gitea: Move machine-specific module to machine config

Erwin Boskma 2024-01-22 20:27:45 +01:00
parent 4f9b088afb
commit 72030e6c69
Signed by: erwin
SSH key fingerprint: SHA256:/Wk1WZdLg+vQHs3in9qq7PsIp8SMzwGSk/RLZ5zPuZk
4 changed files with 118 additions and 114 deletions


@ -1,13 +1,11 @@
{ pkgs, config, lib, ... }: { pkgs, config, lib, ... }:
with lib; with lib;
let let
giteaCfg = config.services.gitea;
borgJob = name: { borgJob = name: {
environment = { environment = {
BORG_RSH = "ssh -i ${config.sops.secrets.gitea_backup_ssh_key.path}"; BORG_RSH = "ssh -i ${config.sops.secrets.gitea_backup_ssh_key.path}";
}; };
repo = "ssh://zh2088@zh2088.rsync.net/./backups/gitea/${name}"; repo = "ssh://zh2088@zh2088.rsync.net/./backups/forgejo/${name}";
compression = "zstd,10"; compression = "zstd,10";
startAt = "*-*-* 2,6,10,14,18,22:30:00"; startAt = "*-*-* 2,6,10,14,18,22:30:00";
extraInitArgs = "--make-parent-dirs"; extraInitArgs = "--make-parent-dirs";
@ -29,11 +27,14 @@ let
}; };
in in
{ {
services.borgbackup.jobs = mkIf giteaCfg.enable { services = {
repos = borgJob "gitea" // { borgbackup.jobs = {
paths = [ "/var/lib" ]; repos = borgJob "forgejo" // {
paths = [ "/var/lib/forgejo/dump" ];
};
}; };
}; };
environment.systemPackages = [ pkgs.borgbackup ]; environment.systemPackages = [ pkgs.borgbackup ];
} }
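Review bot: The borg job now archives only `/var/lib/forgejo/dump`, and nothing visible ties its `startAt` at 30 minutes past the hour to the completion of the Forgejo dump that the new module schedules on the hour. If a dump ever runs longer than 30 minutes, borg could archive a partially written `tar.zst`, and because `/var/lib` is no longer in `paths`, that archive would be the only off-site copy for that cycle. Consider ordering the units, e.g. `systemd.services.borgbackup-job-repos.after = [ "forgejo-dump.service" ];` (unit names assumed from the job name `repos` and the NixOS module defaults, so confirm them), and test-restoring a dump periodically. The lines between the two hunks are not shown, so the job's encryption and prune settings could not be reviewed.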


@ -6,6 +6,8 @@
../../users/root ../../users/root
../../users/erwin ../../users/erwin
./backup.nix ./backup.nix
./forgejo
]; ];
eboskma = { eboskma = {
@ -13,7 +15,6 @@
enable = true; enable = true;
server = true; server = true;
}; };
gitea.enable = true;
nix-common = { nix-common = {
enable = true; enable = true;
remote-builders = true; remote-builders = true;
@ -28,7 +29,7 @@
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev; system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
networking = { networking = {
hostName = "ci"; hostName = "gitea";
useDHCP = false; useDHCP = false;
useHostResolvConf = false; useHostResolvConf = false;
networkmanager.enable = false; networkmanager.enable = false;


@ -0,0 +1,108 @@
{ pkgs
, config
, lib
, ...
}:
with lib; let
forgejoCfg = config.services.forgejo;
in
{
services.forgejo = {
enable = true;
user = "git";
lfs = {
enable = true;
};
database = {
type = "postgres";
socket = "/run/postgresql";
passwordFile = config.sops.secrets.gitea_db_password.path;
createDatabase = false;
name = "git";
user = "git";
};
dump = {
enable = true;
interval = "*-*-* 2,6,10,14,18,22:00:00";
type = "tar.zst";
};
settings = {
DEFAULT = {
APP_NAME = "Datarift Git";
};
security = {
PASSWORD_HASH_ALGO = "argon2";
DISABLE_GIT_HOOKS = false;
};
log.LEVEL = "Warn";
database = {
LOG_SQL = false;
};
repository = {
ENABLE_PUSH_CREATE_USER = true;
ENABLE_PUSH_CREATE_ORG = true;
};
server = {
DOMAIN = "git.datarift.nl";
ROOT_URL = "https://git.datarift.nl/";
};
service = {
DEFAULT_KEEP_EMAIL_PRIVATE = true;
DISABLE_REGISTRATION = true;
};
picture = {
ENABLE_FEDERATED_AVATAR = true;
};
session = {
PROVIDER = "db";
SAME_SITE = "strict";
COOKIE_SECURE = true;
};
webhook = {
ALLOWED_HOST_LIST = "external,10.0.0.202/32,ci.datarift.nl,10.0.0.210/32";
};
# Experimental Actions
actions = {
ENABLED = true;
};
};
};
networking.firewall.allowedTCPPorts = [ 3000 ];
users.users.git = {
description = "Forgejo service user";
home = forgejoCfg.stateDir;
useDefaultShell = true;
group = "forgejo";
isSystemUser = true;
};
services.postgresql = {
enable = true;
# Explicitly specify version here, because upgrading is a manual process that involves dumping and restoring databases:
# https://nixos.org/manual/nixos/unstable/index.html#module-services-postgres-upgrading
package = pkgs.postgresql_14;
ensureDatabases = [ "git" ];
ensureUsers = [
{
name = "git";
ensureDBOwnership = true;
}
];
};
}
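Review bot: `DISABLE_GIT_HOOKS = false` in `settings.security` is carried over without a comment explaining why it is needed. With hooks enabled, any account granted the git-hooks permission can run arbitrary commands on the host as the `git` service user, which here also gets a login shell via `useDefaultShell = true`. If server-side hooks are not required, set `DISABLE_GIT_HOOKS = true;`; otherwise document the decision next to the setting, e.g. `# Git hooks execute as the git user; grant the hook permission to site admins only`. Separately, `networking.firewall.allowedTCPPorts = [ 3000 ]` opens the plain-HTTP listener on every interface while `ROOT_URL` is HTTPS; if a reverse proxy terminates TLS (not visible on this page), limiting port 3000 to that proxy would be tighter.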


@ -1,106 +0,0 @@
{ pkgs
, config
, lib
, ...
}:
with lib; let
cfg = config.eboskma.gitea;
giteaCfg = config.services.gitea;
in
{
options.eboskma.gitea = { enable = mkEnableOption "gitea"; };
config = mkIf cfg.enable {
services.gitea = {
enable = true;
package = pkgs.forgejo;
user = "git";
appName = "Datarift Git";
lfs = {
enable = true;
};
database = {
type = "postgres";
socket = "/run/postgresql";
passwordFile = "/run/secrets/gitea_db_password";
createDatabase = false;
user = "git";
};
settings = {
security = {
PASSWORD_HASH_ALGO = "argon2";
DISABLE_GIT_HOOKS = false;
};
log.LEVEL = "Warn";
database = {
LOG_SQL = false;
};
repository = {
ENABLE_PUSH_CREATE_USER = true;
ENABLE_PUSH_CREATE_ORG = true;
};
server = {
DOMAIN = "git.datarift.nl";
ROOT_URL = "https://git.datarift.nl/";
};
service = {
DEFAULT_KEEP_EMAIL_PRIVATE = true;
DISABLE_REGISTRATION = true;
};
picture = {
ENABLE_FEDERATED_AVATAR = true;
};
session = {
PROVIDER = "db";
SAME_SITE = "strict";
COOKIE_SECURE = true;
};
webhook = {
ALLOWED_HOST_LIST = "external,10.0.0.202/32,ci.datarift.nl";
};
# Experimental Gitea Actions
actions = {
ENABLED = true;
};
};
};
networking.firewall.allowedTCPPorts = [ 3000 ];
users.users.git = {
description = "Gitea service user";
home = giteaCfg.stateDir;
useDefaultShell = true;
group = "gitea";
isSystemUser = true;
};
services.postgresql = {
enable = true;
# Explicitly specify version here, because upgrading is a manual process that involves dumping and restoring databases:
# https://nixos.org/manual/nixos/unstable/index.html#module-services-postgres-upgrading
package = pkgs.postgresql_14;
ensureDatabases = [ "gitea" ];
ensureUsers = [
{
name = "git";
ensurePermissions = {
"DATABASE gitea" = "ALL PRIVILEGES";
};
}
];
};
};
}