From 3ed7b4e16fdeaf45ceeef1bf98473938142cfe0d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Sat, 2 Oct 2021 20:28:30 +0200
Subject: [PATCH] Add Gitea container

---
 flake.lock | 24 +++++--
 flake.nix | 13 +++-
 hosts/containers/gitea/Migration.md | 55 ++++++++++++++++
 hosts/containers/gitea/default.nix | 12 ++++
 hosts/containers/gitea/migrate.sh | 19 ++++++
 hosts/containers/gitea/modules/gitea.nix | 64 +++++++++++++++++++
 hosts/containers/gitea/modules/networking.nix | 15 +++++
 hosts/containers/gitea/modules/nginx.nix | 12 ++++
 hosts/containers/gitea/modules/ssh.nix | 15 +++++
 9 files changed, 223 insertions(+), 6 deletions(-)
 create mode 100644 hosts/containers/gitea/Migration.md
 create mode 100644 hosts/containers/gitea/default.nix
 create mode 100755 hosts/containers/gitea/migrate.sh
 create mode 100644 hosts/containers/gitea/modules/gitea.nix
 create mode 100644 hosts/containers/gitea/modules/networking.nix
 create mode 100644 hosts/containers/gitea/modules/nginx.nix
 create mode 100644 hosts/containers/gitea/modules/ssh.nix

diff --git a/flake.lock b/flake.lock
index a69157b3..2674650a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -4,15 +4,14 @@
 "locked": {
 "lastModified": 1632990363,
 "narHash": "sha256-SNqz+9Vt4yDHqw8u/CMFdzMQTulKoMlVGJdshfcb5O0=",
- "owner": "nixos",
+ "owner": "NixOS",
 "repo": "nixos-hardware",
 "rev": "0a8b8054c9920368a3c15e6d766188fdf04b736f",
 "type": "github"
 },
 "original": {
- "owner": "nixos",
- "repo": "nixos-hardware",
- "type": "github"
+ "id": "nixos-hardware",
+ "type": "indirect"
 }
 },
 "nixpkgs": {
@@ -62,6 +61,22 @@
 "type": "github"
 }
 },
+ "nixpkgs-unstable": {
+ "locked": {
+ "lastModified": 1633080050,
+ "narHash": "sha256-T9I2WnlUzAIL70dk9V1jqaYk3nypy/cMkWR19S47ZHc=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "82155ff501c7622cb2336646bb62f7624261f6d7",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs_2": {
 "locked": {
 "lastModified": 1631792076,
@@ -83,6 +98,7 @@
 "nixos-hardware": "nixos-hardware",
 "nixpkgs": "nixpkgs",
 "nixpkgs-mobilizon": "nixpkgs-mobilizon",
+ "nixpkgs-unstable": "nixpkgs-unstable",
 "scrapers": "scrapers",
 "secrets": "secrets",
 "spacemsg": "spacemsg",
diff --git a/flake.nix b/flake.nix
index 2037902c..58918785 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,6 +4,7 @@
 inputs = {
 nixpkgs.url = "github:nixos/nixpkgs/release-21.05";
 nixpkgs-mobilizon.url = "github:minijackson/nixpkgs/init-mobilizon";
+ nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
 secrets.url = "git+ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git";
 zentralwerk.url = "git+https://gitea.c3d2.de/zentralwerk/network.git";
 yammat.url = "git+https://gitea.c3d2.de/astro/yammat.git?ref=nix";
@@ -62,8 +63,7 @@ in { overlay = import ./overlay; - legacyPackages = forAllSystems - (system: nixpkgs.legacyPackages.${system}.extend self.overlay); + legacyPackages = forAllSystems (system: nixpkgs.legacyPackages.${system}.extend self.overlay); packages = forAllSystems (system: let
@@ -177,6 +177,15 @@
 system = "x86_64-linux";
 };
 
+ gitea = nixosSystem' {
+ nixpkgs = inputs.nixpkgs-unstable;
+ modules = [
+ ./lib/lxc-container.nix
+ ./hosts/containers/gitea
+ ];
+ system = "x86_64-linux";
+ };
+
 glotzbert = nixosSystem' {
 modules = [
 ./hosts/glotzbert
diff --git a/hosts/containers/gitea/Migration.md b/hosts/containers/gitea/Migration.md
new file mode 100644
index 00000000..05f391e6
--- /dev/null
+++ b/hosts/containers/gitea/Migration.md
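Review bot: `gitea = nixosSystem' { nixpkgs = inputs.nixpkgs-unstable; … }` in the last flake.nix hunk is the only host built from a nixpkgs other than the flake's `release-21.05` default, and nothing in the hunk says why. Migration.md in this commit restores the dump into Gitea 1.15.2, so presumably the stable channel's Gitea is too old for the migrated database; a one-line comment above `nixpkgs = inputs.nixpkgs-unstable;`, e.g. `# unstable: the migrated database needs a newer Gitea than release-21.05 ships (see hosts/containers/gitea/Migration.md)`, would keep someone from moving it back to stable later.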
@@ -0,0 +1,55 @@
+## Migration from [imbert to zentralwerk](https://codimd.c3d2.de/inbert-2021)
+
+[based on https://docs.gitea.io/en-us/backup-and-restore/](https://docs.gitea.io/en-us/backup-and-restore/)
+
+### @imbert
+```shell
+sudo -u git gitea dump -c /etc/gitea/app.ini
+```
+
+### @gitea.hq.c3d2.de (lxc 315 @server6)
+
+- copied `gitea-dump-*.zip` from imbert to `/tmp/`
+
+```shell
+/etc/nixos/migrate.sh
+```
+
+Check consistency:
+
+```shell
+su gitea
+cd
+export GITEA_WORK_DIR=/var/lib/gitea
+/nix/store/*-gitea-1.15.2/bin/gitea doctor --all
+```
+
+#### Fix problems caused by database schema changes between Gitea 1.8.3 and 1.15.2
+
+2 Factor Auth didn't work, but was only used by 2 users anyway. We delete the old settings:
+
+```sql
+delete from two_factor;
+```
+
+There is a new column `repository.owner_name` that needs be set. Otherwise the web frontend displayed links starting with `//`.
+
+Before fixing, we checked the `owner_names` queried by joining via `"user".id = repo.owner_id`:
+
+```sql
+select "user".lower_name, repo.owner_name, repo.lower_name from repository as repo inner join "user" on "user".id = repo.owner_id;
+```
+
+```sql
+UPDATE repository
+SET owner_name = map.name
+FROM (SELECT "user".lower_name AS name, repository.owner_id AS id
+ FROM repository INNER JOIN "user" ON "user".id = repository.owner_id
+ ) AS map
+WHERE map.id = repository.owner_id;
+```
+
+#### Problems with old logins
+
+Till now `PASSWORD_HASH_ALGO` `argon2` was used, but seems not to work in the new version.
+Using the password recovery works.
diff --git a/hosts/containers/gitea/default.nix b/hosts/containers/gitea/default.nix
new file mode 100644
index 00000000..530819f3
--- /dev/null
+++ b/hosts/containers/gitea/default.nix
@@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./modules/networking.nix
+ ./modules/gitea.nix
+ ./modules/nginx.nix
+ ./modules/ssh.nix
+ ];
+
+ system.stateVersion = "21.11";
+}
diff --git a/hosts/containers/gitea/migrate.sh b/hosts/containers/gitea/migrate.sh
new file mode 100755
index 00000000..da73d11c
--- /dev/null
+++ b/hosts/containers/gitea/migrate.sh
@@ -0,0 +1,19 @@
+#/usr/bin/env bash -e
+
+DUMP=gitea-dump-1633035257
+USER=gitea
+DATABASE=gitea
+
+cd /tmp/
+unzip ${DUMP}.zip
+unzip gitea-repo.zip
+
+systemctl stop gitea
+
+rm -r /var/lib/gitea/repositories/*
+mv gitea-repositories/* /var/lib/gitea/repositories/
+chown -R gitea:gitea /var/lib/gitea
+
+sudo -u gitea psql -U $USER -d $DATABASE < gitea-db.sql
+
+systemctl start gitea
diff --git a/hosts/containers/gitea/modules/gitea.nix b/hosts/containers/gitea/modules/gitea.nix
new file mode 100644
index 00000000..cf9210d9
--- /dev/null
+++ b/hosts/containers/gitea/modules/gitea.nix
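Review bot: The first line `#/usr/bin/env bash -e` is missing the `!` of a shebang, so it is an ordinary comment: the script runs under whatever shell invokes it and `-e` never takes effect, which means a failed `cd` or `unzip` does not stop the `rm -r /var/lib/gitea/repositories/*` that follows, and the existing repositories are deleted with nothing to replace them. Even with the `!`, `env` on Linux would pass `bash -e` as a single program name rather than splitting off the option. Use `#!/usr/bin/env bash` followed by `set -euo pipefail`, and consider checking that `gitea-repositories/` and `gitea-db.sql` exist before `systemctl stop gitea`. The dump is also unpacked as root inside world-writable `/tmp/`; a root-owned working directory is the safer place for a restore.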
@@ -0,0 +1,64 @@
+{ config, pkgs, ... }:
+
+{
+ services.gitea = rec {
+ enable = true;
+ domain = "gitea.c3d2.de";
+ rootUrl = "https://${domain}/";
+
+ database = {
+ type = "postgres";
+ host = "127.0.0.1";
+ name = "gitea";
+ user = "gitea";
+ passwordFile = "/etc/giteaPassword";
+ };
+ repositoryRoot = "/var/lib/gitea/repositories";
+
+ disableRegistration = true;
+
+ lfs.enable = true;
+ log.level = "Info";
+
+ dump = {
+ ## Is a nice feature once we have a dedicated backup storage.
+ ## For now it is disabled, since it delays `nixos-rebuild switch`.
+ enable = false;
+ backupDir = "/var/lib/gitea/dump";
+ };
+
+ settings = {
+ server = {
+ # START_SSH_SERVER = true;
+ # BUILTIN_SSH_SERVER_USER = "git";
+ SSH_DOMAIN = domain;
+ ENABLE_GZIP = true;
+ };
+ cron = {
+ ENABLED = true;
+ };
+ mailer = {
+ ENABLED = true;
+ FROM = "gitea@c3d2.de";
+ MAILER_TYPE = "smtp";
+ HOST = "mail.c3d2.de:465";
+ IS_TLS_ENABLED = true;
+ };
+ service = {
+ NO_REPLY_ADDRESS = "no_reply@c3d2.de";
+ REGISTER_EMAIL_CONFIRM = true;
+ ENABLE_NOTIFY_MAIL = true;
+ };
+ database = {
+ LOG_SQL = false;
+ };
+ time = {
+ DEFAULT_UI_LOCATION = config.time.timeZone;
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 3000 2222 ];
+
+ environment.systemPackages = with pkgs; [ postgresql unzip ]; ## used to restore database dumps
+}
diff --git a/hosts/containers/gitea/modules/networking.nix b/hosts/containers/gitea/modules/networking.nix
new file mode 100644
index 00000000..c96e3966
--- /dev/null
+++ b/hosts/containers/gitea/modules/networking.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+
+{
+ networking = {
+ hostName = "gitea";
+ useDHCP = false;
+ interfaces.eth0 = {
+ useDHCP = false;
+ ipv4.addresses = [{ address = "172.20.73.53"; prefixLength = 26; }];
+ };
+ defaultGateway = "172.20.73.1";
+ nameservers = [ "172.20.73.8" "9.9.9.9" ];
+ firewall.allowedTCPPorts = [ 80 443 2222 ];
+ };
+}
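Review bot: `networking.firewall.allowedTCPPorts = [ 3000 2222 ];` near the end of the gitea.nix hunk exposes Gitea's plain-HTTP listener to the network, although nginx.nix in this same commit terminates TLS on 443 and proxies to `http://localhost:3000`; a client that reaches 3000 directly bypasses `forceSSL`, so 3000 should not be opened. Port 2222 has no listener either, because `START_SSH_SERVER` is left commented out in `settings.server` (presumably reserved for the built-in SSH server), and the networking.nix hunk opens the same 2222 again in its own `firewall.allowedTCPPorts`. Keep a single firewall list in networking.nix with only `[ 80 443 ]` and drop the line here; the two lists are merged by NixOS, so the duplicate hides which module actually owns the exposure. Separately, `passwordFile = "/etc/giteaPassword"` is the only reference to that secret in the commit; a comment such as `# provisioned out of band; must be readable by the gitea user` would tell the next operator where to look when the service fails to start.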
diff --git a/hosts/containers/gitea/modules/nginx.nix b/hosts/containers/gitea/modules/nginx.nix
new file mode 100644
index 00000000..9ce38a10
--- /dev/null
+++ b/hosts/containers/gitea/modules/nginx.nix
@@ -0,0 +1,12 @@
+{ config, lib, pkgs, ... }:
+
+{
+ services.nginx = {
+ enable = true;
+ virtualHosts."gitea.c3d2.de" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/".proxyPass = "http://localhost:3000";
+ };
+ };
+}
diff --git a/hosts/containers/gitea/modules/ssh.nix b/hosts/containers/gitea/modules/ssh.nix
new file mode 100644
index 00000000..f53f70a9
--- /dev/null
+++ b/hosts/containers/gitea/modules/ssh.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+
+{
+ services.openssh = {
+ enable = true;
+ permitRootLogin = "prohibit-password";
+ extraConfig = ''
+ Match User gitea
+ AllowAgentForwarding no
+ AllowTcpForwarding no
+ PermitTTY no
+ X11Forwarding no
+ '';
+ };
+}
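Review bot: `locations."/".proxyPass = "http://localhost:3000";` forwards nothing about the original client, so Gitea sees every request as coming from the proxy address: its access log, and any rate limiting or fail2ban rule fed from it, lose the real client IP, and `X-Forwarded-Proto` is absent as well. Setting `recommendedProxySettings = true;` on `services.nginx` adds the standard `X-Real-IP`, `X-Forwarded-For` and `X-Forwarded-Proto` headers. Since gitea.nix in this commit enables LFS, also review `services.nginx.clientMaxBodySize` (the NixOS default is 10m, if I read the module right): pushes and LFS uploads over HTTPS above that size are rejected by nginx with a 413 before Gitea sees them.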
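Review bot: The `services.openssh` block in the ssh.nix hunk hardens the `gitea` user's sessions but leaves password authentication at the module default, which, as far as I can tell, is still enabled at this nixpkgs revision, so every other account on this publicly reachable host stays exposed to password guessing. Add `passwordAuthentication = false;` and `challengeResponseAuthentication = false;` next to `permitRootLogin`. The `Match User gitea` stanza could also carry `AllowStreamLocalForwarding no`, since the four directives present leave unix-socket forwarding open for that account.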