move modules to git

hosts/git.cloonar.com/configuration.nix

@@ -1,20 +1,19 @@
 { config, pkgs, ... }:
 { 
   imports = [
+    ./fleet.nix
+    ./utils/bento.nix
     ./utils/modules/sops.nix
     ./utils/modules/lego/lego.nix
-    # ./modules/gogs.nix
-    ./utils/modules/gitea.nix
-    ./utils/modules/drone/server.nix
-    ./utils/modules/drone/runner.nix
+
+    ./modules/gitea.nix
+    ./modules/drone/server.nix
+    ./modules/drone/runner.nix
+
     ./utils/modules/borgbackup.nix
     ./utils/modules/netdata.nix
     ./utils/modules/promtail
     ./utils/modules/victoriametrics
-
-    ./fleet.nix
-
-    ./utils/bento.nix
     ./utils/modules/autoupgrade.nix
 
     ./hardware-configuration.nix

hosts/git.cloonar.com/modules/drone/runner.nix

@@ -0,0 +1,48 @@
+{ config, pkgs, ... }:
+
+{
+  virtualisation.docker.enable = true;
+
+  users.users.drone-runner = {
+    isSystemUser = true;
+    group = "drone-runner";
+    home = "/var/lib/drone-runner";
+    createHome = true;
+  };
+  users.groups.drone-runner = { };
+  users.groups.docker.members = [ "drone-runner" ];
+
+  systemd.services.drone-runner = {
+    description = "Drone Runner (CI CD Service)";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    path = [ pkgs.docker ];
+
+    serviceConfig = {
+      # Type = "simple";
+      Name = "drone-runner";
+      User = "drone-runner";
+      Group = "drone-runner";
+      Restart = "always";
+      ExecStartPre= ''
+        -${pkgs.docker}/bin/docker stop %n \
+        -${pkgs.docker}/bin/docker rm %n \
+        ${pkgs.docker}/bin/docker pull drone/drone:1
+      '';
+      ExecStart= ''
+        ${pkgs.docker}/bin/docker run --rm --name %n \
+        --volume=/var/run/docker.sock:/var/run/docker.sock \
+        --env-file=/run/secrets/drone-runner \
+        --env=DRONE_RPC_PROTO=https \
+        --env=DRONE_RPC_HOST=drone.cloonar.com \
+        --env=DRONE_RUNNER_CAPACITY=2 \
+        drone/drone-runner-docker:1
+      '';
+    };
+  };
+
+  sops.secrets.drone-runner = {
+    owner = config.systemd.services.drone-runner.serviceConfig.User;
+    key = "drone";
+  };
+}

hosts/git.cloonar.com/modules/drone/secrets.yaml

@@ -0,0 +1,30 @@
+drone: ENC[AES256_GCM,data:Z1Rjso+5XYfvp2xJDXCQkI88GXl83v2oEkMLmOV/rb0DwRmhxCYzYX6fcdidk271Drf1YaPstVvm2LQB38jlBnJtg98aAGegj2fWfT44IbPIi8qDe93M2gFxFDgosoA2eOS2MjEwyBDp9GEUnKyi2gHR8khnTCvegVIntsusWOW/1tbzymKXavZAJUlX+82d/+6NWUEcnbislxhyph8P1Lgw546q,iv:SllCBHlq8ZCBqOHwMaCUcX6D/VDWsbN7uICZKb/R35w=,tag:mEb4E02VUaYGVjyI30FcXA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0OW1JN0hjYjh4cDlmLyt6
+            dHRlSjN6Y1JWUFdzNWlZZ3c0Z2F4bXBCa1NFCjM3b3pPZVhtbDdob3lsR2xlMmJI
+            bjRRMHFjQ2kwWWJKT1p5VW5NVGJuZ3MKLS0tICtRcTFoSmxyeUhaaVlxQUxRWkJl
+            SXR2M293UFBxNFovRnlTQ1o4SzloaEEK+onGdd/7aEF71ibLoLXE5/SbJQWsKigh
+            h8BhfT1z9P5UYNoGHVv8Ry6LndyrBLEv+PUBuT0XJpEVPjKLm99KbQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age106n5n3rrrss45eqqzz8pq90la3kqdtnw63uw0sfa2mahk5xpe30sxs5x58
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyL3dDczRNMjNQUWVjelR5
+            TG93QUFjVGtMNFplaTErOTJjT2dHbWtWUVNzCjNTV0tUY2hpcnp1SDZ4UTB2aFNI
+            M2JwSkdNS0RFQVlPRUNzRG41aW5aS3cKLS0tIEJtaTRXdTI3NGJxZENJTk9jT1hi
+            N3RLRjdkMmZkSmZWZGlYbXRRUTJOZFEK2bJo7iyE3A5ds7tW5bAHgyfGqgH4cRjY
+            hLzYp083QYbXKAqP1w8a3JFXofv1RWd7tUb61I6R4Rd6hXZUv1a5Qw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-02-10T12:35:53Z"
+    mac: ENC[AES256_GCM,data:44J9abLbHkvjAtIUqXVZlcEAnizgg5yxKwyaZhnqIzzebWEpzqcKP6b72blaD7/jSdAiUo7bk/m4BxKVGHf9XKGxyLastbgYoFtz40rsKg9LOKpEfO2kl3JV5dj7C1f8IgsHWZ8L3Vb6KFKcrK2bzjZ5K5p22hCze4lQbK7CZTE=,iv:TE+6juCOTjTrx5nQhi8W5gaZkMFYrEDtoPrGdSTJSNE=,tag:AVsCIkzPjtfk3uSlsv6Dlg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

hosts/git.cloonar.com/modules/drone/server.nix

@@ -0,0 +1,63 @@
+{ config, pkgs, ... }:
+
+{
+  virtualisation.docker.enable = true;
+
+  users.users.drone-server = {
+    isSystemUser = true;
+    group = "drone-server";
+    home = "/var/lib/drone-server";
+    createHome = true;
+  };
+  users.groups.drone-server = { };
+  users.groups.docker.members = [ "drone-server" ];
+
+  systemd.services.drone-server = {
+    description = "Drone Server (CI CD Service)";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    path = [ pkgs.docker ];
+
+    serviceConfig = {
+      # Type = "simple";
+      Name = "drone-server";
+      User = "drone-server";
+      Group = "drone-server";
+      Restart = "always";
+      ExecStartPre= ''
+        -${pkgs.docker}/bin/docker stop %n \
+        -${pkgs.docker}/bin/docker rm %n \
+        ${pkgs.docker}/bin/docker pull drone/drone:1
+      '';
+      ExecStart= ''
+        ${pkgs.docker}/bin/docker run --rm --name %n \
+        --env-file=/run/secrets/drone-server \
+        --env=DRONE_AGENTS_ENABLED=true \
+        --env=DRONE_GITEA_SERVER=https://git.cloonar.com \
+        --env=DRONE_GITEA_CLIENT_ID=6a7b8c57-bd71-49c8-b67d-c2de68fda649 \
+        --env=DRONE_GIT_ALWAYS_AUTH=true \
+        --env=DRONE_SERVER_HOST=drone.cloonar.com \
+        --env=DRONE_SERVER_PROTO=https \
+        --env=DRONE_USER_CREATE=username:dominik.polakovics,admin:true \
+        -v /var/lib/drone:/data \
+        --publish=8080:80 \
+        drone/drone:2
+      '';
+    };
+  };
+
+  services.nginx.enable = true;
+  services.nginx.virtualHosts."drone.cloonar.com" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    locations."/" = {
+      proxyPass = "http://localhost:8080";
+    };
+  };
+
+  sops.secrets.drone-server = {
+    owner = config.systemd.services.drone-server.serviceConfig.User;
+    key = "drone";
+  };
+}

hosts/git.cloonar.com/modules/gitea.nix

@@ -0,0 +1,36 @@
+{ config, ... }:
+let
+  domain = "git.cloonar.com";
+in
+{
+  services.nginx.virtualHosts."${domain}" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://localhost:3001/";
+    };
+  };
+
+  services.gitea = {
+    enable = true;
+    appName = "Cloonar Gitea server"; # Give the site a name
+    settings = {
+      server = {
+        ROOT_URL = "https://${domain}/";
+        HTTP_PORT = 3001;
+        DOMAIN = domain;
+      };
+      openid = {
+        ENABLE_OPENID_SIGNIN = false;
+        ENABLE_OPENID_SIGNUP = true;
+        WHITELISTED_URIS     = "auth.example.com";
+      };
+      service = {
+        DISABLE_REGISTRATION                          = false;
+        ALLOW_ONLY_EXTERNAL_REGISTRATION              = true;
+        SHOW_REGISTRATION_BUTTON                      = false;
+      };
+      webhook.ALLOWED_HOST_LIST = "drone.cloonar.com";
+    };
+  };
+}

hosts/git.cloonar.com/secrets.yaml

@@ -1,5 +1,6 @@
 borg-passphrase: ENC[AES256_GCM,data:exjDVqrSVJzKrDrM3f8zALfrzNVDRfJP8PE8ykr21dfobYcG5q8dz45dxWt4sgChtWggfYpn4cklSfxwbbe9cw==,iv:BwST15IfZVRpYYPUbydyfTR2CVm7XmUGL+1jbnd2VUI=,tag:RS6vetOvaFMPcBKL51zH1g==,type:str]
 borg-ssh-key: ENC[AES256_GCM,data:v3L+l3mfwLtczvuvYy9JNSTYmOFb7zukqEBMAr3jmFg/axKyGAt8gkYzmFXhVOndRxoq2jbKyvATPqA5dz0p0RWFUoZ4/dcnKQ+G2qLon5kkEAaPSiXDNi2IWDx5toOueHirFjX4R/PEMfPMxLsVA+x8mNJEC03nIJ4Y8G3fATkmay7TVtGXEXzLJH6/WAD2nGmnHQbpEIntsxvM2s11lh6uetUtrQ/79SKB9iZPWCD76j2+kLsr5jDKyjSeC/xrLehtBJFuFwB3keUJGCRk1GMSYsmlJm8ADi0tIkBf2hPEFCmO0j2QEHeK9zmh9WUiy6e8472+rOm+DKAWJz2mLmwjNXqGvX+mYjl0FW/BRipodUDVC6xipfh3mN4B4OEV5vo48xhvf7Ip6ZjIC5Z9j6cpk81GG1rLnJfw6Yjn8bcjkF1uelYy9poMBxGqQLRlQSP0vFttAh5Z5omlGl7laO/1bKs6dXxpxmHBYRcnHHP1frL92bUgVbHjC8naBqS4gjRhVrANNtkuQmIZHuCmdphKMDpIRqypXNT5OdO7GkuEIxAqiUFy+QjyRSHSjroMHPqxSOSNc/d9vQVC9JR3Fb7QP2ysvL1hz0L0Yz9PNiNNh1yRc5coFQ6L0TGotCsQQE9JOscDvZsary9vghWLWo6VT2RBMMCDcwTs1W8zLCnW09D5DNgIAjn3ykDIvR5x2RjnS6RDaOJqamQpakTmKhvff+kXGbAQfDq8Hnx9nj8+27lmu1g2B41F+8fUmjXXK+5vfoL+9Xcv+XrWpIQxdvhRBKzGiVLnn5pB1QBOHBjpNqLd+Ahv82x7jxNKLie1kLy2x/VN2DP3SIYWTl9QdRngpICTy1aapMeNbNSXhhSq873laVUXPWhOcm8MphatUlyrdySjF0RM6DBp40KlCXCebNGRSv0Yjn5zxIFXXEh6o5kJtoUzgsv3Y+Fzy5VibkFAHoAvMPCJZDtfFHLrmryp+L4GzgLktCKefsASL/xDxSiu5dJceOsefj7etXr5GoEvmrteS8Hm935R9I7MycmmDKAEKOPhO1RO1p/m9f8qUmaiY8WGkPoIJVHp+fQd2WjlE7qrvIr5e5U4aUV3FvRm1TEuWNuZ4gQ3lpQFNsWcnVpBwOtIT5OsDH45oVZ8xVyK2duMvFoMYRkRW4QnCZWPt0oaLa9/GHmPd39yAfStvK0ksOQwWiQGp3feeFtTxTWiWJicnAAMB6BK7xX3A2gOF4RkVii1YyuGXaj3c0fZakO2k2pQ9TXOn29lSxBNwNvxhP8uUnPVE5izlwSiPAcIy2x3cPEOWNeQQJJZxLunOil17Le+WDtxDsbcdmcEGUQLLQJRzUxWOvaiIo9PUwVcSjHEI8+t8JN7IgMNT8QOvIextuhY4G3ApVJCkgvXs+QwTckWKDcSIiHdIt/I6SHlv6BkNfja0zqZIJ727i4huNSfoO/vq4BUA89plxVMugmS/oLXIUQuKZM1xC1sypvjxu3W430BN3tkPmtSD5n4cuP4hLN7TtNNfkFBXe9qT4bynGHJ+q5Zr0SMK/sgF+cluuR6GLljUSCv4KH4UiVIj5ZS/iDE96vAfi0LXuOLe9TZmxgPeDVqWM1392sSwE62vJ/xTVb8Smq0yMqsGTCDg5yGBcXly3FTcbe6AU8NGGWhY+n2UoV3McHSZNzVVdeD9YvhXh1YbmXoYwguiPpv16GpxL+OnWkMFXHN0p/kK/nEX7eAq/okeMc8RHSZcp91ZYW62S7QXkIsxvQj025l589ta9S95S3BdeOWHmn/lE03yxRXn5Jn60gs02fWLnqkwPO0X6nrIWWZ5SHft3owpSttjertO27d+lZ9J41JJPU7m9wgDTENtK1UqxCsSA4x0943FLcZWNM1bNwStfHpWQsCdtcCNdNSWOJ5qpTySOnzyItckOLXOlTW/9L06kQeBFZj9Ci76TtcGUfdArRMA4xumbZAdiXsNz4IM6YjERkMj4iDL+jtRpPjCynQ/NVjd1IiWaMkndFxvlqyCcI83IZaqvRqbh6zd8p86IdGcWJYiB1cRlKNeIvltzsO4X6HM1LI8PHcBb+dXoU+c7Nik/2w0N42xvdFeMpCakNRA7wtqWDnvkEAkn+gaaQCKuk+aif/rPWey0JaE/f2JLrQiuBc1CHEOclPRNOW8UnQ4nBtddL6h7KdUJb5fTt1Hamsluzmz3/rR5v08pyKIvxGHDM4YZ/2t3mbK56pJuQhhrfPD8ZuzqYaxKTojG6Sk3ollN6CbjEsdO68aaLNyK7fzfSU5NbN45uLgo1w/+JywWhYIuWEm72GhoqJyaj74NpPn8Nz4dcL15wrivnuynfQ5rr93QZbxSoTFntHMJ9AIY3aNmyzVt+VB5F1Y/I4SfZ66MuCwXyAuZCNe1cHPk/CHB9BtrO/n5KzNdVnvNvH9edQYSzP63qRmGwtQ3iiNwIo2uMmEvmzfSgcrOE5ZCaY2roqESO8sPSoasbF9STOlMT4JfWkyjAozY9eRUnbqTAl6StYmTOaJ71Qyy0okujQVxXsq7ZFshsbX5xhy+h26pUQy/951frrAPn3cIhcBXFuoW9Re9Tiyx76L5cUzGGN1AcaQ0FvlLj5V40zfvSOOFrZEqjSGTWnFuRam8lVxGZEWy5zESeeWN97S7IyDlgOfq6KsH8UEr1ePnuLG7jyTSEeNGJQ56l6ht1MVyA+4To6KIEkhepEpOMd4G5wKpJbLHSqZLxbT8Z46VTOFr7ePllmBhZeFdw7YlI7E810BTB1qx7C8gQvSC+N7CrnRGoE90SRGBKBE3smHN44hdvHWl/tS3EdC0Jt7uev4v2jLhLyriuSyal87Nf8vVTsoiTV8y40R7CCum403RAowHVuPfhRWNl4kGR4wqb9Xib2g9siq8NyaY0Z7kIZloBPezCONpfjkIAYrTf8K6g5EVk/Jl5tG/ZzkfW9z9bTiO6jcrfAnQ7B+K5hTq7I1n9xTr7tejscFWUPZnDgx8hl1BpD5TkN8UoA/TtjqdofwqgYT5so/xqXc6mCCAB/OJyh6Q/6GCthP1haAwkyQpqLPlKklIo+gFWXJG4nsf570piqQ0OdKZ5LLKcUpysmCp0OHivQr/6sfNWxMXwMdCiEBt6pLaqv6tMI7PobZNJWHeesu3sPAngFwgf1c6BGxaVWXDY/eF5OBJevq9AoKrdsnt4Nd0veVgKrp3wImvw2HQBdR4wdCVizhESgvCFY8Lv/8zCQpNhSXlfQ32F8onRuMZl/ZHJ/+N1Vec3HQ61AAwObML3vs1xrkr52QG60UZQCUUYoxYBcfPU0RXNYOvrejCIVIHWb/NnWGQ8x+l3ysjf1fvT9DDcuLtcCO3+m7Qvl9WZdNChQchEGmscDOO1geT6oZUDH+ogzKUOWInccaX7eoUjL00CUF6D27KALXN+ySbVLG+ASFe/L/ntW+P9Y/p6CNL6KLZq4isrXSQ==,iv:FV3HSPTmmRT0TeT4eYzVN+nfSqgOnfgngDALBCDRhYE=,tag:vZy57/c/xwfowvTsEZ31CA==,type:str]
+drone: ENC[AES256_GCM,data:2HfYPiXGlp/4/qnS0yvQGoBdZB49AOef/WsVgd9HKSYEDLoUVPslQ6C0rjuMbumjAfgMs48zKDx5//T0kSkf/Z+YQxs1qPJrGRuyTIWJYyRjdlk6hUogihLWzeZcBfHB2fTI7sKllJLSWJU6gRVwHz1CONqtUedNg+E4+V4alnb7mDJ1wmzHK3Ue4dkE9npOOjCvonqjWnSp8Kr6Vt86VgzObnnc,iv:+Rae9lAJS5YsBBWBB26lwRhIVi7vqyXYBPKQLtTd7sw=,tag:YiSBFZReefcedF/apaMHrw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -24,8 +25,8 @@ sops:
             b3FkMi9iZjlKaDFyQ3Bid0sxSzluRkkKUgdqPYbOaWG+iSGNSIkvPc9V4O/WztQc
             ak8iaZ83KR46o1m453ZesEGDjCRyfFQomcm+WcqM0Sdj1uT+JSVJSw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-08-18T23:09:30Z"
-    mac: ENC[AES256_GCM,data:w9q6bJl8yWm0f3hFljfthn6/h8JWH2ZJMdQCliu85QhmtcL2jg1pJeVCxxaeQFYUia+zdpwebB6ZQ/NVmmAwqkk2Kk9CyAvIifNwOz7PrJM3uycibhl39jiSnuuPvxe8MQnkBC5N8wymCBRHDRzn4gnFOzpoHxv/Rc64dwG63fQ=,iv:CjLFjoN9StU3m7lrgQtcJtV/8KMp5UTRZWjrc3O5nio=,tag:sHmc5HcdP4Qm/xZFGO7/BA==,type:str]
+    lastmodified: "2023-08-19T12:29:53Z"
+    mac: ENC[AES256_GCM,data:Bc6CdwfVI46SKwFAORB/GOlrmIOAzLZ5uCl+TWXW0IZEfTrczyNKngwEw6iEybBVVFvF5AgqLu7rLMs5QIAHqu2A77dXzwQMsCcpK1NzUtmsxKjw3aePtv0/0xjLeUZUv4E1nTCTyg5E+PQZvLZ/JJN5vTVLyRhGIib4dv6KehA=,iv:irVZkVJ+Ivio0ar5ffKungVBSnG0X3H+Lm2lRLnUFOc=,tag:Q75b85s35RXuoBe8grYMjw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3