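# Host-side module for the Gitea service: the forge itself runs inside the
# `git` NixOS container (sharing the host's /var/lib/gitea and the ACME
# certificate directory via bind mounts), while the Gitea Actions runner runs
# directly on the host so it can reach the docker/podman sockets.
{ config, ... }:
let
  cids = import ../modules/staticids.nix;
  domain = "git.cloonar.com";
  # (An `ip = "10.42.97.3"` binding used to live here but was never
  # referenced; the container gets its address via DHCP on the macvlan.)

  # Shared user/group definitions: the same uid/gid are applied on the host
  # and inside the container so the bind-mounted /var/lib/gitea stays
  # consistently owned on both sides.
  user = {
    isSystemUser = true;
    uid = cids.uids.gitea;
    group = "gitea";
    home = "/var/lib/gitea";
    createHome = true;
  };
  group = { gid = cids.gids.gitea; };

  runner-user = {
    isSystemUser = true;
    uid = cids.uids.gitea-runner;
    group = "gitea-runner";
    home = "/var/lib/gitea-runner";
    createHome = true;
    # NOTE(review): membership in "docker" (and a rootful "podman") is
    # root-equivalent on the host, and the runner executes jobs defined by
    # repository workflows. Anyone who can push a workflow to this instance
    # therefore has host-level reach; keep that in mind when granting
    # registration/push rights and consider a rootless or isolated runner.
    extraGroups = [ "docker" "podman" ];
  };
  runner-group = { gid = cids.gids.gitea-runner; };
in {
  # TODO(review): nixpkgs marks this Gitea release as insecure (known
  # vulnerabilities) and the service is reachable from the network through
  # nginx. Upgrade and drop this allow-list entry; the container below
  # carries the same entry and must be updated together with it.
  nixpkgs.config.permittedInsecurePackages = [ "gitea-1.19.4" ];

  users.users.gitea = user;
  users.groups.gitea = group;

  # The certificate is obtained on the host and handed to the container
  # read-only through the bind mount below; nginx inside the container only
  # needs read access, hence group "nginx".
  security.acme.certs."${domain}" = { group = "nginx"; };

  containers.git = {
    autoStart = true;
    ephemeral = false; # because of ssh key
    macvlans = [ "vserver" ];
    bindMounts = {
      "/var/lib/gitea" = {
        hostPath = "/var/lib/gitea/";
        isReadOnly = false;
      };
      # Private key material is mounted read-only: the container cannot alter
      # or renew the certificate, only serve it.
      "/var/lib/acme/gitea/" = {
        hostPath = "${config.security.acme.certs.${domain}.directory}";
        isReadOnly = true;
      };
    };

    # Container configuration. Only `domain`, `user` and `group` from the
    # outer `let` are used here, so no module arguments are bound.
    config = { ... }: {
      networking = {
        hostName = "git";
        nameservers = [ "10.42.97.10" ];
        interfaces.mv-vserver = { useDHCP = true; };
        # 22 for git-over-ssh (sshd is enabled below), 80/443 for nginx.
        firewall = {
          enable = true;
          allowedTCPPorts = [ 22 80 443 ];
        };
      };

      services.nginx = {
        enable = true;
        # TLS terminates in nginx; Gitea itself only listens on localhost:3001.
        virtualHosts."${domain}" = {
          sslCertificate = "/var/lib/acme/gitea/fullchain.pem";
          sslCertificateKey = "/var/lib/acme/gitea/key.pem";
          sslTrustedCertificate = "/var/lib/acme/gitea/chain.pem";
          forceSSL = true;
          locations."/" = { proxyPass = "http://localhost:3001/"; };
        };
      };

      # See the matching entry on the host above; both must be removed when
      # Gitea is upgraded.
      nixpkgs.config.permittedInsecurePackages = [ "gitea-1.19.4" ];

      services.gitea = {
        enable = true;
        appName = "Cloonar Gitea server"; # Give the site a name
        settings = {
          server = {
            ROOT_URL = "https://${domain}/";
            HTTP_PORT = 3001;
            DOMAIN = domain;
          };
          # Sign-in is via OpenID only from the listed provider; the OpenID
          # sign-in form itself is disabled.
          openid = {
            ENABLE_OPENID_SIGNIN = false;
            ENABLE_OPENID_SIGNUP = true;
            WHITELISTED_URIS = "auth.cloonar.com";
          };
          # No local self-registration: accounts can only be created through
          # the external (OpenID) provider, and the button is hidden.
          service = {
            DISABLE_REGISTRATION = false;
            ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
            SHOW_REGISTRATION_BUTTON = false;
          };
          actions.ENABLED = true;
          # Restricts which hosts webhooks may be delivered to; this is the
          # guard against webhooks being pointed at internal addresses.
          webhook.ALLOWED_HOST_LIST = "drone.cloonar.com";
        };
      };

      services.openssh.enable = true;

      users.users.gitea = user;
      users.groups.gitea = group;
      system.stateVersion = "23.05";
    };
  };

  users.users.gitea-runner = runner-user;
  users.groups.gitea-runner = runner-group;

  # Runner registration token is decrypted by sops into /run/secrets and
  # readable only by the runner user.
  sops.secrets.gitea-runner-token = { owner = "gitea-runner"; };

  services.gitea-actions-runner.instances.main = {
    enable = true;
    url = "https://${domain}";
    name = "main";
    tokenFile = "/run/secrets/gitea-runner-token";
    # TODO(review): `:latest` is a floating tag, so the job image can change
    # underneath the runner without any change here. Pin the image to a
    # digest (or at least a version tag) for reproducible, reviewable jobs.
    labels = [ "ubuntu-latest:docker://shivammathur/node:latest" ];
    settings = {
      runner = {
        envs = {
          # presumably picked up by the docker daemon used for job containers
          # to resolve names through the internal DNS server — verify against
          # the runner's documentation.
          DOCKER_DAEMON_CONFIG = ''
            { "dns": ["10.42.97.10"] }
          '';
        };
      };
      # container = {
      #   options = "--network=server";
      # };
    };
  };

  # Alternative, currently disabled: run the runner in its own container.
  # NOTE(review): if this is revived, the read-write podman socket mount
  # gives the container full control over the host's podman instance, i.e.
  # the same host-level reach as the docker group membership above.
  # containers.git-runner = {
  #   autoStart = true;
  #   ephemeral = false; # because of ssh key
  #   macvlans = [ "vserver" ];
  #   bindMounts = {
  #     "/run/secrets/gitea-runner-token" = {
  #       hostPath = config.sops.secrets.gitea-runner-token.path;
  #       isReadOnly = true;
  #     };
  #     "/run/podman/podman.sock" = {
  #       hostPath = "/run/podman/podman.sock";
  #       isReadOnly = false;
  #     };
  #   };
  #   config = { lib, config, pkgs, ... }: {
  #     networking = {
  #       hostName = "git-runner";
  #       nameservers = [ "10.42.97.10" ];
  #       interfaces.mv-vserver = {
  #         useDHCP = true;
  #       };
  #       firewall = {
  #         enable = true;
  #       };
  #     };
  #
  #     virtualisation.podman.enable = true;
  #
  #     # users.groups.podman.gid = cids.gids.podman;
  #     users.users.gitea-runner = runner-user;
  #     users.groups.gitea-runner = runner-group;
  #
  #     system.stateVersion = "23.05";
  #   };
  # };
}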