From f59824ad62c30595392bcc7faffda695ec1b7a61 Mon Sep 17 00:00:00 2001 From: Jake Hillion Date: Sun, 12 May 2024 11:33:08 +0100 Subject: [PATCH] gitea: move jorah->boron --- hosts/boron.cx.ts.hillion.co.uk/default.nix | 2 ++ hosts/jorah.cx.ts.hillion.co.uk/default.nix | 5 +-- modules/ids.nix | 2 ++ modules/locations.nix | 2 +- modules/services/gitea/gitea.nix | 3 ++ secrets/gitea/lfs_jwt_secret.age | Bin 988 -> 988 bytes secrets/gitea/mailer_password.age | 32 ++++++++++---------- secrets/gitea/oauth_jwt_secret.age | Bin 988 -> 988 bytes secrets/gitea/security_internal_token.age | Bin 1050 -> 1050 bytes secrets/gitea/security_secret_key.age | Bin 1009 -> 1009 bytes secrets/secrets.nix | 10 +++--- 11 files changed, 30 insertions(+), 26 deletions(-) diff --git a/hosts/boron.cx.ts.hillion.co.uk/default.nix b/hosts/boron.cx.ts.hillion.co.uk/default.nix index 49615a0..bac1155 100644 --- a/hosts/boron.cx.ts.hillion.co.uk/default.nix +++ b/hosts/boron.cx.ts.hillion.co.uk/default.nix @@ -106,6 +106,8 @@ interfaces = { eth0 = { allowedTCPPorts = lib.mkForce [ + 22 # SSH + 3022 # SSH (Gitea) - redirected to 22 53 # DNS 80 # HTTP 1-2 443 # HTTPS 1-2 diff --git a/hosts/jorah.cx.ts.hillion.co.uk/default.nix b/hosts/jorah.cx.ts.hillion.co.uk/default.nix index fc6d4ee..d74668d 100644 --- a/hosts/jorah.cx.ts.hillion.co.uk/default.nix +++ b/hosts/jorah.cx.ts.hillion.co.uk/default.nix @@ -82,10 +82,7 @@ networking.firewall = { trustedInterfaces = [ "tailscale0" ]; - allowedTCPPorts = lib.mkForce [ - 22 # SSH - 3022 # Gitea SSH (accessed via public 22) - ]; + allowedTCPPorts = lib.mkForce [ ]; allowedUDPPorts = lib.mkForce [ ]; interfaces = { eth0 = { diff --git a/modules/ids.nix b/modules/ids.nix index 92d1d4a..929acfc 100644 --- a/modules/ids.nix +++ b/modules/ids.nix @@ -6,6 +6,7 @@ ## Defined System Users (see https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix) unifi = 183; chia = 185; + gitea = 186; ## Consistent People jake = 1000; 
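Review bot: The new `3022 # SSH (Gitea) - redirected to 22` entry reads as if 3022 is forwarded to 22, whereas the comment removed on jorah in this same patch described the opposite direction (Gitea SSH on 3022, reached via public 22); the redirect rule itself is not part of this diff, so it is worth confirming that whatever performs that NAT on jorah was moved to boron as well, otherwise public 22 on boron now reaches the host sshd and 3022 becomes a directly exposed Gitea SSH port. If the redirect is 22→3022, nat PREROUTING rewrites the destination before the filter INPUT chain sees it, so allowing `22` on eth0 here is either dead or, if the redirect is missing, an admin sshd exposure on the public interface (admin access may already be covered by a trusted `tailscale0`, as on jorah, but boron's trustedInterfaces are not visible here). Suggest rewording to `3022 # Gitea SSH (public 22 is DNAT'd here)` and either dropping the `22` entry or adding a comment justifying it. The enclosing allowedTCPPorts list continues outside the hunk.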
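Review bot: Replacing the global `allowedTCPPorts` with `lib.mkForce [ ]` also drops `22`, so after this change jorah's sshd is reachable only over `tailscale0` (listed in trustedInterfaces just above) or via whatever the eth0 interface block, cut off at the end of the hunk, still permits. That is a sensible hardening if public admin SSH was never intended, but it is also a lockout risk if Tailscale is down, and the new line does not say which it is. Suggest `allowedTCPPorts = lib.mkForce [ ]; # SSH only via tailscale0` or, if public admin SSH on jorah was meant to survive the Gitea move, keeping `22` here. The eth0 block continues outside the hunk.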
@@ -15,6 +16,7 @@ ## Defined System Groups (see https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix) unifi = 183; chia = 185; + gitea = 186; ## Consistent Groups mediaaccess = 1200; diff --git a/modules/locations.nix b/modules/locations.nix index 9c51f8a..5cf8630 100644 --- a/modules/locations.nix +++ b/modules/locations.nix @@ -24,7 +24,7 @@ in "jorah.cx.ts.hillion.co.uk" ]; downloads = "tywin.storage.ts.hillion.co.uk"; - gitea = "jorah.cx.ts.hillion.co.uk"; + gitea = "boron.cx.ts.hillion.co.uk"; homeassistant = "microserver.home.ts.hillion.co.uk"; mastodon = ""; matrix = "jorah.cx.ts.hillion.co.uk"; diff --git a/modules/services/gitea/gitea.nix b/modules/services/gitea/gitea.nix index eb7520f..68f895e 100644 --- a/modules/services/gitea/gitea.nix +++ b/modules/services/gitea/gitea.nix @@ -50,6 +50,9 @@ in }; }; + users.users.gitea.uid = config.ids.uids.gitea; + users.groups.gitea.gid = config.ids.gids.gitea; + services.gitea = { enable = true; package = nixpkgs-unstable.legacyPackages.x86_64-linux.gitea; 
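Review bot: The two new lines pinning `users.users.gitea.uid` and `users.groups.gitea.gid` to `config.ids.uids.gitea` / `config.ids.gids.gitea` (186 in this patch) are what make Gitea's state directory portable between jorah and boron, but the pin only helps if the files copied from jorah are chowned to the new id (they were created under whatever uid was dynamically allocated there) and if 186 is not already taken on boron; nothing in the hunk documents either expectation. Suggest a comment above them, e.g. `# Fixed uid/gid so the Gitea state dir keeps consistent ownership when moved between hosts`, and a note in the commit message on the chown step if one was performed. The `services.gitea` attribute set continues outside the hunk.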
diff --git a/secrets/gitea/lfs_jwt_secret.age b/secrets/gitea/lfs_jwt_secret.age index 40a2930200807b5051de4a98e47d1356363468f4..acf41125ec579344866bfad10edcd0071a05502f 100644 GIT binary patch literal 988 zcmYk&IScD_003}Ma0o7fn~23V)HKb#h-sUfK6iCW-T?M3(;K)|Awq6ub zY}nO&?Drww*tSp2qj;kgc^A26u#*n{){QSBFt_Ek8XcK*)Y7(?VcvU41lk9YY4uv^8tJvGNr=usvC_m2+)I^f*vKCm=FM!Dw=L*g{Y~ z#LbMSv26W+TjOdMpO6ll(e?4r-?tR+W4Ly|@%|v5)yyHS9ya-5D$rC!Y24N>J;pW# z4uo>#i}RF`tBA{yi(yI-1Nl688DBC?$#s?8#c zt{~W`2-|95qn)e^R)X6IzQ9-fzTlE^x}`?6tl)O9(#O*Nx(H#+3#H+ z8qqWL5p13N{H_vKzssROFTwrxp<$D&fwZRzd*R=Y@tNvn*ax z$2)j3jqN;zSmxW&gCJ`q^9HsITfBwZGCFB3PE5|}>fGI^Lfz|ofI0V`&(Sz`iP12H z&pVer`1k*7%XHZG!glZ8qEoBCv^E zpl@ikrc0f;TIvFK2A>;s3dYt~!kIs+G0##FYhYw~VAmjJaWOVb9jis@A;??|fADzK zULzk_?Q58b08!{GeVQ0_xEA#g<%5h`<-HYG9Xbm=U+;~M4%Zy^x?G<$Q65`*M_ANx za3mc$Su=3jS0=%q9I`9}uTPH>d&1X@5wh!{fE6g7T0>n6(gIsXn~@<(M|!M%`)(QB zTn{J=@DtTi%y2;LTyEBh;81n1`eY;zAue3tknYcSn>4OfKQc#@XhesmCa8~?tHOXe zhX8(XFHLuk`nWZlRCoZh_+VfD(@tUp$6Bm9t1n*eieDKrb&xT(g_0K ssh-rsa GxPFJQ -gDF6kKcuWAKwIhdnB7zav8ZXdHEuq+4yYVc0ZOmpXpiRReo8yVgAcDcMIt5Wkfjk -9quZWwFal2YZ9YH7HhG4vXVxzgL0s7oQfnzjsBwVO9lE/hly5gL9TqGY4fjuVv6Q -kBbp+JaogGv6RsHVajNWNto1qKNJWB8JyewnIdZOVRHee21u/a3qRMHuyRhIeiWR -QLMXxJxdvdgaCUjXMyOgMifsdklK/12kuRb6cTp9Zg+LzMUVloROSbhzofLUtjST -GnJR8qKDIDAG6XIzi4+/VZCcHRA/NEAs965GQrK/qyvyTcFW6BUwuoHMq3Ia/9jM -K+hgOULnfi+jIDw5U0HJKQ +EpPN7UHHRuytMr2vXy9CHzjVkH1iCt9LiTLhFsqXbL03Rk+X82q233Lm12f0sQvz +Hqjukkh9bU90TLKcEOFpKrU5FQwKUjzEy85A+4UoovWdJ8VwACOzoJf29Ys1bX3i +Xp4gUT7ne5+4afNwKXVFDS1YCPjIoQPu2cGw6iTNIYwVY5fNxz5y5ZHLkI9lOqJD +mT7jCgLLdkK8vJiDcu4Ofr21GaziQh93YXK69i3gyAt6pqSRyQdAfhMGkykOWdrO +FXMtpzT82UCvfbFbbRCRuSFga0uq5zx2cwvBD4Xagw8Dfg9RQO0rX9NAbbgcoyfG +qnk+0bYAk3pWfdXW9Z/psQ -> ssh-rsa K9mW1w -TJKNczUv82J3W4sXH76qPmijKcOjvpLvZC7rKf85zBr2fdgOtXzXULQbFhW3l6gs -V50Lkw3gwSBC6ckWWKqfJkSxqWgAQumy5/5yZc9zqnNDJPXCaBEOkz3IL43Eu13V -4AihecOthSqFkfr1VsrllDckANsTse1Md/p8XDHOpNr/wyUHKRuFKnBmTG7nV2Ja 
-3sqOmI9RzIArUHY868ecGqPrZXWR72vqZJ3twtivq6aQI9mTw+98VPZeAUZVSMVf -5T7Z0XGfA3O5x8KDAtHcqUMA87vZ/NwsAHxsy7F64u4yaihIvG+8EQDmkGEP/7eG -lPijgnL0SUte+Df3/wXt7Q --> ssh-ed25519 Qo6/7A 7U/6Bj8AWyHKrCZ38LOyUSr/d4HOUXPqT0FoID0ON1A -3jqYYywJlhN/i7QuXBWb0kajeZcZyBnNXpUWCMf9Kzc ---- pPjt0YCs2Wah1kyAp2qLbL9Q2z/K16jv4DJXAO7x2NU - -?Q5`Y_Ќ5,u.:ʻAoT cpNF[X f4Gs \ No newline at end of file +NaR245c+88dGflT9cG73bQOBxQsVi5x8JkMTrqjabzwzHpRiBUdtP+Ou1w+klOI4 +cv1RLngEZH9jsSiEdvpvRkzE2ILOR/abgABXZi/4vl7iXiC8T23QSOPXnMxrAgpH +RV9B3GcSClb70+Lf3pJtPBVHVENhFVFvj5JgxQ2Zi6eMpcMuL18r/Szn4erk8zXQ +330oEau80X6WoPtRaSqSxVRrMGecGHdIE9chLosCf1x8CgIcYBTtviky+fDQMkKZ +iwueW1luuBj1AuP33jUqjeyyMaJ6SqSmaxGqGHGXA/ayxF8HnHU9AJlhPH+tEEbs +84Xu2vwg9ikUz7B1tTBYeA +-> ssh-ed25519 iWiFbA CuUeGNUBc5K+AkXBRvp7SUTJNoMDW0bWRnYs3ZhFSGM +UwwyxNA2L9q6yYK+BqYcqOq6F5CF+iCUpuceWsEj7ck +--- 3XKIweSg0UFqbadbOP0APwaLyquaEdoanlvndvxcQkk +u _nTx#H-7y琨BujZH'&_#3Hͽ0f  B֙Lz \ No newline at end of file 
diff --git a/secrets/gitea/oauth_jwt_secret.age b/secrets/gitea/oauth_jwt_secret.age index 22c59660bf310bf081de3af9bbc4e10b90c3834a..bbebf6c2c35b939f91979603466a2136612630fe 100644 GIT binary patch literal 988 zcmYk&xys}O007`VE|&6lP9J8I$(_Fta!#&ECif(unERT{WG2U-jO=Rb16WwuXk{US zkD!GXS}MAT*sUmRCn%y;;`az&RAlSylw6l?sLrRy=W78?8({s~s_)D7wU1WYc`qs^ z&=5#oCMM^kR^4|SqiBr=Y6`eV!`>$g?7R~}Hch*oB+<7}44gWCSQHYmN8V%!W&%>5 z#mr7Rsy%`W+Z*MeL#g-~bMYuhU^Q3p8&pruIz%~aC+az;kF!-8$-L-+-uftDmWDDb zB9wRoF%g)}+SpE?j>#$NL{OABPLuPBQwK$;UNf14T4;)^LUc90St3Vf0Ba;SiFm%H3~INqdC>e~ zf2=aGOaYI(46qr(jViN(?>saU+p#x0erNM|V>yZoMtN{G7x=9%LNMcx zw(U|tRtgl3GZCZ(yp}bFNfHh5aEpY*soll9k>16`LNtNP4&5DatF7!b_h7!p1|0FhCRPh{Ht)j7KW(@EWV&)%G$5G|wz(7Detjxif7kLns65^?H?D zF)13gP};bqB;#s0fL|p RJo@_2=U=^e`?q(fe*na)Pv8Im literal 988 zcmYk&xytNh002-C6$x7C6a1Y*n44v?OqvVXGfOhrGYMBP>z8D*O(w}?(%V_t2!cL> zHe#b<_k)e4C}Jn~DuS)8Hi9p3iW7o#l{RsI?}nmnp0qtcCJb6VeYjrpReud1llD_upj+Pc)wVfc;#z04s2d2Lzw=3aYNa zJci3~-*&FW&~rv;9JZyvD3u``BSn1h&enac^g7z>+%Achx}7S+KTiP@#nK7VJlWk( z{C+n&3fio3k`i2j5l37t-O~4yQ#NC~OauOy8*wzyA#pq#Cj_}!wy@!d3gTpC!;mB) zPP7Z+g4)iJ~;3Qb~X5)>vg0KHid z7CwkG$1=UNXB|(0O1`tK{d(SLY^Y~>*}DEw3jrqh;!Z_k|5VcOS|09&WhRz0Dr;L3 zGkZcTgPlVdH6e{w%OvXDC0Sy0C*3OIdKz>uOsT@~Nd|9Cx}%S!!;S3?NjC{UBH48? zc9>iN^n@;uR)u$)C3NiKvN=+PHGyD58JNd@O7m)4>9*3ODiusizvyIqkkxujI4~5K z(P={&hVHD#am>ao8r2yqe@4z>a)Mhv+fqsp*PhMafU%DJdG_41C8*lc1-0M|bNeq1 zcP!M3_1!|{6t_AK^;5er@!n$p+fEalBr)c}XeoqdACQWk(Hg#7BQYy=H;Ws@=WeK_ z*et2!=@Qr1+Dv$j@c?v8dj>%|7;$XXzpF>KzHA)Aw50T=jdi|0NE#ct2NzRCXti2B zG&;~@qPTQ67U*Ul5TNJdu8pv?lB7jusxlPeHd#c&f&AZp{4INdz4Y|)C;OZCUjK9d z@?T#L@VC!Dddxq5H!Sk6K7UmWetGAW?D5$bfB*d1*Ka%z;SWEZKY8{C@j>*WegEyZ P#P0+0hu6Yi-~8?$k}6LH 
diff --git a/secrets/gitea/security_internal_token.age b/secrets/gitea/security_internal_token.age index 6ba7b1965d060d15b5852820cb78d8d772273d94..8605173bb4a425c677010d825f6f23cccafaccc6 100644 GIT binary patch literal 1050 zcmYk&$&2d*0Dy75JT&q^1$_fviijRcCrg_R7iiLEnPzL7CTTz+O`5gY+U%lp5WL94 zlNXOF9y}>{kpUU-;7!Go^3Vql<>7O1K@TE>I4AKB_`bu>^0tF*V(;6m2-4&@-FsjK z1A`ZOhl4-ZAFLkRD9p(m5C|9@Wxh6bNk-m|iy0Q;>wR1#H0X>;7M3=YLg5>x6J&~5 zpnZsJD2*jTtfW_&VCjH4_Z5|~cw^VuT-axtxo3fSYgPV2^(2lT7Y$PjY5_Gy>?$Q~ zuI!ScSyz;8l?NRSn99c9rsgTN8$ozdM^L^s>dm3GcBPM^>pp0CTvm$nHWe@(FY6d# zNrN}oe3xhKy2}AJ!`fjB?u|X>|n#GG|WY1+7jSFTz?K{PCl7}0YgvA`&sJ>=V z^sF=&f@T1U8B>X%i6GDI0z`52X}NU0|7*|4SchvMRh^Z^xnnOHbFe4Xaty1ikaoB^ z3)Z=@-j%LMxGE^{Y9~=CUPRs`3tP(wrL50vbKnpLK9cY)K|4%PP@^uu^g@kD7Nvb* z$SyMvsrXgo3V5Jpnk$i|W6CSqCN>^qh=&m1*K9pS>Lfel+c*m|ei76mNSd6(XNMUF zt0&Xl0*%8CrEs~sN)XP)P}_^Oc(~bAHZXKFh%Q_Y;?g-T8RC@C%+W#;WZz#;Jmw(C z0>Kj=sTyH3_qlE|gNHV%Gm=t9WEk`TWT$y#5*0is_G=c;R)&j~$+B_!fmNeACa)(c zF)6P0K~b(5k)OMB)uAcF2;+joo%S}!cnts*Bv z=fM2A$BxP$J{q2$z4`I+<)<%y$iM%^=U;zvJ!fv4(?8zY4(_|Sc=z|q55Bwk{X1H5 z?@oPbToeDi|NQM67e6nL^Ut1qE$$G<)B;_02AF1qNEhkos_o89yO+)5um`s(ke y&L4jDoAY1ZgI+)T^8D^gXV)JcJ{{e9Mm)blXl{V_(!XB$_KD!fXJ0$&U;7tMQFB-T literal 1050 zcmYk&%gfsY003~efl5w-2NgxWPj7}UX__ahs)mu}eCN#rN?mqxThod< zPGZj1Wl9=kp_&f?dpaZ6NZ*pAS+K=hR|D4pr&vThFKS*9-Hn=o4u%mknHYn}CZdrB z&&CQ*tk4c_lMDd0f-S;^L?z$QV7@T5B1g%Fi$s}GmYx~q0}Up-!PF~a^pGG;1B*O^ zj8d87gU!GOU}nPWh>px;b}Wbl=xMSF(nX9hrn5k#LH{r}H?|*&uw~9|jEmH!OejWb zmX)!NsT9b4TyjELNeacX$c&%ODo~*Rzb#Q4yWavni;(ysq5axK`7-DFv*6I}U|kTY zy^9KqLkr8>y>-BCWXRL}S^^cpo0XHWcCf8ZOF-Q*+TNvOtaKcuCgzlF>K?)=^USa) zwLuy|H@00^lvtAG*0RQHx*O1?kPiE(8}GJ24mBY;j3SGId@^4awz0v-DeY25IadQ~bw&Lo?IkeC3=fpkD|N8Cj*TL$x#LC62v|JzIIib?a>cFly)&^JHCFdNkoVn>v(I z)DmLQDi@9-@c`C#fi4jUD*QsnMb{X)rA;0+hp8 z9b-raoV#=R8ujtnuV*iuo;TmfgAcCU&Y$?~*14Z^_eFh+<)=%-IM!&yBU4*=ke)dC!hZV DM(%2S 
diff --git a/secrets/gitea/security_secret_key.age b/secrets/gitea/security_secret_key.age index d1954f382eaa79888762d8e7f20e46bfd135ffd2..eeecfd04803bded9d673ce862c03b93f12dd9b0e 100644 GIT binary patch literal 1009 zcmYk&yX)h0003||CHNSAs5l5+rPeh0<~b;&ZPMn^JeoF5svhLkZ__;c&7)1Z!9h?* z;ar@AgBu(i#DBm=JdWQYiYN$o;wCtWgVRldpFiQ_!*~=IA?m9pDT}vC1o4i*M(+&j z`Y=MZKbT)kNwKgLsJY&8C@ZPr=r&{<$(1Ua=%S}~Y}I;V!x?UfN@!Tr_7F|O-85kZ z1Gjo>MRSgedA4V_DLqGwWu;4eKdD7tg3YXNwV>W5^Wh~gm&E=w$Bi)?PBK0A)bo&| ziA3duj5%Sb=ZY5kc-9{U*UPOs*Ic&ZgVl-_XB@gtH*jlH3YAUlzGHJUXW3=%sG`t> zO?nD5OuO1zLXtCL3<7=4>_|VTJO)g)bLW(2y%v#9nyXS86JZA=ygn{<2WC*+j$M{y z$5+fYjYUe*3IkhcQn2DcNUMxIT;#gss3%?Wj5eJzwd{!*E43!259NF*t>ey-)JDEy z!-J{$M&v6{HW1%}e#!7#`2TH{&$q-GYaF`}Wtj`Zl#>#_l&J|vv{q5KZF&|owmPDN zO9fQXuv&EHoMLMg$UhzfoLUeyXJLScbWmJeBQM#B4$Mq9_LDWxC=F5ja7r3ut8aGK zSP^|nHvwwbn^0kACF=+MHKAo}M{&-^B-Dh<%;{{&D2BI*kmo3?(B7xjshWY*49b4# z&vxWwEmy}ad1|R^O4ze$Hg7OnIY)seRP3rC2y>-_g>Dj8CfyCo1*Cm0-D;QXvSPek z64j~#WrlBTW4Wx-t&+6-1!G_p*M_|JLwG_wjMr&8?;0o`PZyj4^Qu!b1!-J@RQqz7 zY@)QeQcl~h0+rC&bp$ZYSWSdBVFgP%^F#{$^ zTOrHNIZ&+J!m*KWuhEPSfgl8M%#Xo&1;?1cZrF|nPS#8*d0v@elz@^pSYT6jt4=CjwIz4P)f-@pIS`EC5~`tu)N`QZ0Y-+l1otG`AE4n2AA5$WAL>fXr4_g{Pd z`t6@D{>92nd?SqHez1utY?tU_P;j4rDCjaFhU%d20f9`AH<9~mLDy3}x99+wx?Lh`>nF1cJTugfLikasS*JTC8Ka1q^G z@B=8$MFbthp@TzR9E1)o7F5Kch*WWub`ksvKYnf;F2cgEr>Z@b#XDskFMAkR+`ej> zWKlQn6+iAdQ3W&{ch?OUr6HRWA*0y#5MdNj3I@J4lW3A{q*jjb;IJYh#^S-OVbnj* zO?vRCvtpb9hiJUzbg5c0V<>p3d5}>w9+f4-ifS^7QT+JKNg{a?Ev7%t{0N!ZsFtwf zUCR-w5kTQ|D~5~V%#(H$zlQidyh)S6W?N{&@zb8%bZR>(6LBrzngDZA>~7Q|N|?1@ zOwo}71iaPp91pbgLQ}PmoFU95h(htQme?9Fy^yj9;F?%hZGcdyX+jo3Az zKf3k%&wsx9@<*!w(htwy_~c!0@#$STh~EAlxbyy7Vf*0kkMDhZ|KS5=-+wpW`t_g1 zoyX7%Z+`fS|JRSt1;tnI-TUpy&7Z#b>_+?AFK_gJ{A=a;L;K0y$M?T^G=KgS+1y*e diff --git a/secrets/secrets.nix b/secrets/secrets.nix index fffbea9..404dddc 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -110,11 +110,11 @@ in "deluge/auth.age".publicKeys = jake_users ++ [ ts.storage.tywin ]; # Gitea Secrets - "gitea/lfs_jwt_secret.age".publicKeys = jake_users ++ [ ts.cx.jorah ]; - "gitea/mailer_password.age".publicKeys = jake_users ++ [ ts.cx.jorah ]; - "gitea/oauth_jwt_secret.age".publicKeys = jake_users ++ [ ts.cx.jorah ]; - "gitea/security_secret_key.age".publicKeys = jake_users ++ [ ts.cx.jorah ]; - "gitea/security_internal_token.age".publicKeys = jake_users ++ [ ts.cx.jorah ]; + "gitea/lfs_jwt_secret.age".publicKeys = jake_users ++ [ ts.cx.boron ]; + "gitea/mailer_password.age".publicKeys = jake_users ++ [ ts.cx.boron ]; + "gitea/oauth_jwt_secret.age".publicKeys = jake_users ++ [ ts.cx.boron ]; + "gitea/security_secret_key.age".publicKeys = jake_users ++ [ ts.cx.boron ]; + "gitea/security_internal_token.age".publicKeys = jake_users ++ [ ts.cx.boron ]; "gitea/actions/boron.age".publicKeys = jake_users ++ [ ts.cx.boron ]; "gitea/actions/jorah.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
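Review bot: Swapping `ts.cx.jorah` for `ts.cx.boron` in the five gitea secret recipient lists re-keys the ciphertexts but does not revoke jorah's access to the current values: the previous .age files remain in git history and jorah's host key can still decrypt them, and the unchanged sizes in the diffstat (`Bin 988 -> 988 bytes`, `1050 -> 1050`, `1009 -> 1009`) suggest the plaintexts were re-encrypted rather than rotated. If jorah is no longer meant to hold Gitea's secrets, rotate at least `security_secret_key`, `security_internal_token`, the two JWT secrets and the mailer password after the migration, bearing in mind that rotating Gitea's SECRET_KEY affects data it encrypted (e.g. stored 2FA secrets), so that needs planning. A comment on the first of the five lines, e.g. `# re-keyed for boron 2024-05; values not rotated`, would make the state of affairs explicit for the next reader. `gitea/actions/jorah.age` staying with `ts.cx.jorah` looks intentional (runner left on jorah) but is worth confirming.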