git: Move to forgejo and migrate to marabethia

This commit is contained in:
Charlotte Van Petegem 2024-11-10 22:11:07 +01:00
parent d49d3c74a6
commit 5537cc85c2
No known key found for this signature in database
GPG key ID: 019E764B7184435A
23 changed files with 114 additions and 289 deletions


@ -18,7 +18,7 @@
config = {
system.autoUpgrade = {
enable = true;
flake = "gitlab:chvp/nixos-config?host=git.chvp.be";
flake = "git+https://git.chvp.be/chvp/nixos-config";
dates = "01/4:00";
randomizedDelaySec = "10min";
};
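Review bot: The new flake ref `git+https://git.chvp.be/chvp/nixos-config` carries no `ref`, so `system.autoUpgrade` will build whatever the repository's default branch on the new Forgejo host resolves to at upgrade time; pinning it, e.g. `flake = "git+https://git.chvp.be/chvp/nixos-config?ref=main";` (the branch name is not visible here), keeps a later default-branch change on the forge from silently switching what gets activated as root. A short comment would also help the next reader, since nothing in this block verifies commit signatures: the upgrade trusts TLS to git.chvp.be plus whoever can push to that branch, and the same commit hosts that Forgejo instance on this infrastructure, so a compromise of the forge becomes root on every auto-upgrading machine. The enclosing `config` attrset starts before and ends after this hunk.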


@ -1,85 +1,97 @@
{ config, lib, pkgs, ... }:
{
imports = [ ./runner.nix ];
options.chvp.services.git.enable = lib.mkOption {
default = false;
example = true;
};
config = lib.mkIf config.chvp.services.git.enable {
chvp.services.nginx.hosts = [{
fqdn = "git.chvp.be";
options = {
locations."/" = {
proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
extraConfig = ''
client_max_body_size 50M;
'';
chvp.services.nginx.hosts = [
{
fqdn = "git.chvp.be";
options = {
locations."/" = {
proxyPass = "http://unix:/run/forgejo/forgejo.socket";
extraConfig = ''
client_max_body_size 50M;
'';
};
};
};
}];
}
];
users = {
users = {
git = {
uid = lib.mkForce 963;
home = "/var/lib/forgejo";
group = "git";
isSystemUser = true;
useDefaultShell = true;
};
nginx.extraGroups = [ "git" ];
};
groups.git.gid = lib.mkForce 963;
groups.git = {};
};
services.openssh.settings.AcceptEnv = "GIT_PROTOCOL";
services.gitlab = {
enable = true;
statePath = "/var/lib/git/state";
backup.path = "/var/lib/git/backup";
databaseCreateLocally = true;
databaseUsername = "git";
databaseName = "git";
user = "git";
group = "git";
host = "git.chvp.be";
port = 443;
https = true;
initialRootEmail = "charlotte@vanpetegem.be";
initialRootPasswordFile = config.age.secrets."passwords/services/git/initial-root-password".path;
# Hack, https://github.com/NixOS/nixpkgs/pull/135926 broke stuff
pages.settings.pages-domain = "not.actually.enabled";
secrets = {
dbFile = config.age.secrets."passwords/services/git/db".path;
jwsFile = config.age.secrets."passwords/services/git/jws".path;
otpFile = config.age.secrets."passwords/services/git/otp".path;
secretFile = config.age.secrets."passwords/services/git/secret".path;
};
smtp = {
services = {
forgejo = {
enable = true;
enableStartTLSAuto = false;
stateDir = "/var/lib/forgejo";
user = "git";
group = "git";
database = {
type = "postgres";
user = "git";
name = "git";
createDatabase = true;
};
settings = {
repository = {
ENABLE_PUSH_CREATE_USER = true;
ENABLE_PUSH_CREATE_ORG = true;
};
server = {
DOMAIN = "git.chvp.be";
PROTOCOL = "http+unix";
ROOT_URL = "https://git.chvp.be/";
HTTP_ADDR = "/run/forgejo/forgejo.socket";
};
service.EMAIL_DOMAIN_ALLOWLIST = "vanpetegem.be";
mailer = {
ENABLED = true;
PROTOCOL = "smtps";
SMTP_ADDR = "mail.vanpetegem.me";
SMPT_PORT = 465;
USER = "git@chvp.be";
FROM = "Git <git@chvp.be>";
};
"email.incoming" = {
ENABLED = true;
REPLY_TO_ADDRESS = "git+%{token}@chvp.be";
HOST = "mail.vanpetegem.me";
PORT = 993;
USERNAME = "git@chvp.be";
USE_TLS = true;
};
session = {
COOKIE_SECURE = true;
PROVIDER = "db";
COOKIE_NAME = "forgejo_session";
};
log = {
ROOT_PATH = "/var/log/forgejo";
};
};
secrets = {
mailer.PASSWD = config.age.secrets."passwords/services/git/mail-password".path;
"email.incoming".PASSWORD = config.age.secrets."passwords/services/git/mail-password".path;
};
};
};
age.secrets."passwords/services/git/initial-root-password" = {
file = ../../../../secrets/passwords/services/git/initial-root-password.age;
owner = "git";
};
age.secrets."passwords/services/git/db" = {
file = ../../../../secrets/passwords/services/git/db.age;
owner = "git";
};
age.secrets."passwords/services/git/jws" = {
file = ../../../../secrets/passwords/services/git/jws.age;
owner = "git";
};
age.secrets."passwords/services/git/otp" = {
file = ../../../../secrets/passwords/services/git/otp.age;
owner = "git";
};
age.secrets."passwords/services/git/secret" = {
file = ../../../../secrets/passwords/services/git/secret.age;
owner = "git";
age.secrets = {
"passwords/services/git/mail-password" = {
file = ../../../../secrets/passwords/services/git/mail-password.age;
owner = "git";
};
};
};
}
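Review bot: `SMPT_PORT = 465;` in the `mailer` section is misspelled — Forgejo reads `mailer.SMTP_PORT`, so this key is ignored and the port silently falls back to the protocol default, which only happens to be 465 for `smtps`; change it to `SMTP_PORT = 465;` so the explicit value actually takes effect and a future port change is not lost. Separately, `service.EMAIL_DOMAIN_ALLOWLIST = "vanpetegem.be"` limits who can sign up but does not turn self-registration off, so anyone holding an address in that domain can create an account on a public forge; if that is not intended, add `service.DISABLE_REGISTRATION = true;` next to it, and otherwise a one-line comment stating that family-domain self-registration is deliberate would save the next reviewer the same question.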


@ -1,57 +0,0 @@
{ config, lib, pkgs, ... }:
{
options.chvp.services.git.runner.enable = lib.mkOption {
default = false;
example = true;
};
config = lib.mkIf config.chvp.services.git.runner.enable {
services.gitlab-runner = {
enable = true;
settings.concurrent = 8;
services = {
nix = {
authenticationTokenConfigFile = config.age.secrets."passwords/services/gitlab-runner/registration".path;
dockerImage = "alpine";
dockerVolumes = [
"/nix/store:/nix/store:ro"
"/nix/var/nix/db:/nix/var/nix/db:ro"
"/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
"/etc/nix/nix.conf:/etc/nix/nix.conf:ro"
];
preBuildScript = pkgs.writeScript "setup-container" ''
mkdir -p -m 0755 /nix/var/log/nix/drvs
mkdir -p -m 0755 /nix/var/nix/gcroots
mkdir -p -m 0755 /nix/var/nix/profiles
mkdir -p -m 0755 /nix/var/nix/temproots
mkdir -p -m 0755 /nix/var/nix/userpool
mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
mkdir -p -m 1777 /nix/var/nix/profiles/per-user
mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
mkdir -p -m 0700 "$HOME/.nix-defexpr"
. ${pkgs.nix}/etc/profile.d/nix.sh
${pkgs.nix}/bin/nix-env -i ${lib.concatStringsSep " " (with pkgs; [ nix cacert git openssh ])}
'';
environmentVariables = {
ENV = "/etc/profile";
USER = "root";
NIX_REMOTE = "daemon";
PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
};
requestConcurrency = 4;
};
};
};
virtualisation.docker = {
enable = true;
storageDriver = "zfs";
};
age.secrets."passwords/services/gitlab-runner/registration" = {
file = ../../../../secrets/passwords/services/gitlab-runner/registration.age;
};
};
}


@ -45,6 +45,9 @@ in
hashedPasswordFile = config.age.secrets."passwords/services/mail/noreply@vanpetegem.me".path;
sendOnly = true;
};
"git@chvp.be" = {
hashedPasswordFile = config.age.secrets."passwords/services/mail/git@chvp.be".path;
};
"peter@vanpetegem.me".hashedPasswordFile = config.age.secrets."passwords/services/mail/peter@vanpetegem.me".path;
"postbot@vanpetegem.be" = {
hashedPasswordFile = config.age.secrets."passwords/services/mail/postbot@vanpetegem.be".path;
@ -163,6 +166,7 @@ in
age.secrets = {
"passwords/services/mail/charlotte@vanpetegem.be".file = ../../../../secrets/passwords/services/mail/charlotte_at_vanpetegem.be.age;
"passwords/services/mail/git@chvp.be".file = ../../../../secrets/passwords/services/mail/git_at_chvp.be.age;
"passwords/services/mail/hallo@estherdereys.be".file = ../../../../secrets/passwords/services/mail/hallo_at_estherdereys.be.age;
"passwords/services/mail/hallo@robbe.be".file = ../../../../secrets/passwords/services/mail/hallo_at_robbe.be.age;
"passwords/services/mail/huis@vanpetegem.me".file = ../../../../secrets/passwords/services/mail/huis_at_vanpetegem.me.age;