Add gitea

2023-05-04 23:06:26 +02:00 · 2023-05-04 23:06:26 +02:00 · 137a809232
parent b485be966a
commit 137a809232
10 changed files with 213 additions and 4 deletions
--- a/modules/cloud/postgresql/default.nix
+++ b/modules/cloud/postgresql/default.nix
@ -32,7 +32,10 @@ in

    ensureDatabases = cfg.databases;

-    ensureUsers = map userFromDatabase cfg.databases;
+    ensureUsers = (map userFromDatabase cfg.databases) ++ [{
+      name = "root";
+      ensurePermissions = { "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES"; };
+    }];
  };

  # Backup settings
--- a/nki-personal-do/configuration.nix
+++ b/nki-personal-do/configuration.nix
@ -14,6 +14,7 @@
    ../modules/cloud/gotosocial

    ./headscale.nix
+    ./gitea.nix
  ];

  common.linux.enable = false; # Don't enable the "common linux" module, this is a special machine.
@ -31,6 +32,7 @@
  networking.hostName = "nki-personal";
  networking.firewall.allowPing = true;
  services.openssh.enable = true;
+  services.openssh.passwordAuthentication = false;
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLr1Q+PJuDYJtBAVMSU0U2kZi4V0Z7dE+dpRxa4aEDupSlcPCwSEtcpNME1up7z0yxjcIHHkBYq0RobIaLqwEmntnZzz37jg/iiHwyZsN93jZljId1X0uykcMem4ljiqgmRg3Fs8RKj2+N1ovpIZVDOWINLJJDVJntNvwW/anSCtx27FATVdroHoiyXCwVknG6p3bHU5Nd3idRMn45kZ7Qf1J50XUhtu3ehIWI2/5nYIbi8WDnzY5vcRZEHROyTk2pv/m9rRkCTaGnUdZsv3wfxeeT3223k0mUfRfCsiPtNDGwXn66HcG2cmhrBIeDoZQe4XNkzspaaJ2+SGQfO8Zf natsukagami@gmail.com"
  ];
--- a/nki-personal-do/gitea.nix
+++ b/nki-personal-do/gitea.nix
@ -0,0 +1,199 @@
+{ pkgs, config, lib, ... }:
+with lib;
+let
+  user = "gitea";
+  host = "git.dtth.ch";
+  port = 61116;
+
+  secrets = config.sops.secrets;
+
+  signingKey = "0x3681E15E5C14A241";
+
+  catppuccinThemes = builtins.fetchurl {
+    url = "https://github.com/catppuccin/gitea/releases/download/v0.2.1/catppuccin-gitea.tar.gz";
+    sha256 = "sha256:18l67whffayrgylsf5j6g7sj95anjcjl0cy7fzqn1wrm0gg2xns0";
+  };
+  themes = strings.concatStringsSep "," [
+    "catppuccin-macchiato-green"
+    "catppuccin-mocha-teal"
+    "catppuccin-macchiato-sky"
+    "catppuccin-mocha-sky"
+    "catppuccin-mocha-yellow"
+    "catppuccin-mocha-lavender"
+    "catppuccin-macchiato-rosewater"
+    "catppuccin-macchiato-lavender"
+    "catppuccin-macchiato-pink"
+    "catppuccin-frappe-lavender"
+    "catppuccin-macchiato-yellow"
+    "catppuccin-frappe-yellow"
+    "catppuccin-latte-red"
+    "catppuccin-frappe-flamingo"
+    "catppuccin-mocha-blue"
+    "catppuccin-macchiato-peach"
+    "catppuccin-macchiato-flamingo"
+    "catppuccin-mocha-pink"
+    "catppuccin-macchiato-mauve"
+    "catppuccin-mocha-rosewater"
+    "catppuccin-latte-rosewater"
+    "catppuccin-mocha-red"
+    "catppuccin-macchiato-sapphire"
+    "catppuccin-latte-teal"
+    "catppuccin-latte-flamingo"
+    "catppuccin-macchiato-blue"
+    "catppuccin-latte-blue"
+    "catppuccin-latte-peach"
+    "catppuccin-frappe-mauve"
+    "catppuccin-frappe-green"
+    "catppuccin-frappe-teal"
+    "catppuccin-latte-mauve"
+    "catppuccin-macchiato-teal"
+    "catppuccin-frappe-red"
+    "catppuccin-latte-yellow"
+    "catppuccin-latte-lavender"
+    "catppuccin-mocha-flamingo"
+    "catppuccin-frappe-sapphire"
+    "catppuccin-frappe-blue"
+    "catppuccin-mocha-green"
+    "catppuccin-frappe-maroon"
+    "catppuccin-latte-green"
+    "catppuccin-frappe-rosewater"
+    "catppuccin-latte-sapphire"
+    "catppuccin-frappe-sky"
+    "catppuccin-mocha-sapphire"
+    "catppuccin-mocha-maroon"
+    "catppuccin-macchiato-red"
+    "catppuccin-latte-pink"
+    "catppuccin-frappe-peach"
+    "catppuccin-frappe-pink"
+    "catppuccin-mocha-mauve"
+    "catppuccin-macchiato-maroon"
+    "catppuccin-mocha-peach"
+    "catppuccin-latte-sky"
+    "catppuccin-latte-maroon"
+  ];
+in
+{
+  sops.secrets."gitea/signing-key".owner = user;
+  sops.secrets."gitea/mailer-password".owner = user;
+  # database
+  cloud.postgresql.databases = [ user ];
+  # traefik
+  cloud.traefik.hosts.gitea = {
+    inherit port host;
+  };
+
+  services.gitea = {
+    enable = true;
+    package = pkgs.unstable.gitea;
+
+    inherit user;
+
+    domain = host;
+    rootUrl = "https://${host}/";
+    httpAddress = "127.0.0.1";
+    httpPort = port;
+
+    appName = "DTTHgit";
+
+    settings = {
+      repository = {
+        DEFAULT_PRIVATE = "private";
+        PREFERRED_LICENSES = strings.concatStringsSep "," [ "AGPL-3.0-or-later" "GPL-3.0-or-later" "Apache-2.0" ];
+        DISABLE_HTTP_GIT = true;
+        DEFAULT_BRANCH = "master";
+        ENABLE_PUSH_CREATE_USER = true;
+      };
+      "repository.pull-request" = {
+        DEFAULT_MERGE_STYLE = "squash";
+      };
+      "repository.signing" = {
+        SIGNING_KEY = signingKey;
+        SIGNING_NAME = "DTTHGit";
+        SIGNING_EMAIL = "dtth-gitea@nkagami.me";
+      };
+      ui.THEMES = "auto,gitea,arc-green," + themes;
+      "ui.meta" = {
+        AUTHOR = "DTTHgit - Gitea instance for GTTH";
+        DESCRIPTION = "DTTHGit is a custom Gitea instance hosted for DTTH members only.";
+        KEYWORDS = "git,gitea,dtth";
+      };
+      service = {
+        DISABLE_REGISTRATION = true;
+        ENABLE_NOTIFY_MAIL = true;
+        ENABLE_BASIC_AUTHENTICATION = false;
+        REGISTER_EMAIL_CONFIRM = true;
+      };
+      "service.explore" = {
+        REQUIRE_SIGNIN_VIEW = true;
+      };
+      session = {
+        COOKIE_SECURE = true;
+      };
+
+      oauth2_client = {
+        REGISTER_EMAIL_CONFIRM = false;
+        ENABLE_AUTO_REGISTRATION = true;
+      };
+
+      mailer = {
+        ENABLED = true;
+        PROTOCOL = "smtps";
+        SMTP_ADDR = "mx1.nkagami.me";
+        SMTP_PORT = 465;
+        USER = "dtth-gitea@nkagami.me";
+        FROM = "DTTHGit <dtth-gitea@nkagami.me>";
+      };
+
+      git = {
+        PATH = "${pkgs.git}/bin/git";
+      };
+
+      federation.ENABLED = true;
+    };
+
+    mailerPasswordFile = secrets."gitea/mailer-password".path;
+
+    database = {
+      inherit user;
+      createDatabase = false;
+      type = "postgres";
+      socket = "/var/run/postgresql";
+      name = user;
+    };
+
+    # LFS
+    lfs.enable = true;
+
+    # Backup
+    dump.enable = true;
+  };
+
+  # Set up gpg signing key
+  systemd.services.gitea = {
+    path = with pkgs; [ gnupg ];
+    environment.GNUPGHOME = "${config.services.gitea.stateDir}/.gnupg";
+    # https://github.com/NixOS/nixpkgs/commit/93c1d370db28ad4573fb9890c90164ba55391ce7
+    serviceConfig.SystemCallFilter = mkForce "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
+    preStart = ''
+      # Import the signing subkey
+      if cat ${config.services.gitea.stateDir}/.gnupg/gpg.conf | grep -q ${signingKey}; then
+        echo "Keys already imported"
+        # imported
+      else
+        echo "Import your keys!"
+        ${pkgs.gnupg}/bin/gpg --quiet --import ${secrets."gitea/signing-key".path}
+        echo "trusted-key ${signingKey}" >> ${config.services.gitea.stateDir}/.gnupg/gpg.conf
+        exit 1
+      fi
+
+      # Copy icons
+      mkdir -p ${config.services.gitea.stateDir}/custom/public/img
+      install -m 0644 ${./gitea/img}/* ${config.services.gitea.stateDir}/custom/public/img
+
+      # Copy the themes
+      mkdir -p ${config.services.gitea.stateDir}/custom/public/css
+      env PATH=${pkgs.gzip}/bin:${pkgs.gnutar}/bin:$PATH \
+        tar -xvf ${catppuccinThemes} -C ${config.services.gitea.stateDir}/custom/public/css/
+    '';
+  };
+}
--- a/nki-personal-do/gitea/img/apple-touch-icon.png
+++ b/nki-personal-do/gitea/img/apple-touch-icon.png
--- a/nki-personal-do/gitea/img/avatar_default.png
+++ b/nki-personal-do/gitea/img/avatar_default.png
--- a/nki-personal-do/gitea/img/favicon.png
+++ b/nki-personal-do/gitea/img/favicon.png
--- a/nki-personal-do/gitea/img/favicon.svg
+++ b/nki-personal-do/gitea/img/favicon.svg
--- a/nki-personal-do/gitea/img/logo.png
+++ b/nki-personal-do/gitea/img/logo.png
--- a/nki-personal-do/gitea/img/logo.svg
+++ b/nki-personal-do/gitea/img/logo.svg
--- a/nki-personal-do/secrets/secrets.yaml
+++ b/nki-personal-do/secrets/secrets.yaml
@ -7,7 +7,7 @@ minio-secret-key: ENC[AES256_GCM,data:FkF4hFiW7s5gYbMbdemsmhduYDtb/aqMoUgP+CWI3r
 cloudflare-dns-api-token: ENC[AES256_GCM,data:2ny3JehpK30fTUDKrbzHv1QOczriChRyMQn6kNPULpUJ+eVwdptLvg==,iv:8wNAn3oawzLez7sO4ZvhFXcaZIpFVKgKCvTBlszFHn8=,tag:fRaO+u/5MtAWnTiy2Zwh0Q==,type:str]
 #ENC[AES256_GCM,data:KWrVRQg+cLm5MUdfsYrh7hkI4CWkl4Z0sDj0769eebeXDy+veixrQrxh1ZW+ro3WLwoIdU/IH5DPM4TWYn2qoM5aDHjGX764pr1x,iv:uZHBsGvSHv9vd/Wragl1dYNJ+8vCcMit2K3SrMFlz7s=,tag:7z4LyADfQvXsM2vvtWru8w==,type:comment]
 traefik-dashboard-users: ENC[AES256_GCM,data:kviapOq+xzxhjryse+5DaZbXRS/LEYyjqqFbHymXAZVEkWlu0T5pZ2bxSNCbXN+tXnb0u+6YPgGCaRNPLW74AF1hO8W8QqlLDA==,iv:41bwPyFQcuOLILTjLWUu5Kcnct/MaIIJsMbllc+n7Y0=,tag:17HyUjfRUcLGb0FrUm1O2A==,type:str]
-mail-users: ENC[AES256_GCM,data:DXVx2e6MSSSpHfKFD35zHGnGDPoZi7cOqPfAGubxa4gupatYcpI+PDEYwCPUc1ep2RXRXEMQW1BC3AOOEV/HUKfsPXOsx7jdb8Q4uHPb/ZJ7yNucNl3YxGBiP8N4/u4Avc9kGiHVsVlsMbVIMuOj3a/OF0x7g95DDNT4BscTCjKDFX+mMnkKceemUCc4gmmOJNAU3ytssCwdVZho0nzY80hGT2BwFXXE/KDl/Q==,iv:7zf1Av7I9nXxeRFGNBKK//1FqSTHzCavZTknx5lEy4g=,tag:zXUlnNxBi1JybnTlCAKF0g==,type:str]
+mail-users: ENC[AES256_GCM,data:FLmmXKcYLNRCyksuEervvU3HHzbPa4nPyHziF0CAtvB571AilH35KylvVb6YAh66Zacr8aO6CkxgIhcqs4/IFWmqNRSWta3R2r5g6yQE3gUW+HhPra1rRrmB9lRFs8j6lkUza0Rrrr1NmTkf2YqGyAR40+lEcaCQUyDAqUE3GW39YSunWDkvbsBCHK/Pj+Oq46dKr8NrOHqkbN7rdamSdReAKMzk8/lRAkbsxe9kfra/cwxVArEEVX10w2g4zTdPW2QlykvrmBLcjY6NA6FWDPwSUvq87lfKo6svUSN3zgfsgo2F809FdKPazEMQq9QvAoWe5jJ1YJbiquuJpelH6Ip7ShKGGw==,iv:BlhylfpbRfq9e9UOuhwcL2BUuWpynZT46RsprcaEVrI=,tag:g8QVUuNk4TuxgkHrfzqQvQ==,type:str]
 youmubot-env: ENC[AES256_GCM,data:m/NGN8r6Caq2tTHeVWV9y5fol9r36aKYYXLjHaa0AR+0XpVeJdXVZxPfQtzX4uo09rOGAPE4lepO05weo7mvEjI5m5QJ4FWrw0/HkLm4SUWnTnDU6BlK7l4K/2Ayz7jmD6GLWI+KcOSjEmma9GXNkVwDnxVrwaAWYOfDqDJMjMES/1S8OgCe5+74MCgNeefIwgXnmmxVMpl8fAdnOgovh1zRvcKPVrN5T0ia39IatDERwegas+q8t90Jjw==,iv:IEFvaMWzgClbHbsxGTdP5EdGayHQgggOT9CU7oAyMtE=,tag:GoEEcGCNHMimzltDit4kzA==,type:str]
 outline:
    smtp-password: ENC[AES256_GCM,data:zpIi6jVB2Y7ksBOR8SGFgjOD1x3aS6dKa6taLKB8v2l9p92iWDti75qgB1puglmmq8mCzz8KXLrM0Bv7W8GWRg==,iv:6tKINzQcApmNuIbNn0kSzFJtwn3rky/uFG2Ff3lazUk=,tag:kjB6qB87tRQVpy32Pt3D5A==,type:str]
@ -19,6 +19,9 @@ gts-env: ENC[AES256_GCM,data:xnL6FYNQ4Cd1XUsHcgGN0jYBPDViVAi9WsD4ewImk4IxmMyJi50
 headscale:
    client_secret: ENC[AES256_GCM,data:MLW0z2stjhXgxb4poAYr7LzrLzTNj5HqJzsyzOvYpKpKbyfx7SEdeZidG+m3ROuaN4PVsdpJblFjsvozzQlDQYRJZo8q+kpPvUPvhU0Ejya/XBO/sFcJKzulpfr4j3rK7FSKh2V6PiB8m9mvLziHfDmgL30le0wDD9uCNWkaHVo=,iv:1hRwI1NG2yO6igBsEGCg2Qn/po97ZhsyAEZOMKP3EZc=,tag:FV+RXBKyq+EJRsKT+DZ6lQ==,type:str]
    webui-env: ENC[AES256_GCM,data:F4fGd5szjEGYqseq15VF8Emdd5oXKAlj+O7jET7BpD/w0/M162KgXQ/xN/uzO5Bh/euzedMrair0c8SQKO/06Ko9cj35lclaSrnBiwHSDIkFvuoITvLeSVSR4W3dsui91Dh8GCCYO8JAZQnpqClls6kHBOO2FYVwF06zg8Coxli9cKkPdeJKLDEnPGUb2UpLoP0dieanNFc3YNIavlXwkgt4/hxEoKHJplTYrilekBtZjD998SyvubhhVKHTH/VhTgxodXgnbI3sV1a3uJCrUKWt79NwHu5TUd+C2/gZqAniCbo4AX8=,iv:87cme6ToLFR4eF5apZauIm3Q6HR3Z8EM3GkQxo06oNI=,tag:dbXLQhw6qn/DyYJ3/UeDiw==,type:str]
+gitea:
+    mailer-password: ENC[AES256_GCM,data:LDW0bpbfanBa2QjqdgtKu6F+zG84xaGuLg1cs6eTJbg=,iv:Kle+czR9Xqi45qWjYJIjRhq87rG2PNoNF6YQ7tQ+HJA=,tag:WUuPgwdnz8F2WtFsgcrw/Q==,type:str]
+    signing-key: ENC[AES256_GCM,data:64tLU6rVcCq6CSfVGtFfSc8m89gHFHwGQ4JSHw8p7GqlB7ioHrJVu8o+6u6UPERMfkcHsTG2gTwh7wpblF//bk1+TRyYWSuDnIGl1G7+6FVmJbvLyGJBck0NauW4s5Keiqr2qg38i3y9qy7kPaJGz/2J6cYYSQxB9xy8mtdoxwypGf+zxu1teiUnKmWa89i941s2FZZ+FoQvQCZs/7En3YnxNiDM+lXR4wqbPZPROlYHaVDOgeACBgq8GwNdgAFF7qRLdjxMGgjS3jjlD4QCJlEO6UbqVEBEK7pf4Or4kx/RM2A0rgGNUPpwKu/b5xGTUkA0X7TcZNIcLJ2zred0JIEj0bM7MNrkBIQovHEYLT3m33W1zKTTBC2lgPh90I/tPauIOb1hWHzgjM+LpV8bPkGXIk3BmoxW8eCiFmSjfvxdyS6WVJ6lGOIhaFNl59LyKsljyUmYcauig7/T+ylGyWiPViXuYB4fWxWr1t7Tb6DgY2fJdl5KQHLkDoAylHQ6pOb0l2YUGw1+vvHocMA9KTJeTnhTWAPZLOIFbfZL8sxrWRlpuZvvKdXlOjzKwVgCzWudYJ4jUoPSCmvxpnuCpiPbqaoZyA3Vyx7UCTN7UhKRb99jxEqdTrDPwRL0VlVZUQgLDTMPXHjdoOan06wXmDJEDRDBFsrrpna9wY1uvyPGBBpZ+uQZdxPZfXKQ8HRVHS1dKfyvdIaG/eYUrimF9euhYKYGPH02S6UcU+yQXw5B12HBxLDwS0oF3yWXfTMBsgejWFAuyQkQVJJjAi/Zs+9HJ3FQqr4vl/hUclv/X2XURuPc/jjYziNuOAn6yGhXuNC713SzUOnZlDgEcCkm8DHn5hQ/W4rZGUbSq+y/HUk8GA6XSw8u8H7KDQFnV4l4Chg1cKAf0YSXeinJ2x/RA9GXBvC5FVOM/Cx95arxS57vD578Rkdf/c7UQmuH+6X9YTX8MHVgkpHAGJ+bu2UnQ/hjAvGW6kee4jqefybCTxJm7qcSz1JrG6rS+S+9ZFj8BrXLcSIRlvxotg+FmBjdlqJMj5i0w+cR2f2zXPsmeDC0gmSTV7mYNz9+uMv708xwm26e4/rTT0hS+szLzzz/Ygm9yAkLf9lIS3457IWEjF+LCs9SEq3jfkx5zqpWfOpBCQU9rYKJhvjCVK6a1Hb2PfO4klkuwSNFPwyMHDlEqNmIVUf6uM5p8RVEQy07GsE4ycNtgicC32JGpkotcaU1ByQVbqRXlqJqMJnUEbnWH6qf3Em+wi8eBHmPf1BNjdP3f9BOle+H17/SdKssRbA8o4qQAGVkFzfjybMIh0onB1e15Rt5TUrRDxQAZG+uIsrHEiEOCDED846wO9apeV7wuOKXv2USDhybQhIctcuwxFGQEZWtGGrKzWTlK82Qb8FUM44x2HFj1SK7mIQbU20TcL2bd3b1OZ2kQe16CaT9R0BkpRlPLfiA1ZD7+3DdCyOJxTjutCQgaI1ONQuWn47rDOMbyqZhxs+Gj6bormGEWVRXQpV4VTknN/GyFB2aWQmZF8hGpEBl/t8IfOXDs56kN2Z8W2eKzHZz9u11HQ0eJ05LX2xz5DB+22UZT4bGK6Y3vJtB0+27r7G7hh79Fkapggm61xh3+D593epyW6Ix4hN29KrJWz/s93gi/g==,iv:LlUhINacJf7haxl7i0QI9ALdOFLdLJGbsXgszKVJOVg=,tag:ALkAcUmPFHp8wpI7DVYbiw==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -52,8 +55,8 @@ sops:
            by9kZFlTRVdCZFkxYTVVb0RIRk8zUlkKCqMw9oL9RaYBV5Hhy3o8Nm5xmGrPH8Sd
            hv36sxRFFNZT/DCKaHaSRbT3mfpBZSTXJt1dgl4nZe6whH54t/1KmA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-05-04T15:23:57Z"
-    mac: ENC[AES256_GCM,data:Zk6+H5SEt+W1/R+kv5jppwvPcZZ5g1PJWNuIDzjoUhtUacF/z7Lri0F6y2OAAscd2y8+h6rKmEw1HgcLL4sLFTfAmdihxgl9qc/RTBInYOAIiBBZbrDL5kcsFdYRoBoii53JVAlLksxl1wnM7somtHSP4Z2jTBujOTPgNSGMFMc=,iv:44SJBbERicfiNMmw5kzhC9Wr8vfBnDT5eHqzm6HAI4I=,tag:gz8hk78IPwenO14zO76OoA==,type:str]
+    lastmodified: "2023-05-04T17:44:13Z"
+    mac: ENC[AES256_GCM,data:FeZJJU3ZZx3WkGik+3gNem3LpfeUTPwTRCv/y8IEEs7vjmjYP2PpbS8Bh5MJtg8wloBMnPsi5LYpmi1c/sTyKKPDhzrqBydN/GG+dKnBApINEwWjuPgMq2qZjIDs1p66h3rCfjsIlNrgaL0mH6w2NLAZbk8lR+Ovaj0r1c53IUA=,iv:3WZbyMyFPoz3T0tbwldFOBYijwjT8usBFTkrtSVw9I8=,tag:T6cnI8lbP5Y7uR8DxHD4hA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3