New host: git.services.privatevoid.net

2021-06-25 04:11:26 +02:00 · 2021-06-25 04:11:26 +02:00 · fd905e5a04
commit fd905e5a04
parent 96acf122c9
6 changed files with 85 additions and 1 deletions
--- a/flake.nix
+++ b/flake.nix
@ -49,7 +49,7 @@
    in {
      nixosModules = aspect.modules;
      nixosConfigurations = 
-      (lib.genAttrs [ "styx" "meet" ] mkNixOS);
+      (lib.genAttrs [ "styx" "meet" "git" ] mkNixOS);

      deploy.nodes = with deploy-rs-lib; {
        styx = {
@ -66,6 +66,13 @@
            path = activate.nixos self.nixosConfigurations.meet;
          };
        };
+        git = {
+          hostname = "git.services.privatevoid.net";
+          profiles.system = {
+            user = "root";
+            path = activate.nixos self.nixosConfigurations.git;
+          };
+        };
      };

      packages.${system} = import ./packages {
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -5,6 +5,7 @@ in with tools.dns; {
  # NixOS machines
  styx = import ./styx tools;
  meet = import ./meet tools;
+  git = import ./git tools;

  # Non-NixOS machine metadata
  VEGAS = {
--- a/hosts/git/default.nix
+++ b/hosts/git/default.nix
@ -0,0 +1,7 @@
+tools: {
+  ssh.id = with tools.dns; {
+    publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0rChVEO9Qt7hr7vyiyOP7N45CjaxssFCZNOPCszEQi";
+    hostNames = subResolve "git" "services";
+  };
+  nixos = import ./system.nix;
+}
--- a/hosts/git/system.nix
+++ b/hosts/git/system.nix
@ -0,0 +1,55 @@
+{ config, pkgs, lib, modulesPath, aspect, inputs, ... }:
+{
+  imports = [
+    (modulesPath + "/virtualisation/lxc-container.nix")
+    inputs.agenix.nixosModules.age
+  ]
+  ++ (import ../../users "server").groups.admin
+  ++ aspect.sets.server
+  ++ (with aspect.modules; [ ]);
+
+  age.secrets = {
+    giteaDBPassword = {
+      file = ../../secrets/gitea-db-credentials.age;
+      owner = "git";
+      group = "gitea";
+      mode = "0400";
+    };
+  };
+
+  networking.hostName = "git";
+  networking.firewall.enable = false;
+
+  nix.trustedUsers = [ "root" "@wheel" ];
+
+  security.sudo.wheelNeedsPassword = false;
+  
+  services.gitea = {
+    enable = true;
+    appName = "Private Void Gitea";
+    domain = "git";
+    rootUrl = "https://git.privatevoid.net";
+    disableRegistration = true;
+    ssh.enable = true;
+    user = "git";
+    log.level = "Warn";
+    
+    database = {
+      createDatabase = false;
+      type = "postgres";
+      host = "10.1.0.1";
+      port = 5432;
+      name = "gitea";
+      user = "gitea";
+      passwordFile = config.age.secrets.giteaDBPassword.path;
+    };
+  };
+
+  users.users.git = {
+    description = "Git Service";
+    home = config.services.gitea.stateDir;
+    useDefaultShell = true;
+    group = "gitea";
+    isSystemUser = true;
+  };
+}
--- a/secrets/gitea-db-credentials.age
+++ b/secrets/gitea-db-credentials.age
@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 NO562A j3g3B6nxxM4B6XgW2CYesr7YtTKyBfHfAb6YAMKqQxI
+aTMvut/NvicYKVCUzRORzZKgu8leWC1iZUbg0hwFGEo
+-> ssh-ed25519 5/zT0w k4fXusdfpmtXvWVsB69FcAWU8YE/Q+WprFc95cgNFz4
+PNpWtqiIG7JnFcAW65+OPfajs8e7QuMj28sNXxx1PX8
+-> ssh-ed25519 eDiawA SKR14VRaUDLPoqMQ0BrFKUAAYmoemRf3L2Lx/cyZmA8
+bVQmN6Fvd/01TBQaxJ32bGD2/2hNxJUcsJ5+qyX3HHU
+-> [-grease
+7BlcEQVarNdjNBXT9gjmT6Fe80zDiHoj/hU28aww0II3keIJGRfROduIhQSgvpN1
+bs5DjtZtdeCPWNjJu8UWFR9n4LJN2wPHsg4Wds8+bqGJ8qgRfUt+FITNNilw56V9
+
+--- 8xO2TEohEHzFQ9nw1Loj/6640hEjF5ue5/fhhAqWMlA
+ÿç›7
Ñ)íŽ§ÒŸÙ2‘~Õ+ýÀG<˜
2lÏ£¥sð§$B#GæK>’%
-ÿ`&ãz´ÜÎ¨*DÏOGÎšDð\<5C>ç(
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -6,4 +6,5 @@ in with hosts;
 {
  "hydra-s3.age".publicKeys = max ++ map systemKeys [ styx ];
  "hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ styx ];
+  "gitea-db-credentials.age".publicKeys = max ++ map systemKeys [ git ];
 }