Add Gitea container

This commit is contained in:
Sandro - 2021-10-02 20:28:30 +02:00
parent 9ce399de42
commit 3ed7b4e16f
Signed by: sandro
GPG Key ID: 3AF5A43A3EECC2E5
9 changed files with 223 additions and 6 deletions


@ -4,15 +4,14 @@
"locked": {
"lastModified": 1632990363,
"narHash": "sha256-SNqz+9Vt4yDHqw8u/CMFdzMQTulKoMlVGJdshfcb5O0=",
"owner": "nixos",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "0a8b8054c9920368a3c15e6d766188fdf04b736f",
"type": "github"
},
"original": {
"owner": "nixos",
"repo": "nixos-hardware",
"type": "github"
"id": "nixos-hardware",
"type": "indirect"
}
},
"nixpkgs": {
@ -62,6 +61,22 @@
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1633080050,
"narHash": "sha256-T9I2WnlUzAIL70dk9V1jqaYk3nypy/cMkWR19S47ZHc=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "82155ff501c7622cb2336646bb62f7624261f6d7",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1631792076,
@ -83,6 +98,7 @@
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"nixpkgs-mobilizon": "nixpkgs-mobilizon",
"nixpkgs-unstable": "nixpkgs-unstable",
"scrapers": "scrapers",
"secrets": "secrets",
"spacemsg": "spacemsg",


@ -4,6 +4,7 @@
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/release-21.05";
nixpkgs-mobilizon.url = "github:minijackson/nixpkgs/init-mobilizon";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
secrets.url = "git+ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git";
zentralwerk.url = "git+https://gitea.c3d2.de/zentralwerk/network.git";
yammat.url = "git+https://gitea.c3d2.de/astro/yammat.git?ref=nix";
@ -62,8 +63,7 @@
in {
overlay = import ./overlay;
legacyPackages = forAllSystems
(system: nixpkgs.legacyPackages.${system}.extend self.overlay);
legacyPackages = forAllSystems (system: nixpkgs.legacyPackages.${system}.extend self.overlay);
packages = forAllSystems (system:
let
@ -177,6 +177,15 @@
system = "x86_64-linux";
};
gitea = nixosSystem' {
nixpkgs = inputs.nixpkgs-unstable;
modules = [
./lib/lxc-container.nix
./hosts/containers/gitea
];
system = "x86_64-linux";
};
glotzbert = nixosSystem' {
modules = [
./hosts/glotzbert
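Review bot: The new `gitea` entry is the only system in this hunk built from `inputs.nixpkgs-unstable` while its neighbours take the default nixpkgs, and nothing records why. A one-line comment above `nixpkgs = inputs.nixpkgs-unstable;` such as `# TODO(review): state why this host tracks nixpkgs-unstable (the Gitea 1.15.2 named in the migration notes of this commit?)` would save the next reader from guessing and flag when the pin can be dropped. The enclosing `nixosSystem'` attribute set begins and ends outside the hunk.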


@ -0,0 +1,55 @@
## Migration from [imbert to zentralwerk](https://codimd.c3d2.de/inbert-2021)
[based on https://docs.gitea.io/en-us/backup-and-restore/](https://docs.gitea.io/en-us/backup-and-restore/)
### @imbert
```shell
sudo -u git gitea dump -c /etc/gitea/app.ini
```
### @gitea.hq.c3d2.de (lxc 315 @server6)
- copied `gitea-dump-*.zip` from imbert to `/tmp/`
```shell
/etc/nixos/migrate.sh
```
Check consistency:
```shell
su gitea
cd
export GITEA_WORK_DIR=/var/lib/gitea
/nix/store/*-gitea-1.15.2/bin/gitea doctor --all
```
#### Fix problems caused by database schema changes between Gitea 1.8.3 and 1.15.2
2 Factor Auth didn't work, but was only used by 2 users anyway. We delete the old settings:
```sql
delete from two_factor;
```
There is a new column `repository.owner_name` that needs be set. Otherwise the web frontend displayed links starting with `//`.
Before fixing, we checked the `owner_names` queried by joining via `"user".id = repo.owner_id`:
```sql
select "user".lower_name, repo.owner_name, repo.lower_name from repository as repo inner join "user" on "user".id = repo.owner_id;
```
```sql
UPDATE repository
SET owner_name = map.name
FROM (SELECT "user".lower_name AS name, repository.owner_id AS id
FROM repository INNER JOIN "user" ON "user".id = repository.owner_id
) AS map
WHERE map.id = repository.owner_id;
```
#### Problems with old logins
Till now `PASSWORD_HASH_ALGO` `argon2` was used, but seems not to work in the new version.
Using the password recovery works.


@ -0,0 +1,12 @@
{ config, pkgs, ... }:
{
imports = [
./modules/networking.nix
./modules/gitea.nix
./modules/nginx.nix
./modules/ssh.nix
];
system.stateVersion = "21.11";
}


@ -0,0 +1,19 @@
#/usr/bin/env bash -e
DUMP=gitea-dump-1633035257
USER=gitea
DATABASE=gitea
cd /tmp/
unzip ${DUMP}.zip
unzip gitea-repo.zip
systemctl stop gitea
rm -r /var/lib/gitea/repositories/*
mv gitea-repositories/* /var/lib/gitea/repositories/
chown -R gitea:gitea /var/lib/gitea
sudo -u gitea psql -U $USER -d $DATABASE < gitea-db.sql
systemctl start gitea
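Review bot: The first line `#/usr/bin/env bash -e` is not a shebang (the `!` is missing), and even with it Linux would hand `bash -e` to env as one program name, so `-e` is never in effect and no failing command aborts the script. If `unzip ${DUMP}.zip` fails on a missing or truncated dump, execution still reaches `rm -r /var/lib/gitea/repositories/*` and the live repositories are deleted before any replacement exists. Use `#!/usr/bin/env bash` followed by `set -euo pipefail`, and quote `"$USER"` and `"$DATABASE"` in the psql line. The dump, which contains the full database including credential hashes, is also unpacked in world-writable `/tmp/`; extracting into a fresh `mktemp -d` directory keeps it readable only to the restoring user.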


@ -0,0 +1,64 @@
{ config, pkgs, ... }:
{
services.gitea = rec {
enable = true;
domain = "gitea.c3d2.de";
rootUrl = "https://${domain}/";
database = {
type = "postgres";
host = "127.0.0.1";
name = "gitea";
user = "gitea";
passwordFile = "/etc/giteaPassword";
};
repositoryRoot = "/var/lib/gitea/repositories";
disableRegistration = true;
lfs.enable = true;
log.level = "Info";
dump = {
## Is a nice feature once we have a dedicated backup storage.
## For now it is disabled, since it delays `nixos-rebuild switch`.
enable = false;
backupDir = "/var/lib/gitea/dump";
};
settings = {
server = {
# START_SSH_SERVER = true;
# BUILTIN_SSH_SERVER_USER = "git";
SSH_DOMAIN = domain;
ENABLE_GZIP = true;
};
cron = {
ENABLED = true;
};
mailer = {
ENABLED = true;
FROM = "gitea@c3d2.de";
MAILER_TYPE = "smtp";
HOST = "mail.c3d2.de:465";
IS_TLS_ENABLED = true;
};
service = {
NO_REPLY_ADDRESS = "no_reply@c3d2.de";
REGISTER_EMAIL_CONFIRM = true;
ENABLE_NOTIFY_MAIL = true;
};
database = {
LOG_SQL = false;
};
time = {
DEFAULT_UI_LOCATION = config.time.timeZone;
};
};
};
networking.firewall.allowedTCPPorts = [ 3000 2222 ];
environment.systemPackages = with pkgs; [ postgresql unzip ]; ## used to restore database dumps
}
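Review bot: `networking.firewall.allowedTCPPorts = [ 3000 2222 ];` near the end opens Gitea's plain-HTTP listener to the network, although the nginx module added in this commit already terminates TLS on 443 and proxies to `http://localhost:3000`; anyone reaching port 3000 gets the same service without TLS and outside the `forceSSL` redirect. Dropping 3000 keeps nginx as the only path in: `networking.firewall.allowedTCPPorts = [ 2222 ];`, or remove the line entirely, since the networking module in this commit already lists 2222 next to 80 and 443. Port 2222 itself matches nothing visible here — `START_SSH_SERVER` stays commented out a few lines above and the openssh module sets no `ports` — so unless it is forwarded to sshd elsewhere, it can go too.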


@ -0,0 +1,15 @@
{ config, pkgs, ... }:
{
networking = {
hostName = "gitea";
useDHCP = false;
interfaces.eth0 = {
useDHCP = false;
ipv4.addresses = [{ address = "172.20.73.53"; prefixLength = 26; }];
};
defaultGateway = "172.20.73.1";
nameservers = [ "172.20.73.8" "9.9.9.9" ];
firewall.allowedTCPPorts = [ 80 443 2222 ];
};
}


@ -0,0 +1,12 @@
{ config, lib, pkgs, ... }:
{
services.nginx = {
enable = true;
virtualHosts."gitea.c3d2.de" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://localhost:3000";
};
};
}
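Review bot: `enableACME = true;` requires `security.acme.acceptTerms = true;` and `security.acme.email`, and neither appears in this commit, so evaluation will fail unless `lib/lxc-container.nix` or another imported module sets them — worth a check before deploying. The `/` location also inherits the NixOS nginx default `client_max_body_size 10m`, which makes larger pushes and LFS uploads over HTTPS fail with 413 even though `lfs.enable = true` is set in the Gitea module; `locations."/".extraConfig = "client_max_body_size 512m;";` (or a limit matching the expected repository sizes) avoids that.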


@ -0,0 +1,15 @@
{ config, pkgs, ... }:
{
services.openssh = {
enable = true;
permitRootLogin = "prohibit-password";
extraConfig = ''
Match User gitea
AllowAgentForwarding no
AllowTcpForwarding no
PermitTTY no
X11Forwarding no
'';
};
}
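Review bot: The `Match User gitea` block disables agent and TCP forwarding but leaves Unix-socket forwarding at its default, which `AllowTcpForwarding no` does not cover; add `AllowStreamLocalForwarding no` to the block so a key accepted for the gitea account cannot be used to forward to local sockets on the container. Password logins are also left at the sshd default for every account; if this host is meant to be key-only, `passwordAuthentication = false;` next to `permitRootLogin` makes that explicit. A short comment above the Match block stating its intent, e.g. `# the gitea account is for git-over-ssh only: no shell features`, would help the next reader.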