feat: add agenix and gitea

Signed-off-by: Chinmay D. Pai <chinmay.pai@zerodha.com>

flake.lock

@@ -1,5 +1,29 @@
 {
   "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "home-manager": [
+          "nixpkgs"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1696775529,
+        "narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "daf42cb35b2dc614d1551e37f96406e4c4a2d3e4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
     "beautysh": {
       "inputs": {
         "nixpkgs": [
@@ -39,6 +63,28 @@
         "type": "github"
       }
     },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1673295039,
+        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
     "devenv": {
       "inputs": {
         "flake-compat": "flake-compat",
@@ -67,11 +113,11 @@
         "nixpkgs-stable": "nixpkgs-stable_2"
       },
       "locked": {
-        "lastModified": 1700847529,
+        "lastModified": 1700991469,
-        "narHash": "sha256-jvTozEnNxaR7jvHc50eAfHoP8aN7+QPt1ETqr+raGSo=",
+        "narHash": "sha256-Dx0Doh515JsHUr5NUigw1DX7lNy/WyA9nATki3Nnnrg=",
         "owner": "nix-community",
         "repo": "emacs-overlay",
-        "rev": "d419c32b00f86aa2bdf56ad8e1f4516b796539b9",
+        "rev": "88dc6d6095da5b9436c69c47b44558230fa4fee7",
         "type": "github"
       },
       "original": {
@@ -89,11 +135,11 @@
         "nixpkgs": "nixpkgs_3"
       },
       "locked": {
-        "lastModified": 1700842988,
+        "lastModified": 1700960417,
-        "narHash": "sha256-8quSprmWXYxMDhioKZZDGT6kPnfvXbglDQ62KtpiINQ=",
+        "narHash": "sha256-P3B7xLwsztAwJ2J13A7oCuutLg0vNJusCvvAdYsKSYI=",
         "owner": "nix-community",
         "repo": "flake-firefox-nightly",
-        "rev": "cc0e03aa0fbca12a45fa8d4278aaf96676b69fd4",
+        "rev": "6388fad4403e4f0a6ffc1162dec74939e98fccde",
         "type": "github"
       },
       "original": {
@@ -326,11 +372,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1700847865,
+        "lastModified": 1700900274,
-        "narHash": "sha256-uWaOIemGl9LF813MW0AEgCBpKwFo2t1Wv3BZc6e5Frw=",
+        "narHash": "sha256-KWoKDP5I1viHR4bG3ENnJ7H1DD16tXWH4ROvS0IfXw8=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "8cedd63eede4c22deb192f1721dd67e7460e1ebe",
+        "rev": "a462e7315deaa8194b0821f726709bb7e51a850c",
         "type": "github"
       },
       "original": {
@@ -397,11 +443,11 @@
         "nixpkgs": "nixpkgs_4"
       },
       "locked": {
-        "lastModified": 1698826948,
+        "lastModified": 1700997049,
-        "narHash": "sha256-Th05oofIIhsN2bmJNsb0Xev3+RJgtk8stjHZX9EdWA0=",
+        "narHash": "sha256-2dZsKz6CeKTx76krMp9WV4t+lRs2xDWw0aYNUFgnJKI=",
         "owner": "viperML",
         "repo": "nh",
-        "rev": "23d21975231d569afbe3973eb19d955c650f8f08",
+        "rev": "4298c924bb6b52607207691af30ebeccdbfa359d",
         "type": "github"
       },
       "original": {
@@ -567,11 +613,11 @@
     },
     "nixpkgs-stable_2": {
       "locked": {
-        "lastModified": 1700678569,
+        "lastModified": 1700851152,
-        "narHash": "sha256-2Ki+2UvOidxEb3xB4ADqlbPQ2BZOF4uZMR094O8or2I=",
+        "narHash": "sha256-3PWITNJZyA3jz5IGREJRfSykM6xSLmD8u5A3WpBCyDM=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "8f1180704ac35baded1a74164365ac7cdfba6f38",
+        "rev": "1216a5ba22a93a4a3a3bfdb4bff0f4727c576fcc",
         "type": "github"
       },
       "original": {
@@ -599,11 +645,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1700612854,
+        "lastModified": 1700794826,
-        "narHash": "sha256-yrQ8osMD+vDLGFX7pcwsY/Qr5PUd6OmDMYJZzZi0+zc=",
+        "narHash": "sha256-RyJTnTNKhO0yqRpDISk03I/4A67/dp96YRxc86YOPgU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "19cbff58383a4ae384dea4d1d0c823d72b49d614",
+        "rev": "5a09cb4b393d58f9ed0d9ca1555016a8543c2ac8",
         "type": "github"
       },
       "original": {
@@ -615,11 +661,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1700612854,
+        "lastModified": 1700794826,
-        "narHash": "sha256-yrQ8osMD+vDLGFX7pcwsY/Qr5PUd6OmDMYJZzZi0+zc=",
+        "narHash": "sha256-RyJTnTNKhO0yqRpDISk03I/4A67/dp96YRxc86YOPgU=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "19cbff58383a4ae384dea4d1d0c823d72b49d614",
+        "rev": "5a09cb4b393d58f9ed0d9ca1555016a8543c2ac8",
         "type": "github"
       },
       "original": {
@@ -663,11 +709,11 @@
     },
     "nixpkgs_6": {
       "locked": {
-        "lastModified": 1700612854,
+        "lastModified": 1700794826,
-        "narHash": "sha256-yrQ8osMD+vDLGFX7pcwsY/Qr5PUd6OmDMYJZzZi0+zc=",
+        "narHash": "sha256-RyJTnTNKhO0yqRpDISk03I/4A67/dp96YRxc86YOPgU=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "19cbff58383a4ae384dea4d1d0c823d72b49d614",
+        "rev": "5a09cb4b393d58f9ed0d9ca1555016a8543c2ac8",
         "type": "github"
       },
       "original": {
@@ -796,6 +842,7 @@
     },
     "root": {
       "inputs": {
+        "agenix": "agenix",
         "devenv": "devenv",
         "emacs-overlay": "emacs-overlay",
         "firefox-nightly": "firefox-nightly",

flake.nix

@@ -25,6 +25,7 @@
     };
 
     commons = [
+      inputs.agenix.nixosModules.default
       inputs.nh.nixosModules.default
       inputs.nixvim.nixosModules.nixvim
     ];
@@ -83,6 +84,9 @@
   };
 
   inputs = {
+    agenix.url = "github:ryantm/agenix";
+    agenix.inputs.nixpkgs.follows = "nixpkgs";
+    agenix.inputs.home-manager.follows = "nixpkgs";
     devenv.url = "github:cachix/devenv";
     emacs-overlay.url = "github:nix-community/emacs-overlay";
     firefox-nightly.url = "github:nix-community/flake-firefox-nightly";

machines/trench/default.nix

@@ -6,6 +6,7 @@
     ../../modules/nixos/user-group.nix
     ../../modules/programs/nixvim
     ../../modules/programs/nomad
+    ../../modules/programs/gitea
   ];
 
   environment.systemPackages = with pkgs; [tailscale];

modules/nixos/core-server.nix

@@ -7,6 +7,7 @@
   boot.loader.systemd-boot.configurationLimit = lib.mkDefault 10;
 
   environment.systemPackages = with pkgs; [
+    agenix
     bottom
     busybox
     curl

modules/programs/gitea/default.nix

@@ -0,0 +1,82 @@
+{config, ...}:
+let
+  domain = "git.deku.moe";
+  httpPort = 3001;
+  sshPort = 22022;
+in {
+  age.secrets.gitea = {
+    file = "../../../secrets/gitea.age";
+    owner = config.services.gitea.user;
+    group = config.services.gitea.user;
+  };
+
+  services.postgresql = {
+    ensureDatabases = [ config.services.gitea.user ];
+    ensureUsers = [
+      {
+        name = config.services.gitea.database.user;
+        ensurePermissions."DATABASE ${config.services.gitea.database.name}" = "ALL PRIVILEGES";
+      }
+    ];
+  };
+
+  services.gitea = {
+    enable = true;
+    lfs.enable = true;
+
+    database = {
+      type = "postgres";
+      passwordFile = config.age.secrets.gitea.path;
+    };
+
+    settings = {
+      actions = {
+        ENABLED = true;
+      };
+      picture = {
+        DISABLE_GRAVATAR = true;
+      };
+      server = {
+        DOMAIN = domain;
+        HTTP_ADDR = "127.0.0.1";
+        HTTP_PORT = httpPort;
+        ROOT_URL = "https://${domain}/";
+        SSH_PORT = sshPort;
+      };
+      service = {
+        DISABLE_REGISTRATION = true;
+        SHOW_REGISTRATION_BUTTON = false;
+      };
+      session = {
+        COOKIE_SECURE = true;
+      };
+      security = {
+        LOGIN_REMEMBER_DAYS = 14;
+        MIN_PASSWORD_LENGTH = 12;
+        PASSWORD_COMPLEXITY = "lower,upper,digit,spec";
+        PASSWORD_CHECK_PWN = true;
+      };
+      other = {
+        SHOW_FOOTER_VERSION = false;
+        SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
+      };
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    recommendedGzipSettings = true;
+    recommendedTlsSettings = true;
+    virtualHosts = {
+      "${domain}" = {
+        serverName = "${domain}";
+        enableACME = true;
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://localhost:${toString httpPort}/";
+        };
+      };
+    };
+  };
+}

secrets/secrets.nix

@@ -0,0 +1,11 @@
+let
+  codingcoffee = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJQWA+bAwpm9ca5IhC6q2BsxeQH4WAiKyaht48b7/xkN cc@predator"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJnFvU6nBXEuZF08zRLFfPpxYjV3o0UayX0zTPbDb7C cc@eden"
+  ];
+  thunderbottom = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG3PeMbehJBkmv8Ee7xJimTzXoSdmAnxhBatHSdS+saM"];
+
+  users = thunderbottom ++ codingcoffee;
+in {
+  "gitea.age".publicKeys = users;
+}