gitea: move jorah->boron

2024-05-12 11:33:08 +01:00 · 2024-05-12 11:33:08 +01:00 · f59824ad62
commit f59824ad62
parent bff93529aa
11 changed files with 30 additions and 26 deletions
--- a/hosts/boron.cx.ts.hillion.co.uk/default.nix
+++ b/hosts/boron.cx.ts.hillion.co.uk/default.nix
@ -106,6 +106,8 @@
      interfaces = {
        eth0 = {
          allowedTCPPorts = lib.mkForce [
+            22 # SSH
+            3022 # SSH (Gitea) - redirected to 22
            53 # DNS
            80 # HTTP 1-2
            443 # HTTPS 1-2
--- a/hosts/jorah.cx.ts.hillion.co.uk/default.nix
+++ b/hosts/jorah.cx.ts.hillion.co.uk/default.nix
@ -82,10 +82,7 @@

    networking.firewall = {
      trustedInterfaces = [ "tailscale0" ];
-      allowedTCPPorts = lib.mkForce [
-        22 # SSH
-        3022 # Gitea SSH (accessed via public 22)
-      ];
+      allowedTCPPorts = lib.mkForce [ ];
      allowedUDPPorts = lib.mkForce [ ];
      interfaces = {
        eth0 = {
--- a/modules/ids.nix
+++ b/modules/ids.nix
@ -6,6 +6,7 @@
      ## Defined System Users (see https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix)
      unifi = 183;
      chia = 185;
+      gitea = 186;

      ## Consistent People
      jake = 1000;
@ -15,6 +16,7 @@
      ## Defined System Groups (see https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix)
      unifi = 183;
      chia = 185;
+      gitea = 186;

      ## Consistent Groups
      mediaaccess = 1200;
--- a/modules/locations.nix
+++ b/modules/locations.nix
@ -24,7 +24,7 @@ in
            "jorah.cx.ts.hillion.co.uk"
          ];
          downloads = "tywin.storage.ts.hillion.co.uk";
-          gitea = "jorah.cx.ts.hillion.co.uk";
+          gitea = "boron.cx.ts.hillion.co.uk";
          homeassistant = "microserver.home.ts.hillion.co.uk";
          mastodon = "";
          matrix = "jorah.cx.ts.hillion.co.uk";
--- a/modules/services/gitea/gitea.nix
+++ b/modules/services/gitea/gitea.nix
@ -50,6 +50,9 @@ in
      };
    };

+    users.users.gitea.uid = config.ids.uids.gitea;
+    users.groups.gitea.gid = config.ids.gids.gitea;
+
    services.gitea = {
      enable = true;
      package = nixpkgs-unstable.legacyPackages.x86_64-linux.gitea;
--- a/secrets/gitea/lfs_jwt_secret.age
+++ b/secrets/gitea/lfs_jwt_secret.age
--- a/secrets/gitea/mailer_password.age
+++ b/secrets/gitea/mailer_password.age
@ -1,19 +1,19 @@
 age-encryption.org/v1
 -> ssh-rsa GxPFJQ
-gDF6kKcuWAKwIhdnB7zav8ZXdHEuq+4yYVc0ZOmpXpiRReo8yVgAcDcMIt5Wkfjk
-9quZWwFal2YZ9YH7HhG4vXVxzgL0s7oQfnzjsBwVO9lE/hly5gL9TqGY4fjuVv6Q
-kBbp+JaogGv6RsHVajNWNto1qKNJWB8JyewnIdZOVRHee21u/a3qRMHuyRhIeiWR
-QLMXxJxdvdgaCUjXMyOgMifsdklK/12kuRb6cTp9Zg+LzMUVloROSbhzofLUtjST
-GnJR8qKDIDAG6XIzi4+/VZCcHRA/NEAs965GQrK/qyvyTcFW6BUwuoHMq3Ia/9jM
-K+hgOULnfi+jIDw5U0HJKQ
+EpPN7UHHRuytMr2vXy9CHzjVkH1iCt9LiTLhFsqXbL03Rk+X82q233Lm12f0sQvz
+Hqjukkh9bU90TLKcEOFpKrU5FQwKUjzEy85A+4UoovWdJ8VwACOzoJf29Ys1bX3i
+Xp4gUT7ne5+4afNwKXVFDS1YCPjIoQPu2cGw6iTNIYwVY5fNxz5y5ZHLkI9lOqJD
+mT7jCgLLdkK8vJiDcu4Ofr21GaziQh93YXK69i3gyAt6pqSRyQdAfhMGkykOWdrO
+FXMtpzT82UCvfbFbbRCRuSFga0uq5zx2cwvBD4Xagw8Dfg9RQO0rX9NAbbgcoyfG
+qnk+0bYAk3pWfdXW9Z/psQ
 -> ssh-rsa K9mW1w
-TJKNczUv82J3W4sXH76qPmijKcOjvpLvZC7rKf85zBr2fdgOtXzXULQbFhW3l6gs
-V50Lkw3gwSBC6ckWWKqfJkSxqWgAQumy5/5yZc9zqnNDJPXCaBEOkz3IL43Eu13V
-4AihecOthSqFkfr1VsrllDckANsTse1Md/p8XDHOpNr/wyUHKRuFKnBmTG7nV2Ja
-3sqOmI9RzIArUHY868ecGqPrZXWR72vqZJ3twtivq6aQI9mTw+98VPZeAUZVSMVf
-5T7Z0XGfA3O5x8KDAtHcqUMA87vZ/NwsAHxsy7F64u4yaihIvG+8EQDmkGEP/7eG
-lPijgnL0SUte+Df3/wXt7Q
-> ssh-ed25519 Qo6/7A 7U/6Bj8AWyHKrCZ38LOyUSr/d4HOUXPqT0FoID0ON1A
-3jqYYywJlhN/i7QuXBWb0kajeZcZyBnNXpUWCMf9Kzc
--- pPjt0YCs2Wah1kyAp2qLbL9Q2z/K16jv4DJXAO7x2NU
-õ?ùÌQ5©`Y›_ËÐŒ§þ£5†È,u¶.:…ÅÊ»AžoTc¿”p°ûNÝá·F[äX¿‹°‘†’f<E28099>³‘4§ê•¡ÄGs©¿
+NaR245c+88dGflT9cG73bQOBxQsVi5x8JkMTrqjabzwzHpRiBUdtP+Ou1w+klOI4
+cv1RLngEZH9jsSiEdvpvRkzE2ILOR/abgABXZi/4vl7iXiC8T23QSOPXnMxrAgpH
+RV9B3GcSClb70+Lf3pJtPBVHVENhFVFvj5JgxQ2Zi6eMpcMuL18r/Szn4erk8zXQ
+330oEau80X6WoPtRaSqSxVRrMGecGHdIE9chLosCf1x8CgIcYBTtviky+fDQMkKZ
+iwueW1luuBj1AuP33jUqjeyyMaJ6SqSmaxGqGHGXA/ayxF8HnHU9AJlhPH+tEEbs
+84Xu2vwg9ikUz7B1tTBYeA
+-> ssh-ed25519 iWiFbA CuUeGNUBc5K+AkXBRvp7SUTJNoMDW0bWRnYs3ZhFSGM
+UwwyxNA2L9q6yYK+BqYcqOq6F5CF+iCUpuceWsEj7ck
+--- 3XKIweSg0UFqbadbOP0APwaLyquaEdoanlvndvxcQkk
+ßüu_śnTx#H-7<>‰yó—Îç<>¨—B„ô»uµŐÉîj<C3AE>ZHĐ'&÷_đś#‘ľĽ3ŕHÍ˝0‘f

šBęą×Ö™ýčÂLĽî–z
--- a/secrets/gitea/oauth_jwt_secret.age
+++ b/secrets/gitea/oauth_jwt_secret.age
--- a/secrets/gitea/security_internal_token.age
+++ b/secrets/gitea/security_internal_token.age
--- a/secrets/gitea/security_secret_key.age
+++ b/secrets/gitea/security_secret_key.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -110,11 +110,11 @@ in
  "deluge/auth.age".publicKeys = jake_users ++ [ ts.storage.tywin ];

  # Gitea Secrets
-  "gitea/lfs_jwt_secret.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
-  "gitea/mailer_password.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
-  "gitea/oauth_jwt_secret.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
-  "gitea/security_secret_key.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
-  "gitea/security_internal_token.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
+  "gitea/lfs_jwt_secret.age".publicKeys = jake_users ++ [ ts.cx.boron ];
+  "gitea/mailer_password.age".publicKeys = jake_users ++ [ ts.cx.boron ];
+  "gitea/oauth_jwt_secret.age".publicKeys = jake_users ++ [ ts.cx.boron ];
+  "gitea/security_secret_key.age".publicKeys = jake_users ++ [ ts.cx.boron ];
+  "gitea/security_internal_token.age".publicKeys = jake_users ++ [ ts.cx.boron ];

  "gitea/actions/boron.age".publicKeys = jake_users ++ [ ts.cx.boron ];
  "gitea/actions/jorah.age".publicKeys = jake_users ++ [ ts.cx.jorah ];