nixos/shill: Add Gitea

nixos/boxes/colony/vms/default.nix

@@ -167,6 +167,19 @@
                 };
                 frontend = "virtio-blk";
               }
+              {
+                name = "git";
+                backend = {
+                  driver = "host_device";
+                  filename = "/dev/main/git";
+                  discard = "unmap";
+                };
+                format = {
+                  driver = "raw";
+                  discard = "unmap";
+                };
+                frontend = "virtio-blk";
+              }
             ]);
           };
 

nixos/boxes/colony/vms/estuary/default.nix

@@ -459,6 +459,8 @@ in
                   table inet nat {
                     chain prerouting {
                       ${matchInet "meta l4proto { udp, tcp } th dport domain redirect to :5353" "estuary"}
+                      ip daddr ${allAssignments.shill.internal.ipv4.address} tcp dport { http, https } dnat to ${allAssignments.middleman.internal.ipv4.address}
+                      ip6 daddr ${allAssignments.shill.internal.ipv6.address} tcp dport { http, https } dnat to ${allAssignments.middleman.internal.ipv6.address}
                     }
                     chain postrouting {
                       ip saddr ${prefixes.all.v4} snat to ${assignments.internal.ipv4.address}

nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix

@@ -390,6 +390,11 @@ in
         };
         useACMEHost = pubDomain;
       };
+
+      "git.${pubDomain}" = {
+        locations."/".proxyPass = "http://shill-vm.${domain}:3000";
+        useACMEHost = pubDomain;
+      };
     };
 
     minio =

nixos/boxes/colony/vms/shill/default.nix

@@ -49,7 +49,7 @@ in
         inherit (lib.my) networkdAssignment;
       in
       {
-        imports = [ "${modulesPath}/profiles/qemu-guest.nix" ./hercules.nix ];
+        imports = [ "${modulesPath}/profiles/qemu-guest.nix" ./hercules.nix ./gitea.nix ];
 
         config = mkMerge [
           {

nixos/boxes/colony/vms/shill/gitea.nix

@@ -0,0 +1,95 @@
+{ lib, pkgs, config, ... }:
+let
+  inherit (lib.my.c) pubDomain;
+  inherit (lib.my.c.colony) prefixes;
+in
+{
+  config = {
+    fileSystems = {
+      "/var/lib/gitea" = {
+        device = "/dev/disk/by-label/git";
+        fsType = "ext4";
+      };
+    };
+
+    users = {
+      users.git = {
+        description = "Gitea Service";
+        home = config.services.gitea.stateDir;
+        useDefaultShell = true;
+        group = config.services.gitea.group;
+        isSystemUser = true;
+      };
+      groups.git = {};
+    };
+
+    services = {
+      gitea = {
+        enable = true;
+        user = "git";
+        group = "git";
+        appName = "/dev/player0 git";
+        stateDir = "/var/lib/gitea";
+        lfs.enable = true;
+        database = {
+          type = "postgres";
+          createDatabase = false;
+          host = "colony-psql";
+          user = "gitea";
+          passwordFile = config.age.secrets."gitea/db.txt".path;
+        };
+        mailerPasswordFile = config.age.secrets."gitea/mail.txt".path;
+        settings = {
+          server = {
+            DOMAIN = "git.${pubDomain}";
+            HTTP_ADDR = "::";
+            ROOT_URL = "https://git.${pubDomain}";
+          };
+          service = {
+            DISABLE_REGISTRATION = true;
+            ENABLE_NOTIFY_MAIL = true;
+          };
+          session = {
+            COOKIE_SECURE = true;
+          };
+          repository = {
+            DEFAULT_BRANCH = "master";
+          };
+          mailer = {
+            ENABLED = true;
+            PROTOCOL = "smtp+starttls";
+            SMTP_ADDR = "mail.nul.ie";
+            SMTP_PORT = 587;
+            USER = "git@nul.ie";
+            FROM = "Gitea <git@nul.ie>";
+          };
+        };
+      };
+    };
+
+    my = {
+      secrets = {
+        files =
+        let
+          ownedByGit = {
+            owner = "git";
+            group = "git";
+          };
+        in
+        {
+          "gitea/db.txt" = ownedByGit;
+          "gitea/mail.txt" = ownedByGit;
+        };
+      };
+
+      firewall.extraRules = ''
+        table inet filter {
+          chain input {
+            ip saddr ${prefixes.all.v4} tcp dport 3000 accept
+            ip6 saddr ${prefixes.all.v6} tcp dport 3000 accept
+          }
+        }
+      '';
+    };
+  };
+}

secrets/gitea/db.txt.age

@@ -0,0 +1,10 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEJhUWxSZyBRK3Zp
+OTVnQ2lZRzloWE1hYmxMYWZERDdXL0pTdFVGYUN3Vk0wbkhBWTFBCkg1YkVidmwy
+ZVhDSWJOTXB6Qmw5OXNVU0RVUlFyQkE4MVE2eUp6ZXZBOHMKLT4gWDI1NTE5IG9u
+YUMxZkhHc0RVZkQ3UEEvazArRnl5NGpvTkJPRWdFbm9qYzdjZjNZZ28KRU1FdmMz
+cVlzbHRFWUZqbkw2Ry9QVXppTFdNRTIwWnJBYzc0NUxieUMvRQotPiAxbn4nYSxC
+LWdyZWFzZSBNRyAxO0EgVDoKQklPUS93Ci0tLSBoTXhqZ2VjNTlOVzdBN25CeUdD
+VFJtT2pDWi9taXh1SHpNTG9oeHJsbE9jCgGD+69tbzN5f1FlBBSMb/2GgJW2cmXI
+97MXqA888ugf0vppdqy5yu+D4GdjoIvkKv0=
+-----END AGE ENCRYPTED FILE-----

secrets/gitea/mail.txt.age

@@ -0,0 +1,11 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEJhUWxSZyBGekxK
+ZFVBQkpTeGtzcHJuektzS0hPUFBIelg5UzQvVzg3SXJmSE9NbG5nCjFMbDBMcmFw
+dG9xaHpGV2RvZDg3WjRueTZtUGR3TnUyZE8yM1Rhdi83MGcKLT4gWDI1NTE5IGRu
+Ry9ZNVIyWEYvcWhCOWx0eEVVcnFaYm5IK3Fhc1Z1Ykg0VDFEbE0wU28KcnFGN3Rs
+bEtUazc3dkFCMEN2V2hTNFhlK2Z0OWQyNjNjaW5kbVU2OVozQQotPiAlfj84LWdy
+ZWFzZSBNLzc9fUcgNi5nKCBdRk50dSB1ClJkdmx0VjVUK0o3cmxrY1JycktXVkFS
+Yk10a3plZmsKLS0tIEVzUEhoUEE5TkZFK01BckxpZ0tKV2hZRERRbnFQUnlXRjQx
+RExPb1B3dHMKUaxZI1wEt10kHnWMgn3Na0UVpn/bhGpwXpToyH0Gzdjy5mQiPvcl
+X8RKm1wpkrLhXA==
+-----END AGE ENCRYPTED FILE-----