diff --git a/hosts/fw.cloonar.com/modules/gitea.nix b/hosts/fw.cloonar.com/modules/gitea.nix
index 4022eb1..19834ed 100644
--- a/hosts/fw.cloonar.com/modules/gitea.nix
+++ b/hosts/fw.cloonar.com/modules/gitea.nix
@@ -14,70 +14,152 @@ in users.groups.gitea = { gid = 989; }; - services.nginx.virtualHosts."${domain}" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "https://${ip}:443/"; - extraConfig = '' - proxy_set_header=Host ${domain} - ''; - }; - }; + # services.nginx.virtualHosts."${domain}" = { + # enableACME = true; + # forceSSL = true; + # locations."/" = { + # proxyPass = "https://${ip}:443/"; + # extraConfig = '' + # proxy_set_header=Host ${domain} + # ''; + # }; + # }; + # + # environment.etc."gitea/app.ini".text = '' + # APP_NAME = Cloonar Gitea server + # RUN_MODE = prod + # + # [cron.update_checker] + # ENABLED=false + # + # [database] + # DB_TYPE=sqlite3 + # PATH=/bitnami/gitea/data/gitea.db + # + # [openid] + # ENABLE_OPENID_SIGNIN=false + # ENABLE_OPENID_SIGNUP=true + # WHITELISTED_URIS=auth.cloonar.com + # + # [server] + # DISABLE_SSH=false + # DOMAIN=git.cloonar.com + # HTTP_ADDR=0.0.0.0 + # HTTP_PORT=443 + # PROTOCOL=https + # ROOT_URL=https://git.cloonar.com/ + # SSH_PORT=22 + # CERT_FILE=/ssl/fullchain.pem + # KEY_FILE=/ssl/key.pem + # + # [service] + # ALLOW_ONLY_EXTERNAL_REGISTRATION=true + # DISABLE_REGISTRATION=false + # SHOW_REGISTRATION_BUTTON=false + # + # [webhook] + # ALLOWED_HOST_LIST=drone.cloonar.com + # ''; + # + # virtualisation = { + # oci-containers.containers = { + # gitea = { + # image = "gitea/gitea:1"; + # volumes = [ + # "/var/lib/gitea:/data" + # "/etc/gitea/app.ini:/data/custom/conf/app.ini:ro" + # "/var/lib/acme/git.cloonar.com:/ssl:ro" + # ]; + # environment = { + # USER_UID = builtins.toString config.users.users.gitea.uid; + # USER_GID = builtins.toString config.users.groups.gitea.gid; + # }; + # extraOptions = [ + # "--ip=${ip}" + # ]; + # }; + # gitea = { + # image = "gitea/gitea:1"; + # volumes = [ + # "/var/lib/gitea:/data" + # "/etc/gitea/app.ini:/data/custom/conf/app.ini:ro" + # "/var/lib/acme/git.cloonar.com:/ssl:ro" + # ]; + # environment = { + # USER_UID = builtins.toString 
config.users.users.gitea.uid; + # USER_GID = builtins.toString config.users.groups.gitea.gid; + # }; + # extraOptions = [ + # "--ip=${ip}" + # ]; + # }; + # }; + # }; - environment.etc."gitea/app.ini".text = '' - APP_NAME = Cloonar Gitea server - RUN_MODE = prod - - [cron.update_checker] - ENABLED=false - - [database] - DB_TYPE=sqlite3 - PATH=/bitnami/gitea/data/gitea.db - - [openid] - ENABLE_OPENID_SIGNIN=false - ENABLE_OPENID_SIGNUP=true - WHITELISTED_URIS=auth.cloonar.com - - [server] - DISABLE_SSH=false - DOMAIN=git.cloonar.com - HTTP_ADDR=0.0.0.0 - HTTP_PORT=443 - PROTOCOL=https - ROOT_URL=https://git.cloonar.com/ - SSH_PORT=22 - CERT_FILE=/ssl/fullchain.pem - KEY_FILE=/ssl/key.pem - - [service] - ALLOW_ONLY_EXTERNAL_REGISTRATION=true - DISABLE_REGISTRATION=false - SHOW_REGISTRATION_BUTTON=false - - [webhook] - ALLOWED_HOST_LIST=drone.cloonar.com - ''; - - virtualisation = { - oci-containers.containers = { - gitea = { - image = "gitea/gitea:1"; - volumes = [ - "/var/lib/gitea:/data" - "/etc/gitea/app.ini:/data/custom/conf/app.ini:ro" - "/var/lib/acme/git.cloonar.com:/ssl:ro" - ]; - environment = { - USER_UID = builtins.toString config.users.users.gitea.uid; - USER_GID = builtins.toString config.users.groups.gitea.gid; - }; - extraOptions = [ - "--ip=${ip}" - ]; + containers.gitea = { + autoStart = true; + macvlans = [ "server" ]; + bindMounts = { + "/var/lib/gitea" = { + hostPath = "/var/lib/gitea/"; + isReadOnly = false; }; }; + bindMounts = { + "${security.acme.certs.${domain}.directory}" = { + hostPath = "/var/lib/acme/gitea/"; + isReadOnly = true; + }; + }; + config = { config, pkgs, ... 
}: { + networking.hostName = "fw"; + + services.nginx.virtualHosts."${domain}" = { + enableACME = true; + sslCertificate = "/var/lib/acme/gitea/fullchain.pem"; + sslCertificateKey = "/var/lib/acme/gitea/key.pem"; + sslTrustedCertificate = "/var/lib/acme/gitea/chain.pem"; + forceSSL = true; + locations."/" = { + proxyPass = "http://localhost:3001/"; + }; + }; + + services.gitea = { + enable = true; + appName = "Cloonar Gitea server"; # Give the site a name + settings = { + server = { + ROOT_URL = "https://${domain}/"; + HTTP_PORT = 3001; + DOMAIN = domain; + }; + openid = { + ENABLE_OPENID_SIGNIN = false; + ENABLE_OPENID_SIGNUP = true; + WHITELISTED_URIS = "auth.example.com"; + }; + service = { + DISABLE_REGISTRATION = false; + ALLOW_ONLY_EXTERNAL_REGISTRATION = true; + SHOW_REGISTRATION_BUTTON = false; + }; + webhook.ALLOWED_HOST_LIST = "drone.cloonar.com"; + }; + }; + + system.stateVersion = "23.05"; + + networking = { + firewall = { + enable = true; + allowedTCPPorts = [ 22 80 443 ]; + }; + # Use systemd-resolved inside the container + useHostResolvConf = mkForce false; + }; + + services.resolved.enable = true; + }; }; } diff --git a/utils/pkgs/sysbox.nix b/utils/pkgs/sysbox.nix index d3a5ee6..1cc455b 100644 --- a/utils/pkgs/sysbox.nix +++ b/utils/pkgs/sysbox.nix @@ -24,8 +24,6 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ dpkg makeWrapper ]; - # buildInputs = [ openssl ]; - unpackPhase = '' runHook preUnpack @@ -40,14 +38,7 @@ stdenv.mkDerivation rec { mkdir -p "$out" cp -r src/* "$out" - # Flatten /usr and manually merge lib/ and usr/lib/, since mv refuses to. - # mv "$out/lib" "$out/orig_lib" mv "$out/usr/"* "$out/" - # mkdir -p "$out/lib/systemd/system/" - # mv "$out/orig_lib/systemd/system/"* "$out/lib/systemd/system/" - # rmdir "$out/orig_lib/systemd/system" - # rmdir "$out/orig_lib/systemd" - # rmdir "$out/orig_lib" rmdir "$out/usr" for f in "$out/lib/systemd/system/"*.service; do
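Review bot: The new `containers.gitea` attrset defines `bindMounts` twice (one block for `/var/lib/gitea`, a second for the ACME directory), and Nix rejects a repeated attribute inside one literal with "attribute 'bindMounts' already defined", so this module will not evaluate. Merge both mounts into a single `bindMounts` block, and mount the certificates at the path the container's nginx actually reads (`/var/lib/acme/gitea`) instead of `${security.acme.certs.${domain}.directory}`, which also relies on an unqualified `security` binding the hunk does not show. Inside the container, `enableACME = true` sits next to a read-only bind mount of the host's certificate files; if the host is meant to own the certificate, the container cannot issue or renew into a read-only directory, so drop `enableACME` and keep only the explicit `sslCertificate*` paths. `WHITELISTED_URIS = "auth.example.com"` replaces the previous `auth.cloonar.com` and reads like a placeholder; with `ENABLE_OPENID_SIGNUP = true` and `ALLOW_ONLY_EXTERNAL_REGISTRATION = true` this list is what restricts which OpenID providers may create accounts, so confirm the intended host before merging. The enclosing module attrset begins before the hunk.
```nix
  containers.gitea = {
    autoStart = true;
    macvlans = [ "server" ];
    # single bindMounts block: a repeated attribute is an evaluation error
    bindMounts = {
      "/var/lib/gitea" = {
        hostPath = "/var/lib/gitea/";
        isReadOnly = false;
      };
      # mounted at the same path the container's sslCertificate* options point at
      "/var/lib/acme/gitea" = {
        hostPath = "/var/lib/acme/gitea/";
        isReadOnly = true;
      };
    };
    # … unchanged: config = { config, pkgs, ... }: { … } …
```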