diff --git a/flake.lock b/flake.lock
index f102385..0230edc 100644
--- a/flake.lock
+++ b/flake.lock
@@ -175,11 +175,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1702312524, - "narHash": "sha256-gkZJRDBUCpTPBvQk25G0B7vfbpEYM5s5OZqghkjZsnE=", + "lastModified": 1703637592, + "narHash": "sha256-8MXjxU0RfFfzl57Zy3OfXCITS0qWDNLzlBAdwxGZwfY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a9bf124c46ef298113270b1f84a164865987a91c", + "rev": "cfc3698c31b1fb9cdcf10f36c9643460264d0ca8", "type": "github" }, "original": {
diff --git a/hosts/jorah.cx.ts.hillion.co.uk/default.nix b/hosts/jorah.cx.ts.hillion.co.uk/default.nix
index ea9dd62..0ec6942 100644
--- a/hosts/jorah.cx.ts.hillion.co.uk/default.nix
+++ b/hosts/jorah.cx.ts.hillion.co.uk/default.nix
@@ -49,6 +49,7 @@
 trustedInterfaces = [ "tailscale0" ];
 allowedTCPPorts = lib.mkForce [
 22 # SSH
+ 3022 # Gitea SSH (accessed via public 22)
 ];
 allowedUDPPorts = lib.mkForce [ ];
 interfaces = {
diff --git a/modules/default.nix b/modules/default.nix
index af5456a..78df3b0 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -11,6 +11,7 @@
 ./locations.nix
 ./resilio.nix
 ./services/downloads.nix
+ ./services/gitea.nix
 ./services/mastodon/default.nix
 ./services/matrix.nix
 ./services/unifi.nix
diff --git a/modules/impermanence.nix b/modules/impermanence.nix
index 9b329ee..9e27e01 100644
--- a/modules/impermanence.nix
+++ b/modules/impermanence.nix
@@ -37,6 +37,7 @@ in
 { path = "/data/system/etc/ssh/ssh_host_rsa_key"; type = "rsa"; bits = 4096; }
 ];
 matrix-synapse.dataDir = "${cfg.base}/system/var/lib/matrix-synapse";
+ gitea.stateDir = "${cfg.base}/system/var/lib/gitea";
 };
 environment.persistence."${cfg.base}/system" = {
diff --git a/modules/locations.nix b/modules/locations.nix
index 37797bd..46cc729 100644
--- a/modules/locations.nix
+++ b/modules/locations.nix
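Review bot: The comment on the new `3022` entry understates what it opens: `allowedTCPPorts` applies on every interface outside `trustedInterfaces`, so Gitea's built-in SSH server is reachable directly on the public `:3022` as well as via the `:22` REDIRECT, and because that REDIRECT (in `modules/services/gitea.nix`) rewrites every inbound `:22` on `enp5s0`, the host's own `sshd` is left reachable only over `tailscale0`. Both look deliberate, but a reader of this file alone cannot tell, so say it in the comment: `3022 # Gitea builtin SSH; public :22 is REDIRECTed here (sshd is then Tailscale-only) and :3022 is also open directly`. If direct access on `:3022` is not wanted, the accept rule would have to match only DNATed connections (e.g. `-m conntrack --ctstate DNAT`), which this list form cannot express. The enclosing `networking.firewall` attribute set starts and ends outside the hunk.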
@@ -14,6 +14,7 @@ in
 default = {
 services = {
 downloads = "tywin.storage.ts.hillion.co.uk";
+ gitea = "jorah.cx.ts.hillion.co.uk";
 mastodon = "vm.strangervm.ts.hillion.co.uk";
 matrix = "jorah.cx.ts.hillion.co.uk";
 unifi = "jorah.cx.ts.hillion.co.uk";
@@ -27,6 +28,7 @@ in
 config = lib.mkIf cfg.autoServe {
 custom.services.downloads.enable = cfg.locations.services.downloads == config.networking.fqdn;
+ custom.services.gitea.enable = cfg.locations.services.gitea == config.networking.fqdn;
 custom.services.mastodon.enable = cfg.locations.services.mastodon == config.networking.fqdn;
 custom.services.matrix.enable = cfg.locations.services.matrix == config.networking.fqdn;
 custom.services.unifi.enable = cfg.locations.services.unifi == config.networking.fqdn;
diff --git a/modules/services/gitea.nix b/modules/services/gitea.nix
new file mode 100644
index 0000000..3f0a9f5
--- /dev/null
+++ b/modules/services/gitea.nix
@@ -0,0 +1,114 @@
+{ config, pkgs, lib, nixpkgs-unstable, ... }:
+
+let
+ cfg = config.custom.services.gitea;
+in
+{
+ options.custom.services.gitea = {
+ enable = lib.mkEnableOption "gitea";
+
+ httpPort = lib.mkOption {
+ type = lib.types.port;
+ default = 3000;
+ };
+ sshPort = lib.mkOption {
+ type = lib.types.port;
+ default = 3022;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ age.secrets = {
+ "gitea/mailer_password" = {
+ file = ../../secrets/gitea/mailer_password.age;
+ owner = config.services.gitea.user;
+ group = config.services.gitea.group;
+ };
+ "gitea/oauth_jwt_secret" = {
+ file = ../../secrets/gitea/oauth_jwt_secret.age;
+ owner = config.services.gitea.user;
+ group = config.services.gitea.group;
+ path = "${config.services.gitea.customDir}/conf/oauth2_jwt_secret";
+ };
+ "gitea/lfs_jwt_secret" = {
+ file = ../../secrets/gitea/lfs_jwt_secret.age;
+ owner = config.services.gitea.user;
+ group = config.services.gitea.group;
+ path = "${config.services.gitea.customDir}/conf/lfs_jwt_secret";
+ };
+ "gitea/security_secret_key" = {
+ file = ../../secrets/gitea/security_secret_key.age;
+ owner = config.services.gitea.user;
+ group = config.services.gitea.group;
+ path = "${config.services.gitea.customDir}/conf/secret_key";
+ };
+ "gitea/security_internal_token" = {
+ file = ../../secrets/gitea/security_internal_token.age;
+ owner = config.services.gitea.user;
+ group = config.services.gitea.group;
+ path = "${config.services.gitea.customDir}/conf/internal_token";
+ };
+ };
+
+ services.gitea = {
+ enable = true;
+ package = nixpkgs-unstable.legacyPackages.x86_64-linux.gitea;
+ mailerPasswordFile = config.age.secrets."gitea/mailer_password".path;
+
+ appName = "Hillion Gitea";
+
+ database = {
+ type = "sqlite3";
+ name = "gitea";
+ path = "${config.services.gitea.stateDir}/data/gitea.db";
+ };
+ lfs.enable = true;
+
+ settings = {
+ server = {
+ DOMAIN = "gitea.hillion.co.uk";
+ HTTP_PORT = cfg.httpPort;
+ ROOT_URL = "https://gitea.hillion.co.uk/";
+ OFFLINE_MODE = false;
+ START_SSH_SERVER = true;
+ SSH_LISTEN_PORT = cfg.sshPort;
+ BUILTIN_SSH_SERVER_USER = "git";
+ SSH_DOMAIN = "ssh.gitea.hillion.co.uk";
+ SSH_PORT = 22;
+ };
+
+ mailer = {
+ ENABLED = true;
+ HOST = "smtp.mailgun.org:587";
+ FROM = "gitea@mg.hillion.co.uk";
+ USER = "gitea@mg.hillion.co.uk";
+ };
+ security = {
+ INSTALL_LOCK = true;
+ };
+ service = {
+ REGISTER_EMAIL_CONFIRM = true;
+ ENABLE_NOTIFY_MAIL = true;
+ EMAIL_DOMAIN_WHITELIST = "hillion.co.uk,cam.ac.uk,cl.cam.ac.uk";
+ };
+ session = {
+ PROVIDER = "file";
+ };
+ };
+ };
+
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = 1;
+ "net.ipv6.conf.all.forwarding" = 1;
+ };
+ networking.firewall.extraCommands = ''
+ # proxy all traffic on public interface to the gitea SSH server
+ iptables -A PREROUTING -t nat -i enp5s0 -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
+ ip6tables -A PREROUTING -t nat -i enp5s0 -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
+
+ # proxy locally originating outgoing packets
+ iptables -A OUTPUT -d 95.217.229.104 -t nat -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
+ ip6tables -A OUTPUT -d 2a01:4f9:4b:3953::2 -t nat -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
+ '';
+ };
+}
diff --git a/modules/www/global.nix b/modules/www/global.nix
index 340d203..a9df42f 100644
--- a/modules/www/global.nix
+++ b/modules/www/global.nix
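Review bot: The `boot.kernel.sysctl` forwarding switches near the end of the file look unrelated to the rules that follow them: a PREROUTING REDIRECT to a local port is delivered through INPUT, so as far as I can tell neither `net.ipv4.ip_forward` nor `net.ipv6.conf.all.forwarding` is needed here, and turning a public host into a router is extra exposure — drop them, or comment which service on jorah actually needs them. The same block hard-codes `enp5s0`, `95.217.229.104` and `2a01:4f9:4b:3953::2` in a module that `locations.nix` can hand to any host; they belong in options next to `sshPort` (e.g. `publicInterface`, `publicAddresses`). `extraCommands` is re-run on every firewall start/reload and `-A` appends to the built-in nat chains, which the NixOS firewall does not flush, so the four rules accumulate duplicates over time; delete-before-add (below, the pattern the NixOS nat module itself uses) or `-C … || -A …` keeps them idempotent. Lastly, `mailer.HOST` without `PROTOCOL` leaves the TLS mode to Gitea's inference (port 587 should resolve to `smtp+starttls`, if I read it right) and is, on recent Gitea releases, a deprecated key; pinning `PROTOCOL = "smtp+starttls"; SMTP_ADDR = "smtp.mailgun.org"; SMTP_PORT = 587;` makes the intended STARTTLS mode for the mailgun credential explicit rather than inferred.

```nix
    networking.firewall.extraCommands =
      let
        port = builtins.toString cfg.sshPort;
        # delete any copy left by a previous run, then append: idempotent across reloads
        redirect = cmd: spec: ''
          ${cmd} -t nat -D ${spec} -j REDIRECT --to-port ${port} 2>/dev/null || true
          ${cmd} -t nat -A ${spec} -j REDIRECT --to-port ${port}
        '';
      in
      ''
        # proxy all traffic on public interface to the gitea SSH server
        ${redirect "iptables" "PREROUTING -i enp5s0 -p tcp --dport 22"}
        ${redirect "ip6tables" "PREROUTING -i enp5s0 -p tcp --dport 22"}

        # proxy locally originating outgoing packets
        ${redirect "iptables" "OUTPUT -d 95.217.229.104 -p tcp --dport 22"}
        ${redirect "ip6tables" "OUTPUT -d 2a01:4f9:4b:3953::2 -p tcp --dport 22"}
      '';
```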
@@ -37,15 +37,15 @@ in
 root * /var/www/blog.hillion.co.uk
 file_server
 '';
- "gitea.hillion.co.uk".extraConfig = ''
- reverse_proxy http://gitea.gitea.ts.hillion.co.uk:3000
- '';
 "homeassistant.hillion.co.uk".extraConfig = ''
 reverse_proxy http://homeassistant.homeassistant.ts.hillion.co.uk:8123
 '';
 "emby.hillion.co.uk".extraConfig = ''
 reverse_proxy http://plex.mediaserver.ts.hillion.co.uk:8096
 '';
+ "gitea.hillion.co.uk".extraConfig = ''
+ reverse_proxy http://${locations.services.gitea}:3000
+ '';
 "matrix.hillion.co.uk".extraConfig = ''
 reverse_proxy /_matrix/* http://${locations.services.matrix}:8008
 reverse_proxy /_synapse/client/* http://${locations.services.matrix}:8008
diff --git a/secrets/gitea/lfs_jwt_secret.age b/secrets/gitea/lfs_jwt_secret.age
new file mode 100644
index 0000000..40a2930
Binary files /dev/null and b/secrets/gitea/lfs_jwt_secret.age differ
diff --git a/secrets/gitea/mailer_password.age b/secrets/gitea/mailer_password.age
new file mode 100644
index 0000000..8cc0537
--- /dev/null
+++ b/secrets/gitea/mailer_password.age
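Review bot: The upstream port is now stated twice: `custom.services.gitea.httpPort` (default 3000) decides where Gitea listens on jorah, while this site hard-codes `:3000`, so changing the option would break the proxy without any evaluation error. Since the host already comes from `locations.services.gitea`, a port beside it in `locations.nix` — or at minimum `# keep in step with custom.services.gitea.httpPort` on the `reverse_proxy` line — keeps the two from drifting. Also, Caddy forwards plain HTTP across the tailnet, which is fine with `ROOT_URL` being https, but Gitea will record this proxy's tailnet address as the client for every request unless `[security] REVERSE_PROXY_TRUSTED_PROXIES` in gitea.nix includes it (the default, as I recall, covers only loopback). The enclosing attribute set starts and ends outside the hunk.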
@@ -0,0 +1,19 @@ +age-encryption.org/v1 +-> ssh-rsa GxPFJQ +gDF6kKcuWAKwIhdnB7zav8ZXdHEuq+4yYVc0ZOmpXpiRReo8yVgAcDcMIt5Wkfjk +9quZWwFal2YZ9YH7HhG4vXVxzgL0s7oQfnzjsBwVO9lE/hly5gL9TqGY4fjuVv6Q +kBbp+JaogGv6RsHVajNWNto1qKNJWB8JyewnIdZOVRHee21u/a3qRMHuyRhIeiWR +QLMXxJxdvdgaCUjXMyOgMifsdklK/12kuRb6cTp9Zg+LzMUVloROSbhzofLUtjST +GnJR8qKDIDAG6XIzi4+/VZCcHRA/NEAs965GQrK/qyvyTcFW6BUwuoHMq3Ia/9jM +K+hgOULnfi+jIDw5U0HJKQ +-> ssh-rsa K9mW1w +TJKNczUv82J3W4sXH76qPmijKcOjvpLvZC7rKf85zBr2fdgOtXzXULQbFhW3l6gs +V50Lkw3gwSBC6ckWWKqfJkSxqWgAQumy5/5yZc9zqnNDJPXCaBEOkz3IL43Eu13V +4AihecOthSqFkfr1VsrllDckANsTse1Md/p8XDHOpNr/wyUHKRuFKnBmTG7nV2Ja +3sqOmI9RzIArUHY868ecGqPrZXWR72vqZJ3twtivq6aQI9mTw+98VPZeAUZVSMVf +5T7Z0XGfA3O5x8KDAtHcqUMA87vZ/NwsAHxsy7F64u4yaihIvG+8EQDmkGEP/7eG +lPijgnL0SUte+Df3/wXt7Q +-> ssh-ed25519 Qo6/7A 7U/6Bj8AWyHKrCZ38LOyUSr/d4HOUXPqT0FoID0ON1A +3jqYYywJlhN/i7QuXBWb0kajeZcZyBnNXpUWCMf9Kzc +--- pPjt0YCs2Wah1kyAp2qLbL9Q2z/K16jv4DJXAO7x2NU + -?Q5`Y_Ќ5,u.:ʻAoT cpNF[X f4Gs \ No newline at end of file diff --git a/secrets/gitea/oauth_jwt_secret.age b/secrets/gitea/oauth_jwt_secret.age new file mode 100644 index 0000000..22c5966 Binary files /dev/null and b/secrets/gitea/oauth_jwt_secret.age differ diff --git a/secrets/gitea/security_internal_token.age b/secrets/gitea/security_internal_token.age new file mode 100644 index 0000000..6ba7b19 Binary files /dev/null and b/secrets/gitea/security_internal_token.age differ diff --git a/secrets/gitea/security_secret_key.age b/secrets/gitea/security_secret_key.age new file mode 100644 index 0000000..d1954f3 --- /dev/null +++ b/secrets/gitea/security_secret_key.age 
@@ -0,0 +1,20 @@ +age-encryption.org/v1 +-> ssh-rsa GxPFJQ +R66aDsFfjeEm7eBOYYwf592oHT6LUhfyMY2rOX1wZEJ2JgJVUr13clzsjVb9lOTl +Z7sb/yqpt8kB91/Rb0Tnsb9khw49sk9BOcglFKJ8iJWBvXzGx0UkxQo1ZbCMf3R7 +nZu4BFg1kbKN9GD0GP1IjhwYEt0y66iP8IuQtyOy7CH6RH1FfgaIQnfhBDcnyfX9 +H6tS6m6dRjqA9rc2l05a77nObkt7LT1A4KK5EQj8AMGrjwbFRrY0ip5uv153z+WU +Z3LWqhTgTzbt6mB12EcLrL+8U7beJ34bru3V78gmToE/6okqRNYUNzmSAIzGbENA +nF+58U1SPp8XzKI41ZxOwg +-> ssh-rsa K9mW1w +socHWl+IhFQvhia1uSJkrwYXleQ9jAS0e5a/dzQerzAC53+zyo88cDh1EH6+JftT +3zEouOwnDhNHa+tn+xISIQnrP0Zfe+Yp4AbYyOGqbXMOH8dmAbBsIuXNRsNvnLwy +ZzzOhGfJ0Tghpcadt8S/R307m5UFcd5krZ8iiX1B3ZyhBSakGTWvD4VKzbvhYr0u +v3mgh4TFn0NMbhsLwFBRkmrPur+Eqg2BQKdPVUuVMMMv0Aay3fBIwe3Gb9gMYokS +pBHxWe8efWLWU25HeBBbefAFW28+nK57tmEdFGsJ2i5pMJG25xseRlxoB40iCooa +1VptQnvRxUcrxdQV6PcSaQ +-> ssh-ed25519 Qo6/7A WUExaKD05NZgjnyp6jWsDuHKpc3P/bX3pN9dhsjhEUM +viEgHYTsA3uvJgvXNqc0/idEjerFPzjnj8dSdKjzMD0 +--- TsmUg1lsb/tQEnG3czWdME6D2cASto8QZetG+RrSphU + 1<Qc =b-Mdf* +~$etOPvx<-0#cdn])޲tvWmmYz \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index f3731c2..f12ad64 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -100,4 +100,11 @@ in # Deluge Secrets "deluge/auth.age".publicKeys = jake_users ++ [ ts.storage.tywin ]; + + # Gitea Secrets + "gitea/lfs_jwt_secret.age".publicKeys = jake_users ++ [ ts.cx.jorah ]; + "gitea/mailer_password.age".publicKeys = jake_users ++ [ ts.cx.jorah ]; + "gitea/oauth_jwt_secret.age".publicKeys = jake_users ++ [ ts.cx.jorah ]; + "gitea/security_secret_key.age".publicKeys = jake_users ++ [ ts.cx.jorah ]; + "gitea/security_internal_token.age".publicKeys = jake_users ++ [ ts.cx.jorah ]; }