.http.routers.gitea.rule=Host(`git.karaolidis.com`)"
];
};
unitConfig.After = [
"${containers.gitea-postgresql._serviceName}.service"
"sops-nix.service"
];
};
gitea-postgresql = {
containerConfig = {
image = "docker-archive:${selfPkgs.docker-postgresql}";
networks = [ networks.gitea.ref ];
volumes = [ "${volumes.gitea-postgresql.ref}:/var/lib/postgresql/data" ];
environments = {
POSTGRES_DB = "gitea";
POSTGRES_USER = "gitea";
};
environmentFiles = [ hmConfig.sops.templates.gitea-postgresql-env.path ];
};
unitConfig.After = [ "sops-nix.service" ];
};
authelia-init.containerConfig.volumes = [
"${hmConfig.sops.templates.authelia-gitea.path}:/etc/authelia/conf.d/gitea.yaml:ro"
];
};
};
};
};
}
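Review bot: The `metrics = { ENABLED = true; };` section in the generated `app.ini` enables Gitea's Prometheus endpoint without a `TOKEN`, and the `gitea` container is also attached to `networks.traefik.ref` with a router for `Host(git.karaolidis.com)`, so `/metrics` is presumably reachable from the public hostname without any authentication (Gitea only demands a bearer token when `metrics.TOKEN` is set). Add a secret next to the others, `"gitea/metricsToken".sopsFile = ../../../../../../secrets/secrets.yaml;`, and render it with `metrics = { ENABLED = true; TOKEN = hmConfig.sops.placeholder."gitea/metricsToken"; };`, or else restrict the `/metrics` path at the Traefik router. The setting was carried over from the previous revision rather than introduced by this move into the `home-manager.users.${user}` let-block, but since the whole template is being rewritten here it is the natural place to close it. Similarly, `I_AM_BEING_UNSAFE_RUNNING_AS_ROOT = true` survives the refactor; if the `docker-gitea` image can run as an unprivileged user it would be worth a `# TODO` noting why root is still required, given the sshd `AuthorizedKeysCommand` execs into this container.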