diff --git a/.gitattributes b/.gitattributes
index f3daf0d..b79f44d 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -3,4 +3,4 @@ secrets.config.nix filter=git-crypt diff=git-crypt
 **/*.age filter=git-crypt diff=git-crypt
-machines/magenta/mail-accounts.nix filter=git-crypt diff=git-crypt
+machines/magenta/services/mailserver-accounts.nix filter=git-crypt diff=git-crypt
diff --git a/flake.nix b/flake.nix
index bd229f9..6ce9a14 100644
--- a/flake.nix
+++ b/flake.nix
@@ -128,6 +128,11 @@
 };
 config.deployment = { inherit targetHost; };
 })
+ # base home manager settings
+ ({ ... }: {
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ })
 ];
 })
 (import ./machines inputs);
diff --git a/machines/magenta/default.nix b/machines/magenta/default.nix
index cd3f674..4b484f4 100644
--- a/machines/magenta/default.nix
+++ b/machines/magenta/default.nix
@@ -7,10 +7,11 @@ in
 imports = [
 ./hardware-configuration.nix
 ./networking.nix # generated at runtime by nixos-infect
- ./mail-accounts.nix
 ../modules/common.nix
 ../modules/nix.nix
 ../modules/nginx.nix
+ ./services/mailserver.nix
+ ./services/gitea.nix
 ];
 boot.cleanTmpDir = true;
@@ -24,121 +25,4 @@ in
 acceptTerms = true;
 defaults.email = "dmitriy@pleshevski.ru";
 };
-
- # See: https://nixos-mailserver.readthedocs.io/en/latest/options.html
- mailserver = {
- enable = true;
- fqdn = "mail.pleshevski.ru";
- domains = [ "pleshevski.ru" ];
-
- # Use Let's Encrypt certificates. Note that this needs to set up a stripped
- # down nginx and opens port 80.
- certificateScheme = 3;
-
- hierarchySeparator = "/";
- };
-
- services.postgresql = {
- enable = true;
- package = pkgs.postgresql_14;
- };
-
- programs.gnupg.agent.enable = true;
-
- services.gitea = {
- enable = true;
- httpPort = 9901;
- domain = "nix-git.pleshevski.ru";
- rootUrl = "https://nix-git.pleshevski.ru";
- appName = "Pleshevskiy Git Repositories";
- mailerPasswordFile = config.age.secrets.gitea-mailserver-passfile.path;
- database = {
- type = "postgres";
- host = "/run/postgresql";
- port = config.services.postgresql.port;
- };
- lfs.enable = true;
- settings = {
- log.LEVEL = "Error";
- metrics.ENABLED = true;
- database.CHARSET = "utf8";
- server.DISABLE_ROUTER_LOG = true;
- service = {
- ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
- DEFAULT_KEEP_EMAIL_PRIVATE = false;
- DEFAULT_ALLOW_CREATE_ORGANIZATION = true;
- DEFAULT_ENABLE_TIMETRACKING = true;
- DEFAULT_ENABLE_DEPENDENCIES = false;
- DISABLE_REGISTRATION = true;
- ENABLE_NOTIFY_MAIL = false;
- ENABLE_CAPTCHA = false;
- ENABLE_TIMETRACKING = false;
- REQUIRE_SIGNIN_VIEW = false;
- REGISTER_EMAIL_CONFIRM = false;
- NO_REPLY_ADDRESS = "noreply.pleshevski.ru";
- };
- repository = {
- DISABLE_MIGRATIONS = false;
- DISABLE_HTTP_GIT = false;
- DISABLE_STARS = true;
- DEFAULT_BRANCH = "main";
- DEFAULT_CLOSE_ISSUES_VIA_COMMITS_IN_ANY_BRANCH = true;
- };
- "repository.signing" = {
- SIGNING_KEY = "default";
- DEFAULT_TRUST_MODEL = "collaboratorcommiter";
- MERGES = "pubkey,basesigned,commitssigned";
- };
- "repository.local" = {
- LOCAL_COPY_PATH = "${config.services.gitea.stateDir}/tmp/local-repo";
- };
- "repository.upload" = {
- TEMP_PATH = "${config.services.gitea.stateDir}/uploads";
- ALLOWED_TYPES = "image/*";
- };
- "repository.pull-request" = {
- WORK_IN_PROGRESS_PREFIXES = "Draft:,[Draft]:,WIP:,[WIP]:";
- };
- indexer = {
- ISSUE_INDEXER_PATH = "${config.services.gitea.stateDir}/indexers/issues.bleve";
- };
- sessions = {
- PROVIDER = "file";
- PROVIDER_CONFIG = "${config.services.gitea.stateDir}/sessions";
- };
- picture = {
- AVATAR_UPLOAD_PATH = "${config.services.gitea.stateDir}/avatars";
- REPOSITORY_AVATAR_UPLOAD_PATH = "${config.services.gitea.stateDir}/repo-avatars";
- DISABLE_GRAVATAR = false;
- ENABLE_FEDERATED_AVATAR = true;
- };
- attachment = {
- PATH = "${config.services.gitea.stateDir}/attachments";
- };
- mailer = {
- ENABLED = true;
- MAILER_TYPE = "smtp";
- FROM = "\"${config.services.gitea.appName}\" ";
- USER = "dmitriy@pleshevski.ru";
- HOST = "mail.pleshevski.ru:465";
- };
- openid = {
- ENABLE_OPENID_SIGNIN = true;
- ENABLE_OPENID_SIGNUP = false;
- };
- };
- };
-
-
- services.nginx.virtualHosts."nix-git.pleshevski.ru" = {
- enableACME = true;
- forceSSL = true;
- locations."/".proxyPass = "http://localhost:${toString config.services.gitea.httpPort}/";
- };
-
- age.secrets.gitea-mailserver-passfile = {
- file = ../../secrets/mailserver-users-jan-passfile.age;
- owner = config.services.gitea.user;
- group = "gitea";
- };
 }
diff --git a/machines/magenta/mail-accounts.nix b/machines/magenta/mail-accounts.nix
deleted file mode 100644
index 27d2a69..0000000
Binary files a/machines/magenta/mail-accounts.nix and /dev/null differ
diff --git a/machines/magenta/services/gitea.nix b/machines/magenta/services/gitea.nix
new file mode 100644
index 0000000..27deb90
--- /dev/null
+++ b/machines/magenta/services/gitea.nix
@@ -0,0 +1,135 @@
+{ config, pkgs, lib, ... }:
+
+ let hostname = "nix-git.pleshevski.ru"; in
+ {
+ services.postgresql.package = pkgs.postgresql_14;
+
+ programs.git = {
+ enable = true;
+ config = {
+ user = {
+ email = "gitea@noreply.pleshevski.ru";
+ name = "Gitea";
+ signingKey = "7B1C00B534537C0E";
+ };
+ gpg.program = "/run/current-system/sw/bin/gpg";
+ commit.gpgSign = true;
+ tag.gpgSign = true;
+ core = {
+ quotePath = false;
+ commitGraph = true;
+ };
+ receive = {
+ advertisePushOptions = true;
+ procReceiveRefs = "refs/for";
+ };
+ gc.writeCommitGraph = true;
+ };
+ };
+
+ programs.gnupg.agent.enable = true;
+
+ services.gitea = {
+ enable = true;
+ httpPort = 9901;
+ domain = hostname;
+ rootUrl = "https://${hostname}";
+ appName = "Pleshevskiy Git Repositories";
+ mailerPasswordFile = config.age.secrets.gitea-mailserver-passfile.path;
+ database = {
+ type = "postgres";
+ host = "/run/postgresql";
+ port = config.services.postgresql.port;
+ };
+ lfs.enable = true;
+ settings = {
+ log = {
+ LEVEL = "Debug";
+ ENABLE_SSH_LOG = true;
+ };
+ database = {
+ CHARSET = "utf8";
+ LOG_SQL = false;
+ };
+ server.DISABLE_ROUTER_LOG = true;
+ service = {
+ ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
+ DEFAULT_KEEP_EMAIL_PRIVATE = false;
+ DEFAULT_ALLOW_CREATE_ORGANIZATION = true;
+ DEFAULT_ENABLE_TIMETRACKING = true;
+ DEFAULT_ENABLE_DEPENDENCIES = false;
+ DISABLE_REGISTRATION = true;
+ ENABLE_NOTIFY_MAIL = false;
+ ENABLE_CAPTCHA = false;
+ ENABLE_TIMETRACKING = false;
+ REQUIRE_SIGNIN_VIEW = false;
+ REGISTER_EMAIL_CONFIRM = false;
+ NO_REPLY_ADDRESS = "noreply.pleshevski.ru";
+ };
+ repository = {
+ DISABLE_MIGRATIONS = false;
+ DISABLE_HTTP_GIT = false;
+ DISABLE_STARS = true;
+ DEFAULT_BRANCH = "main";
+ DEFAULT_CLOSE_ISSUES_VIA_COMMITS_IN_ANY_BRANCH = true;
+ };
+ "repository.signing" = {
+ #SIGNING_EMAIL = "gitea@noreply.pleshevski.ru";
+ #SIGNING_NAME = "Gitea";
+ #SIGNING_KEY = "E1DDBF5A1406BB987779A85F55B75599806CD426";
+ SIGNING_KEY = "default";
+ DEFAULT_TRUST_MODEL = "collaboratorcommiter";
+ MERGES = "pubkey,basesigned,commitssigned";
+ };
+ "repository.local" = {
+ LOCAL_COPY_PATH = "${config.services.gitea.stateDir}/tmp/local-repo";
+ };
+ "repository.upload" = {
+ TEMP_PATH = "${config.services.gitea.stateDir}/uploads";
+ ALLOWED_TYPES = "image/*";
+ };
+ "repository.pull-request" = {
+ WORK_IN_PROGRESS_PREFIXES = "Draft:,[Draft]:,WIP:,[WIP]:";
+ };
+ indexer = {
+ ISSUE_INDEXER_PATH = "${config.services.gitea.stateDir}/indexers/issues.bleve";
+ };
+ sessions = {
+ PROVIDER = "file";
+ PROVIDER_CONFIG = "${config.services.gitea.stateDir}/sessions";
+ };
+ picture = {
+ AVATAR_UPLOAD_PATH = "${config.services.gitea.stateDir}/avatars";
+ REPOSITORY_AVATAR_UPLOAD_PATH = "${config.services.gitea.stateDir}/repo-avatars";
+ DISABLE_GRAVATAR = false;
+ ENABLE_FEDERATED_AVATAR = true;
+ };
+ attachment = {
+ PATH = "${config.services.gitea.stateDir}/attachments";
+ };
+ mailer = {
+ ENABLED = true;
+ MAILER_TYPE = "smtp";
+ FROM = "\"${config.services.gitea.appName}\" ";
+ USER = "dmitriy@pleshevski.ru";
+ HOST = "mail.pleshevski.ru:465";
+ };
+ openid = {
+ ENABLE_OPENID_SIGNIN = true;
+ ENABLE_OPENID_SIGNUP = false;
+ };
+ };
+ };
+
+ services.nginx.virtualHosts.${hostname} = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://localhost:${toString config.services.gitea.httpPort}/";
+ };
+
+ age.secrets.gitea-mailserver-passfile = {
+ file = ../../../secrets/mailserver-users-jan-passfile.age;
+ owner = config.services.gitea.user;
+ group = "gitea";
+ };
+}
diff --git a/machines/magenta/services/mailserver-accounts.nix b/machines/magenta/services/mailserver-accounts.nix
new file mode 100644
index 0000000..f6190fc
Binary files /dev/null and b/machines/magenta/services/mailserver-accounts.nix differ
diff --git a/machines/magenta/services/mailserver.nix b/machines/magenta/services/mailserver.nix
new file mode 100644
index 0000000..dcde596
--- /dev/null
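Review bot: `programs.git.config` in the new gitea.nix is written to `/etc/gitconfig`, so `user.name`/`user.email = Gitea`, `commit.gpgSign = true` and `tag.gpgSign = true` apply to every account on this host rather than only to the gitea user, and a host-wide `commit.gpgSign` presumably also makes git sign the commits Gitea's own signing rules choose to leave unsigned; the short key ID here (`7B1C00B534537C0E`) also does not match the fingerprint in the commented-out `SIGNING_KEY` (`…806CD426`), so it is unclear which key is intended. `DEFAULT_TRUST_MODEL = "collaboratorcommiter"` is misspelled (Gitea's value is `collaboratorcommitter`) and, as far as I recall, an unrecognised value silently falls back to the default trust model instead of failing, which changes which signatures are displayed as verified — worth confirming against the deployed Gitea version. `httpPort = 9901` is set without `httpAddress`, which the NixOS module defaults to `0.0.0.0`, so Gitea answers plain HTTP from outside nginx unless the firewall blocks it; `httpAddress = "127.0.0.1";` closes that since nginx is its only intended client. The rewrite below keeps only repository-level git settings host-wide (with `gpg.program` taken from `${pkgs.gnupg}` instead of the `/run/current-system` path), moves identity and signing into Gitea's own `[repository.signing]` keys where they are scoped to Gitea, and drops the commented-out lines; `lib` in the module arguments is unused and can go too.

```nix
  programs.git = {
    enable = true;
    config = {
      # /etc/gitconfig is host-wide: keep only repository-level settings here;
      # identity and signing belong to Gitea's [repository.signing] below.
      gpg.program = "${pkgs.gnupg}/bin/gpg";
      core = {
        quotePath = false;
        commitGraph = true;
      };
      receive = {
        advertisePushOptions = true;
        procReceiveRefs = "refs/for";
      };
      gc.writeCommitGraph = true;
    };
  };
  # … unchanged: programs.gnupg.agent.enable …
  services.gitea = {
    enable = true;
    httpPort = 9901;
    httpAddress = "127.0.0.1"; # only the local nginx reverse proxy talks to Gitea
    # … unchanged: domain, rootUrl, appName, mailerPasswordFile, database, lfs …
    settings = {
      # … unchanged: log, database, server, service, repository …
      "repository.signing" = {
        # TODO(review): confirm which key is meant — 7B1C00B534537C0E (old
        # programs.git block) or E1DD…806CD426 (the commented fingerprint).
        SIGNING_KEY = "7B1C00B534537C0E";
        SIGNING_NAME = "Gitea";
        SIGNING_EMAIL = "gitea@noreply.pleshevski.ru";
        DEFAULT_TRUST_MODEL = "collaboratorcommitter";
        MERGES = "pubkey,basesigned,commitssigned";
      };
      # … unchanged: repository.local through openid …
    };
  };
```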
+++ b/machines/magenta/services/mailserver.nix
@@ -0,0 +1,18 @@
+{ ... }:
+
+{
+ imports = [ ./mailserver-accounts.nix ];
+
+ # See: https://nixos-mailserver.readthedocs.io/en/latest/options.html
+ mailserver = {
+ enable = true;
+ fqdn = "mail.pleshevski.ru";
+ domains = [ "pleshevski.ru" ];
+
+ # Use Let's Encrypt certificates. Note that this needs to set up a stripped
+ # down nginx and opens port 80.
+ certificateScheme = 3;
+
+ hierarchySeparator = "/";
+ };
+}
diff --git a/users/jan/default.nix b/users/jan/default.nix
index 1b53bf1..0a82b48 100644
--- a/users/jan/default.nix
+++ b/users/jan/default.nix
@@ -21,18 +21,14 @@
 passwordFile = config.age.secrets.users-jan-passfile.path;
 };
- home-manager = {
- useGlobalPkgs = true;
- useUserPackages = true;
- users.jan = { lib, ... }: {
- imports = [
- inputs.wired.homeManagerModules.default
- ./home.nix
- extraHomeModule
- ];
+ home-manager.users.jan = { lib, ... }: {
+ imports = [
+ inputs.wired.homeManagerModules.default
+ ./home.nix
+ extraHomeModule
+ ];
- home.stateVersion = config.system.stateVersion;
- };
+ home.stateVersion = config.system.stateVersion;
 };
 nix.settings.trusted-users = lib.mkAfter [ "jan" ];