Merge pull request 'Flake is now modular and supports forgejo and forgejo-ci-runner' (#1) from debug into main
Reviewed-on: #1
This commit is contained in:
commit
12221697d2
17 changed files with 451 additions and 128 deletions
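--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,22 @@
+keys:
+- &Lyn age18c6zws9wk9r7dxjqafwj2l2ex5mn5v8u6yrd2ys9ng8q09rsedpqm38jzv
+- &forgenite age1u4dtlq4lavqufzsqfqlsnu67u3x2t3d7ffxkqrah2des4dlxns2slegl38
+- &forgejo-ci age13pau3xqusxuczm9kwpxg4fdze4xhenfwmjw80ed7g336a8x7tqpqdqvjjj
+
+creation_rules:
+- path_regex: secrets/all/[^/]+\.yaml$
+key_groups:
+- age:
+- *Lyn
+- *forgenite
+#hosts
+- path_regex: secrets/hosts/forgenite.yaml
+key_groups:
+- age:
+- *Lyn
+- *forgenite
+- path_regex: secrets/hosts/forgejo-ci.yaml
+key_groups:
+- age:
+- *Lyn
+- *forgejo-ci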
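Review bot: The two host rules `- path_regex: secrets/hosts/forgenite.yaml` and `- path_regex: secrets/hosts/forgejo-ci.yaml` are unanchored and leave the `.` unescaped, unlike the first rule `secrets/all/[^/]+\.yaml$`; sops applies the first rule whose regex matches anywhere in the path, so a stray `secrets/hosts/forgenite.yaml.bak` or a same-named file elsewhere in the tree would silently be encrypted to that host's key set. Anchor and escape them: `- path_regex: secrets/hosts/forgenite\.yaml$` and `- path_regex: secrets/hosts/forgejo-ci\.yaml$`. A one-line comment above `keys:` recording which host or ssh key each age recipient was derived from would make rotation traceable later.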
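--- a/flake.lock
+++ b/flake.lock
@@ -0,0 +1,96 @@
+{
+"nodes": {
+"nixpkgs": {
+"locked": {
+"lastModified": 1725407940,
+"narHash": "sha256-tiN5Rlg/jiY0tyky+soJZoRzLKbPyIdlQ77xVgREDNM=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "6f6c45b5134a8ee2e465164811e451dcb5ad86e3",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "nixos-24.05",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"nixpkgs-stable": {
+"locked": {
+"lastModified": 1721524707,
+"narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "556533a23879fc7e5f98dd2e0b31a6911a213171",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "release-24.05",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"nixpkgs-unstable": {
+"locked": {
+"lastModified": 1725432240,
+"narHash": "sha256-+yj+xgsfZaErbfYM3T+QvEE2hU7UuE+Jf0fJCJ8uPS0=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "ad416d066ca1222956472ab7d0555a6946746a80",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "nixos-unstable",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"nixpkgs_2": {
+"locked": {
+"lastModified": 1725194671,
+"narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "nixpkgs-unstable",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"root": {
+"inputs": {
+"nixpkgs": "nixpkgs",
+"nixpkgs-unstable": "nixpkgs-unstable",
+"sops-nix": "sops-nix"
+}
+},
+"sops-nix": {
+"inputs": {
+"nixpkgs": "nixpkgs_2",
+"nixpkgs-stable": "nixpkgs-stable"
+},
+"locked": {
+"lastModified": 1725540166,
+"narHash": "sha256-htc9rsTMSAY5ek+DB3tpntdD/es0eam2hJgO92bWSys=",
+"owner": "Mic92",
+"repo": "sops-nix",
+"rev": "d9d781523a1463965cd1e1333a306e70d9feff07",
+"type": "github"
+},
+"original": {
+"owner": "Mic92",
+"repo": "sops-nix",
+"type": "github"
+}
+}
+},
+"root": "root",
+"version": 7
+}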
43
flake.nix
43
flake.nix
|
@ -2,22 +2,39 @@
|
||||||
description = "Lyns flake";
|
description = "Lyns flake";
|
||||||
inputs = {
|
inputs = {
|
||||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
|
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
|
||||||
|
sops-nix.url = "github:Mic92/sops-nix";
|
||||||
|
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
|
||||||
};
|
};
|
||||||
outputs = { self, nixpkgs }@inputs: {
|
outputs = {self, nixpkgs, nixpkgs-unstable, sops-nix }@inputs: let
|
||||||
nixosConfigurations = {
|
|
||||||
"forgejo" = nixpkgs.lib.nixosSystem {
|
passInputs = ({lib,config,...}:{
|
||||||
|
options.inputs = lib.mkOption{type = lib.types.attrs;};
|
||||||
|
config.inputs = inputs;
|
||||||
|
options.pkgsInstances = lib.mkOption{type = lib.types.attrs;};
|
||||||
|
config.pkgsInstances = {
|
||||||
|
unstable = import inputs.nixpkgs-unstable{system = config.nixpkgs.system;};
|
||||||
|
};
|
||||||
|
});
|
||||||
|
|
||||||
|
in {
|
||||||
|
|
||||||
|
nixosConfigurations = {
|
||||||
|
"forgejo" = nixpkgs.lib.nixosSystem {
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
modules = [
|
modules = [
|
||||||
# Import the configuration.nix here, so that the
|
./hosts/forgenite
|
||||||
# old configuration file can still take effect.
|
sops-nix.nixosModules.sops
|
||||||
# Note: configuration.nix itself is also a Nixpkgs Module,
|
passInputs
|
||||||
./configuration.nix
|
|
||||||
];
|
];
|
||||||
specialArgs = {
|
};
|
||||||
inherit inputs;
|
"forgejo-ci" = nixpkgs.lib.nixosSystem {
|
||||||
flake = self;
|
system = "x86_64-linux";
|
||||||
};
|
modules = [
|
||||||
|
./hosts/forgejo-ci
|
||||||
|
sops-nix.nixosModules.sops
|
||||||
|
passInputs
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|
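Review bot: The removed `specialArgs = { inherit inputs; flake = self; };` was what made `inputs` available as a module argument, and the replacement `passInputs` module publishes it only as a config option (`options.inputs` / `config.inputs = inputs;`), while the new host and service modules still declare `inputs` in their argument set (`{ config, pkgs, lib, inputs, ... }` in hosts/forgejo-ci/default.nix and services/*.nix). The module system resolves such arguments from `_module.args` lazily, so this only fails the moment one of those modules actually reads `inputs` — an easy trap for the next edit. Either add `config._module.args.inputs = inputs;` next to `config.inputs = inputs;` or drop the parameter from the modules. Separately, `import inputs.nixpkgs-unstable{system = config.nixpkgs.system;}` evaluates a second nixpkgs without the main instance's `nixpkgs.config` or overlays, so settings like `allowUnfree` made in a profile presumably do not apply to `pkgsInstances.unstable`; a comment on that line would save someone the surprise.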
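--- a/hosts/forgejo-ci/default.nix
+++ b/hosts/forgejo-ci/default.nix
@@ -0,0 +1,20 @@
+{ config, pkgs, lib, inputs, ... }: {
+imports =
+[
+./../../services/forgejo-ci.nix
+./hardware-configuration.nix
+./../../users/lyn
+./../../meta/profiles/base.nix
+./../../meta/profiles/vm.nix
+];
+lyn.sops.secrets."hosts/forgejo-ci/forgejo_ci_token" = {};
+# Use UEFI
+boot.loader.systemd-boot.enable = true;
+
+networking.hostName = "forgenite"; # Define your hostname.
+
+# Firewall stuff:
+networking.firewall.enable = true;
+networking.firewall.allowPing = true;
+system.stateVersion = "23.05";
+}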
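Review bot: `networking.hostName = "forgenite"; # Define your hostname.` on the CI runner host reuses the Forgejo host's name; the sops secret path on the line above and the flake entry both call this machine `forgejo-ci`, so this looks copied from the forgenite config — `networking.hostName = "forgejo-ci";`. Two VMs announcing the same hostname also make DHCP registrations and log correlation ambiguous, which matters on the host that runs CI jobs. `system.stateVersion = "23.05";` differs from the other host's `"24.05"`; if this VM was installed fresh for this change it should match the release it was installed from (verify). The `inputs` argument in the module pattern is unused here.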
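--- a/hosts/forgejo-ci/hardware-configuration.nix
+++ b/hosts/forgejo-ci/hardware-configuration.nix
@@ -0,0 +1,38 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+imports =
+[ (modulesPath + "/profiles/qemu-guest.nix")
+];
+
+boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+boot.initrd.kernelModules = [ ];
+boot.kernelModules = [ "kvm-intel" ];
+boot.extraModulePackages = [ ];
+
+fileSystems."/" =
+{ device = "/dev/disk/by-uuid/58fe64e6-74c3-4a96-885c-340a3126d1f0";
+fsType = "ext4";
+};
+
+fileSystems."/boot" =
+{ device = "/dev/disk/by-uuid/40A9-C398";
+fsType = "vfat";
+};
+
+swapDevices =
+[ { device = "/dev/disk/by-uuid/4d39c334-1726-4646-95d3-ecbedbf21ddb"; }
+];
+
+# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+# (the default) this is the recommended approach. When using systemd-networkd it's
+# still possible to use this option, but it's recommended to use it in conjunction
+# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+networking.useDHCP = lib.mkDefault true;
+# networking.interfaces.enp6s18.useDHCP = lib.mkDefault true;
+
+nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}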
|
@ -1,126 +1,22 @@
|
||||||
# Edit this configuration file to define what should be installed on
|
{ config, pkgs, lib, inputs, ... }: {
|
||||||
# your system. Help is available in the configuration.nix(5) man page
|
|
||||||
# and in the NixOS manual (accessible by running `nixos-help`).
|
|
||||||
|
|
||||||
{ config, pkgs, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
imports =
|
imports =
|
||||||
[
|
[
|
||||||
|
./../../services/forgejo.nix
|
||||||
|
./../../users/lyn
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
# comment in backup.nix for borgbackuping forgejo
|
./../../meta/profiles/base.nix
|
||||||
#./backup.nix
|
./../../meta/profiles/vm.nix
|
||||||
];
|
];
|
||||||
# Write path for borgbackup repos for backup.nix
|
lyn.sops.secrets."hosts/forgenite/forgejo_db_password".owner = "forgejo";
|
||||||
_module.args.borgrepolistfile = ./borgrepos;
|
|
||||||
|
|
||||||
# Enable Flakes and the new command-line tool
|
|
||||||
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
|
||||||
# Set default editor to vim
|
|
||||||
environment.variables.EDITOR = "vim";
|
|
||||||
# Use UEFI
|
# Use UEFI
|
||||||
boot.loader.systemd-boot.enable = true;
|
boot.loader.systemd-boot.enable = true;
|
||||||
|
|
||||||
# Use the GRUB 2 boot loader.
|
networking.hostName = "forgenite"; # Define your hostname.
|
||||||
#boot.loader.grub.enable = true;
|
|
||||||
#boot.loader.grub.device = "/dev/sda";
|
|
||||||
|
|
||||||
networking.hostName = "forgejo"; # Define your hostname.
|
|
||||||
# Set your time zone.
|
|
||||||
time.timeZone = "Europe/Berlin";
|
|
||||||
|
|
||||||
users.users.lyn = {
|
|
||||||
isNormalUser = true;
|
|
||||||
extraGroups = [ "wheel"];
|
|
||||||
openssh.authorizedKeys.keys = [
|
|
||||||
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC7NUaBJOYgMnT2uUUUSB7gKaqqbgxXDghBkRqSGuZrAZzZYHlHH7nM6Re7+yOYMSoJGLaB4iaUDLSBBnyA6pLI= nixos_gitea@secretive.MacBook-Pro-(2).local"
|
|
||||||
];
|
|
||||||
packages = with pkgs; [
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
# List packages installed in system profile. To search, run:
|
|
||||||
# $ nix search wget
|
|
||||||
environment.systemPackages = with pkgs; [
|
|
||||||
git
|
|
||||||
vim
|
|
||||||
wget
|
|
||||||
curl
|
|
||||||
htop
|
|
||||||
];
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# Enable the OpenSSH daemon.
|
|
||||||
services.openssh = {
|
|
||||||
enable = true;
|
|
||||||
settings = {
|
|
||||||
X11Forwarding = true;
|
|
||||||
PermitRootLogin = "no";
|
|
||||||
PasswordAuthentication = false;
|
|
||||||
};
|
|
||||||
openFirewall = true;
|
|
||||||
};
|
|
||||||
#Forgejo
|
|
||||||
services.forgejo = {
|
|
||||||
enable = true;
|
|
||||||
settings.server = {
|
|
||||||
ROOT_URL = "https://git.shibe.pro";
|
|
||||||
DOMAIN = "git.shibe.pro";
|
|
||||||
HTTP_PORT = 48540;
|
|
||||||
OFFLINE_MODE = true; # disable gravatar, CDN
|
|
||||||
};
|
|
||||||
settings.actions = {
|
|
||||||
ENABLED = true;
|
|
||||||
};
|
|
||||||
settings."repository.upload" = {
|
|
||||||
FILE_MAX_SIZE = 4095;
|
|
||||||
MAX_FILES = 20;
|
|
||||||
};
|
|
||||||
settings."attachment" = {
|
|
||||||
MAX_SIZE = 4095;
|
|
||||||
MAX_FILES = 20;
|
|
||||||
};
|
|
||||||
|
|
||||||
settings.service = {
|
|
||||||
DISABLE_REGISTRATION = true;
|
|
||||||
DEFAULT_KEEP_EMAIL_PRIVATE = true;
|
|
||||||
};
|
|
||||||
database = {
|
|
||||||
user = "forgejo";
|
|
||||||
passwordFile = "/etc/nixos/forgejo-dbpassword";
|
|
||||||
name = "forgejodb";
|
|
||||||
type = "mysql";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
# Allow forgejo user to adjust authorized_keys dynamically
|
|
||||||
services.openssh.extraConfig = ''
|
|
||||||
Match User forgejo
|
|
||||||
AuthorizedKeysFile ${config.users.users.forgejo.home}/.ssh/authorized_keys
|
|
||||||
'';
|
|
||||||
|
|
||||||
#enable qemu-guestagent
|
|
||||||
services.qemuGuest.enable = true;
|
|
||||||
# Disable password checking for wheel group users so we can solely rely on ssh keys
|
|
||||||
security.sudo.wheelNeedsPassword = false;
|
|
||||||
|
|
||||||
# Firewall stuff:
|
# Firewall stuff:
|
||||||
networking.firewall.enable = true;
|
networking.firewall.enable = true;
|
||||||
networking.firewall.allowPing = true;
|
networking.firewall.allowPing = true;
|
||||||
|
|
||||||
# Open ports in the firewall.
|
|
||||||
networking.firewall.allowedTCPPorts = [48540 ];
|
|
||||||
# networking.firewall.allowedUDPPorts = [ ... ];
|
|
||||||
# Or disable the firewall altogether.
|
|
||||||
# networking.firewall.enable = false;
|
|
||||||
|
|
||||||
# Copy the NixOS configuration file and link it from the resulting system
|
|
||||||
# (/run/current-system/configuration.nix). This is useful in case you
|
|
||||||
# accidentally delete configuration.nix.
|
|
||||||
# system.copySystemConfiguration = true;
|
|
||||||
|
|
||||||
# This value determines the NixOS release from which the default
|
# This value determines the NixOS release from which the default
|
||||||
# settings for stateful data, like file locations and database versions
|
# settings for stateful data, like file locations and database versions
|
||||||
# on your system were taken. It's perfectly fine and recommended to leave
|
# on your system were taken. It's perfectly fine and recommended to leave
|
||||||
|
@ -129,10 +25,6 @@
|
||||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||||
system.stateVersion = "24.05"; # Did you read the comment?
|
system.stateVersion = "24.05"; # Did you read the comment?
|
||||||
|
|
||||||
system.autoUpgrade = {
|
|
||||||
enable = true;
|
|
||||||
allowReboot = true;
|
|
||||||
};
|
|
||||||
nix.gc = {
|
nix.gc = {
|
||||||
automatic = true;
|
automatic = true;
|
||||||
persistent = true;
|
persistent = true;
|
||||||
|
|
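Review bot: The second hunk (`@ -129,10 +25,6 @@`) drops `system.autoUpgrade = { enable = true; allowReboot = true; };` entirely, which the PR title does not mention, and none of the `meta/profiles` files in this commit re-declare it, so this host silently stops applying unattended updates. If that is intended, a line in the description saying so would help; otherwise restore it in `meta/profiles/base.nix` or here. This section's file header is not visible in the rendering, so I am assuming it is the forgenite host config that replaces `configuration.nix`. The new `lyn.sops.secrets."hosts/forgenite/forgejo_db_password".owner = "forgejo";` sets ownership in the host file while `services/forgejo.nix` is the consumer; a short comment such as `# consumed by services/forgejo.nix (database.passwordFile)` keeps the two in sync.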
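--- a/meta/enable.nix
+++ b/meta/enable.nix
@@ -0,0 +1,8 @@
+{lib, config, ...}: {
+lib.meta.enable = list: lib.genAttrs
+list
+(name:
+${name}.enable = true;
+)
+;
+}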
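Review bot: `(name: ${name}.enable = true; )` is not valid Nix — a bare `${name}.enable = true;` is an attribute binding, not an expression — so this file fails to parse as soon as something imports it (nothing in this diff does, so it is currently dead code). Even the apparent intent `{ ${name}.enable = true; }` would be wrong under `lib.genAttrs`, which already keys the result by `name` and would produce `{ foo = { foo.enable = true; }; }`. Reduce it to `lib.meta.enable = list: lib.genAttrs list (_: { enable = true; });` and add `# [ "a" "b" ] -> { a.enable = true; b.enable = true; }` above it so the contract is visible.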
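--- a/meta/mkLocalModule.nix
+++ b/meta/mkLocalModule.nix
@@ -0,0 +1,23 @@
+{lib, config, ...}: {
+lib.mkLocalModule = pathInterpolation: optDesc: config: let
+#example_input = ./some/subdir/MARKER/a/b/c/d/e/f/g;
+marker = "local-modules";
+splitAfterMarker = marker: input: builtins.foldl' (acc: new:
+if acc == false then # marker not found yet
+if new == marker then [] else acc
+else # marker found
+if builtins.typeOf new == "string"
+then acc ++ [new]
+else acc
+) false (builtins.split "/" (builtins.toString input));
+path = splitAfterMarker marker pathInterpolation;
+inputs = {
+#optDesc = "enable this";
+inherit optDesc: config;
+};
+mod = {config, ...}: {
+options = lib.setAttrsByPath path (lib.mkEnableOption inputs.optDesc);
+config = lib.mkIf (lib.getAttrByPath path config) inputs.config;
+};
+in mod;
+}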
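Review bot: `inherit optDesc: config;` is a syntax error — `inherit` takes a space-separated list, `inherit optDesc config;` — and `lib.setAttrsByPath` does not exist in nixpkgs lib; the function is `lib.setAttrByPath`. Nothing in this diff imports `meta/mkLocalModule.nix`, so neither surfaces until the helper is first used, at which point the host evaluation breaks. The `config` parameter of `mkLocalModule` is deliberately shadowed by `mod = {config, ...}:` (the outer one is captured as `inputs.config`); a comment on the `mod` line saying so would stop a reader from "fixing" it. Replacing `#example_input = …` with a sentence such as `# options are created under the attribute path that follows the "local-modules" directory in pathInterpolation` documents the marker convention.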
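--- a/meta/modules/sops/default.nix
+++ b/meta/modules/sops/default.nix
@@ -0,0 +1,23 @@
+{ pkgs, lib, config, ... }:
+let
+cfg = config.lyn.sops;
+in
+{
+options.lyn.sops = with lib; {
+secrets = mkOption {
+type = types.attrs;
+default = { };
+};
+};
+config = {
+sops.secrets = lib.mapAttrs
+(name: value:
+let
+name_split = lib.splitString "/" name;
+in
+{
+sopsFile = ../../../secrets/${builtins.elemAt name_split 0}/${builtins.elemAt name_split 1}.yaml;
+} // value)
+cfg.secrets;
+};
+}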
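Review bot: The `lyn.sops.secrets` attribute name doubles as the file locator — `elemAt name_split 0`/`1` select `secrets/<dir>/<file>.yaml`, and as far as I recall sops-nix uses the full secret name as the key path inside that file by default — but this convention is not written down, and a name with fewer than two segments fails with a bare list-index error at evaluation time. Add `# name is "<dir>/<file>/<key>": sopsFile = secrets/<dir>/<file>.yaml, key path inside the file = name` above `name_split`, and fail early with `in assert lib.assertMsg (builtins.length name_split >= 3) "lyn.sops.secrets: ${name} must be <dir>/<file>/<key>";` before the attrset. `type = types.attrs;` merges definitions shallowly, so two modules defining the same secret name overwrite each other silently; `types.attrsOf types.attrs` merges per secret instead (check it against what sops-nix's own `sops.secrets` option accepts).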
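--- a/meta/profiles/base.nix
+++ b/meta/profiles/base.nix
@@ -0,0 +1,31 @@
+{lib, config, pkgs, ...}: {
+imports = [
+../modules/sops
+];
+nix.settings.experimental-features = [ "nix-command" "flakes" ];
+nixpkgs.config.allowUnfree = true;
+nix.package = config.pkgsInstances.unstable.lix;
+environment.variables.EDITOR = "vim";
+
+time.timeZone = "Europe/Berlin";
+
+services.openssh = {
+enable = true;
+settings = {
+X11Forwarding = true;
+PermitRootLogin = "no";
+PasswordAuthentication = false;
+};
+openFirewall = true;
+};
+# Disable password checking for wheel group users so we can solely rely on ssh keys
+security.sudo.wheelNeedsPassword = false;
+
+environment.systemPackages = with pkgs; [
+git
+vim
+wget
+curl
+htop
+];
+}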
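Review bot: `X11Forwarding = true;` now lives in the shared profile and therefore also applies to the CI runner VM, which executes workflow code; on headless servers it is unneeded and only widens what an interactive session on a compromised account can do, so set `X11Forwarding = false;` here and let a host that really needs it override it. `security.sudo.wheelNeedsPassword = false;` together with key-only ssh is a trade-off the existing comment already explains; keep it as is. `nix.package = config.pkgsInstances.unstable.lix;` reads the second nixpkgs instance built in flake.nix, which is imported without this file's `nixpkgs.config.allowUnfree = true;` — harmless for lix, but a comment on that line would stop someone expecting unfree packages from `pkgsInstances.unstable`.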
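--- a/meta/profiles/vm.nix
+++ b/meta/profiles/vm.nix
@@ -0,0 +1,5 @@
+{ config, pkgs, lib, ... }:
+{
+#enable qemu-guestagent
+services.qemuGuest.enable = true;
+}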
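--- a/secrets/hosts/forgejo-ci.yaml
+++ b/secrets/hosts/forgejo-ci.yaml
@@ -0,0 +1,32 @@
+hosts:
+forgejo-ci:
+forgejo_ci_token: ENC[AES256_GCM,data:zZQPn/YxMKly1hcT2m3cGoIILh4wG7GiCXwiKRwNLrrPfwJlfAUn9g==,iv:xKVR09JhCIM5plxifcHeAEcsp1UyuXaqXaQCqIPywtU=,tag:zF032vUnTr8Mj79ZLCWcfg==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age18c6zws9wk9r7dxjqafwj2l2ex5mn5v8u6yrd2ys9ng8q09rsedpqm38jzv
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhMG5zVlFXWjNYdFVjdEd3
+WWliRGtBR2YrTEtYcXF0WmI1NnNQc0NnN2dFCjVMMXVWVzJ3Z3g3NjlBaFNSdFFy
+NWxSNjNxN2hFNWYyQkRVUHBGa25laFkKLS0tIFpWaEE4MDBPTWhFdnBOOWNtRC80
+YW9QUWJCRmhhYm1Zb2t6RFJ1SStERHMK8Yk/lGQYocea8MaR4c7/7tkRSqIcjYrO
++i1HN9gIrasVtZF1k0YuSB7sCCQ+oVvKtVCR7TRoeJhoxqgQZ/q5RQ==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age13pau3xqusxuczm9kwpxg4fdze4xhenfwmjw80ed7g336a8x7tqpqdqvjjj
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2TWhSM3lYK3JMQUc0WDUz
+VlEySTNTN2ZaMHo0OXlyTWNPYVhSWE5uZkNJCkFqNHJCc3h6WkVJUkYxM0VibFRY
+MWdYYWdtd1FnMmdtMndIY3gvcmJVQzQKLS0tIFpZV2RrZTg3cWxJOFlkY2F3TWRW
+SVdvMjEyVi81Nnh1UndKMGdXRkIwQjgK+uRsg09wkhyYMW/31mCrRK1AE/Zrvcy8
+Vc7oHU0jscuhBNl/nMRsdquUgIZ67wAf6xJHjAXkUmQ2zi3PVXELvw==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-09-06T03:55:48Z"
+mac: ENC[AES256_GCM,data:H9RZy7w/quqfjMedaQe1NHAasC0FspxcXPyAXoy5uZaAoevNdXQNIe5yqBW+BRrw/5uIKKtLuS7YS5B3evpor2WRV0EeoPmy4dI/oFYZWg2kNzLVTumxQp4Q1vOOcrBrMUmm7OeoItr85p42Cx/08I9TnwRieGMnG5Mn0J6o+Zo=,iv:XbWd6j2LhhOld7NXN2m58f1cUJpLcdb3Ywf0bNkQYdA=,tag:T5gTjfRCCLfGFtIzXE7OfA==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.9.0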
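--- a/secrets/hosts/forgenite.yaml
+++ b/secrets/hosts/forgenite.yaml
@@ -0,0 +1,32 @@
+hosts:
+forgenite:
+forgejo_db_password: ENC[AES256_GCM,data:1Qp6kLbt4tO+9/i5JN2rRjZJW0gJDKEQV9XmDEEts4bVvOsBCu6wYg==,iv:FZCthW7Yo9z0KqJvjhnQaNX1rqdUeINyfdM3xdLcOrk=,tag:32peH4VsZ3hLeC7XAqINAg==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age18c6zws9wk9r7dxjqafwj2l2ex5mn5v8u6yrd2ys9ng8q09rsedpqm38jzv
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBySlhJWGtCd21zM3BxeEox
+NG9VcHBoYkxHeUVwN1dQMHZVVmtpVTV6ekRRClB2MzNlKzVwbkdXRFY0QlUwOEUw
+R2xBNkZGK09pZzBmTUJDdC95bU4vdTAKLS0tIGQ2Z1RpZjRHQUNya2JzZzFQQjA0
+YlJIcmQrUVJMMUdkMjNoOUkva1hIMWMK+56bsZXNIeYiuj+QAuajsCDWPAv9IYV9
+7oh61PZvFYql6TXWjVioIBpS0MxKTbidjWQoYwD4vp8ZikfYUwuoqQ==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1u4dtlq4lavqufzsqfqlsnu67u3x2t3d7ffxkqrah2des4dlxns2slegl38
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5R2lUZkdXQTUrQmRhMnE3
+bnRkdUF1WW1obG1acmdQN0NmSkNmWGlFYzFJCkNGQ2lNVFMvYXZYT2dERE1aMVEy
+a3AybWpZcTZIakVrUExHeTl0MXoxbFkKLS0tIE4wdTRtcUtZTkxiWVkyZC9QSDlR
+YnpWY3ZsZWdQcEc2YTJJeldTaTdCVkkKA8cfHrWV7COWKYf19IP/dt/mPM6PDWvm
+DiTB8JBSKTlsBsvA26qkPHcKyXCBjLDaSi1hmGI6PhI7nIDTQ15t6w==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-09-06T00:00:08Z"
+mac: ENC[AES256_GCM,data:LC/WIffWQMHRk0ty3bnSGNyUySjYIA84euR5dgb95+uegLzAaMtBehnE5GB36eMzciMSP95jP2KOHfDimwU7eugeauEgJLrtv8Sp5r29LnU+MLDpAVwqw/HDZq8J7LIoYspqMr19ZxwcG1K4kfNlB7JYSuP7V7DhXo+I5/Qjv8A=,iv:CHf0KGCpbFIEMjgkxxS8RvSfOrGRYdGd/rdVJ/XPkoI=,tag:ZghIOEu9NLchxz7j4Er6QQ==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.9.0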
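--- a/services/forgejo-ci.nix
+++ b/services/forgejo-ci.nix
@@ -0,0 +1,28 @@
+{ config, pkgs, lib, inputs, ... }:
+{
+environment.systemPackages = with pkgs; [
+docker
+];
+
+# Enable docker
+virtualisation.docker = {
+enable = true;
+daemon.settings = {
+fixed-cidr-v6 = "fd00::/80";
+ipv6 = true;
+};
+};
+# Forgejo actions runner
+services.gitea-actions-runner = {
+package = config.pkgsInstances.unstable.forgejo-runner;
+instances = {
+"shibepro-ci" = {
+enable = true;
+url = "https://git.shibe.pro";
+name = "shibepro-ci";
+tokenFile = config.sops.secrets."hosts/forgejo-ci/forgejo_ci_token".path;
+labels = [];
+};
+};
+};
+}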
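Review bot: `labels = [];` leaves the runner with no declared job-to-environment mapping. As far as I recall, the NixOS `gitea-actions-runner` module only grants the unit access to the docker socket when one of the instance labels uses a `docker://` scheme, so with an empty list the runner would fall back to its built-in labels and then be unable to start job containers on this host (inferred from the module; verify against the deployed unit). Pin them explicitly before the first registration, e.g. `labels = [ "ubuntu-latest:docker://node:20-bookworm" ];` (constructed example, pick the image you actually want), since changing labels later needs a fresh registration token. Jobs here run arbitrary workflow code with access to dockerd, which is root-equivalent on this VM; a comment above `services.gitea-actions-runner` stating that isolation comes from the separate VM and not from the runner config would make that trust boundary explicit. `inputs` in the module pattern is unused.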
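--- a/services/forgejo.nix
+++ b/services/forgejo.nix
@@ -0,0 +1,42 @@
+{pkgs, lib, config, ...}:
+with lib; with builtins; {
+services.forgejo = {
+enable = true;
+package = config.pkgsInstances.unstable.forgejo;
+settings.server = {
+ROOT_URL = "https://git.shibe.pro";
+DOMAIN = "git.shibe.pro";
+HTTP_PORT = 48540;
+OFFLINE_MODE = true; # disable gravatar, CDN
+};
+settings.actions = {
+ENABLED = true;
+};
+settings."repository.upload" = {
+FILE_MAX_SIZE = 4095;
+MAX_FILES = 20;
+};
+settings."attachment" = {
+MAX_SIZE = 4095;
+MAX_FILES = 20;
+};
+
+settings.service = {
+DISABLE_REGISTRATION = true;
+DEFAULT_KEEP_EMAIL_PRIVATE = true;
+};
+database = {
+user = "forgejo";
+passwordFile = config.sops.secrets."hosts/forgenite/forgejo_db_password".path;
+name = "forgejodb";
+type = "mysql";
+};
+};
+
+# Allow forgejo user to adjust authorized_keys dynamically
+services.openssh.extraConfig = ''
+Match User forgejo
+AuthorizedKeysFile ${config.users.users.forgejo.home}/.ssh/authorized_keys
+'';
+networking.firewall.allowedTCPPorts = [48540];
+}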
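Review bot: `networking.firewall.allowedTCPPorts = [48540];` opens Forgejo's plain-HTTP listener (`HTTP_PORT = 48540;`) on every interface while `ROOT_URL` is `https://…`, so the TLS terminator must be somewhere else. If it is a reverse proxy on another machine this is expected, but then the rule should be limited to that proxy's address; if the proxy is local, bind with `settings.server.HTTP_ADDR = "127.0.0.1";` and drop the firewall line. Either way a comment on the port line saying where TLS terminates stops the next reader from guessing. `with lib; with builtins; {` on the second line is unused and shadows names; `{pkgs, lib, config, ...}: {` is sufficient. The database password now comes from sops, but its owner is set in the forgenite host file rather than next to `passwordFile` here; a comment on `passwordFile` naming that dependency keeps the module reusable.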
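--- a/users/lyn/default.nix
+++ b/users/lyn/default.nix
@@ -0,0 +1,11 @@
+{lib,pkgs, config, ...}:{
+imports = [
+./ssh.nix
+];
+users.users.lyn = {
+isNormalUser = true;
+extraGroups = [ "wheel"];
+packages = with pkgs; [
+];
+};
+}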
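--- a/users/lyn/ssh.nix
+++ b/users/lyn/ssh.nix
@@ -0,0 +1,3 @@
+{lib, config, ...}: {
+users.users.lyn.openssh.authorizedKeys.keys = ["ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC7NUaBJOYgMnT2uUUUSB7gKaqqbgxXDghBkRqSGuZrAZzZYHlHH7nM6Re7+yOYMSoJGLaB4iaUDLSBBnyA6pLI= nixos_gitea@secretive.MacBook-Pro-(2).local"];
+}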