nixos: Add Gitea VM

2023-12-09 15:22:01 +00:00
parent b4d0d9aff9
commit 88b6e00f93
59 changed files with 953 additions and 792 deletions
--- a/nixos/boxes/colony/vms/git/default.nix
+++ b/nixos/boxes/colony/vms/git/default.nix
@@ -0,0 +1,117 @@
+{ lib, ... }:
+let
+  inherit (lib.my) net;
+  inherit (lib.my.c.colony) domain prefixes;
+in
+{
+  nixos.systems.git = {
+    system = "x86_64-linux";
+    nixpkgs = "mine";
+
+    assignments = {
+      routing = {
+        name = "git-vm-routing";
+        inherit domain;
+        ipv4.address = net.cidr.host 4 prefixes.vms.v4;
+      };
+      internal = {
+        name = "git-vm";
+        inherit domain;
+        ipv4 = {
+          address = net.cidr.host 0 prefixes.vip3;
+          mask = 32;
+          gateway = null;
+          genPTR = false;
+        };
+        ipv6 = {
+          iid = "::4";
+          address = net.cidr.host 4 prefixes.vms.v6;
+        };
+      };
+    };
+
+    configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
+      let
+        inherit (lib) mkMerge;
+        inherit (lib.my) networkdAssignment;
+      in
+      {
+        imports = [
+          "${modulesPath}/profiles/qemu-guest.nix"
+
+          ./gitea.nix
+          ./gitea-actions.nix
+        ];
+
+        config = mkMerge [
+          {
+            boot = {
+              kernelParams = [ "console=ttyS0,115200n8" ];
+            };
+
+            fileSystems = {
+              "/boot" = {
+                device = "/dev/disk/by-label/ESP";
+                fsType = "vfat";
+              };
+              "/nix" = {
+                device = "/dev/disk/by-label/nix";
+                fsType = "ext4";
+              };
+              "/persist" = {
+                device = "/dev/disk/by-label/persist";
+                fsType = "ext4";
+                neededForBoot = true;
+              };
+
+              "/var/lib/containers" = {
+                device = "/dev/disk/by-label/oci";
+                fsType = "xfs";
+                options = [ "pquota" ];
+              };
+            };
+
+            services = {
+              fstrim = lib.my.c.colony.fstrimConfig;
+              netdata.enable = true;
+            };
+
+            virtualisation = {
+              podman = {
+                enable = true;
+              };
+              oci-containers = {
+                backend = "podman";
+              };
+            };
+
+            systemd.network = {
+              links = {
+                "10-vms" = {
+                  matchConfig.MACAddress = "52:54:00:75:78:a8";
+                  linkConfig.Name = "vms";
+                };
+              };
+
+              networks = {
+                "80-vms" = mkMerge [
+                  (networkdAssignment "vms" assignments.routing)
+                  (networkdAssignment "vms" assignments.internal)
+                ];
+              };
+            };
+
+            my = {
+              secrets.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP+KINpHLMduBuW96JzfSRDLUzkI+XaCBghu5/wHiW5R";
+              server.enable = true;
+
+              firewall = {
+                tcp.allowed = [ 19999 ];
+                trustedInterfaces = [ "oci" ];
+              };
+            };
+          }
+        ];
+      };
+  };
+}
--- a/nixos/boxes/colony/vms/git/gitea-actions.nix
+++ b/nixos/boxes/colony/vms/git/gitea-actions.nix
@@ -0,0 +1,78 @@
+{ lib, pkgs, config, ... }:
+let
+  inherit (builtins) toJSON;
+  inherit (lib) mkForce;
+  inherit (lib.my.c) pubDomain;
+
+  cfgFile = pkgs.writeText "gitea-actions-runner.yaml" (toJSON {
+    container = {
+      # network = "colony";
+      privileged = true;
+    };
+    cache = {
+      enabled = true;
+      dir = "/var/cache/gitea-runner";
+    };
+  });
+in
+{
+  config = {
+    fileSystems = {
+      "/var/cache/gitea-runner" = {
+        device = "/dev/disk/by-label/actions-cache";
+        fsType = "ext4";
+      };
+    };
+
+    services = {
+      gitea-actions-runner.instances = {
+        main = {
+          enable = true;
+          name = "main-docker";
+          labels = [
+            "debian-node-bullseye:docker://node:18-bullseye"
+            "ubuntu-22.04:docker://git.nul.ie/dev/actions-ubuntu:22.04"
+          ];
+          url = "https://git.${pubDomain}";
+          tokenFile = config.age.secrets."gitea/actions-runner.env".path;
+        };
+      };
+    };
+
+    users = with lib.my.c.ids; {
+      users = {
+        gitea-runner = {
+          isSystemUser = true;
+          uid = uids.gitea-runner;
+          group = "gitea-runner";
+          home = "/var/lib/gitea-runner";
+        };
+      };
+      groups = {
+        gitea-runner.gid = gids.gitea-runner;
+      };
+    };
+
+    systemd = {
+      services = {
+        gitea-runner-main.serviceConfig = {
+          # Needs to be able to read its secrets
+          CacheDirectory = "gitea-runner";
+          DynamicUser = mkForce false;
+          User = "gitea-runner";
+          Group = "gitea-runner";
+          ExecStart = mkForce "${config.services.gitea-actions-runner.package}/bin/act_runner -c ${cfgFile} daemon";
+        };
+      };
+    };
+
+    my = {
+      secrets.files = {
+        "gitea/actions-runner.env" = {
+          owner = "gitea-runner";
+          group = "gitea-runner";
+        };
+      };
+    };
+  };
+}
--- a/nixos/boxes/colony/vms/git/gitea.nix
+++ b/nixos/boxes/colony/vms/git/gitea.nix
@@ -0,0 +1,143 @@
+{ lib, pkgs, config, assignments, allAssignments, ... }:
+let
+  inherit (lib.my.c) pubDomain;
+  inherit (lib.my.c.colony) prefixes;
+in
+{
+  config = {
+    fileSystems = {
+      "/var/lib/gitea" = {
+        device = "/dev/disk/by-label/git";
+        fsType = "ext4";
+      };
+    };
+
+    users = {
+      users.git = {
+        description = "Gitea Service";
+        home = config.services.gitea.stateDir;
+        useDefaultShell = true;
+        group = config.services.gitea.group;
+        isSystemUser = true;
+      };
+      groups.git = {};
+    };
+
+    systemd = {
+      services = {
+        gitea.preStart =
+        let
+          repSec = "${pkgs.replace-secret}/bin/replace-secret";
+          confPath = "${config.services.gitea.customDir}/conf/app.ini";
+        in
+        ''
+          gitea_extra_setup() {
+            chmod u+w '${confPath}'
+            ${repSec} '#miniosecret#' '${config.age.secrets."gitea/minio.txt".path}' '${confPath}'
+            chmod u-w '${confPath}'
+          }
+
+          (umask 027; gitea_extra_setup)
+        '';
+      };
+    };
+
+    services = {
+      gitea = {
+        enable = true;
+        user = "git";
+        group = "git";
+        appName = "/dev/player0 git";
+        stateDir = "/var/lib/gitea";
+        lfs.enable = true;
+        database = {
+          type = "postgres";
+          createDatabase = false;
+          host = "colony-psql";
+          user = "gitea";
+          passwordFile = config.age.secrets."gitea/db.txt".path;
+        };
+        mailerPasswordFile = config.age.secrets."gitea/mail.txt".path;
+        settings = {
+          server = {
+            DOMAIN = "git.${pubDomain}";
+            HTTP_ADDR = "::";
+            ROOT_URL = "https://git.${pubDomain}";
+          };
+          service = {
+            DISABLE_REGISTRATION = true;
+            ENABLE_NOTIFY_MAIL = true;
+          };
+          session = {
+            COOKIE_SECURE = true;
+          };
+          repository = {
+            DEFAULT_BRANCH = "master";
+          };
+          mailer = {
+            ENABLED = true;
+            PROTOCOL = "smtp+starttls";
+            SMTP_ADDR = "mail.nul.ie";
+            SMTP_PORT = 587;
+            USER = "git@nul.ie";
+            FROM = "Gitea <git@nul.ie>";
+          };
+          "email.incoming" = {
+            ENABLED = true;
+            HOST = "mail.nul.ie";
+            PORT = 993;
+            USE_TLS = true;
+            USERNAME = "git@nul.ie";
+            PASSWORD = "#mailerpass#";
+            REPLY_TO_ADDRESS = "git+%{token}@nul.ie";
+          };
+          storage = {
+            STORAGE_TYPE = "minio";
+            SERVE_DIRECT = true;
+            MINIO_ENDPOINT = "s3.${pubDomain}";
+            MINIO_ACCESS_KEY_ID = "gitea";
+            MINIO_SECRET_ACCESS_KEY = "#miniosecret#";
+            MINIO_BUCKET = "gitea";
+            MINIO_LOCATION = "eu-central-1";
+            MINIO_USE_SSL = true;
+          };
+          actions = {
+            ENABLED = true;
+          };
+        };
+      };
+    };
+
+    my = {
+      secrets = {
+        files =
+        let
+          ownedByGit = {
+            owner = "git";
+            group = "git";
+          };
+        in
+        {
+          "gitea/db.txt" = ownedByGit;
+          "gitea/mail.txt" = ownedByGit;
+          "gitea/minio.txt" = ownedByGit;
+        };
+      };
+
+      firewall.extraRules = ''
+        table inet filter {
+          chain input {
+            ip saddr ${prefixes.all.v4} tcp dport 3000 accept
+            ip6 saddr ${prefixes.all.v6} tcp dport 3000 accept
+          }
+        }
+        table inet nat {
+          chain prerouting {
+            ip daddr ${assignments.internal.ipv4.address} tcp dport { http, https } dnat to ${allAssignments.middleman.internal.ipv4.address}
+            ip6 daddr ${assignments.internal.ipv6.address} tcp dport { http, https } dnat to ${allAssignments.middleman.internal.ipv6.address}
+          }
+        }
+      '';
+    };
+  };
+}