From 66221229cac20eff172a44db999f9799401999b8 Mon Sep 17 00:00:00 2001
From: "Lennart J. Kurzweg (Nx2)"
Date: Mon, 11 Nov 2024 14:02:21 +0100
Subject: [PATCH] gitea, crashes

---
 configuration.nix | 1 +
 sops-secrets.yaml | 5 +-
 system-modules/gitea.nix | 6 --
 system-modules/networking.nix | 4 +-
 system-modules/nx2site/gitea.nix | 71 ++++++++++++++++++++++
 system-modules/nx2site/proxy.nix | 2 +-
 system-modules/nx2site/vaultwarden.nix | 0
 system-modules/postgres.nix | 83 ++++++++++++++++++++++++++
 system-modules/users.nix | 17 +++++-
 9 files changed, 176 insertions(+), 13 deletions(-)
 delete mode 100644 system-modules/gitea.nix
 create mode 100644 system-modules/nx2site/gitea.nix
 create mode 100644 system-modules/nx2site/vaultwarden.nix
 create mode 100644 system-modules/postgres.nix

diff --git a/configuration.nix b/configuration.nix
index e6d7a09..e64be4d 100755
--- a/configuration.nix
+++ b/configuration.nix
@@ -39,6 +39,7 @@
 ./system-modules/ydotool.nix
 ]) ++ (if (host == "NxACE") then [
 ./system-modules/nx2site.nix
+./system-modules/postgres.nix
 ./system-modules/nx2site/proxy.nix
 # ./system-modules/nx2site/gitea.nix
 # ./system-modules/nx2site/vaultwarden.nix
diff --git a/sops-secrets.yaml b/sops-secrets.yaml
index 5a07b2e..83699ae 100644
--- a/sops-secrets.yaml
+++ b/sops-secrets.yaml
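Review bot: postgres.nix is now imported for the NxACE host, but `# ./system-modules/nx2site/gitea.nix` on the very next line stays commented out, so the module that registers the `postgres-pw` sops secret and defines the `gitea` service user and group is not part of the evaluated configuration. As far as this patch shows, that leaves users.nix adding `${user}` to a `gitea` group no enabled module declares, and postgres.nix creating a `gitea` role and database that no service connects to. If the import is left out on purpose while the Gitea server settings are being fixed, a one-line comment such as `# disabled until the gitea server config is fixed` next to the commented import would make that state explicit instead of looking like an oversight.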
@@ -37,6 +37,7 @@ eduroam:
 nxxpspw: ENC[AES256_GCM,data:IpzL3rsB9BN5fhUBMtAo3DPhk6LEDuizHUj+mPPtQA==,iv:zjH5Bcw0q57oyA/ce0scSIeDvmt51vQzttHq6hwDkwk=,tag:Gf0NUQ3O3fol0M0+2HpGEA==,type:str]
 tuda_nmconnection: ENC[AES256_GCM,data:LHy4lYZ6hf0Xfz25KSIY47TwrjNoEvqPi21mXKsfOq9/8Hmveca7UD9jfSbL2fyQ7dEBB2yoW01l6L63GilmSRUqd7eU2dhUCOdZ6L0j7IiFg51oT0FtJSKnQIf9BHslRWP3gQifOxKCIMGwhVEw6xMRINwRizjq073oCCDvgKtbW0cxLy8s4VOsBgAjCWiRDWaItYW83lLL6y49SYw8JJljZXGwrSxmE/wN2STJ05Wzc3cuah63b+lKnGAApkfCALGYGjdktJ/87wT0RveTyV7DzmKOd9Oo0N2cPB91vsnYOKlUBEsNo45x52tvlAx4qJ7358SjNTV0i4HD+k5/byKe8IvSnEsRjvnOLG9OXdCkdf17NcI7VvWPF6u3kAWp81Wc+6lFo9LXB5AE8dRpf5naC1wseLl2pU/8cdgj2EgVl89mo8QaaQfAPxEbaFDnQcNCEYXcRcwjVfBV5cQVqYIrcmmb/c1IVGOOSBijM8u19zq5DfUP1uc835RE9D6NL7NV69VvgoYjb/8/GGf11hDcDESaOEK3zULeyKU0K0hM7AluI8rnZsOZJK70OMLJsUPvVfI0GS9NGZXjYfCoALE0DAt2Qi4cKMNLQzQvHkvXGbdMpzI=,iv:SZmGSEOEPdzWvYvAe4/Iv8qNZjaAfSY+uVfpt3BBN9Q=,tag:NprSgZJwjBHCEKNNypESxg==,type:str]
 hsmw-vpn-secret: ENC[AES256_GCM,data:3bKxRGTQcbhRjzARSpYBW5ekQW/U/ixzNiFmO36gw0NKyDMLlbVbJBqXvi71M0GXgmo/FA==,iv:7bVDA8u9apDNXFY/vEMbz/0HywG5Pyrl5JfZrcNCr8w=,tag:xz4j7cEc5hvLwrItWjkx0Q==,type:str]
+postgres-pw: ENC[AES256_GCM,data:D9b7IbvLshmRuSyF9+V3WqVf/95+OhCJm0g=,iv:D4tpzEBzcCatbnQwtOGn8X0QSrXOye20rXaw8TSB7Gk=,tag:Q0B/86eDKkhu0Jnln1sUyg==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -79,8 +80,8 @@ sops:
 SHJLR3lvdlFiRmJuU25RUHFFTmpjamMKbzycdDvQBAuOiRROTZEQSnaXoPapz73L
 yVS9EUP25FSx/sGqRqaCefbeaybuM1aso6LDnlomv4Bib7zjugWKSw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-11-09T19:04:21Z"
- mac: ENC[AES256_GCM,data:S2Y8EeIAh85xU30gR6HIUMGzO11/TP3g6S9UL+6QlHYY9lJKAcvdatWfD2DXJPdN7/dryYNZ1V1rYSIqEMi2QgBoiDN/fA9DF0/YPqfT2oLFBk5VASovRVqWb+x9kXDAnyev/RSX3i0wpJwsr9c1cGxv0ZYG8m+yyWkLJkcmRUo=,iv:MBP4jaUWnpOkUtR6BVTMDhDDP3oWspvBH2syPqL7uuw=,tag:8mySVfdq3D/xDZ3I272D3Q==,type:str]
+ lastmodified: "2024-11-10T17:15:08Z"
+ mac: ENC[AES256_GCM,data:VIPBKaDhSV7TG+pbo1OtdREJeqwdXqqDETeXkvhIs0Bz/c01MZXqPgubINW9tSLrNewFWSU5xI0O7L2ExBIjZxJ/nEmQkNkN+CUy1uGwatxsqa7gyVs1gXpIPPUGgStDMu8iukUSj9mLg9xQwGu0hGoC7DCbGqpu7blbUUzg0dE=,iv:+cR1vV7O3VdacP4MwAFkyBjKnqteL6AuV1H3Hh5hz28=,tag:WV/NHHPxvlkdslZbb0FBXA==,type:str]
 pgp:
 - created_at: "2024-06-09T19:44:41Z"
 enc: |-
diff --git a/system-modules/gitea.nix b/system-modules/gitea.nix
deleted file mode 100644
index bc24df1..0000000
--- a/system-modules/gitea.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{ pkgs, ... }:
-{
- services.gitea = {
- enable = true;
- };
-}
diff --git a/system-modules/networking.nix b/system-modules/networking.nix
index 5acee63..d59a557 100755
--- a/system-modules/networking.nix
+++ b/system-modules/networking.nix
@@ -13,12 +13,10 @@
 networkmanager = {
 enable = true;
 };
- enableIPv6 = false;
+ enableIPv6 = true;
 firewall.allowedTCPPorts = [ 80 443 ];
 };
-
- networking.enableIPv6 = true;
 }
diff --git a/system-modules/nx2site/gitea.nix b/system-modules/nx2site/gitea.nix
new file mode 100644
index 0000000..746c90f
--- /dev/null
+++ b/system-modules/nx2site/gitea.nix
@@ -0,0 +1,71 @@
+{ config, pkgs-unstable, domain, ... }:
+{
+ sops.secrets = {
+ "postgres-pw" = { owner = "gitea"; };
+ };
+
+ services.gitea = {
+ enable = true;
+ package = pkgs-unstable.gitea;
+ group = "gitea"; # default
+ user = "gitea"; # default
+ appName = "NxGit";
+ stateDir = "/var/lib/gitea"; # default
+ useWizard = false; # default
+ # camoHmacKeyFile = ;
+ customDir = "${config.services.gitea.stateDir}/custom"; # default
+ database = {
+ createDatabase = false; # default
+ host = "127.0.0.1"; # default
+ port = 5432;
+ passwordFile = config.sops.secrets."postgres-pw".path;
+ # path = "${config.services.gitea.stateDir}/data/gitea.db"; # default
+ # socket = "/run/postgresql";
+ socket = null;
+ type = "postgres";
+ name = "gitea"; # default
+ user = "gitea"; # default
+ };
+ dump = {
+ enable = true;
+ backupDir = "${config.services.gitea.stateDir}/dump"; # default
+ file = null; # default
+ interval = "daily";
+ type = "zip"; # default
+ };
+ extraConfig = null; # default
+ lfs = {
+ enable = false; # default
+ contentDir = "${config.services.gitea.stateDir}/data/lfs"; # default
+ };
+ mailerPasswordFile = null; # default
+ metricsTokenFile = null; # default
+ repositoryRoot = "${config.services.gitea.stateDir}/repositories"; # default
+ settings = {
+ log = {
+ LEVEL = "Info";
+ # LEVEL = "Error";
+ ROOT_PATH = "${config.services.gitea.stateDir}/log"; # default
+ };
+ i18n = {
+ LANGS = "en-US";
+ };
+ server = {
+ DISABLE_SSH = false; # default
+ SSH_PORT = 20022;
+ DOMAIN = "pw2.${domain}";
+ HTTP_ADDR = "http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT}/";
+ HTTP_PORT = 3000; # default
+ PROTOCOL = "http"; # default
+ ROOT_URL = "https:pw2.${domain}/"; # default
+ STATIC_ROOT_PATH = "${config.services.gitea.stateDir}/static";
+ };
+ session = {
+ COOKIE_SECURE = true;
+ };
+ service = {
+ DISABLE_REGISTRATION = true;
+ };
+ };
+ };
+}
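Review bot: `HTTP_ADDR` in the `server` block is set to a full URL built from DOMAIN and HTTP_PORT, but Gitea's HTTP_ADDR is the listen address handed to the socket listener (an IP or, for unix protocols, a socket path), not a URL; with `PROTOCOL = "http"` such a value cannot be bound, which is a plausible source of the crash named in the commit title. Since proxy.nix forwards `pw2.${domain}` to `127.0.0.1:3000`, the matching line is `HTTP_ADDR = "127.0.0.1";`, which also keeps Gitea off every non-loopback interface so all traffic enters through the TLS vhost that `COOKIE_SECURE = true` assumes. `ROOT_URL = "https:pw2.${domain}/"` is missing the `//` after the scheme and should read `ROOT_URL = "https://pw2.${domain}/";`, otherwise every absolute link Gitea generates (clone URLs, mail links, OAuth redirect URIs) is malformed; it is also not the default despite the trailing comment. Note that with the `trust` pg_hba rules postgres.nix installs, `passwordFile` is never consulted by the server, so the secret gives no protection until the authentication method there is changed.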
diff --git a/system-modules/nx2site/proxy.nix b/system-modules/nx2site/proxy.nix
index c2a4a77..e6aa7a9 100644
--- a/system-modules/nx2site/proxy.nix
+++ b/system-modules/nx2site/proxy.nix
@@ -110,7 +110,7 @@
 };
 "pw2.${domain}" = vh // {
 listen = dl;
- locations = let d = "127.0.0.1:8222"; in {
+ locations = let d = "127.0.0.1:3000"; in {
 "/" = { proxyPass = "http://${d}"; };
 "/admin" = { proxyPass = "http://${d}"; };
 "/notifications/hub" = { proxyPass = "http://${d}"; };
diff --git a/system-modules/nx2site/vaultwarden.nix b/system-modules/nx2site/vaultwarden.nix
new file mode 100644
index 0000000..e69de29
diff --git a/system-modules/postgres.nix b/system-modules/postgres.nix
new file mode 100644
index 0000000..35909af
--- /dev/null
+++ b/system-modules/postgres.nix
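Review bot: The `pw2.${domain}` vhost now points at Gitea on port 3000 but keeps the three-entry route list that was evidently written for the previous backend on 8222; all three locations proxy to the same upstream with identical settings, so for Gitea the single `"/" = { proxyPass = "http://${d}"; };` entry is sufficient and the `/admin` and `/notifications/hub` lines only suggest a special-casing that no longer exists. The vhost's shared pieces (`vh`, `dl`) are defined outside this hunk, so whether the proxy sets the forwarded Host/proto headers Gitea relies on to build correct URLs behind a reverse proxy cannot be confirmed here; worth checking alongside the ROOT_URL change in nx2site/gitea.nix.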
@@ -0,0 +1,83 @@
+{ config, pkgs, lib, user, ... }:
+{
+ services = {
+ postgresql = {
+ enable = true;
+ package = pkgs.postgresql_12;
+ dataDir = "/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}"; # default
+ # identMap = ''
+ # ${user} ${user} ${user}
+ # '';
+ enableJIT = false; # default
+ initdbArgs = []; # default
+ checkConfig = true; # default
+ enableTCPIP = false;
+ # # extraPlugins =
+ initialScript = null; # default
+ authentication = lib.mkForce ''
+ # TYPE DATABASE USER ADDRESS METHOD
+ local all all trust
+ host all all 127.0.0.1/32 trust #scram-sha-256
+ host all all ::1/128 trust #scram-sha-256
+ '';
+ # recoveryConfig = null;
+ ensureDatabases = [
+ "gitea"
+ # "vaultwarden"
+ ];
+ settings = {
+ port = 5432; # default
+ listen_addresses = "localhost";
+ log_line_prefix = "[%p] "; # default
+ shared_preload_libraries = [ ]; # default
+ };
+ ensureUsers = [
+ # {
+ # name = "${user}";
+ # ensureDBOwnership = false;
+ # ensureClauses = {
+ # login = true;
+ # # inherit
+ # createdb = true;
+ # bypassrls = true;
+ # superuser = true;
+ # createrole = true;
+ # replication = true;
+ # };
+ # }
+ {
+ # as liong as there is no declarative user management you gotta set a pw by hand
+ # sudo -u postgres psql -c "ALTER USER gitea PASSWORD 'new-passwd';"
+ name = "gitea";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+# postgresqlBackup = {
+# enable
+# startAt
+# location
+# databases
+# backupAll
+# compression
+# }
+
+
+# postgresqlWalReceiver.receivers."main" = {
+# postgresqlPackage = pkgs.postgresql_15;
+# directory = /mnt/pg_wal/main/;
+# slot = "main_wal_receiver";
+# connection = "postgresql://user@somehost";
+# compress
+# extraArgs
+# synchronous
+# environment
+# statusInterval
+# };
+# }
+ };
+}
+
+
+
+
diff --git a/system-modules/users.nix b/system-modules/users.nix
index 8e1168e..f43423e 100755
--- a/system-modules/users.nix
+++ b/system-modules/users.nix
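Review bot: `authentication = lib.mkForce` replaces the NixOS default pg_hba with `trust` on the unix socket and on both loopback addresses, which means any local process or account on NxACE — nginx, every other service, or a compromised one — can connect as any role, including the `postgres` superuser, without presenting a credential; the commented `#scram-sha-256` markers show the intended method was never switched on. The `gitea` role created by `ensureUsers` with `ensureDBOwnership = true` has the same name as the OS user the Gitea service runs as, so `local all all peer` authenticates it on the `/run/postgresql` socket with no password at all, which also removes the manual `ALTER USER gitea PASSWORD` step described in the comment beside `name = "gitea"` (and the "liong" typo with it). A workable block is `local all all peer`, `host all all 127.0.0.1/32 scram-sha-256` and `host all all ::1/128 scram-sha-256`, with the Gitea side pointed at the socket rather than 127.0.0.1 so the TCP rules only matter for ad-hoc clients. Separately, `pkgs.postgresql_12` reaches upstream end-of-life in November 2024; picking a newer major before real data lands avoids a dump/restore migration later.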
@@ -5,7 +5,22 @@
 users.users."${user}" = {
 isNormalUser = true;
- extraGroups = [ "networkmanager" "wheel" "audio" "video" "docker" "libvirtd" "uinput" "input" "ydotool" "acme" "nginx" "adbusers" ];
+ extraGroups = [
+ "networkmanager"
+ "wheel"
+ "audio"
+ "video"
+ "docker"
+ "libvirtd"
+ "uinput"
+ "input"
+ "ydotool"
+ "acme"
+ "nginx"
+ "adbusers"
+ "gitea"
+ "postgres"
+ ];
 useDefaultShell = true;
 openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID1RPCcS8DtIf75a2FEW4d8X6WTVeLlmretoLqppvZlJ" # From [A] GPG Sub Key