Gitea Lives!

common/users/default.nix

@@ -4,6 +4,7 @@
   environment.systemPackages = with pkgs; [ git curl ];
   programs.neovim.enable = true;
   programs.neovim.viAlias = true;
+  programs.neovim.vimAlias = true;
   programs.fish.shellInit = "set -U fish_greeting";
 
   users.defaultUserShell = pkgs.fish;

flake.lock

@@ -77,11 +77,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1652559422,
+        "lastModified": 1652881001,
-        "narHash": "sha256-jPVTNImBTUIFdtur+d4IVot6eXmsvtOcBm0TzxmhWPk=",
+        "narHash": "sha256-k9JmPCojaJnqGz4aRXXT1HZqJKHCXijoMfBAb24abXk=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "8b3398bc7587ebb79f93dfeea1b8c574d3c6dba1",
+        "rev": "2d474d6a4a43a0348b78db68dc00c491032cf5cf",
         "type": "github"
       },
       "original": {

flake.nix

@@ -24,12 +24,12 @@
       packages.x86_64-linux.register = let
         lxc = nixos-generators.nixosGenerate {
           pkgs = pkgs;
-          modules = [ ./machines/base.nix ];
+          modules = [ ./machines/base ];
           format = "lxc";
         };
         metadata = nixos-generators.nixosGenerate {
           pkgs = pkgs;
-          modules = [ ./machines/base.nix ];
+          modules = [ ./machines/base ];
           format = "lxc-metadata";
         };
       in with import nixpkgs { system = "x86_64-linux"; };
@@ -61,6 +61,14 @@
             tags = [ "database" ];
           };
         };
+        gitea = {
+          imports = [ ./machines/gitea ];
+          deployment = {
+            targetUser = "jdejeu";
+            targetHost = "gitea.lxd";
+            tags = [ "website" "system" ];
+          };
+        };
       };
 
       devShells.x86_64-linux.default = pkgs.mkShell {

machines/base/default.nix

@@ -1,5 +1,5 @@
 { config, pkgs, ... }: {
-  imports = [ ../common ../common/lxc.nix ];
+  imports = [ ../../common ../../common/lxc.nix ];
   networking.hostName = "base";
   system.stateVersion = "21.11";
 }

machines/gitea/default.nix

@@ -0,0 +1,40 @@
+{ config, pkgs, ... }: {
+  imports = [ ../../common ../../common/lxc.nix ];
+  networking.hostName = "gitea";
+  system.stateVersion = "21.11";
+
+  environment.systemPackages = with pkgs; [ gnupg unzip ];
+
+  networking.firewall.enable = false;
+  networking.firewall.allowedTCPPorts = [ 3000 ];
+  services.openssh.permitRootLogin = "no";
+  services.openssh.passwordAuthentication = false;
+
+  # The db can only be accessed from the machine anyways
+  # so the password is just set to x
+  environment.etc.giteaPass = {
+    enable = true;
+    text = "x";
+  };
+
+  services.gitea = {
+    enable = true;
+    ssh = { clonePort = 4321; };
+    lfs.enable = true;
+
+    appName = "Voidcorp Gitea";
+    domain = "git.asraphiel.dev";
+    rootUrl = "https://git.asraphiel.dev/";
+    database = {
+      type = "postgres";
+      host = "postgres.lxd";
+      name = "gitea";
+      user = "gitea";
+      passwordFile = "/etc/giteaPass";
+      createDatabase = false;
+    };
+
+    cookieSecure = true;
+    disableRegistration = true;
+  };
+}

machines/nginx/default.nix

@@ -17,6 +17,15 @@
       enableACME = true;
       root = "/etc/main";
     };
+    virtualHosts."git.asraphiel.dev" = {
+      forceSSL = true;
+      enableACME = true;
+      http2 = true;
+      locations."/" = {
+        proxyPass = "http://gitea.lxd:3000/";
+        proxyWebsockets = true;
+      };
+    };
   };
   security.acme.email = "acme@voidcorp.nl";
   security.acme.acceptTerms = true;

machines/postgres/default.nix

@@ -3,18 +3,28 @@
   networking.hostName = "postgres";
   system.stateVersion = "21.11";
 
+  environment.systemPackages = with pkgs; [ rsync ];
+
   networking.firewall.enable = true;
   networking.firewall.allowedTCPPorts = [ 5432 ];
 
   services.postgresql = {
     enable = true;
+    package = pkgs.postgresql_13;
     # yes scuffed, but technically lxd can do whatever with the ip's it gives
-    authentication = "host all all 10.0.0.0/24 trust";
+    authentication = ''
+      local all all trust
+      host all all 10.0.0.0/8 trust
+      host all all fd42:14c:5baf:51ec:216:3eff:fe6e:32a7/96 trust
+    '';
     ensureDatabases = [ "gitea" ];
-    ensureUsers = [{
+    ensureUsers = [
-      name = "gitea";
+      {
-      ensurePermissions = { "DATABASE \"gitea\"" = "ALL PRIVILEGES"; };
+        name = "gitea";
-    }];
+        ensurePermissions = { "DATABASE \"gitea\"" = "ALL PRIVILEGES"; };
+      }
+    ];
+
     enableTCPIP = true;
   };
 }