From e9ce88b058e1d52d4b712a4344c49e4642ce0639 Mon Sep 17 00:00:00 2001 From: Julius de Jeu Date: Thu, 19 May 2022 21:10:04 +0200 Subject: [PATCH] Add new gitea --- common/users/default.nix | 1 + flake.nix | 12 ++++++-- machines/{base.nix => base/default.nix} | 2 +- machines/gitea/default.nix | 40 +++++++++++++++++++++++++ machines/nginx/default.nix | 9 ++++++ machines/postgres/default.nix | 19 ++++++++---- 6 files changed, 75 insertions(+), 8 deletions(-) rename machines/{base.nix => base/default.nix} (64%) create mode 100644 machines/gitea/default.nix diff --git a/common/users/default.nix b/common/users/default.nix index e82de4b..e6c50c9 100644 --- a/common/users/default.nix +++ b/common/users/default.nix @@ -4,6 +4,7 @@ environment.systemPackages = with pkgs; [ git curl ]; programs.neovim.enable = true; programs.neovim.viAlias = true; + programs.neovim.vimAlias = true; programs.fish.shellInit = "set -U fish_greeting"; users.defaultUserShell = pkgs.fish; diff --git a/flake.nix b/flake.nix index e6d6d67..3a0e4c7 100644 --- a/flake.nix +++ b/flake.nix @@ -24,12 +24,12 @@ packages.x86_64-linux.register = let lxc = nixos-generators.nixosGenerate { pkgs = pkgs; - modules = [ ./machines/base.nix ]; + modules = [ ./machines/base ]; format = "lxc"; }; metadata = nixos-generators.nixosGenerate { pkgs = pkgs; - modules = [ ./machines/base.nix ]; + modules = [ ./machines/base ]; format = "lxc-metadata"; }; in with import nixpkgs { system = "x86_64-linux"; }; @@ -61,6 +61,14 @@ tags = [ "database" ]; }; }; + gitea = { + imports = [ ./machines/gitea ]; + deployment = { + targetUser = "jdejeu"; + targetHost = "gitea.lxd"; + tags = [ "website" "system" ]; + }; + }; }; devShells.x86_64-linux.default = pkgs.mkShell { diff --git a/machines/base.nix b/machines/base/default.nix similarity index 64% rename from machines/base.nix rename to machines/base/default.nix index 3d2304d..4a3ac66 100644 --- a/machines/base.nix +++ b/machines/base/default.nix 
@@ -1,5 +1,5 @@ { config, pkgs, ... }: { - imports = [ ../common ../common/lxc.nix ]; + imports = [ ../../common ../../common/lxc.nix ]; networking.hostName = "base"; system.stateVersion = "21.11"; } diff --git a/machines/gitea/default.nix b/machines/gitea/default.nix new file mode 100644 index 0000000..399ed68 --- /dev/null +++ b/machines/gitea/default.nix @@ -0,0 +1,40 @@ +{ config, pkgs, ... }: { + imports = [ ../../common ../../common/lxc.nix ]; + networking.hostName = "gitea"; + system.stateVersion = "21.11"; + + environment.systemPackages = with pkgs; [ gnupg unzip ]; + + networking.firewall.enable = false; + networking.firewall.allowedTCPPorts = [ 3000 ]; + services.openssh.permitRootLogin = "no"; + services.openssh.passwordAuthentication = false; + + # The db can only be accessed from the machine anyways + # so the password is just set to x + environment.etc.giteaPass = { + enable = true; + text = "x"; + }; + + services.gitea = { + enable = true; + ssh = { clonePort = 4321; }; + lfs.enable = true; + + appName = "Voidcorp Gitea"; + domain = "git.asraphiel.dev"; + rootUrl = "https://git.asraphiel.dev/"; + database = { + type = "postgres"; + host = "postgres.lxd"; + name = "gitea"; + user = "gitea"; + passwordFile = "/etc/giteaPass"; + createDatabase = false; + }; + + cookieSecure = true; + disableRegistration = true; + }; +} diff --git a/machines/nginx/default.nix b/machines/nginx/default.nix index 28a29f1..65fbde0 100644 --- a/machines/nginx/default.nix +++ b/machines/nginx/default.nix @@ -17,6 +17,15 @@ enableACME = true; root = "/etc/main"; }; + virtualHosts."git.asraphiel.dev" = { + forceSSL = true; + enableACME = true; + http2 = true; + locations."/" = { + proxyPass = "http://gitea.lxd:3000"; + proxyWebsockets = true; + }; + }; }; security.acme.email = "acme@voidcorp.nl"; security.acme.acceptTerms = true; diff --git a/machines/postgres/default.nix b/machines/postgres/default.nix index f0a4e4b..7e9919f 100644 --- a/machines/postgres/default.nix 
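Review bot: `networking.firewall.enable = false;` switches the firewall off for the whole container, so the `networking.firewall.allowedTCPPorts = [ 3000 ]` on the next line has no effect and every port the gitea host listens on is reachable from anything that can route to gitea.lxd; the intent reads as exposing only 3000, which is `networking.firewall.enable = true;` with the existing allow list. Separately, the comment above `environment.etc.giteaPass` says the database is reachable only from this machine, but `database.host = "postgres.lxd"` in the same hunk points at another host, and `environment.etc` entries are symlinks into the world-readable Nix store by default, so `/etc/giteaPass` is both the wrong place for a real credential and not what actually gates database access (that is the Postgres `pg_hba` rule in machines/postgres/default.nix). If the value is to stay a placeholder, the comment should say so instead of claiming locality, e.g. `# Postgres admits this host via a pg_hba 'trust' rule, so this password is never checked; see machines/postgres/default.nix`.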
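Review bot: The new `locations."/"` inherits nginx's request-body limit (NixOS's `services.nginx.clientMaxBodySize` defaults to a small value, 10m in current releases), so Git pushes over HTTPS and LFS uploads, which `lfs.enable = true` in machines/gitea/default.nix turns on, will fail with 413 once they exceed it unless a larger limit is set somewhere outside this hunk. Raising it on this vhost alone keeps the global default for the other sites: add `extraConfig = "client_max_body_size 512m;";` inside `virtualHosts."git.asraphiel.dev"` (size chosen as an example). Note also that `proxyPass = "http://gitea.lxd:3000"` carries session cookies and pushed credentials in cleartext between nginx and gitea; that is acceptable only if the LXD network is private to these containers, which this hunk cannot show.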
+++ b/machines/postgres/default.nix @@ -3,18 +3,27 @@ networking.hostName = "postgres"; system.stateVersion = "21.11"; + environment.systemPackages = with pkgs; [ rsync ]; + networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ 5432 ]; services.postgresql = { enable = true; + package = pkgs.postgresql_13; # yes scuffed, but technically lxd can do whatever with the ip's it gives - authentication = "host all all 10.0.0.0/24 trust"; + authentication = '' + local all all trust + host all all 10.0.0.0/8 trust + ''; ensureDatabases = [ "gitea" ]; - ensureUsers = [{ - name = "gitea"; - ensurePermissions = { "DATABASE \"gitea\"" = "ALL PRIVILEGES"; }; - }]; + ensureUsers = [ + { + name = "gitea"; + ensurePermissions = { "DATABASE \"gitea\"" = "ALL PRIVILEGES"; }; + } + ]; + enableTCPIP = true; }; }
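Review bot: `host all all 10.0.0.0/8 trust` combined with `enableTCPIP = true` and port 5432 in `allowedTCPPorts` lets any host in the entire 10/8 range log in as any role, including the `postgres` superuser, with no credential at all, and the new `local all all trust` line, which takes precedence over the module's default `peer` rule, does the same for every local OS user over the socket. Even if trust stays for the LXD network, the rule can be scoped to what the gitea host actually needs, `host gitea gitea 10.0.0.0/8 trust`, and the local line dropped so the `peer` default applies, which means a foothold on any other container in the range does not become a database superuser. The `# yes scuffed` comment acknowledges the risk but does not record why /8 was needed over the previous /24; noting the actual LXD bridge range there would let the next maintainer tighten it.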