machines/magenta: restructure services
parent
6460f9a1ef
commit
c84ee9b291
8 changed files with 168 additions and 130 deletions
2
.gitattributes
vendored
2
.gitattributes
vendored
|
@ -3,4 +3,4 @@
|
|||
secrets.config.nix filter=git-crypt diff=git-crypt
|
||||
**/*.age filter=git-crypt diff=git-crypt
|
||||
|
||||
machines/magenta/mail-accounts.nix filter=git-crypt diff=git-crypt
|
||||
machines/magenta/services/mailserver-accounts.nix filter=git-crypt diff=git-crypt
|
||||
|
|
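Review bot: The git-crypt rule on the new line still names a single exact path, so the next move of the accounts file would commit it in plaintext unless this line is updated in the same commit; a pattern such as `machines/**/*-accounts.nix filter=git-crypt diff=git-crypt` covers the current file and survives further restructuring. The new machines/magenta/services/mailserver-accounts.nix is shown as a binary file on this page, so this commit itself did encrypt it.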
|
@ -128,6 +128,11 @@
|
|||
};
|
||||
config.deployment = { inherit targetHost; };
|
||||
})
|
||||
# base home manager settings
|
||||
({ ... }: {
|
||||
home-manager.useGlobalPkgs = true;
|
||||
home-manager.useUserPackages = true;
|
||||
})
|
||||
];
|
||||
})
|
||||
(import ./machines inputs);
|
||||
|
|
|
@ -7,10 +7,11 @@ in
|
|||
imports = [
|
||||
./hardware-configuration.nix
|
||||
./networking.nix # generated at runtime by nixos-infect
|
||||
./mail-accounts.nix
|
||||
../modules/common.nix
|
||||
../modules/nix.nix
|
||||
../modules/nginx.nix
|
||||
./services/mailserver.nix
|
||||
./services/gitea.nix
|
||||
];
|
||||
|
||||
boot.cleanTmpDir = true;
|
||||
|
@ -24,121 +25,4 @@ in
|
|||
acceptTerms = true;
|
||||
defaults.email = "dmitriy@pleshevski.ru";
|
||||
};
|
||||
|
||||
# See: https://nixos-mailserver.readthedocs.io/en/latest/options.html
|
||||
mailserver = {
|
||||
enable = true;
|
||||
fqdn = "mail.pleshevski.ru";
|
||||
domains = [ "pleshevski.ru" ];
|
||||
|
||||
# Use Let's Encrypt certificates. Note that this needs to set up a stripped
|
||||
# down nginx and opens port 80.
|
||||
certificateScheme = 3;
|
||||
|
||||
hierarchySeparator = "/";
|
||||
};
|
||||
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
package = pkgs.postgresql_14;
|
||||
};
|
||||
|
||||
programs.gnupg.agent.enable = true;
|
||||
|
||||
services.gitea = {
|
||||
enable = true;
|
||||
httpPort = 9901;
|
||||
domain = "nix-git.pleshevski.ru";
|
||||
rootUrl = "https://nix-git.pleshevski.ru";
|
||||
appName = "Pleshevskiy Git Repositories";
|
||||
mailerPasswordFile = config.age.secrets.gitea-mailserver-passfile.path;
|
||||
database = {
|
||||
type = "postgres";
|
||||
host = "/run/postgresql";
|
||||
port = config.services.postgresql.port;
|
||||
};
|
||||
lfs.enable = true;
|
||||
settings = {
|
||||
log.LEVEL = "Error";
|
||||
metrics.ENABLED = true;
|
||||
database.CHARSET = "utf8";
|
||||
server.DISABLE_ROUTER_LOG = true;
|
||||
service = {
|
||||
ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
|
||||
DEFAULT_KEEP_EMAIL_PRIVATE = false;
|
||||
DEFAULT_ALLOW_CREATE_ORGANIZATION = true;
|
||||
DEFAULT_ENABLE_TIMETRACKING = true;
|
||||
DEFAULT_ENABLE_DEPENDENCIES = false;
|
||||
DISABLE_REGISTRATION = true;
|
||||
ENABLE_NOTIFY_MAIL = false;
|
||||
ENABLE_CAPTCHA = false;
|
||||
ENABLE_TIMETRACKING = false;
|
||||
REQUIRE_SIGNIN_VIEW = false;
|
||||
REGISTER_EMAIL_CONFIRM = false;
|
||||
NO_REPLY_ADDRESS = "noreply.pleshevski.ru";
|
||||
};
|
||||
repository = {
|
||||
DISABLE_MIGRATIONS = false;
|
||||
DISABLE_HTTP_GIT = false;
|
||||
DISABLE_STARS = true;
|
||||
DEFAULT_BRANCH = "main";
|
||||
DEFAULT_CLOSE_ISSUES_VIA_COMMITS_IN_ANY_BRANCH = true;
|
||||
};
|
||||
"repository.signing" = {
|
||||
SIGNING_KEY = "default";
|
||||
DEFAULT_TRUST_MODEL = "collaboratorcommiter";
|
||||
MERGES = "pubkey,basesigned,commitssigned";
|
||||
};
|
||||
"repository.local" = {
|
||||
LOCAL_COPY_PATH = "${config.services.gitea.stateDir}/tmp/local-repo";
|
||||
};
|
||||
"repository.upload" = {
|
||||
TEMP_PATH = "${config.services.gitea.stateDir}/uploads";
|
||||
ALLOWED_TYPES = "image/*";
|
||||
};
|
||||
"repository.pull-request" = {
|
||||
WORK_IN_PROGRESS_PREFIXES = "Draft:,[Draft]:,WIP:,[WIP]:";
|
||||
};
|
||||
indexer = {
|
||||
ISSUE_INDEXER_PATH = "${config.services.gitea.stateDir}/indexers/issues.bleve";
|
||||
};
|
||||
sessions = {
|
||||
PROVIDER = "file";
|
||||
PROVIDER_CONFIG = "${config.services.gitea.stateDir}/sessions";
|
||||
};
|
||||
picture = {
|
||||
AVATAR_UPLOAD_PATH = "${config.services.gitea.stateDir}/avatars";
|
||||
REPOSITORY_AVATAR_UPLOAD_PATH = "${config.services.gitea.stateDir}/repo-avatars";
|
||||
DISABLE_GRAVATAR = false;
|
||||
ENABLE_FEDERATED_AVATAR = true;
|
||||
};
|
||||
attachment = {
|
||||
PATH = "${config.services.gitea.stateDir}/attachments";
|
||||
};
|
||||
mailer = {
|
||||
ENABLED = true;
|
||||
MAILER_TYPE = "smtp";
|
||||
FROM = "\"${config.services.gitea.appName}\" <no-reply@pleshevski.ru>";
|
||||
USER = "dmitriy@pleshevski.ru";
|
||||
HOST = "mail.pleshevski.ru:465";
|
||||
};
|
||||
openid = {
|
||||
ENABLE_OPENID_SIGNIN = true;
|
||||
ENABLE_OPENID_SIGNUP = false;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
services.nginx.virtualHosts."nix-git.pleshevski.ru" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/".proxyPass = "http://localhost:${toString config.services.gitea.httpPort}/";
|
||||
};
|
||||
|
||||
age.secrets.gitea-mailserver-passfile = {
|
||||
file = ../../secrets/mailserver-users-jan-passfile.age;
|
||||
owner = config.services.gitea.user;
|
||||
group = "gitea";
|
||||
};
|
||||
}
|
||||
|
|
Binary file not shown.
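--- /dev/null
+++ b/machines/magenta/services/gitea.nix
@@ -0,0 +1,135 @@
+{ config, pkgs, lib, ... }:
+
+let hostname = "nix-git.pleshevski.ru"; in
+{
+services.postgresql.package = pkgs.postgresql_14;
+
+programs.git = {
+enable = true;
+config = {
+user = {
+email = "gitea@noreply.pleshevski.ru";
+name = "Gitea";
+signingKey = "7B1C00B534537C0E";
+};
+gpg.program = "/run/current-system/sw/bin/gpg";
+commit.gpgSign = true;
+tag.gpgSign = true;
+core = {
+quotePath = false;
+commitGraph = true;
+};
+receive = {
+advertisePushOptions = true;
+procReceiveRefs = "refs/for";
+};
+gc.writeCommitGraph = true;
+};
+};
+
+programs.gnupg.agent.enable = true;
+
+services.gitea = {
+enable = true;
+httpPort = 9901;
+domain = hostname;
+rootUrl = "https://${hostname}";
+appName = "Pleshevskiy Git Repositories";
+mailerPasswordFile = config.age.secrets.gitea-mailserver-passfile.path;
+database = {
+type = "postgres";
+host = "/run/postgresql";
+port = config.services.postgresql.port;
+};
+lfs.enable = true;
+settings = {
+log = {
+LEVEL = "Debug";
+ENABLE_SSH_LOG = true;
+};
+database = {
+CHARSET = "utf8";
+LOG_SQL = false;
+};
+server.DISABLE_ROUTER_LOG = true;
+service = {
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
+DEFAULT_KEEP_EMAIL_PRIVATE = false;
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true;
+DEFAULT_ENABLE_TIMETRACKING = true;
+DEFAULT_ENABLE_DEPENDENCIES = false;
+DISABLE_REGISTRATION = true;
+ENABLE_NOTIFY_MAIL = false;
+ENABLE_CAPTCHA = false;
+ENABLE_TIMETRACKING = false;
+REQUIRE_SIGNIN_VIEW = false;
+REGISTER_EMAIL_CONFIRM = false;
+NO_REPLY_ADDRESS = "noreply.pleshevski.ru";
+};
+repository = {
+DISABLE_MIGRATIONS = false;
+DISABLE_HTTP_GIT = false;
+DISABLE_STARS = true;
+DEFAULT_BRANCH = "main";
+DEFAULT_CLOSE_ISSUES_VIA_COMMITS_IN_ANY_BRANCH = true;
+};
+"repository.signing" = {
+#SIGNING_EMAIL = "gitea@noreply.pleshevski.ru";
+#SIGNING_NAME = "Gitea";
+#SIGNING_KEY = "E1DDBF5A1406BB987779A85F55B75599806CD426";
+SIGNING_KEY = "default";
+DEFAULT_TRUST_MODEL = "collaboratorcommiter";
+MERGES = "pubkey,basesigned,commitssigned";
+};
+"repository.local" = {
+LOCAL_COPY_PATH = "${config.services.gitea.stateDir}/tmp/local-repo";
+};
+"repository.upload" = {
+TEMP_PATH = "${config.services.gitea.stateDir}/uploads";
+ALLOWED_TYPES = "image/*";
+};
+"repository.pull-request" = {
+WORK_IN_PROGRESS_PREFIXES = "Draft:,[Draft]:,WIP:,[WIP]:";
+};
+indexer = {
+ISSUE_INDEXER_PATH = "${config.services.gitea.stateDir}/indexers/issues.bleve";
+};
+sessions = {
+PROVIDER = "file";
+PROVIDER_CONFIG = "${config.services.gitea.stateDir}/sessions";
+};
+picture = {
+AVATAR_UPLOAD_PATH = "${config.services.gitea.stateDir}/avatars";
+REPOSITORY_AVATAR_UPLOAD_PATH = "${config.services.gitea.stateDir}/repo-avatars";
+DISABLE_GRAVATAR = false;
+ENABLE_FEDERATED_AVATAR = true;
+};
+attachment = {
+PATH = "${config.services.gitea.stateDir}/attachments";
+};
+mailer = {
+ENABLED = true;
+MAILER_TYPE = "smtp";
+FROM = "\"${config.services.gitea.appName}\" <no-reply@pleshevski.ru>";
+USER = "dmitriy@pleshevski.ru";
+HOST = "mail.pleshevski.ru:465";
+};
+openid = {
+ENABLE_OPENID_SIGNIN = true;
+ENABLE_OPENID_SIGNUP = false;
+};
+};
+};
+
+services.nginx.virtualHosts.${hostname} = {
+enableACME = true;
+forceSSL = true;
+locations."/".proxyPass = "http://localhost:${toString config.services.gitea.httpPort}/";
+};
+
+age.secrets.gitea-mailserver-passfile = {
+file = ../../../secrets/mailserver-users-jan-passfile.age;
+owner = config.services.gitea.user;
+group = "gitea";
+};
+}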
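Review bot: `LEVEL = "Debug"` together with `ENABLE_SSH_LOG = true` in the `log` block leaves verbose logging on for a public instance; the block this replaces in default.nix had `log.LEVEL = "Error";`, and debug output records per-request and SSH session detail that is not needed in normal operation, so either restore `LEVEL = "Error";` (or `"Info"`) or add a comment saying why the downgrade is wanted. The three `#SIGNING_*` lines in `"repository.signing"` are dead configuration sitting next to the active `SIGNING_KEY = "default";` and should be removed rather than carried along. The mailer authenticates as a personal mailbox (`USER = "dmitriy@pleshevski.ru"`) with a secret whose file name, `mailserver-users-jan-passfile.age`, suggests it is a human user's mail password; a dedicated service mailbox would keep a compromise of this host from also exposing that user's mail. `services.postgresql.enable` is no longer set anywhere visible — the gitea module appears to enable it when `database.type = "postgres"`, but a one-line comment above `services.postgresql.package` noting that dependency would spare the next reader the search.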
BIN
machines/magenta/services/mailserver-accounts.nix
Normal file
BIN
machines/magenta/services/mailserver-accounts.nix
Normal file
Binary file not shown.
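--- /dev/null
+++ b/machines/magenta/services/mailserver.nix
@@ -0,0 +1,18 @@
+{ ... }:
+
+{
+imports = [ ./mailserver-accounts.nix ];
+
+# See: https://nixos-mailserver.readthedocs.io/en/latest/options.html
+mailserver = {
+enable = true;
+fqdn = "mail.pleshevski.ru";
+domains = [ "pleshevski.ru" ];
+
+# Use Let's Encrypt certificates. Note that this needs to set up a stripped
+# down nginx and opens port 80.
+certificateScheme = 3;
+
+hierarchySeparator = "/";
+};
+}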
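Review bot: `imports = [ ./mailserver-accounts.nix ];` pulls in a file that .gitattributes routes through git-crypt, so evaluating this configuration from a checkout that has not been unlocked fails with a Nix parse error on the ciphertext rather than a clear message; a comment such as `# git-crypt encrypted (see .gitattributes); unlock the checkout before evaluating` above the import would make that failure mode obvious. The rest of the module is the mailserver block moved unchanged from default.nix.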
|
@ -21,18 +21,14 @@
|
|||
passwordFile = config.age.secrets.users-jan-passfile.path;
|
||||
};
|
||||
|
||||
home-manager = {
|
||||
useGlobalPkgs = true;
|
||||
useUserPackages = true;
|
||||
users.jan = { lib, ... }: {
|
||||
imports = [
|
||||
inputs.wired.homeManagerModules.default
|
||||
./home.nix
|
||||
extraHomeModule
|
||||
];
|
||||
home-manager.users.jan = { lib, ... }: {
|
||||
imports = [
|
||||
inputs.wired.homeManagerModules.default
|
||||
./home.nix
|
||||
extraHomeModule
|
||||
];
|
||||
|
||||
home.stateVersion = config.system.stateVersion;
|
||||
};
|
||||
home.stateVersion = config.system.stateVersion;
|
||||
};
|
||||
|
||||
nix.settings.trusted-users = lib.mkAfter [ "jan" ];
|
||||
|
|