nixfmt
@@ -1,4 +1,9 @@
|
||||
{ pkgs, values, fp, ... }:
|
||||
{
|
||||
pkgs,
|
||||
values,
|
||||
fp,
|
||||
...
|
||||
}:
|
||||
{
|
||||
imports = [
|
||||
# Include the results of the hardware scan.
|
||||
@@ -12,7 +17,10 @@
|
||||
|
||||
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
|
||||
matchConfig.Name = "ens18";
|
||||
address = with values.hosts.kommode; [ (ipv4 + "/25") (ipv6 + "/64") ];
|
||||
address = with values.hosts.kommode; [
|
||||
(ipv4 + "/25")
|
||||
(ipv6 + "/64")
|
||||
];
|
||||
};
|
||||
|
||||
services.btrfs.autoScrub.enable = true;
|
||||
|
||||
@@ -1,14 +1,27 @@
|
||||
# Do not modify this file! It was generated by 'nixos-generate-config'
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
modulesPath,
|
||||
...
|
||||
}:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ (modulesPath + "/profiles/qemu-guest.nix")
|
||||
];
|
||||
imports = [
|
||||
(modulesPath + "/profiles/qemu-guest.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
|
||||
boot.initrd.availableKernelModules = [
|
||||
"ata_piix"
|
||||
"uhci_hcd"
|
||||
"virtio_pci"
|
||||
"virtio_scsi"
|
||||
"sd_mod"
|
||||
"sr_mod"
|
||||
];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
@@ -1,4 +1,10 @@
|
||||
{ config, pkgs, lib, fp, ... }:
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
fp,
|
||||
...
|
||||
}:
|
||||
let
|
||||
cfg = config.services.gitea;
|
||||
in
|
||||
@@ -68,54 +74,59 @@ in
|
||||
wantedBy = [ "gitea.service" ];
|
||||
requiredBy = [ "gitea.service" ];
|
||||
|
||||
serviceConfig = {
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
};
|
||||
|
||||
script = let
|
||||
logo-svg = fp /assets/logo_blue_regular.svg;
|
||||
logo-png = fp /assets/logo_blue_regular.png;
|
||||
script =
|
||||
let
|
||||
logo-svg = fp /assets/logo_blue_regular.svg;
|
||||
logo-png = fp /assets/logo_blue_regular.png;
|
||||
|
||||
extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
|
||||
<a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
|
||||
extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
|
||||
<a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
|
||||
'';
|
||||
|
||||
extraLinksFooter = pkgs.writeText "gitea-extra-links-footer.tmpl" ''
|
||||
<a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
|
||||
<a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
|
||||
<a class="item" href="https://wiki.pvv.ntnu.no/wiki/Tjenester/Kodelager">PVV Gitea Howto</a>
|
||||
'';
|
||||
|
||||
project-labels = (pkgs.formats.yaml { }).generate "gitea-project-labels.yaml" {
|
||||
labels = lib.importJSON ./labels/projects.json;
|
||||
};
|
||||
|
||||
customTemplates =
|
||||
pkgs.runCommandLocal "gitea-templates"
|
||||
{
|
||||
nativeBuildInputs = with pkgs; [
|
||||
coreutils
|
||||
gnused
|
||||
];
|
||||
}
|
||||
''
|
||||
# Bigger icons
|
||||
install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl"
|
||||
sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
|
||||
'';
|
||||
in
|
||||
''
|
||||
install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
|
||||
install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
|
||||
install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
|
||||
install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
|
||||
install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
|
||||
install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
|
||||
|
||||
install -Dm644 ${./emotes/bruh.png} ${cfg.customDir}/public/assets/img/emoji/bruh.png
|
||||
install -Dm644 ${./emotes/huh.gif} ${cfg.customDir}/public/assets/img/emoji/huh.png
|
||||
install -Dm644 ${./emotes/grr.png} ${cfg.customDir}/public/assets/img/emoji/grr.png
|
||||
install -Dm644 ${./emotes/okiedokie.jpg} ${cfg.customDir}/public/assets/img/emoji/okiedokie.png
|
||||
|
||||
"${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
|
||||
'';
|
||||
|
||||
extraLinksFooter = pkgs.writeText "gitea-extra-links-footer.tmpl" ''
|
||||
<a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
|
||||
<a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
|
||||
<a class="item" href="https://wiki.pvv.ntnu.no/wiki/Tjenester/Kodelager">PVV Gitea Howto</a>
|
||||
'';
|
||||
|
||||
project-labels = (pkgs.formats.yaml { }).generate "gitea-project-labels.yaml" {
|
||||
labels = lib.importJSON ./labels/projects.json;
|
||||
};
|
||||
|
||||
customTemplates = pkgs.runCommandLocal "gitea-templates" {
|
||||
nativeBuildInputs = with pkgs; [
|
||||
coreutils
|
||||
gnused
|
||||
];
|
||||
} ''
|
||||
# Bigger icons
|
||||
install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl"
|
||||
sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
|
||||
'';
|
||||
in ''
|
||||
install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
|
||||
install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
|
||||
install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
|
||||
install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
|
||||
install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
|
||||
install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
|
||||
|
||||
install -Dm644 ${./emotes/bruh.png} ${cfg.customDir}/public/assets/img/emoji/bruh.png
|
||||
install -Dm644 ${./emotes/huh.gif} ${cfg.customDir}/public/assets/img/emoji/huh.png
|
||||
install -Dm644 ${./emotes/grr.png} ${cfg.customDir}/public/assets/img/emoji/grr.png
|
||||
install -Dm644 ${./emotes/okiedokie.jpg} ${cfg.customDir}/public/assets/img/emoji/okiedokie.png
|
||||
|
||||
"${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
||||
@@ -1,9 +1,17 @@
|
||||
{ config, values, lib, pkgs, unstablePkgs, ... }:
|
||||
{
|
||||
config,
|
||||
values,
|
||||
lib,
|
||||
pkgs,
|
||||
unstablePkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
cfg = config.services.gitea;
|
||||
domain = "git.pvv.ntnu.no";
|
||||
sshPort = 2222;
|
||||
in {
|
||||
sshPort = 2222;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
./customization
|
||||
./gpg.nix
|
||||
@@ -11,19 +19,21 @@ in {
|
||||
./web-secret-provider
|
||||
];
|
||||
|
||||
sops.secrets = let
|
||||
defaultConfig = {
|
||||
owner = "gitea";
|
||||
group = "gitea";
|
||||
restartUnits = [ "gitea.service" ];
|
||||
sops.secrets =
|
||||
let
|
||||
defaultConfig = {
|
||||
owner = "gitea";
|
||||
group = "gitea";
|
||||
restartUnits = [ "gitea.service" ];
|
||||
};
|
||||
in
|
||||
{
|
||||
"gitea/database" = defaultConfig;
|
||||
"gitea/email-password" = defaultConfig;
|
||||
"gitea/lfs-jwt-secret" = defaultConfig;
|
||||
"gitea/oauth2-jwt-secret" = defaultConfig;
|
||||
"gitea/secret-key" = defaultConfig;
|
||||
};
|
||||
in {
|
||||
"gitea/database" = defaultConfig;
|
||||
"gitea/email-password" = defaultConfig;
|
||||
"gitea/lfs-jwt-secret" = defaultConfig;
|
||||
"gitea/oauth2-jwt-secret" = defaultConfig;
|
||||
"gitea/secret-key" = defaultConfig;
|
||||
};
|
||||
|
||||
services.gitea = {
|
||||
enable = true;
|
||||
@@ -44,7 +54,7 @@ in {
|
||||
# https://docs.gitea.com/administration/config-cheat-sheet
|
||||
settings = {
|
||||
server = {
|
||||
DOMAIN = domain;
|
||||
DOMAIN = domain;
|
||||
ROOT_URL = "https://${domain}/";
|
||||
PROTOCOL = "http+unix";
|
||||
SSH_PORT = sshPort;
|
||||
@@ -215,29 +225,33 @@ in {
|
||||
};
|
||||
|
||||
systemd.services.gitea-dump = {
|
||||
serviceConfig.ExecStart = let
|
||||
args = lib.cli.toGNUCommandLineShell { } {
|
||||
type = cfg.dump.type;
|
||||
serviceConfig.ExecStart =
|
||||
let
|
||||
args = lib.cli.toGNUCommandLineShell { } {
|
||||
type = cfg.dump.type;
|
||||
|
||||
# This should be declarative on nixos, no need to backup.
|
||||
skip-custom-dir = true;
|
||||
# This should be declarative on nixos, no need to backup.
|
||||
skip-custom-dir = true;
|
||||
|
||||
# This can be regenerated, no need to backup
|
||||
skip-index = true;
|
||||
# This can be regenerated, no need to backup
|
||||
skip-index = true;
|
||||
|
||||
# Logs are stored in the systemd journal
|
||||
skip-log = true;
|
||||
};
|
||||
in lib.mkForce "${lib.getExe cfg.package} ${args}";
|
||||
# Logs are stored in the systemd journal
|
||||
skip-log = true;
|
||||
};
|
||||
in
|
||||
lib.mkForce "${lib.getExe cfg.package} ${args}";
|
||||
|
||||
# Only keep n backup files at a time
|
||||
postStop = let
|
||||
cu = prog: "'${lib.getExe' pkgs.coreutils prog}'";
|
||||
backupCount = 3;
|
||||
in ''
|
||||
for file in $(${cu "ls"} -t1 '${cfg.dump.backupDir}' | ${cu "sort"} --reverse | ${cu "tail"} -n+${toString (backupCount + 1)}); do
|
||||
${cu "rm"} "$file"
|
||||
done
|
||||
postStop =
|
||||
let
|
||||
cu = prog: "'${lib.getExe' pkgs.coreutils prog}'";
|
||||
backupCount = 3;
|
||||
in
|
||||
''
|
||||
for file in $(${cu "ls"} -t1 '${cfg.dump.backupDir}' | ${cu "sort"} --reverse | ${cu "tail"} -n+${toString (backupCount + 1)}); do
|
||||
${cu "rm"} "$file"
|
||||
done
|
||||
'';
|
||||
};
|
||||
}
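Review bot: The retention loop in postStop deletes by bare name: `ls -t1` prints filenames without a directory, so `${cu "rm"} "$file"` only hits the dump files if the unit's working directory happens to be the backup dir (that is set outside this hunk, presumably by the upstream gitea module); otherwise it deletes, or fails on, same-named files elsewhere. I would anchor the path explicitly, `${cu "rm"} -- '${cfg.dump.backupDir}/'"$file"`, which also stops a name beginning with `-` from being parsed as an option. Separately, piping `ls -t1` through `sort --reverse` discards the mtime ordering `-t` produced, so which three dumps survive is decided by lexical order of the names rather than by age; dropping the `sort` stage, `$(${cu "ls"} -t1 '${cfg.dump.backupDir}' | ${cu "tail"} -n+${toString (backupCount + 1)})`, keeps the newest `backupCount` as the comment intends. The unquoted `$(…)` still word-splits on names with whitespace, which is tolerable only because gitea's own dump names have none.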
|
||||
|
||||
@@ -1,4 +1,9 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
let
|
||||
cfg = config.services.gitea;
|
||||
GNUPGHOME = "${config.users.users.gitea.home}/gnupg";
|
||||
|
||||
@@ -1,4 +1,9 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
let
|
||||
cfg = config.services.gitea;
|
||||
in
|
||||
@@ -11,7 +16,7 @@ in
|
||||
|
||||
systemd.services.gitea-import-users = lib.mkIf cfg.enable {
|
||||
enable = true;
|
||||
preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /run/gitea-import-users/passwd'';
|
||||
preStart = ''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /run/gitea-import-users/passwd'';
|
||||
environment.PASSWD_FILE_PATH = "/run/gitea-import-users/passwd";
|
||||
serviceConfig = {
|
||||
ExecStart = pkgs.writers.writePython3 "gitea-import-users" {
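Review bot: The preStart rsync pins the server via `UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts`, but it leaves `StrictHostKeyChecking` at its default, so the pin holds only because a non-interactive ssh cannot answer the "ask" prompt; a future change that gives the unit a tty or a client-config override would silently turn this into trust-on-first-use against a file it cannot write. Making the policy explicit costs one option: `-o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -o StrictHostKeyChecking=yes -o IdentitiesOnly=yes -i $CREDENTIALS_DIRECTORY/sshkey`, where `IdentitiesOnly` also stops ssh from offering any agent or default keys before the credential. The fetched `/etc/passwd` lands in `/run/gitea-import-users/passwd` under the `RuntimeDirectory` declared further down in this unit, which is sound since that directory is private to the `DynamicUser`; a comment noting that the known_hosts credential is the only thing preventing a MITM on this pull would help the next person who rotates the smtp host key. The service definition starts and ends outside this hunk.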
|
||||
@@ -20,12 +25,12 @@ in
|
||||
];
|
||||
libraries = with pkgs.python3Packages; [ requests ];
|
||||
} (builtins.readFile ./gitea-import-users.py);
|
||||
LoadCredential=[
|
||||
LoadCredential = [
|
||||
"sshkey:${config.sops.secrets."gitea/passwd-ssh-key".path}"
|
||||
"ssh-known-hosts:${config.sops.secrets."gitea/ssh-known-hosts".path}"
|
||||
];
|
||||
DynamicUser="yes";
|
||||
EnvironmentFile=config.sops.secrets."gitea/import-user-env".path;
|
||||
DynamicUser = "yes";
|
||||
EnvironmentFile = config.sops.secrets."gitea/import-user-env".path;
|
||||
RuntimeDirectory = "gitea-import-users";
|
||||
};
|
||||
};
|
||||
|
||||
@@ -1,4 +1,9 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
let
|
||||
organizations = [
|
||||
"Drift"
|
||||
@@ -36,7 +41,8 @@ in
|
||||
group = "gitea-web";
|
||||
restartUnits = [
|
||||
"gitea-web-secret-provider@"
|
||||
] ++ (map (org: "gitea-web-secret-provider@${org}") organizations);
|
||||
]
|
||||
++ (map (org: "gitea-web-secret-provider@${org}") organizations);
|
||||
};
|
||||
|
||||
systemd.slices.system-giteaweb = {
|
||||
@@ -48,25 +54,30 @@ in
|
||||
# %d - secrets directory
|
||||
systemd.services."gitea-web-secret-provider@" = {
|
||||
description = "Ensure all repos in %i has an SSH key to push web content";
|
||||
requires = [ "gitea.service" "network.target" ];
|
||||
requires = [
|
||||
"gitea.service"
|
||||
"network.target"
|
||||
];
|
||||
serviceConfig = {
|
||||
Slice = "system-giteaweb.slice";
|
||||
Type = "oneshot";
|
||||
ExecStart = let
|
||||
args = lib.cli.toGNUCommandLineShell { } {
|
||||
org = "%i";
|
||||
token-path = "%d/token";
|
||||
api-url = "${giteaCfg.settings.server.ROOT_URL}api/v1";
|
||||
key-dir = "/var/lib/gitea-web/keys/%i";
|
||||
authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
|
||||
rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
|
||||
mkdir -p "$1"
|
||||
${lib.getExe pkgs.rrsync} -wo "$1"
|
||||
${pkgs.coreutils}/bin/chown -R gitea-web:gitea-web "$1"
|
||||
'';
|
||||
web-dir = "/var/lib/gitea-web/web";
|
||||
};
|
||||
in "${giteaWebSecretProviderScript} ${args}";
|
||||
ExecStart =
|
||||
let
|
||||
args = lib.cli.toGNUCommandLineShell { } {
|
||||
org = "%i";
|
||||
token-path = "%d/token";
|
||||
api-url = "${giteaCfg.settings.server.ROOT_URL}api/v1";
|
||||
key-dir = "/var/lib/gitea-web/keys/%i";
|
||||
authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
|
||||
rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
|
||||
mkdir -p "$1"
|
||||
${lib.getExe pkgs.rrsync} -wo "$1"
|
||||
${pkgs.coreutils}/bin/chown -R gitea-web:gitea-web "$1"
|
||||
'';
|
||||
web-dir = "/var/lib/gitea-web/web";
|
||||
};
|
||||
in
|
||||
"${giteaWebSecretProviderScript} ${args}";
|
||||
|
||||
User = "gitea-web";
|
||||
Group = "gitea-web";
|
||||
@@ -85,7 +96,10 @@ in
|
||||
ProtectControlGroups = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
|
||||
RestrictAddressFamilies = [
|
||||
"AF_INET"
|
||||
"AF_INET6"
|
||||
];
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
@@ -105,7 +119,9 @@ in
|
||||
|
||||
systemd.targets.timers.wants = map (org: "gitea-web-secret-provider@${org}.timer") organizations;
|
||||
|
||||
services.openssh.authorizedKeysFiles = map (org: "/var/lib/gitea-web/authorized_keys.d/${org}") organizations;
|
||||
services.openssh.authorizedKeysFiles = map (
|
||||
org: "/var/lib/gitea-web/authorized_keys.d/${org}"
|
||||
) organizations;
|
||||
|
||||
users.users.nginx.extraGroups = [ "gitea-web" ];
|
||||
services.nginx.virtualHosts."pages.pvv.ntnu.no" = {
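Review bot: `services.openssh.authorizedKeysFiles` is a daemon-wide `AuthorizedKeysFile` list, and the paths built here contain no `%u`, so sshd consults `/var/lib/gitea-web/authorized_keys.d/<org>` for every login name, not only for the account the web-push keys are meant for. What stops such a key from authenticating as another user is, as far as this hunk shows, only the `command=`/option prefix the provider writes and sshd's `StrictModes` ownership check on the file (which rejects it for users other than its owner and root); neither is declared here, and a root login would be refused only because the files are presumably owned by `gitea-web`. Scoping the lookup to the intended account removes that dependency: keep the option list for nixpkgs' benefit but restrict it in `services.openssh.extraConfig` with `Match User gitea-web` followed by an `AuthorizedKeysFile` line listing the per-org paths, and a comment stating that these files must stay owned by `gitea-web` with mode 0644 or sshd will ignore them. The `users.users.nginx.extraGroups = [ "gitea-web" ]` line below it grants nginx read access to everything `gitea-web` owns, including the key directory, so the keys under `/var/lib/gitea-web/keys/` should be 0600 rather than group-readable; confirm what the provider script sets, since it is outside this hunk.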
|
||||
|
||||