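# Host-side definition of two microvm.nix guests:
#   * `gitea`        - a Gitea instance behind nginx; TLS is terminated with a
#                      certificate the host obtained via ACME and shares read-only.
#   * `gitea-runner` - a Gitea Actions runner that executes CI jobs in podman
#                      containers and reads its registration token from a
#                      host-provided secrets share.
#
# `nixpkgs` is not used in this file but stays in the argument set because
# the module system passes it; dropping it would be a no-op for callers.
{ nixpkgs, pkgs, ... }:
let
  hostname = "git-02";
  fqdn = "${hostname}.cloonar.com";

  # Read-only view of the host Nix store; both guests mount it.
  roStoreShare = {
    source = "/nix/store";
    mountPoint = "/nix/.ro-store";
    tag = "ro-store";
    proto = "virtiofs";
  };

  # Root SSH keys, identical for both guests (previously duplicated verbatim).
  # With the NixOS default of PermitRootLogin = "prohibit-password" these keys
  # are the only root login path over SSH, so keep this list tight.
  rootAuthorizedKeys = [
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
  ];

  # Convenience packages installed in every guest.
  guestPackages = with pkgs; [
    vim # my preferred editor
  ];
in
{
  microvm.vms = {
    gitea = {
      config = {
        microvm = {
          hypervisor = "cloud-hypervisor";
          shares = [
            roStoreShare
            # The host certificate obtained for git.cloonar.com is exposed
            # inside the guest under the ${fqdn} path and served for that vhost.
            # NOTE(review): this only works if the certificate's SANs cover the
            # name nginx serves below - confirm against the ACME config.
            {
              source = "/var/lib/acme/git.cloonar.com";
              mountPoint = "/var/lib/acme/${fqdn}";
              tag = "ro-cert";
              proto = "virtiofs";
            }
          ];
          interfaces = [
            {
              type = "tap";
              id = "vm-${hostname}";
              mac = "02:00:00:00:00:01";
            }
          ];
        };

        imports = [ ../fleet.nix ];
        environment.systemPackages = guestPackages;

        networking = {
          hostName = hostname;
          # Only SSH and HTTP(S) are reachable from outside the guest; Gitea's
          # own listener on 3001 is therefore only reachable via the nginx proxy.
          firewall = {
            enable = true;
            allowedTCPPorts = [ 22 80 443 ];
          };
        };

        services.nginx.enable = true;
        services.nginx.virtualHosts.${fqdn} = {
          sslCertificate = "/var/lib/acme/${fqdn}/fullchain.pem";
          sslCertificateKey = "/var/lib/acme/${fqdn}/key.pem";
          sslTrustedCertificate = "/var/lib/acme/${fqdn}/chain.pem";
          forceSSL = true; # redirect plain HTTP to HTTPS
          locations."/" = {
            proxyPass = "http://localhost:3001/";
          };
        };

        services.gitea = {
          enable = true;
          appName = "Cloonar Gitea server"; # Give the site a name
          settings = {
            server = {
              ROOT_URL = "https://${fqdn}/";
              HTTP_PORT = 3001;
              DOMAIN = fqdn;
            };
            openid = {
              ENABLE_OPENID_SIGNIN = true;
              ENABLE_OPENID_SIGNUP = true;
              WHITELISTED_URIS = "auth.cloonar.com";
            };
            # NOTE(review): DISABLE_REGISTRATION = true blocks all self-service
            # sign-up in Gitea, so ALLOW_ONLY_EXTERNAL_REGISTRATION and
            # ENABLE_OPENID_SIGNUP above are most likely inert; if OpenID
            # sign-up is intended, check which of these the deployment relies on.
            service = {
              DISABLE_REGISTRATION = true;
              ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
              SHOW_REGISTRATION_BUTTON = false;
            };
            actions.ENABLED = true;
          };
        };

        services.openssh.enable = true;
        users.users.root.openssh.authorizedKeys.keys = rootAuthorizedKeys;

        system.stateVersion = "22.05";
      };
    };

    gitea-runner = {
      config = {
        microvm = {
          mem = 12288;
          shares = [
            roStoreShare
            # NOTE(review): this exposes the host's whole /run/secrets tree to
            # a guest that executes CI jobs, although only the runner token
            # (tokenFile below) is needed. Prefer a share that contains just
            # that one secret if the secrets layout allows it.
            {
              source = "/run/secrets";
              mountPoint = "/run/secrets";
              tag = "ro-token";
              proto = "virtiofs";
            }
          ];
          volumes = [
            {
              image = "rootfs.img";
              mountPoint = "/";
              size = 102400;
            }
          ];
          interfaces = [
            {
              type = "tap";
              id = "vm-gitea-runner";
              mac = "02:00:00:00:00:02";
            }
          ];
        };

        environment.systemPackages = guestPackages;
        networking.hostName = "gitea-runner";
        virtualisation.podman.enable = true;

        services.gitea-actions-runner.instances.vm = {
          enable = true;
          url = "https://git.cloonar.com";
          name = "vm";
          tokenFile = "/run/secrets/gitea-runner-token";
          # NOTE(review): the job image is referenced by a floating ":latest"
          # tag, so every job pulls whatever that tag currently points to;
          # pinning a tag or digest makes CI runs reproducible and auditable.
          labels = [ "ubuntu-latest:docker://shivammathur/node:latest" ];
          settings = {
            container = {
              network = "podman";
            };
          };
        };

        services.openssh.enable = true;
        users.users.root.openssh.authorizedKeys.keys = rootAuthorizedKeys;

        system.stateVersion = "22.05";
      };
    };
  };

  # Host side: the runner token is decrypted by sops-nix into /run/secrets,
  # which is what the gitea-runner guest mounts above.
  sops.secrets.gitea-runner-token = { };
  environment.systemPackages = [ pkgs.qemu pkgs.quickemu ];
}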