diff --git a/flake.lock b/flake.lock index 4e3da90..a8cb4d5 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,29 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": [ + "nixpkgs" + ], + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1696775529, + "narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=", + "owner": "ryantm", + "repo": "agenix", + "rev": "daf42cb35b2dc614d1551e37f96406e4c4a2d3e4", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "beautysh": { "inputs": { "nixpkgs": [ @@ -39,6 +63,28 @@ "type": "github" } }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1673295039, + "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "devenv": { "inputs": { "flake-compat": "flake-compat", @@ -67,11 +113,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1700847529, - "narHash": "sha256-jvTozEnNxaR7jvHc50eAfHoP8aN7+QPt1ETqr+raGSo=", + "lastModified": 1700991469, + "narHash": "sha256-Dx0Doh515JsHUr5NUigw1DX7lNy/WyA9nATki3Nnnrg=", "owner": "nix-community", "repo": "emacs-overlay", - "rev": "d419c32b00f86aa2bdf56ad8e1f4516b796539b9", + "rev": "88dc6d6095da5b9436c69c47b44558230fa4fee7", "type": "github" }, "original": { 
@@ -89,11 +135,11 @@ "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1700842988, - "narHash": "sha256-8quSprmWXYxMDhioKZZDGT6kPnfvXbglDQ62KtpiINQ=", + "lastModified": 1700960417, + "narHash": "sha256-P3B7xLwsztAwJ2J13A7oCuutLg0vNJusCvvAdYsKSYI=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "cc0e03aa0fbca12a45fa8d4278aaf96676b69fd4", + "rev": "6388fad4403e4f0a6ffc1162dec74939e98fccde", "type": "github" }, "original": { @@ -326,11 +372,11 @@ ] }, "locked": { - "lastModified": 1700847865, - "narHash": "sha256-uWaOIemGl9LF813MW0AEgCBpKwFo2t1Wv3BZc6e5Frw=", + "lastModified": 1700900274, + "narHash": "sha256-KWoKDP5I1viHR4bG3ENnJ7H1DD16tXWH4ROvS0IfXw8=", "owner": "nix-community", "repo": "home-manager", - "rev": "8cedd63eede4c22deb192f1721dd67e7460e1ebe", + "rev": "a462e7315deaa8194b0821f726709bb7e51a850c", "type": "github" }, "original": { @@ -397,11 +443,11 @@ "nixpkgs": "nixpkgs_4" }, "locked": { - "lastModified": 1698826948, - "narHash": "sha256-Th05oofIIhsN2bmJNsb0Xev3+RJgtk8stjHZX9EdWA0=", + "lastModified": 1700997049, + "narHash": "sha256-2dZsKz6CeKTx76krMp9WV4t+lRs2xDWw0aYNUFgnJKI=", "owner": "viperML", "repo": "nh", - "rev": "23d21975231d569afbe3973eb19d955c650f8f08", + "rev": "4298c924bb6b52607207691af30ebeccdbfa359d", "type": "github" }, "original": { @@ -567,11 +613,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1700678569, - "narHash": "sha256-2Ki+2UvOidxEb3xB4ADqlbPQ2BZOF4uZMR094O8or2I=", + "lastModified": 1700851152, + "narHash": "sha256-3PWITNJZyA3jz5IGREJRfSykM6xSLmD8u5A3WpBCyDM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8f1180704ac35baded1a74164365ac7cdfba6f38", + "rev": "1216a5ba22a93a4a3a3bfdb4bff0f4727c576fcc", "type": "github" }, "original": { 
@@ -599,11 +645,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1700612854, - "narHash": "sha256-yrQ8osMD+vDLGFX7pcwsY/Qr5PUd6OmDMYJZzZi0+zc=", + "lastModified": 1700794826, + "narHash": "sha256-RyJTnTNKhO0yqRpDISk03I/4A67/dp96YRxc86YOPgU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "19cbff58383a4ae384dea4d1d0c823d72b49d614", + "rev": "5a09cb4b393d58f9ed0d9ca1555016a8543c2ac8", "type": "github" }, "original": { @@ -615,11 +661,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1700612854, - "narHash": "sha256-yrQ8osMD+vDLGFX7pcwsY/Qr5PUd6OmDMYJZzZi0+zc=", + "lastModified": 1700794826, + "narHash": "sha256-RyJTnTNKhO0yqRpDISk03I/4A67/dp96YRxc86YOPgU=", "owner": "nixos", "repo": "nixpkgs", - "rev": "19cbff58383a4ae384dea4d1d0c823d72b49d614", + "rev": "5a09cb4b393d58f9ed0d9ca1555016a8543c2ac8", "type": "github" }, "original": { @@ -663,11 +709,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1700612854, - "narHash": "sha256-yrQ8osMD+vDLGFX7pcwsY/Qr5PUd6OmDMYJZzZi0+zc=", + "lastModified": 1700794826, + "narHash": "sha256-RyJTnTNKhO0yqRpDISk03I/4A67/dp96YRxc86YOPgU=", "owner": "nixos", "repo": "nixpkgs", - "rev": "19cbff58383a4ae384dea4d1d0c823d72b49d614", + "rev": "5a09cb4b393d58f9ed0d9ca1555016a8543c2ac8", "type": "github" }, "original": { @@ -796,6 +842,7 @@ }, "root": { "inputs": { + "agenix": "agenix", "devenv": "devenv", "emacs-overlay": "emacs-overlay", "firefox-nightly": "firefox-nightly", diff --git a/flake.nix b/flake.nix index 92857b0..f784583 100644 --- a/flake.nix +++ b/flake.nix @@ -25,6 +25,7 @@ }; commons = [ + inputs.agenix.nixosModules.default inputs.nh.nixosModules.default inputs.nixvim.nixosModules.nixvim ]; @@ -83,6 +84,9 @@ }; inputs = { + agenix.url = "github:ryantm/agenix"; + agenix.inputs.nixpkgs.follows = "nixpkgs"; + agenix.inputs.home-manager.follows = "nixpkgs"; devenv.url = "github:cachix/devenv"; emacs-overlay.url = "github:nix-community/emacs-overlay"; firefox-nightly.url = "github:nix-community/flake-firefox-nightly"; 
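Review bot: `agenix.inputs.home-manager.follows = "nixpkgs";` in the `inputs` hunk of flake.nix points agenix's home-manager input at the root nixpkgs flake, which is not a home-manager checkout; if this is a deliberate trick to avoid fetching home-manager because the agenix HM module is unused, a one-line comment saying so would help, otherwise `agenix.inputs.home-manager.follows = "home-manager";` is the coherent choice given the lock already carries a home-manager node. The `darwin` input is not overridden at all, so the lock now pins a nix-darwin checkout from its `master` ref (visible in the new `darwin` node) that a NixOS-only configuration never evaluates; `agenix.inputs.darwin.follows = "";` would drop that tree from the lock. Both are lock-hygiene points rather than runtime defects.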
diff --git a/machines/trench/default.nix b/machines/trench/default.nix
index 82873c9..b28b025 100644
--- a/machines/trench/default.nix
+++ b/machines/trench/default.nix
@@ -6,6 +6,7 @@
 ../../modules/nixos/user-group.nix ../../modules/programs/nixvim ../../modules/programs/nomad + ../../modules/programs/gitea ]; environment.systemPackages = with pkgs; [tailscale];
diff --git a/modules/nixos/core-server.nix b/modules/nixos/core-server.nix
index b8b8f04..46934ca 100644
--- a/modules/nixos/core-server.nix
+++ b/modules/nixos/core-server.nix
@@ -7,6 +7,7 @@
 boot.loader.systemd-boot.configurationLimit = lib.mkDefault 10; environment.systemPackages = with pkgs; [ + agenix bottom busybox curl
diff --git a/modules/programs/gitea/default.nix b/modules/programs/gitea/default.nix
new file mode 100644
index 0000000..3f08d99
--- /dev/null
+++ b/modules/programs/gitea/default.nix
@@ -0,0 +1,82 @@
+{config, ...}:
+let
+ domain = "git.deku.moe";
+ httpPort = 3001;
+ sshPort = 22022;
+in {
+ age.secrets.gitea = {
+ file = "../../../secrets/gitea.age";
+ owner = config.services.gitea.user;
+ group = config.services.gitea.user;
+ };
+
+ services.postgresql = {
+ ensureDatabases = [ config.services.gitea.user ];
+ ensureUsers = [
+ {
+ name = config.services.gitea.database.user;
+ ensurePermissions."DATABASE ${config.services.gitea.database.name}" = "ALL PRIVILEGES";
+ }
+ ];
+ };
+
+ services.gitea = {
+ enable = true;
+ lfs.enable = true;
+
+ database = {
+ type = "postgres";
+ passwordFile = config.age.secrets.gitea.path;
+ };
+
+ settings = {
+ actions = {
+ ENABLED = true;
+ };
+ picture = {
+ DISABLE_GRAVATAR = true;
+ };
+ server = {
+ DOMAIN = domain;
+ HTTP_ADDR = "127.0.0.1";
+ HTTP_PORT = httpPort;
+ ROOT_URL = "https://${domain}/";
+ SSH_PORT = sshPort;
+ };
+ service = {
+ DISABLE_REGISTRATION = true;
+ SHOW_REGISTRATION_BUTTON = false;
+ };
+ session = {
+ COOKIE_SECURE = true;
+ };
+ security = {
+ LOGIN_REMEMBER_DAYS = 14;
+ MIN_PASSWORD_LENGTH = 12;
+ PASSWORD_COMPLEXITY = "lower,upper,digit,spec";
+ PASSWORD_CHECK_PWN = true;
+ };
+ other = {
+ SHOW_FOOTER_VERSION = false;
+ SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
+ };
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts = {
+ "${domain}" = {
+ serverName = "${domain}";
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${toString httpPort}/";
+ };
+ };
+ };
+ };
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..16d7ac9
--- /dev/null
+++ b/secrets/secrets.nix
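Review bot: `file = "../../../secrets/gitea.age";` in the new `age.secrets.gitea` block is a string, not a path literal, so it is not resolved relative to this module file and is unlikely to satisfy the option's path type or to be copied into the store; `file = ../../../secrets/gitea.age;` (unquoted) is the form the tree's relative `imports` entries already use. The nginx `proxyPass = "http://localhost:${toString httpPort}/";` may resolve `localhost` to `::1` while gitea binds `HTTP_ADDR = "127.0.0.1"`, so `proxyPass = "http://127.0.0.1:${toString httpPort}/";` matches the bind address exactly. `group = config.services.gitea.user;` only works while the gitea group name happens to equal the user name; `group = config.services.gitea.group;` states the intent. Whether anything actually listens on `SSH_PORT = 22022` (system sshd or gitea's built-in SSH server), whether 80/443 are opened in the firewall, and whether ACME terms and contact email are accepted elsewhere is outside this hunk and worth confirming before deploying.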
@@ -0,0 +1,11 @@
+let
+ codingcoffee = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJQWA+bAwpm9ca5IhC6q2BsxeQH4WAiKyaht48b7/xkN cc@predator"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJnFvU6nBXEuZF08zRLFfPpxYjV3o0UayX0zTPbDb7C cc@eden"
+ ];
+ thunderbottom = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG3PeMbehJBkmv8Ee7xJimTzXoSdmAnxhBatHSdS+saM"];
+
+ users = thunderbottom ++ codingcoffee;
+in {
+ "gitea.age".publicKeys = users;
+}
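Review bot: `"gitea.age".publicKeys = users;` encrypts the secret only to the two people's SSH keys, but agenix decrypts at activation time on the host with the host's own identity (by default its SSH host key), so unless `age.identityPaths` on trench is pointed at one of these user keys the gitea service will not be able to read its database password. Add the machine as a recipient, e.g. `trench = ["ssh-ed25519 <TRENCH_HOST_PUBLIC_KEY_PLACEHOLDER>"];` and `"gitea.age".publicKeys = users ++ trench;`, then re-key the file. Keeping a separate `systems` list next to `users` also makes it obvious which recipient is a machine and which is a person when keys are rotated.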