diff --git a/nixos/boxes/colony/vms/default.nix b/nixos/boxes/colony/vms/default.nix
index 8cf5d50..c7566b5 100644
--- a/nixos/boxes/colony/vms/default.nix
+++ b/nixos/boxes/colony/vms/default.nix
@@ -167,6 +167,19 @@
 };
 frontend = "virtio-blk";
 }
+ {
+ name = "git";
+ backend = {
+ driver = "host_device";
+ filename = "/dev/main/git";
+ discard = "unmap";
+ };
+ format = {
+ driver = "raw";
+ discard = "unmap";
+ };
+ frontend = "virtio-blk";
+ }
 ]);
 };
 
diff --git a/nixos/boxes/colony/vms/estuary/default.nix b/nixos/boxes/colony/vms/estuary/default.nix
index dd93b80..be0a202 100644
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@@ -459,6 +459,8 @@ in
 table inet nat {
 chain prerouting {
 ${matchInet "meta l4proto { udp, tcp } th dport domain redirect to :5353" "estuary"}
+ ip daddr ${allAssignments.shill.internal.ipv4.address} tcp dport { http, https } dnat to ${allAssignments.middleman.internal.ipv4.address}
+ ip6 daddr ${allAssignments.shill.internal.ipv6.address} tcp dport { http, https } dnat to ${allAssignments.middleman.internal.ipv6.address}
 }
 chain postrouting {
 ip saddr ${prefixes.all.v4} snat to ${assignments.internal.ipv4.address}
diff --git a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
index bc69715..58a2ff9 100644
--- a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
+++ b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
@@ -390,6 +390,11 @@ in
 };
 useACMEHost = pubDomain;
 };
+
+ "git.${pubDomain}" = {
+ locations."/".proxyPass = "http://shill-vm.${domain}:3000";
+ useACMEHost = pubDomain;
+ };
 };
 
 minio =
diff --git a/nixos/boxes/colony/vms/shill/default.nix b/nixos/boxes/colony/vms/shill/default.nix
index f47e1fa..e393e1a 100644
--- a/nixos/boxes/colony/vms/shill/default.nix
+++ b/nixos/boxes/colony/vms/shill/default.nix
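Review bot: The two new DNAT rules in the prerouting chain carry no explanation of why HTTP/HTTPS addressed to shill's own address is diverted to the middleman container, and nothing else in the hunk says so; a one-line comment such as `# HTTP(S) for shill's address is terminated by the middleman container (see shill/containers/middleman/vhosts.nix)` would save the next reader a trip through three files. The rule just above uses the `matchInet` helper to cover both families from one line, whereas the new rules are spelled out per family; if the helper cannot express a per-family dnat target (it appears to take only a rule and a host name), a short comment saying so would explain the inconsistency. The enclosing `extraRules` string starts and ends outside the hunk.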
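Review bot: The new `git.${pubDomain}` vhost proxies to Gitea without raising the request body limit, so pushes larger than nginx's configured `client_max_body_size` (NixOS's `services.nginx.clientMaxBodySize` default is 10m unless overridden elsewhere in this file, which I cannot see) will be rejected at the proxy with 413 — the LFS uploads enabled in gitea.nix are the obvious casualty; add `locations."/".extraConfig = "client_max_body_size 512m;";` or whatever bound fits the expected repositories rather than disabling the limit with `0`. The upstream is plain HTTP on port 3000, which is acceptable on the internal network but means Gitea only learns the real client address and scheme through the forwarded headers this proxy sets, so Gitea must be configured to trust this proxy's address for those headers to be honoured. The enclosing `virtualHosts` attribute set starts outside the hunk.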
@@ -49,7 +49,7 @@ in
 inherit (lib.my) networkdAssignment;
 in
 {
- imports = [ "${modulesPath}/profiles/qemu-guest.nix" ./hercules.nix ];
+ imports = [ "${modulesPath}/profiles/qemu-guest.nix" ./hercules.nix ./gitea.nix ];
 
 config = mkMerge [
 {
diff --git a/nixos/boxes/colony/vms/shill/gitea.nix b/nixos/boxes/colony/vms/shill/gitea.nix
new file mode 100644
index 0000000..eb44636
--- /dev/null
+++ b/nixos/boxes/colony/vms/shill/gitea.nix
@@ -0,0 +1,95 @@
+{ lib, pkgs, config, ... }:
+let
+ inherit (lib.my.c) pubDomain;
+ inherit (lib.my.c.colony) prefixes;
+in
+{
+ config = {
+ fileSystems = {
+ "/var/lib/gitea" = {
+ device = "/dev/disk/by-label/git";
+ fsType = "ext4";
+ };
+ };
+
+ users = {
+ users.git = {
+ description = "Gitea Service";
+ home = config.services.gitea.stateDir;
+ useDefaultShell = true;
+ group = config.services.gitea.group;
+ isSystemUser = true;
+ };
+ groups.git = {};
+ };
+
+ services = {
+ gitea = {
+ enable = true;
+ user = "git";
+ group = "git";
+ appName = "/dev/player0 git";
+ stateDir = "/var/lib/gitea";
+ lfs.enable = true;
+ database = {
+ type = "postgres";
+ createDatabase = false;
+ host = "colony-psql";
+ user = "gitea";
+ passwordFile = config.age.secrets."gitea/db.txt".path;
+ };
+ mailerPasswordFile = config.age.secrets."gitea/mail.txt".path;
+ settings = {
+ server = {
+ DOMAIN = "git.${pubDomain}";
+ HTTP_ADDR = "::";
+ ROOT_URL = "https://git.${pubDomain}";
+ };
+ service = {
+ DISABLE_REGISTRATION = true;
+ ENABLE_NOTIFY_MAIL = true;
+ };
+ session = {
+ COOKIE_SECURE = true;
+ };
+ repository = {
+ DEFAULT_BRANCH = "master";
+ };
+ mailer = {
+ ENABLED = true;
+ PROTOCOL = "smtp+starttls";
+ SMTP_ADDR = "mail.nul.ie";
+ SMTP_PORT = 587;
+ USER = "git@nul.ie";
+ FROM = "Gitea ";
+ };
+ };
+ };
+ };
+
+ my = {
+ secrets = {
+ files =
+ let
+ ownedByGit = {
+ owner = "git";
+ group = "git";
+ };
+ in
+ {
+ "gitea/db.txt" = ownedByGit;
+ "gitea/mail.txt" = ownedByGit;
+ };
+ };
+
+ firewall.extraRules = ''
+ table inet filter {
+ chain input {
+ ip saddr ${prefixes.all.v4} tcp dport 3000 accept
+ ip6 saddr ${prefixes.all.v6} tcp dport 3000 accept
+ }
+ }
+ '';
+ };
+ };
+}
diff --git a/secrets/gitea/db.txt.age b/secrets/gitea/db.txt.age
new file mode 100644
index 0000000..2e3c675
--- /dev/null
+++ b/secrets/gitea/db.txt.age
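Review bot: `settings` has no `security.REVERSE_PROXY_TRUSTED_PROXIES`, so Gitea falls back to its default of trusting only the loopback ranges and the `X-Forwarded-For` header set by the middleman reverse proxy is ignored: request logs and anything keyed on client address will record middleman's address for every user. Add `security.REVERSE_PROXY_TRUSTED_PROXIES = "${prefixes.all.v4},${prefixes.all.v6}";` next to the `session` block, which at least matches the prefixes the `firewall.extraRules` rule already admits on port 3000, or narrow it to the middleman container's address if that value is reachable from this module. Two smaller points: the `database` block sets no `SSL_MODE`, so the credential in `gitea/db.txt` travels to `colony-psql` in the clear unless the NixOS module's default differs — set `settings.database.SSL_MODE` if that server offers TLS; and `mailer.FROM = "Gitea "` looks truncated (an address in angle brackets may have been lost on the way here), which is worth confirming since Gitea parses FROM as a mail address and a display name alone will not send.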
@@ -0,0 +1,10 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEJhUWxSZyBRK3Zp
+OTVnQ2lZRzloWE1hYmxMYWZERDdXL0pTdFVGYUN3Vk0wbkhBWTFBCkg1YkVidmwy
+ZVhDSWJOTXB6Qmw5OXNVU0RVUlFyQkE4MVE2eUp6ZXZBOHMKLT4gWDI1NTE5IG9u
+YUMxZkhHc0RVZkQ3UEEvazArRnl5NGpvTkJPRWdFbm9qYzdjZjNZZ28KRU1FdmMz
+cVlzbHRFWUZqbkw2Ry9QVXppTFdNRTIwWnJBYzc0NUxieUMvRQotPiAxbn4nYSxC
+LWdyZWFzZSBNRyAxO0EgVDoKQklPUS93Ci0tLSBoTXhqZ2VjNTlOVzdBN25CeUdD
+VFJtT2pDWi9taXh1SHpNTG9oeHJsbE9jCgGD+69tbzN5f1FlBBSMb/2GgJW2cmXI
+97MXqA888ugf0vppdqy5yu+D4GdjoIvkKv0=
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/gitea/mail.txt.age b/secrets/gitea/mail.txt.age
new file mode 100644
index 0000000..55d12c5
--- /dev/null
+++ b/secrets/gitea/mail.txt.age
@@ -0,0 +1,11 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEJhUWxSZyBGekxK
+ZFVBQkpTeGtzcHJuektzS0hPUFBIelg5UzQvVzg3SXJmSE9NbG5nCjFMbDBMcmFw
+dG9xaHpGV2RvZDg3WjRueTZtUGR3TnUyZE8yM1Rhdi83MGcKLT4gWDI1NTE5IGRu
+Ry9ZNVIyWEYvcWhCOWx0eEVVcnFaYm5IK3Fhc1Z1Ykg0VDFEbE0wU28KcnFGN3Rs
+bEtUazc3dkFCMEN2V2hTNFhlK2Z0OWQyNjNjaW5kbVU2OVozQQotPiAlfj84LWdy
+ZWFzZSBNLzc9fUcgNi5nKCBdRk50dSB1ClJkdmx0VjVUK0o3cmxrY1JycktXVkFS
+Yk10a3plZmsKLS0tIEVzUEhoUEE5TkZFK01BckxpZ0tKV2hZRERRbnFQUnlXRjQx
+RExPb1B3dHMKUaxZI1wEt10kHnWMgn3Na0UVpn/bhGpwXpToyH0Gzdjy5mQiPvcl
+X8RKm1wpkrLhXA==
+-----END AGE ENCRYPTED FILE-----