Add Gitea container
This commit is contained in:
parent
9ce399de42
commit
3ed7b4e16f
24
flake.lock
24
flake.lock
|
@ -4,15 +4,14 @@
|
|||
"locked": {
|
||||
"lastModified": 1632990363,
|
||||
"narHash": "sha256-SNqz+9Vt4yDHqw8u/CMFdzMQTulKoMlVGJdshfcb5O0=",
|
||||
"owner": "nixos",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixos-hardware",
|
||||
"rev": "0a8b8054c9920368a3c15e6d766188fdf04b736f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"repo": "nixos-hardware",
|
||||
"type": "github"
|
||||
"id": "nixos-hardware",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
|
@ -62,6 +61,22 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1633080050,
|
||||
"narHash": "sha256-T9I2WnlUzAIL70dk9V1jqaYk3nypy/cMkWR19S47ZHc=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "82155ff501c7622cb2336646bb62f7624261f6d7",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"ref": "nixos-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1631792076,
|
||||
|
@ -83,6 +98,7 @@
|
|||
"nixos-hardware": "nixos-hardware",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"nixpkgs-mobilizon": "nixpkgs-mobilizon",
|
||||
"nixpkgs-unstable": "nixpkgs-unstable",
|
||||
"scrapers": "scrapers",
|
||||
"secrets": "secrets",
|
||||
"spacemsg": "spacemsg",
|
||||
|
|
13
flake.nix
13
flake.nix
|
@ -4,6 +4,7 @@
|
|||
inputs = {
|
||||
nixpkgs.url = "github:nixos/nixpkgs/release-21.05";
|
||||
nixpkgs-mobilizon.url = "github:minijackson/nixpkgs/init-mobilizon";
|
||||
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
|
||||
secrets.url = "git+ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git";
|
||||
zentralwerk.url = "git+https://gitea.c3d2.de/zentralwerk/network.git";
|
||||
yammat.url = "git+https://gitea.c3d2.de/astro/yammat.git?ref=nix";
|
||||
|
@ -62,8 +63,7 @@
|
|||
in {
|
||||
overlay = import ./overlay;
|
||||
|
||||
legacyPackages = forAllSystems
|
||||
(system: nixpkgs.legacyPackages.${system}.extend self.overlay);
|
||||
legacyPackages = forAllSystems (system: nixpkgs.legacyPackages.${system}.extend self.overlay);
|
||||
|
||||
packages = forAllSystems (system:
|
||||
let
|
||||
|
@ -177,6 +177,15 @@
|
|||
system = "x86_64-linux";
|
||||
};
|
||||
|
||||
gitea = nixosSystem' {
|
||||
nixpkgs = inputs.nixpkgs-unstable;
|
||||
modules = [
|
||||
./lib/lxc-container.nix
|
||||
./hosts/containers/gitea
|
||||
];
|
||||
system = "x86_64-linux";
|
||||
};
|
||||
|
||||
glotzbert = nixosSystem' {
|
||||
modules = [
|
||||
./hosts/glotzbert
|
||||
|
|
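Review bot: The new `gitea` entry builds the container from `inputs.nixpkgs-unstable` while every other host in this hunk uses the pinned `nixpkgs` (release-21.05), and nothing records why. A one-line comment such as `# unstable: needs a Gitea newer than release-21.05 ships (see hosts/containers/gitea/Migration.md)` would stop the next maintainer from "fixing" it back, assuming the 1.15.2 mentioned in Migration.md is the reason. Tracking unstable also means every `nix flake update` can move this internet-facing service to an unreviewed Gitea release, so the update cadence for this input deserves a deliberate choice rather than whatever the shared lock bump happens to pull.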
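--- /dev/null
+++ b/hosts/containers/gitea/Migration.md
@@ -0,0 +1,55 @@
+## Migration from [imbert to zentralwerk](https://codimd.c3d2.de/inbert-2021)
+
+[based on https://docs.gitea.io/en-us/backup-and-restore/](https://docs.gitea.io/en-us/backup-and-restore/)
+
+### @imbert
+```shell
+sudo -u git gitea dump -c /etc/gitea/app.ini
+```
+
+### @gitea.hq.c3d2.de (lxc 315 @server6)
+
+- copied `gitea-dump-*.zip` from imbert to `/tmp/`
+
+```shell
+/etc/nixos/migrate.sh
+```
+
+Check consistency:
+
+```shell
+su gitea
+cd
+export GITEA_WORK_DIR=/var/lib/gitea
+/nix/store/*-gitea-1.15.2/bin/gitea doctor --all
+```
+
+#### Fix problems caused by database schema changes between Gitea 1.8.3 and 1.15.2
+
+2 Factor Auth didn't work, but was only used by 2 users anyway. We delete the old settings:
+
+```sql
+delete from two_factor;
+```
+
+There is a new column `repository.owner_name` that needs be set. Otherwise the web frontend displayed links starting with `//`.
+
+Before fixing, we checked the `owner_names` queried by joining via `"user".id = repo.owner_id`:
+
+```sql
+select "user".lower_name, repo.owner_name, repo.lower_name from repository as repo inner join "user" on "user".id = repo.owner_id;
+```
+
+```sql
+UPDATE repository
+SET owner_name = map.name
+FROM (SELECT "user".lower_name AS name, repository.owner_id AS id
+FROM repository INNER JOIN "user" ON "user".id = repository.owner_id
+) AS map
+WHERE map.id = repository.owner_id;
+```
+
+#### Problems with old logins
+
+Till now `PASSWORD_HASH_ALGO` `argon2` was used, but seems not to work in the new version.
+Using the password recovery works.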
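--- /dev/null
+++ b/hosts/containers/gitea/default.nix
@@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+
+{
+imports = [
+./modules/networking.nix
+./modules/gitea.nix
+./modules/nginx.nix
+./modules/ssh.nix
+];
+
+system.stateVersion = "21.11";
+}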
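--- /dev/null
+++ b/hosts/containers/gitea/migrate.sh
@@ -0,0 +1,19 @@
+#/usr/bin/env bash -e
+
+DUMP=gitea-dump-1633035257
+USER=gitea
+DATABASE=gitea
+
+cd /tmp/
+unzip ${DUMP}.zip
+unzip gitea-repo.zip
+
+systemctl stop gitea
+
+rm -r /var/lib/gitea/repositories/*
+mv gitea-repositories/* /var/lib/gitea/repositories/
+chown -R gitea:gitea /var/lib/gitea
+
+sudo -u gitea psql -U $USER -d $DATABASE < gitea-db.sql
+
+systemctl start gitea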
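Review bot: The first line `#/usr/bin/env bash -e` is missing the `!`, so it is an ordinary comment: the script runs under whatever shell invokes it and `-e` never takes effect, which means the destructive `rm -r /var/lib/gitea/repositories/*` still runs after `cd /tmp/` or either `unzip` has failed. Replace it with `#!/usr/bin/env bash` followed by `set -euo pipefail` (passing `-e` through `env` would not work on Linux anyway, since `bash -e` is handed to env as a single program name). `USER=gitea` also clobbers the login `USER` variable; a name like `DB_USER` avoids surprises for anything run later in the same shell. Staging the dump in world-writable `/tmp` lets any other local user swap the archive between copy and restore, so a root-owned directory is the safer location, assuming the container has other local users at all.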
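--- /dev/null
+++ b/hosts/containers/gitea/modules/gitea.nix
@@ -0,0 +1,64 @@
+{ config, pkgs, ... }:
+
+{
+services.gitea = rec {
+enable = true;
+domain = "gitea.c3d2.de";
+rootUrl = "https://${domain}/";
+
+database = {
+type = "postgres";
+host = "127.0.0.1";
+name = "gitea";
+user = "gitea";
+passwordFile = "/etc/giteaPassword";
+};
+repositoryRoot = "/var/lib/gitea/repositories";
+
+disableRegistration = true;
+
+lfs.enable = true;
+log.level = "Info";
+
+dump = {
+## Is a nice feature once we have a dedicated backup storage.
+## For now it is disabled, since it delays `nixos-rebuild switch`.
+enable = false;
+backupDir = "/var/lib/gitea/dump";
+};
+
+settings = {
+server = {
+# START_SSH_SERVER = true;
+# BUILTIN_SSH_SERVER_USER = "git";
+SSH_DOMAIN = domain;
+ENABLE_GZIP = true;
+};
+cron = {
+ENABLED = true;
+};
+mailer = {
+ENABLED = true;
+FROM = "gitea@c3d2.de";
+MAILER_TYPE = "smtp";
+HOST = "mail.c3d2.de:465";
+IS_TLS_ENABLED = true;
+};
+service = {
+NO_REPLY_ADDRESS = "no_reply@c3d2.de";
+REGISTER_EMAIL_CONFIRM = true;
+ENABLE_NOTIFY_MAIL = true;
+};
+database = {
+LOG_SQL = false;
+};
+time = {
+DEFAULT_UI_LOCATION = config.time.timeZone;
+};
+};
+};
+
+networking.firewall.allowedTCPPorts = [ 3000 2222 ];
+
+environment.systemPackages = with pkgs; [ postgresql unzip ]; ## used to restore database dumps
+}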
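Review bot: `networking.firewall.allowedTCPPorts = [ 3000 2222 ];` exposes Gitea's plain-HTTP listener to the network even though nginx.nix terminates TLS on 443 and proxies to `localhost:3000`; NixOS merges list options across modules, so the effective firewall is 80/443/2222/3000 and the TLS front end can be bypassed. Drop 3000 here, `networking.firewall.allowedTCPPorts = [ 2222 ];`, or delete the line entirely since networking.nix already opens 2222. `passwordFile = "/etc/giteaPassword"` is not created by anything in this commit, so a comment saying where it comes from and what permissions it needs would help, e.g. `# provisioned out of band; must be owned by gitea, mode 0400`.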
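--- /dev/null
+++ b/hosts/containers/gitea/modules/networking.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+
+{
+networking = {
+hostName = "gitea";
+useDHCP = false;
+interfaces.eth0 = {
+useDHCP = false;
+ipv4.addresses = [{ address = "172.20.73.53"; prefixLength = 26; }];
+};
+defaultGateway = "172.20.73.1";
+nameservers = [ "172.20.73.8" "9.9.9.9" ];
+firewall.allowedTCPPorts = [ 80 443 2222 ];
+};
+}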
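Review bot: `firewall.allowedTCPPorts = [ 80 443 2222 ];` opens 2222, but nothing in this commit listens there: `START_SSH_SERVER` is commented out in gitea.nix and `services.openssh` in ssh.nix keeps its default port 22, which this list does not open. Either the LXC host forwards 2222 onto 22 in a way I cannot see here, or the intent was `services.openssh.ports = [ 2222 ];` in ssh.nix; a comment on the line stating which, e.g. `# 2222: ssh, forwarded from the LXC host — see ssh.nix`, would settle it. An open port with no listener is harmless today but hides a configuration mistake.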
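--- /dev/null
+++ b/hosts/containers/gitea/modules/nginx.nix
@@ -0,0 +1,12 @@
+{ config, lib, pkgs, ... }:
+
+{
+services.nginx = {
+enable = true;
+virtualHosts."gitea.c3d2.de" = {
+forceSSL = true;
+enableACME = true;
+locations."/".proxyPass = "http://localhost:3000";
+};
+};
+}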
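Review bot: The proxy location forwards no client headers, so Gitea sees every request as coming from 127.0.0.1 and its access logs, login rate limiting and any fail2ban rules lose the real client address; add `recommendedProxySettings = true;` next to `enable = true;` so `X-Forwarded-For`, `X-Real-IP` and `X-Forwarded-Proto` are set. With `lfs.enable = true` in gitea.nix, nginx's default 1 MiB request body limit will reject larger LFS uploads and pushes over HTTPS, so the vhost also wants `extraConfig = "client_max_body_size 512m;"` (size to taste). `enableACME = true` requires `security.acme.acceptTerms` and a contact email to be set somewhere; they are not in this commit, so confirm a shared module provides them.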
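--- /dev/null
+++ b/hosts/containers/gitea/modules/ssh.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+
+{
+services.openssh = {
+enable = true;
+permitRootLogin = "prohibit-password";
+extraConfig = ''
+Match User gitea
+AllowAgentForwarding no
+AllowTcpForwarding no
+PermitTTY no
+X11Forwarding no
+'';
+};
+}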
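Review bot: The `Match User gitea` block restricts forwarding, but password logins stay enabled for every non-root user, so the gitea account (and any other local user) can still be brute-forced over the exposed SSH port; add `passwordAuthentication = false;` and `challengeResponseAuthentication = false;` beside `permitRootLogin`. `AllowStreamLocalForwarding no` and `PermitTunnel no` would close the two forwarding kinds the Match block leaves open. Gitea's own authorized_keys entries normally carry `no-port-forwarding,no-pty`-style restrictions, so this block is defence in depth rather than the only control; a comment saying so, e.g. `# defence in depth: Gitea's authorized_keys command= entries also restrict these`, would make the intent clear.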