add gitea

flake.lock

@@ -175,11 +175,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1702312524,
-        "narHash": "sha256-gkZJRDBUCpTPBvQk25G0B7vfbpEYM5s5OZqghkjZsnE=",
+        "lastModified": 1703637592,
+        "narHash": "sha256-8MXjxU0RfFfzl57Zy3OfXCITS0qWDNLzlBAdwxGZwfY=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "a9bf124c46ef298113270b1f84a164865987a91c",
+        "rev": "cfc3698c31b1fb9cdcf10f36c9643460264d0ca8",
         "type": "github"
       },
       "original": {

hosts/jorah.cx.ts.hillion.co.uk/default.nix

@@ -49,6 +49,7 @@
       trustedInterfaces = [ "tailscale0" ];
       allowedTCPPorts = lib.mkForce [
         22 # SSH
+        3022 # Gitea SSH (accessed via public 22)
       ];
       allowedUDPPorts = lib.mkForce [ ];
       interfaces = {

modules/default.nix

@@ -11,6 +11,7 @@
     ./locations.nix
     ./resilio.nix
     ./services/downloads.nix
+    ./services/gitea.nix
     ./services/mastodon/default.nix
     ./services/matrix.nix
     ./services/unifi.nix

modules/impermanence.nix

@@ -37,6 +37,7 @@ in
         { path = "/data/system/etc/ssh/ssh_host_rsa_key"; type = "rsa"; bits = 4096; }
       ];
       matrix-synapse.dataDir = "${cfg.base}/system/var/lib/matrix-synapse";
+      gitea.stateDir = "${cfg.base}/system/var/lib/gitea";
     };
 
     environment.persistence."${cfg.base}/system" = {

modules/locations.nix

@@ -14,6 +14,7 @@ in
       default = {
         services = {
           downloads = "tywin.storage.ts.hillion.co.uk";
+          gitea = "jorah.cx.ts.hillion.co.uk";
           mastodon = "vm.strangervm.ts.hillion.co.uk";
           matrix = "jorah.cx.ts.hillion.co.uk";
           unifi = "jorah.cx.ts.hillion.co.uk";
@@ -27,6 +28,7 @@ in
 
   config = lib.mkIf cfg.autoServe {
     custom.services.downloads.enable = cfg.locations.services.downloads == config.networking.fqdn;
+    custom.services.gitea.enable = cfg.locations.services.gitea == config.networking.fqdn;
     custom.services.mastodon.enable = cfg.locations.services.mastodon == config.networking.fqdn;
     custom.services.matrix.enable = cfg.locations.services.matrix == config.networking.fqdn;
     custom.services.unifi.enable = cfg.locations.services.unifi == config.networking.fqdn;

modules/services/gitea.nix

@@ -0,0 +1,114 @@
+{ config, pkgs, lib, nixpkgs-unstable, ... }:
+
+let
+  cfg = config.custom.services.gitea;
+in
+{
+  options.custom.services.gitea = {
+    enable = lib.mkEnableOption "gitea";
+
+    httpPort = lib.mkOption {
+      type = lib.types.port;
+      default = 3000;
+    };
+    sshPort = lib.mkOption {
+      type = lib.types.port;
+      default = 3022;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    age.secrets = {
+      "gitea/mailer_password" = {
+        file = ../../secrets/gitea/mailer_password.age;
+        owner = config.services.gitea.user;
+        group = config.services.gitea.group;
+      };
+      "gitea/oauth_jwt_secret" = {
+        file = ../../secrets/gitea/oauth_jwt_secret.age;
+        owner = config.services.gitea.user;
+        group = config.services.gitea.group;
+        path = "${config.services.gitea.customDir}/conf/oauth2_jwt_secret";
+      };
+      "gitea/lfs_jwt_secret" = {
+        file = ../../secrets/gitea/lfs_jwt_secret.age;
+        owner = config.services.gitea.user;
+        group = config.services.gitea.group;
+        path = "${config.services.gitea.customDir}/conf/lfs_jwt_secret";
+      };
+      "gitea/security_secret_key" = {
+        file = ../../secrets/gitea/security_secret_key.age;
+        owner = config.services.gitea.user;
+        group = config.services.gitea.group;
+        path = "${config.services.gitea.customDir}/conf/secret_key";
+      };
+      "gitea/security_internal_token" = {
+        file = ../../secrets/gitea/security_internal_token.age;
+        owner = config.services.gitea.user;
+        group = config.services.gitea.group;
+        path = "${config.services.gitea.customDir}/conf/internal_token";
+      };
+    };
+
+    services.gitea = {
+      enable = true;
+      package = nixpkgs-unstable.legacyPackages.x86_64-linux.gitea;
+      mailerPasswordFile = config.age.secrets."gitea/mailer_password".path;
+
+      appName = "Hillion Gitea";
+
+      database = {
+        type = "sqlite3";
+        name = "gitea";
+        path = "${config.services.gitea.stateDir}/data/gitea.db";
+      };
+      lfs.enable = true;
+
+      settings = {
+        server = {
+          DOMAIN = "gitea.hillion.co.uk";
+          HTTP_PORT = cfg.httpPort;
+          ROOT_URL = "https://gitea.hillion.co.uk/";
+          OFFLINE_MODE = false;
+          START_SSH_SERVER = true;
+          SSH_LISTEN_PORT = cfg.sshPort;
+          BUILTIN_SSH_SERVER_USER = "git";
+          SSH_DOMAIN = "ssh.gitea.hillion.co.uk";
+          SSH_PORT = 22;
+        };
+
+        mailer = {
+          ENABLED = true;
+          HOST = "smtp.mailgun.org:587";
+          FROM = "gitea@mg.hillion.co.uk";
+          USER = "gitea@mg.hillion.co.uk";
+        };
+        security = {
+          INSTALL_LOCK = true;
+        };
+        service = {
+          REGISTER_EMAIL_CONFIRM = true;
+          ENABLE_NOTIFY_MAIL = true;
+          EMAIL_DOMAIN_WHITELIST = "hillion.co.uk,cam.ac.uk,cl.cam.ac.uk";
+        };
+        session = {
+          PROVIDER = "file";
+        };
+      };
+    };
+
+    boot.kernel.sysctl = {
+      "net.ipv4.ip_forward" = 1;
+      "net.ipv6.conf.all.forwarding" = 1;
+    };
+    networking.firewall.extraCommands = ''
+      # proxy all traffic on public interface to the gitea SSH server
+      iptables -A PREROUTING -t nat -i enp5s0 -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
+      ip6tables -A PREROUTING -t nat -i enp5s0 -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
+
+      # proxy locally originating outgoing packets
+      iptables -A OUTPUT -d 95.217.229.104 -t nat -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
+      ip6tables -A OUTPUT -d 2a01:4f9:4b:3953::2 -t nat -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
+    '';
+  };
+}

modules/www/global.nix

@@ -37,15 +37,15 @@ in
           root * /var/www/blog.hillion.co.uk
           file_server
         '';
-        "gitea.hillion.co.uk".extraConfig = ''
-          reverse_proxy http://gitea.gitea.ts.hillion.co.uk:3000
-        '';
         "homeassistant.hillion.co.uk".extraConfig = ''
           reverse_proxy http://homeassistant.homeassistant.ts.hillion.co.uk:8123
         '';
         "emby.hillion.co.uk".extraConfig = ''
           reverse_proxy http://plex.mediaserver.ts.hillion.co.uk:8096
         '';
+        "gitea.hillion.co.uk".extraConfig = ''
+          reverse_proxy http://${locations.services.gitea}:3000
+        '';
         "matrix.hillion.co.uk".extraConfig = ''
           reverse_proxy /_matrix/* http://${locations.services.matrix}:8008
           reverse_proxy /_synapse/client/* http://${locations.services.matrix}:8008

secrets/gitea/mailer_password.age

@@ -0,0 +1,19 @@
+age-encryption.org/v1
+-> ssh-rsa GxPFJQ
+gDF6kKcuWAKwIhdnB7zav8ZXdHEuq+4yYVc0ZOmpXpiRReo8yVgAcDcMIt5Wkfjk
+9quZWwFal2YZ9YH7HhG4vXVxzgL0s7oQfnzjsBwVO9lE/hly5gL9TqGY4fjuVv6Q
+kBbp+JaogGv6RsHVajNWNto1qKNJWB8JyewnIdZOVRHee21u/a3qRMHuyRhIeiWR
+QLMXxJxdvdgaCUjXMyOgMifsdklK/12kuRb6cTp9Zg+LzMUVloROSbhzofLUtjST
+GnJR8qKDIDAG6XIzi4+/VZCcHRA/NEAs965GQrK/qyvyTcFW6BUwuoHMq3Ia/9jM
+K+hgOULnfi+jIDw5U0HJKQ
+-> ssh-rsa K9mW1w
+TJKNczUv82J3W4sXH76qPmijKcOjvpLvZC7rKf85zBr2fdgOtXzXULQbFhW3l6gs
+V50Lkw3gwSBC6ckWWKqfJkSxqWgAQumy5/5yZc9zqnNDJPXCaBEOkz3IL43Eu13V
+4AihecOthSqFkfr1VsrllDckANsTse1Md/p8XDHOpNr/wyUHKRuFKnBmTG7nV2Ja
+3sqOmI9RzIArUHY868ecGqPrZXWR72vqZJ3twtivq6aQI9mTw+98VPZeAUZVSMVf
+5T7Z0XGfA3O5x8KDAtHcqUMA87vZ/NwsAHxsy7F64u4yaihIvG+8EQDmkGEP/7eG
+lPijgnL0SUte+Df3/wXt7Q
+-> ssh-ed25519 Qo6/7A 7U/6Bj8AWyHKrCZ38LOyUSr/d4HOUXPqT0FoID0ON1A
+3jqYYywJlhN/i7QuXBWb0kajeZcZyBnNXpUWCMf9Kzc
+--- pPjt0YCs2Wah1kyAp2qLbL9Q2z/K16jv4DJXAO7x2NU
+-õ?ùÌQ5©`Y›_ËÐŒ§þ£5†È,u¶.:…ÅÊ»AžoTc¿”p°ûNÝá·F[äX¿‹°‘†’f<E28099>³‘4§ê•¡ÄGs©¿

secrets/gitea/security_secret_key.age

@@ -0,0 +1,20 @@
+age-encryption.org/v1
+-> ssh-rsa GxPFJQ
+R66aDsFfjeEm7eBOYYwf592oHT6LUhfyMY2rOX1wZEJ2JgJVUr13clzsjVb9lOTl
+Z7sb/yqpt8kB91/Rb0Tnsb9khw49sk9BOcglFKJ8iJWBvXzGx0UkxQo1ZbCMf3R7
+nZu4BFg1kbKN9GD0GP1IjhwYEt0y66iP8IuQtyOy7CH6RH1FfgaIQnfhBDcnyfX9
+H6tS6m6dRjqA9rc2l05a77nObkt7LT1A4KK5EQj8AMGrjwbFRrY0ip5uv153z+WU
+Z3LWqhTgTzbt6mB12EcLrL+8U7beJ34bru3V78gmToE/6okqRNYUNzmSAIzGbENA
+nF+58U1SPp8XzKI41ZxOwg
+-> ssh-rsa K9mW1w
+socHWl+IhFQvhia1uSJkrwYXleQ9jAS0e5a/dzQerzAC53+zyo88cDh1EH6+JftT
+3zEouOwnDhNHa+tn+xISIQnrP0Zfe+Yp4AbYyOGqbXMOH8dmAbBsIuXNRsNvnLwy
+ZzzOhGfJ0Tghpcadt8S/R307m5UFcd5krZ8iiX1B3ZyhBSakGTWvD4VKzbvhYr0u
+v3mgh4TFn0NMbhsLwFBRkmrPur+Eqg2BQKdPVUuVMMMv0Aay3fBIwe3Gb9gMYokS
+pBHxWe8efWLWU25HeBBbefAFW28+nK57tmEdFGsJ2i5pMJG25xseRlxoB40iCooa
+1VptQnvRxUcrxdQV6PcSaQ
+-> ssh-ed25519 Qo6/7A WUExaKD05NZgjnyp6jWsDuHKpc3P/bX3pN9dhsjhEUM
+viEgHYTsA3uvJgvXNqc0/idEjerFPzjnj8dSdKjzMD0
+--- TsmUg1lsb/tQEnG3czWdME6D2cASto8QZetG+RrSphU
+ƒµ	1ºß<èâð†QcÒ¡=b-¢’Mdf*Î
+‘~$etÈô•®ÄÀÕÈOPvÉx<äö-‘ì0#…cóÙdn¶]®æò)Þ²¤tãvîþWmmÕYò’ìÀ¼ßz°

secrets/secrets.nix

@@ -100,4 +100,11 @@ in
 
   # Deluge Secrets
   "deluge/auth.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
+
+  # Gitea Secrets
+  "gitea/lfs_jwt_secret.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
+  "gitea/mailer_password.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
+  "gitea/oauth_jwt_secret.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
+  "gitea/security_secret_key.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
+  "gitea/security_internal_token.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
 }