machines/magenta: restructure services

2022-10-18 00:42:23 +03:00 · 2022-10-18 00:42:23 +03:00 · c84ee9b291
parent 6460f9a1ef
commit c84ee9b291
8 changed files with 168 additions and 130 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -3,4 +3,4 @@
 secrets.config.nix filter=git-crypt diff=git-crypt
 **/*.age filter=git-crypt diff=git-crypt

-machines/magenta/mail-accounts.nix filter=git-crypt diff=git-crypt
+machines/magenta/services/mailserver-accounts.nix filter=git-crypt diff=git-crypt
--- a/flake.nix
+++ b/flake.nix
@ -128,6 +128,11 @@
                    };
                    config.deployment = { inherit targetHost; };
                  })
+                  # base home manager settings
+                  ({ ... }: {
+                    home-manager.useGlobalPkgs = true;
+                    home-manager.useUserPackages = true;
+                  })
                ];
            })
          (import ./machines inputs);
--- a/machines/magenta/default.nix
+++ b/machines/magenta/default.nix
@ -7,10 +7,11 @@ in
  imports = [
    ./hardware-configuration.nix
    ./networking.nix # generated at runtime by nixos-infect
-    ./mail-accounts.nix
    ../modules/common.nix
    ../modules/nix.nix
    ../modules/nginx.nix
+    ./services/mailserver.nix
+    ./services/gitea.nix
  ];

  boot.cleanTmpDir = true;
@ -24,121 +25,4 @@ in
    acceptTerms = true;
    defaults.email = "dmitriy@pleshevski.ru";
  };
-
-  # See: https://nixos-mailserver.readthedocs.io/en/latest/options.html
-  mailserver = {
-    enable = true;
-    fqdn = "mail.pleshevski.ru";
-    domains = [ "pleshevski.ru" ];
-
-    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
-    # down nginx and opens port 80.
-    certificateScheme = 3;
-
-    hierarchySeparator = "/";
-  };
-
-  services.postgresql = {
-    enable = true;
-    package = pkgs.postgresql_14;
-  };
-
-  programs.gnupg.agent.enable = true;
-
-  services.gitea = {
-    enable = true;
-    httpPort = 9901;
-    domain = "nix-git.pleshevski.ru";
-    rootUrl = "https://nix-git.pleshevski.ru";
-    appName = "Pleshevskiy Git Repositories";
-    mailerPasswordFile = config.age.secrets.gitea-mailserver-passfile.path;
-    database = {
-      type = "postgres";
-      host = "/run/postgresql";
-      port = config.services.postgresql.port;
-    };
-    lfs.enable = true;
-    settings = {
-      log.LEVEL = "Error";
-      metrics.ENABLED = true;
-      database.CHARSET = "utf8";
-      server.DISABLE_ROUTER_LOG = true;
-      service = {
-        ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
-        DEFAULT_KEEP_EMAIL_PRIVATE = false;
-        DEFAULT_ALLOW_CREATE_ORGANIZATION = true;
-        DEFAULT_ENABLE_TIMETRACKING = true;
-        DEFAULT_ENABLE_DEPENDENCIES = false;
-        DISABLE_REGISTRATION = true;
-        ENABLE_NOTIFY_MAIL = false;
-        ENABLE_CAPTCHA = false;
-        ENABLE_TIMETRACKING = false;
-        REQUIRE_SIGNIN_VIEW = false;
-        REGISTER_EMAIL_CONFIRM = false;
-        NO_REPLY_ADDRESS = "noreply.pleshevski.ru";
-      };
-      repository = {
-        DISABLE_MIGRATIONS = false;
-        DISABLE_HTTP_GIT = false;
-        DISABLE_STARS = true;
-        DEFAULT_BRANCH = "main";
-        DEFAULT_CLOSE_ISSUES_VIA_COMMITS_IN_ANY_BRANCH = true;
-      };
-      "repository.signing" = {
-        SIGNING_KEY = "default";
-        DEFAULT_TRUST_MODEL = "collaboratorcommiter";
-        MERGES = "pubkey,basesigned,commitssigned";
-      };
-      "repository.local" = {
-        LOCAL_COPY_PATH = "${config.services.gitea.stateDir}/tmp/local-repo";
-      };
-      "repository.upload" = {
-        TEMP_PATH = "${config.services.gitea.stateDir}/uploads";
-        ALLOWED_TYPES = "image/*";
-      };
-      "repository.pull-request" = {
-        WORK_IN_PROGRESS_PREFIXES = "Draft:,[Draft]:,WIP:,[WIP]:";
-      };
-      indexer = {
-        ISSUE_INDEXER_PATH = "${config.services.gitea.stateDir}/indexers/issues.bleve";
-      };
-      sessions = {
-        PROVIDER = "file";
-        PROVIDER_CONFIG = "${config.services.gitea.stateDir}/sessions";
-      };
-      picture = {
-        AVATAR_UPLOAD_PATH = "${config.services.gitea.stateDir}/avatars";
-        REPOSITORY_AVATAR_UPLOAD_PATH = "${config.services.gitea.stateDir}/repo-avatars";
-        DISABLE_GRAVATAR = false;
-        ENABLE_FEDERATED_AVATAR = true;
-      };
-      attachment = {
-        PATH = "${config.services.gitea.stateDir}/attachments";
-      };
-      mailer = {
-        ENABLED = true;
-        MAILER_TYPE = "smtp";
-        FROM = "\"${config.services.gitea.appName}\" <no-reply@pleshevski.ru>";
-        USER = "dmitriy@pleshevski.ru";
-        HOST = "mail.pleshevski.ru:465";
-      };
-      openid = {
-        ENABLE_OPENID_SIGNIN = true;
-        ENABLE_OPENID_SIGNUP = false;
-      };
-    };
-  };
-
-
-  services.nginx.virtualHosts."nix-git.pleshevski.ru" = {
-    enableACME = true;
-    forceSSL = true;
-    locations."/".proxyPass = "http://localhost:${toString config.services.gitea.httpPort}/";
-  };
-
-  age.secrets.gitea-mailserver-passfile = {
-    file = ../../secrets/mailserver-users-jan-passfile.age;
-    owner = config.services.gitea.user;
-    group = "gitea";
-  };
 }
--- a/machines/magenta/mail-accounts.nix
+++ b/machines/magenta/mail-accounts.nix
--- a/machines/magenta/services/gitea.nix
+++ b/machines/magenta/services/gitea.nix
@ -0,0 +1,135 @@
+{ config, pkgs, lib, ... }:
+
+let hostname = "nix-git.pleshevski.ru"; in
+{
+  services.postgresql.package = pkgs.postgresql_14;
+
+  programs.git = {
+    enable = true;
+    config = {
+      user = {
+        email = "gitea@noreply.pleshevski.ru";
+        name = "Gitea";
+        signingKey = "7B1C00B534537C0E";
+      };
+      gpg.program = "/run/current-system/sw/bin/gpg";
+      commit.gpgSign = true;
+      tag.gpgSign = true;
+      core = {
+        quotePath = false;
+        commitGraph = true;
+      };
+      receive = {
+        advertisePushOptions = true;
+        procReceiveRefs = "refs/for";
+      };
+      gc.writeCommitGraph = true;
+    };
+  };
+
+  programs.gnupg.agent.enable = true;
+
+  services.gitea = {
+    enable = true;
+    httpPort = 9901;
+    domain = hostname;
+    rootUrl = "https://${hostname}";
+    appName = "Pleshevskiy Git Repositories";
+    mailerPasswordFile = config.age.secrets.gitea-mailserver-passfile.path;
+    database = {
+      type = "postgres";
+      host = "/run/postgresql";
+      port = config.services.postgresql.port;
+    };
+    lfs.enable = true;
+    settings = {
+      log = {
+        LEVEL = "Debug";
+        ENABLE_SSH_LOG = true;
+      };
+      database = {
+        CHARSET = "utf8";
+        LOG_SQL = false;
+      };
+      server.DISABLE_ROUTER_LOG = true;
+      service = {
+        ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
+        DEFAULT_KEEP_EMAIL_PRIVATE = false;
+        DEFAULT_ALLOW_CREATE_ORGANIZATION = true;
+        DEFAULT_ENABLE_TIMETRACKING = true;
+        DEFAULT_ENABLE_DEPENDENCIES = false;
+        DISABLE_REGISTRATION = true;
+        ENABLE_NOTIFY_MAIL = false;
+        ENABLE_CAPTCHA = false;
+        ENABLE_TIMETRACKING = false;
+        REQUIRE_SIGNIN_VIEW = false;
+        REGISTER_EMAIL_CONFIRM = false;
+        NO_REPLY_ADDRESS = "noreply.pleshevski.ru";
+      };
+      repository = {
+        DISABLE_MIGRATIONS = false;
+        DISABLE_HTTP_GIT = false;
+        DISABLE_STARS = true;
+        DEFAULT_BRANCH = "main";
+        DEFAULT_CLOSE_ISSUES_VIA_COMMITS_IN_ANY_BRANCH = true;
+      };
+      "repository.signing" = {
+        #SIGNING_EMAIL = "gitea@noreply.pleshevski.ru";
+        #SIGNING_NAME = "Gitea";
+        #SIGNING_KEY = "E1DDBF5A1406BB987779A85F55B75599806CD426";
+        SIGNING_KEY = "default";
+        DEFAULT_TRUST_MODEL = "collaboratorcommiter";
+        MERGES = "pubkey,basesigned,commitssigned";
+      };
+      "repository.local" = {
+        LOCAL_COPY_PATH = "${config.services.gitea.stateDir}/tmp/local-repo";
+      };
+      "repository.upload" = {
+        TEMP_PATH = "${config.services.gitea.stateDir}/uploads";
+        ALLOWED_TYPES = "image/*";
+      };
+      "repository.pull-request" = {
+        WORK_IN_PROGRESS_PREFIXES = "Draft:,[Draft]:,WIP:,[WIP]:";
+      };
+      indexer = {
+        ISSUE_INDEXER_PATH = "${config.services.gitea.stateDir}/indexers/issues.bleve";
+      };
+      sessions = {
+        PROVIDER = "file";
+        PROVIDER_CONFIG = "${config.services.gitea.stateDir}/sessions";
+      };
+      picture = {
+        AVATAR_UPLOAD_PATH = "${config.services.gitea.stateDir}/avatars";
+        REPOSITORY_AVATAR_UPLOAD_PATH = "${config.services.gitea.stateDir}/repo-avatars";
+        DISABLE_GRAVATAR = false;
+        ENABLE_FEDERATED_AVATAR = true;
+      };
+      attachment = {
+        PATH = "${config.services.gitea.stateDir}/attachments";
+      };
+      mailer = {
+        ENABLED = true;
+        MAILER_TYPE = "smtp";
+        FROM = "\"${config.services.gitea.appName}\" <no-reply@pleshevski.ru>";
+        USER = "dmitriy@pleshevski.ru";
+        HOST = "mail.pleshevski.ru:465";
+      };
+      openid = {
+        ENABLE_OPENID_SIGNIN = true;
+        ENABLE_OPENID_SIGNUP = false;
+      };
+    };
+  };
+
+  services.nginx.virtualHosts.${hostname} = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/".proxyPass = "http://localhost:${toString config.services.gitea.httpPort}/";
+  };
+
+  age.secrets.gitea-mailserver-passfile = {
+    file = ../../../secrets/mailserver-users-jan-passfile.age;
+    owner = config.services.gitea.user;
+    group = "gitea";
+  };
+}
--- a/machines/magenta/services/mailserver-accounts.nix
+++ b/machines/magenta/services/mailserver-accounts.nix
--- a/machines/magenta/services/mailserver.nix
+++ b/machines/magenta/services/mailserver.nix
@ -0,0 +1,18 @@
+{ ... }:
+
+{
+  imports = [ ./mailserver-accounts.nix ];
+
+  # See: https://nixos-mailserver.readthedocs.io/en/latest/options.html
+  mailserver = {
+    enable = true;
+    fqdn = "mail.pleshevski.ru";
+    domains = [ "pleshevski.ru" ];
+
+    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
+    # down nginx and opens port 80.
+    certificateScheme = 3;
+
+    hierarchySeparator = "/";
+  };
+}
--- a/users/jan/default.nix
+++ b/users/jan/default.nix
@ -21,18 +21,14 @@
    passwordFile = config.age.secrets.users-jan-passfile.path;
  };

-  home-manager = {
-    useGlobalPkgs = true;
-    useUserPackages = true;
-    users.jan = { lib, ... }: {
-      imports = [
-        inputs.wired.homeManagerModules.default
-        ./home.nix
-        extraHomeModule
-      ];
+  home-manager.users.jan = { lib, ... }: {
+    imports = [
+      inputs.wired.homeManagerModules.default
+      ./home.nix
+      extraHomeModule
+    ];

-      home.stateVersion = config.system.stateVersion;
-    };
+    home.stateVersion = config.system.stateVersion;
  };

  nix.settings.trusted-users = lib.mkAfter [ "jan" ];