From 35544912503b5202dd6a54ef9ae34b21f8aaf543 Mon Sep 17 00:00:00 2001 From: root Date: Mon, 20 Jul 2020 19:16:52 -0500 Subject: [PATCH] Switch from gitlab to gitea. --- config/fudo/git.nix | 64 ++++++++++++++++----- defaults.nix | 14 +++-- hosts/france.nix | 135 ++++++-------------------------------------- 3 files changed, 74 insertions(+), 139 deletions(-) diff --git a/config/fudo/git.nix b/config/fudo/git.nix index 9479582..68cedac 100644 --- a/config/fudo/git.nix +++ b/config/fudo/git.nix @@ -25,35 +25,50 @@ let }; }; + sshOpts = { ... }: with types; { + options = { + listen-ip = mkOption { + type = str; + description = "IP on which to listen for SSH connections."; + }; + + listen-port = mkOption { + type = port; + description = "Port on which to listen for SSH connections, on ."; + default = 22; + }; + }; + }; + in { - options.fudo.git = { + options.fudo.git = with types; { enable = mkEnableOption "Enable Fudo git web server."; hostname = mkOption { - type = types.str; + type = str; description = "Hostname at which this git server is accessible."; example = "git.fudo.org"; }; site-name = mkOption { - type = types.str; + type = str; description = "Name to use for the git server."; default = "Fudo Git"; }; database = mkOption { - type = (types.submodule databaseOpts); + type = (submodule databaseOpts); description = "Gitea database options."; }; repository-dir = mkOption { - type = types.path; + type = path; description = "Path at which to store repositories."; example = /srv/git/repo; }; state-dir = mkOption { - type = types.path; + type = path; description = "Path at which to store server state."; example = /srv/git/state; }; 
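Review bot: The `listen-port` description in the new `sshOpts` submodule is truncated — `description = "Port on which to listen for SSH connections, on .";` ends in a dangling "on ." as if an interpolation were dropped. Replace it with `description = "Port on which to listen for SSH connections (on listen-ip).";` or drop the trailing clause. `listen-ip` is a bare `str` that the module later interpolates verbatim into Gitea's `SSH_LISTEN_HOST`, so a one-line comment that it must be an address this host actually owns (a `"0.0.0.0"` here would expose the built-in SSH server on every interface) would help the next reader. The enclosing `let … in { options.fudo.git = …` starts before the hunk and the options attrset continues past it.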
@@ -63,6 +78,18 @@ in { description = "System user as which to run."; default = "git"; }; + + local-port = mkOption { + type = port; + description = "Local port to which the Gitea server will bind. Not globally accessible."; + default = 3543; + }; + + ssh = mkOption { + type = nullOr (submodule sshOpts); + description = "SSH listen configuration."; + default = null; + }; }; config = mkIf cfg.enable { @@ -78,14 +105,23 @@ in { name = cfg.database.name; user = cfg.database.user; passwordFile = cfg.database.password-file; + type = "postgres"; }; domain = cfg.hostname; httpAddress = "127.0.0.1"; - httpPort = 3543; + httpPort = cfg.local-port; repositoryRoot = toString cfg.repository-dir; stateDir = toString cfg.state-dir; rootUrl = "https://${cfg.hostname}/"; user = mkIf (cfg.user != null) cfg.user; + extraConfig = mkIf (cfg.ssh != null) '' + [server] + START_SSH_SERVER = true + SSH_DOMAIN = ${cfg.hostname} + SSH_PORT = ${toString cfg.ssh.listen-port} + SSH_LISTEN_PORT = ${toString cfg.ssh.listen-port} + SSH_LISTEN_HOST = ${cfg.ssh.listen-ip} + ''; }; nginx = { @@ -97,15 +133,15 @@ in { forceSSL = true; locations."/" = { - proxyPass = "http://127.0.0.1:3543"; + proxyPass = "http://127.0.0.1:${toString cfg.local-port}"; extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-By $server_addr:$server_port; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - ''; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-By $server_addr:$server_port; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + ''; }; }; }; diff --git a/defaults.nix b/defaults.nix index fa03dcd..8e9334b 100644 --- a/defaults.nix +++ b/defaults.nix 
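Review bot: The `ssh` option's description does not say what `null` means, even though the rest of the module only emits `START_SSH_SERVER = true` when it is non-null; document that on the option: `description = "Listen configuration for Gitea's built-in SSH server; null leaves it unconfigured.";`. The "Not globally accessible" claim on `local-port` is a property of `httpAddress = "127.0.0.1"` set further down, not of this option — phrasing it as "Gitea binds this port on 127.0.0.1 only" keeps the two from drifting apart if someone later changes the bind address. The enclosing `options.fudo.git` attrset starts in the previous hunk.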
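Review bot: Nothing in the module opens `cfg.ssh.listen-port` on the host firewall when `cfg.ssh` is set; the new `[server]` block makes Gitea bind `SSH_LISTEN_HOST:SSH_LISTEN_PORT`, but if `networking.firewall` is enabled on the host (not visible in this diff) the port stays filtered and the only symptom is a hanging clone. Either add `networking.firewall.allowedTCPPorts = mkIf (cfg.ssh != null) [ cfg.ssh.listen-port ];` beside `services.gitea`, or put a comment above the `extraConfig` stating that the host config is expected to open it. Gitea's built-in Go SSH server also manages its own host key rather than reusing the system sshd's, so clients get a different fingerprint on this port than on the host's OpenSSH — worth confirming and recording in a comment on the `START_SSH_SERVER` line. The `config = mkIf cfg.enable { … services.gitea = { …` block starts in the previous hunk and continues past this one.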
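Review bot: The five `proxy_set_header` lines are re-indented but otherwise unchanged, which buries the one functional edit (`proxyPass`) in a whitespace-only diff; keep reformatting in its own commit. `proxyPass = "http://127.0.0.1:${toString cfg.local-port}";` also hard-codes `127.0.0.1` separately from `httpAddress = "127.0.0.1"` in the gitea block above, so the two can drift; a single `let` binding (e.g. `local-addr = "127.0.0.1";`) used in both places would keep the proxy target and the bind address in step. The `nginx = { … virtualHosts …` attrset starts before the hunk.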
@@ -123,6 +123,7 @@ openssh = { enable = true; startWhenNeeded = true; + permitRootLogin = "prohibit-password"; extraConfig = '' GSSAPIAuthentication yes GSSAPICleanupCredentials yes @@ -133,12 +134,13 @@ security.pam = { enableSSHAgentAuth = true; # TODO: add yubico? - services.sshd = { - # This should only ask for a code if ~/.google_authenticator exists, but it asks anyway. - # googleAuthenticator.enable = true; - makeHomeDir = true; - # Fails! - # requireWheel = true; + services = { + sshd = { + # This should only ask for a code if ~/.google_authenticator exists, but it asks anyway. + # googleAuthenticator.enable = true; + makeHomeDir = true; + sshAgentAuth = true; + }; }; }; diff --git a/hosts/france.nix b/hosts/france.nix index 17905fc..34c00ec 100644 --- a/hosts/france.nix +++ b/hosts/france.nix @@ -7,7 +7,7 @@ let mail-hostname = hostname; host_ipv4 = "208.81.3.117"; # Use a special IP for git.fudo.org, since it needs to be SSH-able - docker_ipv4 = "208.81.3.126"; + git_ipv4 = "208.81.3.126"; all-hostnames = []; acme-private-key = hostname: "/var/lib/acme/${hostname}/key.pem"; @@ -34,6 +34,15 @@ in { ../defaults.nix ]; + # services.openssh = { + # listenAddresses = [ + # { + # addr = host_ipv4; + # port = 22; + # } + # ]; + # }; + fudo.common = { # Sets some server-common settings. See /etc/nixos/fudo/profiles/... profile = "server"; @@ -118,12 +127,6 @@ in { fudo_git = "ALL PRIVILEGES"; }; }; - gitlab_postgres = { - password = fileContents "/srv/gitlab/secure/db.passwd"; - databases = { - gitlab = "ALL PRIVILEGES"; - }; - }; grafana = { password = fileContents "/srv/grafana/secure/db.passwd"; databases = { @@ -151,7 +154,6 @@ in { databases = { fudo_git = ["niten"]; - gitlab = ["niten"]; grafana = ["niten"]; mattermost = ["niten"]; webmail = ["niten"]; @@ -314,7 +316,7 @@ in { fudo.git = { enable = true; - hostname = "git.test.fudo.org"; + hostname = "git.fudo.org"; site-name = "Fudo Git"; user = "fudo_git"; database = { 
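Review bot: `permitRootLogin = "prohibit-password";` re-enables key/GSSAPI root SSH login on every host that imports defaults.nix, and the line carries no explanation; the NixOS default is `"no"`. If this is for remote deployment as root, say so on the line — `permitRootLogin = "prohibit-password"; # key-only root login for deployments; password auth for root stays disabled` — so the next reader does not revert it or widen it. Note also that `GSSAPIAuthentication yes` in the same `extraConfig` means a Kerberos principal mapped to root would presumably satisfy this setting too, which is worth confirming and stating. The `openssh` attrset starts before the hunk.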
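Review bot: `sshAgentAuth = true;` on the `sshd` PAM service is of doubtful effect: pam_ssh_agent_auth authenticates against an already-present agent socket, and during sshd's own PAM stack there is no forwarded agent yet, so it most likely never matches (the usual target is the `sudo` service, and `security.pam.enableSSHAgentAuth = true` just above already wires the module in). Either move it to the service that needs it or annotate it: `sshAgentAuth = true; # TODO confirm this has any effect in the sshd stack`. The rewrite also silently drops the `# Fails!` / `# requireWheel = true;` breadcrumb; if `requireWheel` was abandoned, a word in the commit message would preserve that history. The `security.pam` attrset starts before the hunk.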
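Review bot: The new commented-out `services.openssh.listenAddresses` block has no note on why it is kept or why it is disabled. Read together with the `git_ipv4` rename in the previous hunk and `ssh = { listen-ip = git_ipv4; listen-port = 2222; }` in the `@@ -325,6 +327,10 @@` hunk, it looks like a half-finished attempt to free port 22 on `git_ipv4` for Gitea's built-in SSH server; as committed, the host sshd still answers on port 22 of `git_ipv4` while Gitea answers on 2222, which is the opposite of what the "needs to be SSH-able" comment on line 9 suggests. Either delete the block or annotate it and the 2222 choice: `# Not yet applied: limiting sshd to host_ipv4 would free port 22 on git_ipv4 for Gitea's SSH server; Gitea listens on 2222 for now.`. The `imports` list and the enclosing `in { … }` attrset both extend outside the hunk.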
@@ -325,6 +327,10 @@ in { }; repository-dir = /srv/git/repo; state-dir = /srv/git/state; + ssh = { + listen-ip = git_ipv4; + listen-port = 2222; + }; }; networking = { @@ -368,7 +374,7 @@ in { macAddress = "02:6d:e2:e1:ad:ca"; ipv4.addresses = [ { - address = docker_ipv4; + address = git_ipv4; prefixLength = 28; } ]; @@ -449,42 +455,7 @@ in { isNormalUser = false; uid = 8006; }; - - gitlab = { - isNormalUser = false; - uid = 8002; - }; - - gitlab_postgres = { - isNormalUser = false; - group = config.fudo.postgresql.socket-group; - uid = 8003; - }; - - gitlab_redis = { - isNormalUser = false; - group = "redis-local"; - uid = 8004; - }; - - gitlab_www = { - isNormalUser = false; - group = "nogroup"; - uid = 8005; - }; }; - - extraGroups = { - redis-local = { - members = ["redis"]; - gid = 7001; - }; - }; - }; - - boot.kernel.sysctl = { - # For Redis - "vm.overcommit_memory" = 1; }; fudo.system = { @@ -492,10 +463,6 @@ in { postHugePageServices = ["redis.service"]; }; - systemd.services.redis.postStart = '' - chgrp redis-local ${config.services.redis.unixSocket} - ''; - security.acme.certs = { "archiva.fudo.org".email = config.fudo.common.admin-email; "git.fudo.org".email = config.fudo.common.admin-email; @@ -503,15 +470,6 @@ in { services = { - redis = { - enable = true; - bind = "127.0.0.1"; - unixSocket = "/run/redis/redis.socket"; - extraConfig = '' - unixsocketperm 770 - ''; - }; - nginx = { enable = true; recommendedGzipSettings = true; @@ -534,22 +492,6 @@ in { ''; }; }; - - "git.fudo.org" = { - enableACME = true; - forceSSL = true; - - locations."/" = { - proxyPass = "http://127.0.0.1:8002"; - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-By $server_addr:$server_port; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - ''; - }; - }; }; }; }; 
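Review bot: `postHugePageServices = ["redis.service"];` survives as context while this commit removes the redis unit's `postStart` here and `services.redis` itself in the following hunk (`@@ -503,15 +470,6 @@`), so `fudo.system.postHugePageServices` now names a unit that is no longer defined. What the option does with the name lives outside this file — presumably ordering against a hugepage-setup unit, confirm — but at best it is a stale entry and at worst an unsatisfiable ordering dependency on a missing unit. Drop `"redis.service"` from the list, or leave a comment saying which remaining service still needs it. The `fudo.system` attrset starts before the hunk.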
@@ -568,53 +510,8 @@ in { SSL_ENABLED = "false"; }; }; - - gitlab = { - image = "gitlab/gitlab-ce:12.8.1-ce.0"; - ports = [ - "127.0.0.1:8002:80" - "${docker_ipv4}::22" - ]; - # user = toString config.users.users.gitlab.uid; - volumes = [ - "/run/redis:/var/opt/gitlab/redis" - "/srv/gitlab/builds:/var/opt/gitlab/gitlab-ci/builds" - "/srv/gitlab/config:/etc/gitlab" - "/srv/gitlab/logs:/var/log/gitlab" - "/srv/gitlab/gitlab:/var/opt/gitlab" - "${config.fudo.postgresql.socket-directory}:/run/postgresql" - "${config.fudo.postgresql.socket-directory}:/var/opt/gitlab/postgresql" - ]; - extraDockerOptions = [ - "--hostname=git.fudo.org" - ]; - }; }; - systemd.services.docker-gitlab-config = let - gitlab-config = pkgs.writeText "gitlab-config.rb" '' - gitlab_rails['db_adapter'] = "postgresql" - gitlab_rails['db_encoding'] = "unicode" - gitlab_rails['db_database'] = "gitlab" - gitlab_rails['db_username'] = "gitlab_postgres" - gitlab_rails['db_password'] = "${fileContents /srv/gitlab/secure/db.passwd}" - - user['uid'] = "${toString config.users.users.gitlab.uid}" - user['gid'] = "${toString config.users.groups.redis-local.gid}" - - # Provided externally - redis['enable'] = false - postgresql['enable'] = false - - web_server['uid'] = "${toString config.users.users.gitlab_www.uid}" - web_server['gid'] = "${toString config.users.groups.nogroup.gid}" - ''; - in { - # before = ["docker-gitlab.service"]; - script = "cp -f ${gitlab-config} /srv/gitlab/config/gitlab.rb"; - }; - systemd.services.docker-gitlab.requires = ["docker-gitlab-config.service"]; - ### # Minecraft ###