nix-config/hosts/gitea/default.nix

{ config, pkgs, lib, libC, libS, ... }:

{
  c3d2.deployment.server = "server10";

  microvm.mem = 4 * 1024;

  environment.systemPackages = with pkgs; [
    # used to restore database dumps
    config.services.postgresql.package unzip
  ];

  networking = {
    hostName = "gitea";
    firewall.allowedTCPPorts = [ 2222 ];
  };

  services = {
    backup = {
      paths = [ "/var/lib/gitea/" ];
      exclude = [
        "/var/lib/gitea/data/indexers/"
        "/var/lib/gitea/data/repo-archive"
        "/var/lib/gitea/data/queues"
        "/var/lib/gitea/data/tmp/"
      ];
    };

    gitea = {
      enable = true;
      appName = "Gitea: with a cup of Kolle Mate";
      database.type = "postgres";
      lfs.enable = true;
      repositoryRoot = "/var/lib/gitea/repositories";

      dump = {
        # Is a nice feature once we have a dedicated backup storage.
        # For now it is disabled, since it delays `nixos-rebuild switch`.
        enable = false;
        backupDir = "/var/backup/gitea/";
      };

      ldap = {
        enable = true;
        adminGroup = "gitea-admins";
        bindPasswordFile = config.sops.secrets."gitea/ldapSearchUserPassword".path;
      };

      settings = {
        # we use drone for internal tasks and don't want people to execute code on our infrastructure
        actions.ENABLED = false;
        "cron.delete_generated_repository_avatars".ENABLED = true;
        "cron.delete_old_system_notices".ENABLED = true;
        "cron.git_gc_repos".ENABLED = true;
        "cron.repo_health_check".TIMEOUT = "300s";
        "cron.resync_all_sshkeys" = {
          ENABLED = true;
          RUN_AT_START = true;
        };
        database.LOG_SQL = false;
        # enable if it is actually useful
        # federation.ENABLED = true;
        indexer.REPO_INDEXER_ENABLED = true;
        log = {
          LEVEL = "Info";
          DISABLE_ROUTER_LOG = true;
        };
        mailer = {
          ENABLED = true;
          FROM = "gitea@c3d2.de";
          PROTOCOL = "sendmail";
          SENDMAIL_PATH = "/run/wrappers/bin/sendmail";
          SENDMAIL_ARGS = "--";
        };
        other.SHOW_FOOTER_VERSION = false;
        # disabled to prevent us becoming critical infrastructure, might revisit later
        packages.ENABLED = false;
        picture = {
          # this also disables libravatar
          DISABLE_GRAVATAR = false;
          ENABLE_FEDERATED_AVATAR = true;
          GRAVATAR_SOURCE = "libravatar";
          REPOSITORY_AVATAR_FALLBACK = "random";
        };
        repository.DEFAULT_REPO_UNITS = "repo.code,repo.releases,repo.issues,repo.pulls";
        server = rec {
          DOMAIN = "gitea.c3d2.de";
          ENABLE_GZIP = true;
          SSH_AUTHORIZED_KEYS_BACKUP = false;
          SSH_DOMAIN = DOMAIN;
        };
        service = {
          DISABLE_REGISTRATION = true;
          NO_REPLY_ADDRESS = "no_reply@c3d2.de";
          REGISTER_EMAIL_CONFIRM = true;
          ENABLE_NOTIFY_MAIL = true;
        };
        session = {
          COOKIE_SECURE = lib.mkForce true;
          PROVIDER = "db";
          SAME_SITE = "strict";
        };
        "ssh.minimum_key_sizes" = {
          ECDSA = -1;
          RSA = 4095;
        };
        time.DEFAULT_UI_LOCATION = config.time.timeZone;
        ui = {
          DEFAULT_THEME = "arc-green";
          EXPLORE_PAGING_NUM = 25;
          FEED_PAGING_NUM = 50;
          ISSUE_PAGING_NUM = 25;
        };
      };
    };

    nginx = {
      enable = true;
      virtualHosts."gitea.c3d2.de" = {
        forceSSL = true;
        enableACME = true;
        listen = libC.defaultListen;
        locations."/".proxyPass = "http://localhost:3000";
      };
    };

    openssh = {
      enable = true;
      extraConfig = ''
        Match User gitea
          AllowAgentForwarding no
          AllowTcpForwarding no
          PermitTTY no
          X11Forwarding no
      '';
    };

    portunus.addToHosts = true;

    postgresql = {
      package = pkgs.postgresql_15;
      upgrade.stopServices = [ "gitea" ];
    };
  };

  sops = {
    defaultSopsFile = ./secrets.yaml;
    secrets = {
      "gitea/ldapSearchUserPassword" = libS.sops.permissionForUser "gitea";
      "restic/password".owner = "root";
      "restic/repository/server8".owner = "root";
    };
  };

  programs.msmtp = {
    enable = true;
    accounts.default = {
      host = "mail.c3d2.de";
      port = 587;
      tls = true;
      tls_starttls = true;
      auth = false;
      domain = "gitea.c3d2.de";
      from = "mail@c3d2.de";
    };
  };

  system.stateVersion = "21.11";
}
Enable proxyProtocol for drone and gitea 2023-04-11 01:11:43 +02:00			`{ config, pkgs, lib, libC, libS, ... }:`
Add Gitea container 2021-10-02 20:28:30 +02:00
			`{`
Default microvm mounts to etc, home, var; random cleanups 2022-12-18 22:16:29 +01:00			`c3d2.deployment.server = "server10";`
gitea: convert to microvm 2022-06-20 22:10:23 +02:00
gitea: reduce RAM to 4 GB 2022-06-21 01:13:53 +02:00			`microvm.mem = 4 * 1024;`
gitea: convert to microvm 2022-06-20 22:10:23 +02:00
gitea: use postgres package that is used for db service 2023-04-27 21:47:12 +02:00			`environment.systemPackages = with pkgs; [`
			`# used to restore database dumps`
			`config.services.postgresql.package unzip`
			`];`
gitea: format, enable declarative ldap 2023-03-18 01:35:27 +01:00
gitea: renovate config 2022-06-20 20:27:14 +02:00			`networking = {`
			`hostName = "gitea";`
Handle nginx open firewall by nixos-modules 2022-12-20 04:31:37 +01:00			`firewall.allowedTCPPorts = [ 2222 ];`
gitea: renovate config 2022-06-20 20:27:14 +02:00			`};`

			`services = {`
Use options for restic backups 2023-05-18 01:55:16 +02:00			`backup = {`
			`paths = [ "/var/lib/gitea/" ];`
			`exclude = [`
			`"/var/lib/gitea/data/indexers/"`
			`"/var/lib/gitea/data/repo-archive"`
			`"/var/lib/gitea/data/queues"`
			`"/var/lib/gitea/data/tmp/"`
			`];`
			`};`

gitea: remove rec 2023-04-27 21:50:37 +02:00			`gitea = {`
gitea: renovate config 2022-06-20 20:27:14 +02:00			`enable = true;`
			`appName = "Gitea: with a cup of Kolle Mate";`
Format 2023-01-06 21:08:58 +01:00			`database.type = "postgres";`
gitea: renovate config 2022-06-20 20:27:14 +02:00			`lfs.enable = true;`
gitea: format, enable declarative ldap 2023-03-18 01:35:27 +01:00			`repositoryRoot = "/var/lib/gitea/repositories";`
gitea: renovate config 2022-06-20 20:27:14 +02:00
			`dump = {`
Format 2023-01-06 21:08:58 +01:00			`# Is a nice feature once we have a dedicated backup storage.`
			# For now it is disabled, since it delays `nixos-rebuild switch`.
gitea: renovate config 2022-06-20 20:27:14 +02:00			`enable = false;`
gitea: format, enable declarative ldap 2023-03-18 01:35:27 +01:00			`backupDir = "/var/backup/gitea/";`
			`};`

			`ldap = {`
			`enable = true;`
			`adminGroup = "gitea-admins";`
			`bindPasswordFile = config.sops.secrets."gitea/ldapSearchUserPassword".path;`
gitea: renovate config 2022-06-20 20:27:14 +02:00			`};`

			`settings = {`
gitea: update shiny new and old settings 2023-03-23 20:29:18 +01:00			`# we use drone for internal tasks and don't want people to execute code on our infrastructure`
			`actions.ENABLED = false;`
Format 2023-01-06 21:08:58 +01:00			`"cron.delete_generated_repository_avatars".ENABLED = true;`
			`"cron.delete_old_system_notices".ENABLED = true;`
gitea: update shiny new and old settings 2023-03-23 20:29:18 +01:00			`"cron.git_gc_repos".ENABLED = true;`
Format 2023-01-06 21:08:58 +01:00			`"cron.repo_health_check".TIMEOUT = "300s";`
gitea: renovate config 2022-06-20 20:27:14 +02:00			`"cron.resync_all_sshkeys" = {`
			`ENABLED = true;`
			`RUN_AT_START = true;`
			`};`
Format 2023-01-06 21:08:58 +01:00			`database.LOG_SQL = false;`
gitea: update shiny new and old settings 2023-03-23 20:29:18 +01:00			`# enable if it is actually useful`
			`# federation.ENABLED = true;`
Format 2023-01-06 21:08:58 +01:00			`indexer.REPO_INDEXER_ENABLED = true;`
gitea: renovate config 2022-06-20 20:27:14 +02:00			`log = {`
			`LEVEL = "Info";`
			`DISABLE_ROUTER_LOG = true;`
			`};`
			`mailer = {`
			`ENABLED = true;`
			`FROM = "gitea@c3d2.de";`
gitea: fix deprecated option 2023-02-22 20:01:43 +01:00			`PROTOCOL = "sendmail";`
gitea: add working sendmail config 2022-06-24 00:12:08 +02:00			`SENDMAIL_PATH = "/run/wrappers/bin/sendmail";`
			`SENDMAIL_ARGS = "--";`
gitea: renovate config 2022-06-20 20:27:14 +02:00			`};`
Format 2023-01-06 21:08:58 +01:00			`other.SHOW_FOOTER_VERSION = false;`
gitea: update shiny new and old settings 2023-03-23 20:29:18 +01:00			`# disabled to prevent us becoming critical infrastructure, might revisit later`
			`packages.ENABLED = false;`
gitea: renovate config 2022-06-20 20:27:14 +02:00			`picture = {`
			`# this also disables libravatar`
			`DISABLE_GRAVATAR = false;`
			`ENABLE_FEDERATED_AVATAR = true;`
			`GRAVATAR_SOURCE = "libravatar";`
			`REPOSITORY_AVATAR_FALLBACK = "random";`
			`};`
gitea: update shiny new and old settings 2023-03-23 20:29:18 +01:00			`repository.DEFAULT_REPO_UNITS = "repo.code,repo.releases,repo.issues,repo.pulls";`
gitea: fix infinite recursion 2023-04-28 00:07:24 +02:00			`server = rec {`
			`DOMAIN = "gitea.c3d2.de";`
gitea: renovate config 2022-06-20 20:27:14 +02:00			`ENABLE_GZIP = true;`
			`SSH_AUTHORIZED_KEYS_BACKUP = false;`
gitea: fix infinite recursion 2023-04-28 00:07:24 +02:00			`SSH_DOMAIN = DOMAIN;`
gitea: renovate config 2022-06-20 20:27:14 +02:00			`};`
			`service = {`
Fix deprecations 2022-10-31 22:14:10 +01:00			`DISABLE_REGISTRATION = true;`
gitea: renovate config 2022-06-20 20:27:14 +02:00			`NO_REPLY_ADDRESS = "no_reply@c3d2.de";`
			`REGISTER_EMAIL_CONFIRM = true;`
			`ENABLE_NOTIFY_MAIL = true;`
			`};`
			`session = {`
			`COOKIE_SECURE = lib.mkForce true;`
			`PROVIDER = "db";`
			`SAME_SITE = "strict";`
			`};`
			`"ssh.minimum_key_sizes" = {`
			`ECDSA = -1;`
gitea: increqase minimal rsa key size 2022-07-23 22:26:08 +02:00			`RSA = 4095;`
gitea: renovate config 2022-06-20 20:27:14 +02:00			`};`
Format 2023-01-06 21:08:58 +01:00			`time.DEFAULT_UI_LOCATION = config.time.timeZone;`
gitea: renovate config 2022-06-20 20:27:14 +02:00			`ui = {`
			`DEFAULT_THEME = "arc-green";`
gitea: increase paging per size 2022-07-27 21:00:29 +02:00			`EXPLORE_PAGING_NUM = 25;`
			`FEED_PAGING_NUM = 50;`
			`ISSUE_PAGING_NUM = 25;`
gitea: renovate config 2022-06-20 20:27:14 +02:00			`};`
			`};`
			`};`

			`nginx = {`
			`enable = true;`
			`virtualHosts."gitea.c3d2.de" = {`
			`forceSSL = true;`
			`enableACME = true;`
Enable proxyProtocol for drone and gitea 2023-04-11 01:11:43 +02:00			`listen = libC.defaultListen;`
gitea: renovate config 2022-06-20 20:27:14 +02:00			`locations."/".proxyPass = "http://localhost:3000";`
			`};`
			`};`

			`openssh = {`
			`enable = true;`
			`extraConfig = ''`
			`Match User gitea`
			`AllowAgentForwarding no`
			`AllowTcpForwarding no`
			`PermitTTY no`
			`X11Forwarding no`
			`'';`
			`};`
Replace copy pasted hosts entry with option 2022-12-22 21:25:53 +01:00
			`portunus.addToHosts = true;`
Upgrade postgres 2023-01-07 00:54:40 +01:00
			`postgresql = {`
			`package = pkgs.postgresql_15;`
			`upgrade.stopServices = [ "gitea" ];`
			`};`
gitea: renovate config 2022-06-20 20:27:14 +02:00			`};`

gitea: format, enable declarative ldap 2023-03-18 01:35:27 +01:00			`sops = {`
			`defaultSopsFile = ./secrets.yaml;`
gitea: add restic, server8: bump max_blob_size 2023-05-17 00:27:06 +02:00			`secrets = {`
			`"gitea/ldapSearchUserPassword" = libS.sops.permissionForUser "gitea";`
Add offsite restic backups, move to backup module 2023-05-17 00:57:08 +02:00			`"restic/password".owner = "root";`
			`"restic/repository/server8".owner = "root";`
gitea: add restic, server8: bump max_blob_size 2023-05-17 00:27:06 +02:00			`};`
gitea: format, enable declarative ldap 2023-03-18 01:35:27 +01:00			`};`

gitea: add working sendmail config 2022-06-24 00:12:08 +02:00			`programs.msmtp = {`
			`enable = true;`
			`accounts.default = {`
			`host = "mail.c3d2.de";`
			`port = 587;`
			`tls = true;`
			`tls_starttls = true;`
			`auth = false;`
			`domain = "gitea.c3d2.de";`
			`from = "mail@c3d2.de";`
			`};`
			`};`

Add Gitea container 2021-10-02 20:28:30 +02:00			`system.stateVersion = "21.11";`
			`}`