diff --git a/flake.nix b/flake.nix
index 6854754..4100899 100644
--- a/flake.nix
+++ b/flake.nix
@@ -49,7 +49,7 @@ in {
 nixosModules = aspect.modules;
 nixosConfigurations =
- (lib.genAttrs [ "styx" "meet" ] mkNixOS);
+ (lib.genAttrs [ "styx" "meet" "git" ] mkNixOS);
 deploy.nodes = with deploy-rs-lib; {
 styx = {
@@ -66,6 +66,13 @@
 path = activate.nixos self.nixosConfigurations.meet;
 };
 };
+ git = {
+ hostname = "git.services.privatevoid.net";
+ profiles.system = {
+ user = "root";
+ path = activate.nixos self.nixosConfigurations.git;
+ };
+ };
 };
 packages.${system} = import ./packages {
diff --git a/hosts/default.nix b/hosts/default.nix
index 8080e94..10dd4ed 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -5,6 +5,7 @@ in with tools.dns; {
 # NixOS machines
 styx = import ./styx tools;
 meet = import ./meet tools;
+ git = import ./git tools;
 # Non-NixOS machine metadata
 VEGAS = {
diff --git a/hosts/git/default.nix b/hosts/git/default.nix
new file mode 100644
index 0000000..e2a9847
--- /dev/null
+++ b/hosts/git/default.nix
@@ -0,0 +1,7 @@
+tools: {
+ ssh.id = with tools.dns; {
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0rChVEO9Qt7hr7vyiyOP7N45CjaxssFCZNOPCszEQi";
+ hostNames = subResolve "git" "services";
+ };
+ nixos = import ./system.nix;
+}
diff --git a/hosts/git/system.nix b/hosts/git/system.nix
new file mode 100644
index 0000000..4b0e866
--- /dev/null
+++ b/hosts/git/system.nix
@@ -0,0 +1,55 @@
+{ config, pkgs, lib, modulesPath, aspect, inputs, ... }:
+{
+ imports = [
+ (modulesPath + "/virtualisation/lxc-container.nix")
+ inputs.agenix.nixosModules.age
+ ]
+ ++ (import ../../users "server").groups.admin
+ ++ aspect.sets.server
+ ++ (with aspect.modules; [ ]);
+ age.secrets = {
+ giteaDBPassword = {
+ file = ../../secrets/gitea-db-credentials.age;
+ owner = "git";
+ group = "gitea";
+ mode = "0400";
+ };
+ };
+ networking.hostName = "git";
+ networking.firewall.enable = false;
+ nix.trustedUsers = [ "root" "@wheel" ];
+ security.sudo.wheelNeedsPassword = false;
+ services.gitea = {
+ enable = true;
+ appName = "Private Void Gitea";
+ domain = "git";
+ rootUrl = "https://git.privatevoid.net";
+ disableRegistration = true;
+ ssh.enable = true;
+ user = "git";
+ log.level = "Warn";
+ database = {
+ createDatabase = false;
+ type = "postgres";
+ host = "10.1.0.1";
+ port = 5432;
+ name = "gitea";
+ user = "gitea";
+ passwordFile = config.age.secrets.giteaDBPassword.path;
+ };
+ };
+ users.users.git = {
+ description = "Git Service";
+ home = config.services.gitea.stateDir;
+ useDefaultShell = true;
+ group = "gitea";
+ isSystemUser = true;
+ };
+}
diff --git a/secrets/gitea-db-credentials.age b/secrets/gitea-db-credentials.age
new file mode 100644
index 0000000..1556d38
--- /dev/null
+++ b/secrets/gitea-db-credentials.age
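Review bot: `networking.firewall.enable = false;` in hosts/git/system.nix leaves every listener on the container reachable from whatever network it sits on, including Gitea's HTTP port, and nothing in the hunk records that filtering is done on the LXC host instead. Unless that is the case, keep the firewall on and open only what is served, e.g. `networking.firewall.allowedTCPPorts = [ config.services.gitea.httpPort ];` (sshd's port is normally opened by the openssh module itself); if host-level filtering is the intent, a one-line comment above the setting saying so would stop the next reader from re-enabling it. In the same file `security.sudo.wheelNeedsPassword = false;` together with `nix.trustedUsers = [ "root" "@wheel" ];` makes every wheel member root-equivalent without a prompt, which may be the convention for the other hosts in this repo (not visible here) but deserves a comment explaining why the git host needs it. Finally, `domain = "git";` next to `rootUrl = "https://git.privatevoid.net";` is likely to surface as the bare name `git` in Gitea's SSH clone URLs, which is not resolvable off the host; `domain = "git.privatevoid.net";` would match the web URL.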
@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 NO562A j3g3B6nxxM4B6XgW2CYesr7YtTKyBfHfAb6YAMKqQxI
+aTMvut/NvicYKVCUzRORzZKgu8leWC1iZUbg0hwFGEo
+-> ssh-ed25519 5/zT0w k4fXusdfpmtXvWVsB69FcAWU8YE/Q+WprFc95cgNFz4
+PNpWtqiIG7JnFcAW65+OPfajs8e7QuMj28sNXxx1PX8
+-> ssh-ed25519 eDiawA SKR14VRaUDLPoqMQ0BrFKUAAYmoemRf3L2Lx/cyZmA8
+bVQmN6Fvd/01TBQaxJ32bGD2/2hNxJUcsJ5+qyX3HHU
+-> [-grease
+7BlcEQVarNdjNBXT9gjmT6Fe80zDiHoj/hU28aww0II3keIJGRfROduIhQSgvpN1
+bs5DjtZtdeCPWNjJu8UWFR9n4LJN2wPHsg4Wds8+bqGJ8qgRfUt+FITNNilw56V9
+
+--- 8xO2TEohEHzFQ9nw1Loj/6640hEjF5ue5/fhhAqWMlA
+7 )펧ҟ2~+G< 2lϣs$B#GK>% -`&zΨ* DOGΚD\(
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 40e1e7d..6eb0778 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -6,4 +6,5 @@ in with hosts; {
 "hydra-s3.age".publicKeys = max ++ map systemKeys [ styx ];
 "hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ styx ];
+ "gitea-db-credentials.age".publicKeys = max ++ map systemKeys [ git ];
 }