From a088e336dc10f987340312f4f125182168ef4665 Mon Sep 17 00:00:00 2001
From: Andrea Ciceri
Date: Sun, 11 Feb 2024 15:40:02 +0100
Subject: [PATCH] Host `forgejo` on `sisko`
And runner on `picard`
---
hosts/default.nix | 1 +
hosts/picard/default.nix | 1 +
hosts/sisko/default.nix | 1 +
modules/forgejo-runners/default.nix | 25 ++++++++++++++++
modules/forgejo/default.nix | 44 +++++++++++++++++++++++++++++
modules/matrix/default.nix | 17 +++++++----
secrets/forgejo-runners-token.age | 29 +++++++++++++++++++
secrets/secrets.nix | 1 +
8 files changed, 113 insertions(+), 6 deletions(-)
create mode 100644 modules/forgejo-runners/default.nix
create mode 100644 modules/forgejo/default.nix
create mode 100644 secrets/forgejo-runners-token.age
diff --git a/hosts/default.nix b/hosts/default.nix
index 66865e8..09b3afb 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -117,6 +117,7 @@
 "autistici-password".owner = "ccr";
 "restic-hetzner-password" = {};
 "aws-credentials".owner = "hercules-ci-agent";
+ "forgejo-runners-token".owner = "forgejo-runners";
 };
 };
diff --git a/hosts/picard/default.nix b/hosts/picard/default.nix
index 79c6557..2175678 100644
--- a/hosts/picard/default.nix
+++ b/hosts/picard/default.nix
@@ -34,6 +34,7 @@
 "greetd"
 "syncthing"
 "hass-poweroff"
+ "forgejo-runners"
 ]
 ++ [
 ./disko.nix
diff --git a/hosts/sisko/default.nix b/hosts/sisko/default.nix
index 1e33ebf..3e41ec6 100644
--- a/hosts/sisko/default.nix
+++ b/hosts/sisko/default.nix
@@ -29,6 +29,7 @@
 "syncthing"
 "minio"
 "matrix"
+ "forgejo"
 ]
 ++ [
 ./disko.nix
diff --git a/modules/forgejo-runners/default.nix b/modules/forgejo-runners/default.nix
new file mode 100644
index 0000000..3c5742e
--- /dev/null
+++ b/modules/forgejo-runners/default.nix
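Review bot: The new entry sets `owner = "forgejo-runners"`, but that user is only created by the `forgejo-runners` module, which this patch imports on `picard` alone, and `secrets/secrets.nix` encrypts the file for `picard` only. If this `age.secrets` attrset (its start is outside the hunk) is evaluated on every host, agenix will try to decrypt and chown the secret on `sisko` as well and fail at activation. The neighbouring `aws-credentials` entry suggests there may already be per-host filtering of declared secrets, so please confirm; if there is none, gate the entry on the runner module being enabled (for example with `lib.mkIf` on `config.services.gitea-actions-runner.instances.test.enable`).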
@@ -0,0 +1,25 @@
+{
+ config,
+ lib,
+ ...
+}: {
+ users.users.forgejo-runners = {
+ isSystemUser = true;
+ group = "forgejo-runners";
+ };
+
+ users.groups.forgejo-runners = {};
+
+ services.gitea-actions-runner.instances.test = {
+ enable = true;
+ name = "test";
+ url = "https://git.aciceri.dev";
+ tokenFile = config.age.secrets.forgejo-runners-token.file;
+ labels = ["test"];
+ };
+
+ systemd.services.gitea-runner-test.serviceConfig = {
+ User = lib.mkForce "forgejo-runners";
+ Group = lib.mkForce "forgejo-runners";
+ };
+}
diff --git a/modules/forgejo/default.nix b/modules/forgejo/default.nix
new file mode 100644
index 0000000..295e8b4
--- /dev/null
+++ b/modules/forgejo/default.nix
@@ -0,0 +1,44 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ services.forgejo = {
+ enable = true;
+ stateDir = "/mnt/hd/forgejo";
+ settings = {
+ DEFAULT = {
+ RUN_MODE = "dev";
+ APP_NAME = "git.aciceri.dev";
+ };
+ session.COOKIE_SECURE = true;
+ service.DISABLE_REGISTRATION = true;
+ server = {
+ HTTP_PORT = 3002;
+ ROOT_URL = "https://git.aciceri.dev";
+ };
+ other = {
+ SHOW_FOOTER_VERSION = false;
+ };
+ };
+ dump.enable = true;
+ };
+
+ systemd.tmpfiles.rules = [
+ "d ${config.services.forgejo.stateDir} 770 forgejo forgejo"
+ ];
+
+ backup.paths = [
+ config.services.forgejo.stateDir
+ ];
+
+ imports = [../nginx-base];
+
+ services.nginx.virtualHosts = {
+ "git.aciceri.dev" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://127.0.0.1:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}";
+ };
+ };
+}
diff --git a/modules/matrix/default.nix b/modules/matrix/default.nix
index c248ac3..0478717 100644
--- a/modules/matrix/default.nix
+++ b/modules/matrix/default.nix
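Review bot: `labels = ["test"]` carries no execution scheme, and as I read act_runner's label syntax a bare label defaults to the `host` scheme, so every job dispatched to this runner executes directly on `picard` as `forgejo-runners`, with the host's filesystem and network and no container boundary. If that is intended it deserves a comment on the `labels` line saying so (the unprivileged dedicated user is the right choice for it); otherwise pin a container image, e.g. `labels = ["test:docker://node:20-bullseye"];` (constructed example image), and enable the container runtime the module expects. Separately, the NixOS option documents `tokenFile` as an environment file, so the decrypted `forgejo-runners-token` secret needs to contain `TOKEN=<value>` rather than a bare token — worth confirming the .age payload was written in that format. The `lib.mkForce` on `User`/`Group` overrides whatever the upstream unit sets; if that unit uses `DynamicUser`, check that the static user is still honoured.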
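Review bot: `RUN_MODE = "dev"` in `DEFAULT` runs a publicly reachable Forgejo in development mode, which is more verbose and more permissive than production mode; for the instance behind `https://git.aciceri.dev` it should be `RUN_MODE = "prod";`. Nginx proxies to `127.0.0.1:3002`, but nothing here binds Forgejo's own listener to loopback; unless the NixOS module already defaults `HTTP_ADDR` to loopback (I believe it defaults to `0.0.0.0`, please verify), add `server.HTTP_ADDR = "127.0.0.1";` so the plain-HTTP port cannot be reached directly, bypassing `forceSSL` and `COOKIE_SECURE`. With `dump.enable = true` the dumps presumably land under `stateDir` and are therefore covered by `backup.paths`; if the dump directory is configured elsewhere it needs adding to that list.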
@@ -33,16 +33,21 @@ in {
 services.postgresql = {
 enable = true;
 initialScript = pkgs.writeText "synapse-init.sql" ''
- CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
- CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
- TEMPLATE template0
- LC_COLLATE = "C"
- LC_CTYPE = "C";
+ CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+ CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
 '';
 };
+ systemd.tmpfiles.rules = [
+ "d ${config.services.matrix-synapse.dataDir} 770 matrix-synapse matrix-synapse"
+ ];
+
 services.matrix-synapse = {
 enable = true;
+ dataDir = "/mnt/hd/matrix-synapse";
 settings = {
 server_name = "aciceri.dev";
 public_baseurl = "https://matrix.aciceri.dev";
@@ -66,7 +71,7 @@ in {
 };
 backup.paths = [
- "/var/lib/matrix-synapse"
+ config.services.matrix-synapse.dataDir
 "/var/backup/postgresql/matrix-synapse.sql.gz"
 ];
diff --git a/secrets/forgejo-runners-token.age b/secrets/forgejo-runners-token.age
new file mode 100644
index 0000000..c50ffc1
--- /dev/null
+++ b/secrets/forgejo-runners-token.age
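Review bot: Setting `dataDir = "/mnt/hd/matrix-synapse"` also moves where Synapse looks for its signing key and media store; unless the existing contents of `/var/lib/matrix-synapse` are copied there before the switch, the service will generate a fresh signing key and the server's federation identity changes. A one-line comment on the `dataDir` line recording that one-off migration would save the next person that surprise. The re-indented `initialScript` still creates the role with the literal password `'synapse'`; that is pre-existing and only acceptable if PostgreSQL is restricted to local socket/peer authentication, which is worth stating in a comment beside it. The enclosing attrset starts outside the hunk.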
@@ -0,0 +1,29 @@ +age-encryption.org/v1 +-> ssh-rsa /AagBw +Z16SvgU6/7dOl+1UxJkOjXGRWzj6EwS2Df+4PwSaxraCN3bZmFKbS/XoHKfrl+IM +HWLtHspDOCFVDoncA4RrhjhFmZFXEYHLQhvaK6br274ALahEPf3kNZWfHntVKJyy +wLyBnGpW5hscln1X/NSC0xXkUKfmZAE6lkpFj/C3TUZpIKnQ6LFpyGs5mAj6PEuY +amPVOotBSGgbJQed8JpmWcX8XiO05cfPEi6oSiDkauXKGVSzWfXk3GSChzBl/Y2a +8llIvJ9BNy6cFC0d7pZBJrpV1FXlDxo6LxkC6WeUzMJH7s44UvOhVbjPp0dNjLLD +AqYotOWm6r4KMBlpUU8q+9t4ipBRDYhxEgjZyuEfwXcXilJJ0IYYLwGSlkTFbGUQ +RwiZnRHbdHrpkysTRemLbZl4ZqvCcV9k+uGDaVLNnYZoXmO1jd3A49lr4Pg31niQ +wdfEhbQF2m3ERERiNgz/FkO2jXp8uRKPvFnkFkeE5rf3p7rA8iNdAAIKOkMtqn23 +u5RRNDXx547Z47C7DaXpzu91wa7cp1PmAgsuvvO0+7EWCIkZh+CsSuJqQwFbGuTf +RUK/cxLjU3M/1WyedNaWRt4g6WfbBGptuLJgGV7dAR+4sJdNTD2wCeovmBnAjk4z +uz0BrfQjkLgFk8h2/nNShCshHqjo6WgbS/0uhHyVFCA +-> ssh-rsa QHr3/A +EoP1VXE5X5h6XHFzfE+vdAQHA92DqOAu+d4DFPTUJMjns3roMcW1Q0p0B288H7zl +lo2Q+9MmQNkSCdeJbAZBirUidr9UHRrQqONHxa9Dc3Q9vx82Z2M+BYJ+wiVyEX3x +8yZwuVl2W0zjQzhSmkymFQJHsMLD8icMH5gQSL2nS38Dbm2qtD0zkUPg4wYchy8p +Yzu9OotRT1AigoSjBgUG4ChlZSLmKFlHPI3Fkh80OsflobhM80jkMDQ1n66G2GLv +0swhI5vBbHbwUbEl0LJpKKsY4zBLm91dIAa4m3L95WNEr21YwplLZ+FV2deExfkZ +rimqEjsS2lJMpul7ondDDuG2u3Wr7tTkKgfotu3+Es8oOtOsvnmhQOZS1uYYK9mu +kiyg3RDo0CN78VN0XSw/oPNxR6xVDA9eNbn4mnXoPf8jZHxJ9mjZ64zusNgN8TuU +Yr/GlnJoTOkbjPvqtRDA+uz6ovhq9KIExhDXMAelmoxs3BmAyAXkGX+6f8ds0ZWA +I6hrhaY1hqbnyyNf18pldvi0XhI4CoD3VVCc5qeMN4aSfKM6Sz+vlRiiKY0snwa0 +2OnCbcTJbxFr/niQI27d/T2G8P9LYumY38Ez+FLhCdICTmaCKjzsIkujGzzd/M8l +nWC3BxPuWlvBs3frX5Ujun0UKyqWZCpRNZXNQwWr2L0 +-> ssh-ed25519 /WmILg Q88RuUxDh5UDcN6I7sbvIcYnY8sl4wN9e72pk9MKCXo +yd0XyHfUuYAr+gcB2q95JlddvYj61IkweeRH/YA4SYo +--- 3vWlg+QLHC83h7gKBavcsZPVO/twVSbWNhRHQBwnoQA + aLw5$^zdF".'0*'^>ayڲ#oI.q@!Ba!dy[ڣ(Wuk \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 1c7a8ca..331df8f 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -22,6 +22,7 @@ in
 "restic-hetzner-password.age".publicKeys = [ccr-ssh ccr-gpg picard sisko kirk];
 "hass-ssh-key.age".publicKeys = [ccr-ssh ccr-gpg sisko];
 "matrix-registration-shared-secret.age".publicKeys = [ccr-ssh ccr-gpg sisko];
+ "forgejo-runners-token.age".publicKeys = [ccr-ssh ccr-gpg picard];
 # WireGuard
 "picard-wireguard-private-key.age".publicKeys = [ccr-ssh ccr-gpg picard];