From a87fd91f99d04fbfdf8f1eb439a32e3097f7c160 Mon Sep 17 00:00:00 2001 From: blahai Date: Tue, 18 Feb 2025 22:19:38 +0200 Subject: [PATCH] Services: Theia services --- modules/base/default.nix | 1 + modules/base/secrets.nix | 19 +++ modules/nixos/default.nix | 1 + modules/nixos/services/default.nix | 6 + modules/nixos/services/hosted/caddy.nix | 19 +++ modules/nixos/services/hosted/default.nix | 8 + modules/nixos/services/hosted/forgejo.nix | 139 ++++++++++++++++++ modules/nixos/services/hosted/uptime-kuma.nix | 32 ++++ modules/nixos/services/hosted/vaultwarden.nix | 54 +++++++ modules/nixos/services/system/default.nix | 1 + secrets/forgejo-runner-token.age | 5 + secrets/secrets.nix | 11 ++ secrets/vaultwarden-env.age | Bin 0 -> 345 bytes 13 files changed, 296 insertions(+) create mode 100644 modules/base/secrets.nix create mode 100644 modules/nixos/services/default.nix create mode 100644 modules/nixos/services/hosted/caddy.nix create mode 100644 modules/nixos/services/hosted/default.nix create mode 100644 modules/nixos/services/hosted/forgejo.nix create mode 100644 modules/nixos/services/hosted/uptime-kuma.nix create mode 100644 modules/nixos/services/hosted/vaultwarden.nix create mode 100644 modules/nixos/services/system/default.nix create mode 100644 secrets/forgejo-runner-token.age create mode 100644 secrets/secrets.nix create mode 100644 secrets/vaultwarden-env.age diff --git a/modules/base/default.nix b/modules/base/default.nix index bd72ff3..29959b1 100644 --- a/modules/base/default.nix +++ b/modules/base/default.nix @@ -2,5 +2,6 @@ imports = [ ./nix ./users + ./secrets.nix ]; } diff --git a/modules/base/secrets.nix b/modules/base/secrets.nix new file mode 100644 index 0000000..4850c05 --- /dev/null +++ b/modules/base/secrets.nix 
@@ -0,0 +1,19 @@ +{ + config, + inputs, + ... +}: let + inherit (config.olympus.system) mainUser; + #homeDir = config.home-manager.users.${mainUser}.home.homeDirectory; + #sshDir = homeDir + "/.ssh"; +in { + imports = [inputs.agenix.nixosModules.default]; + age = { + # check the main users ssh key and the system key to see if it is safe + # to decrypt the secrets + identityPaths = [ + "/etc/ssh/ssh_host_ed25519_key" + #"${sshDir}/id_ed25519" + ]; + }; +} diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 0f20541..8ba292c 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -5,6 +5,7 @@ ./misc ./networking ./security + ./services ./remote-modules.nix ]; diff --git a/modules/nixos/services/default.nix b/modules/nixos/services/default.nix new file mode 100644 index 0000000..18e5c33 --- /dev/null +++ b/modules/nixos/services/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ./hosted + ./system + ]; +} diff --git a/modules/nixos/services/hosted/caddy.nix b/modules/nixos/services/hosted/caddy.nix new file mode 100644 index 0000000..d52ce59 --- /dev/null +++ b/modules/nixos/services/hosted/caddy.nix @@ -0,0 +1,19 @@ +{ + lib, + haiLib, + config, + ... +}: let + inherit (lib.modules) mkIf; + inherit (haiLib) mkServiceOption; + + cfg = config.olympus.services.caddy; +in { + options.olympus.services.caddy = mkServiceOption "caddy" {domain = "blahai.gay";}; + + config = mkIf cfg.enable { + services.caddy = { + enable = true; + }; + }; +} diff --git a/modules/nixos/services/hosted/default.nix b/modules/nixos/services/hosted/default.nix new file mode 100644 index 0000000..3e982cf --- /dev/null +++ b/modules/nixos/services/hosted/default.nix @@ -0,0 +1,8 @@ +{ + imports = [ + ./caddy.nix + ./forgejo.nix + ./uptime-kuma.nix + ./vaultwarden.nix + ]; +} diff --git a/modules/nixos/services/hosted/forgejo.nix b/modules/nixos/services/hosted/forgejo.nix new file mode 100644 index 0000000..5eb9a99 --- /dev/null 
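Review bot: The comment above `identityPaths` promises that "the main users ssh key and the system key" are checked, but only `/etc/ssh/ssh_host_ed25519_key` is listed and the user-key lines are commented out, so the text describes an identity that is not configured; either delete the commented `homeDir`/`sshDir` lines or reword to `# decrypt with the host key only; recipients are managed in secrets/secrets.nix`. With the user-key path gone, `inherit (config.olympus.system) mainUser;` is no longer referenced by live code and can go too. It is worth stating in that comment that anything encrypted only to the host key is readable by any root process on the host, since that is the trust boundary the rest of this commit relies on.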
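Review bot: `domain = "blahai.gay"` is a hard-coded literal here, while forgejo, uptime-kuma and vaultwarden in the same commit derive their domains from `config.networking.domain`, so the Caddy option and the vhosts can silently disagree if either is changed. Unless the literal is deliberate, `domain = config.networking.domain;` keeps the modules consistent; if it is deliberate, a one-line comment saying why would save the next reader the question.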
+++ b/modules/nixos/services/hosted/forgejo.nix 
@@ -0,0 +1,139 @@
+{
+ lib,
+ config,
+ pkgs,
+ haiLib,
+ self,
+ ...
+}: let
+ inherit (lib.modules) mkIf mkAfter;
+ inherit (haiLib) mkServiceOption;
+ inherit (lib.strings) removePrefix removeSuffix;
+
+ rdomain = config.networking.domain;
+ cfg = config.olympus.services.forgejo;
+
+ # stole this from https://github.com/isabelroses/dotfiles/blob/main/modules/nixos/services/selfhosted/forgejo.nix who
+ # stole this from https://git.winston.sh/winston/deployment-flake/src/branch/main/config/services/gitea.nix who
+ # stole it from https://github.com/getchoo
+ theme = pkgs.fetchzip {
+ url = "https://github.com/catppuccin/gitea/releases/download/v1.0.0/catppuccin-gitea.tar.gz";
+ hash = "sha256-UsYJJ1j9erMih4OlFon604g1LvkZI/UiLgMgdvnyvyA=";
+ stripRoot = false;
+ };
+in {
+ options.olympus.services.forgejo = mkServiceOption "forgejo" {
+ port = 3000;
+ domain = "git.${rdomain}";
+ };
+
+ config = mkIf cfg.enable {
+ age.secrets.forgejo-runner-token = {
+ file = "${self}/secrets/forgejo-runner-token.age";
+ owner = "forgejo";
+ group = "forgejo";
+ };
+
+ olympus.services = {
+ caddy.enable = true;
+ };
+
+ systemd.services = {
+ forgejo = {
+ preStart = let
+ inherit (config.services.forgejo) stateDir;
+ in
+ mkAfter ''
+ rm -rf ${stateDir}/custom/public/assets
+ mkdir -p ${stateDir}/custom/public/assets
+ ln -sf ${theme} ${stateDir}/custom/public/assets/css
+ '';
+ };
+ };
+
+ users = {
+ groups.git = {};
+
+ users.git = {
+ isSystemUser = true;
+ createHome = false;
+ group = "git";
+ };
+ };
+
+ services = {
+ forgejo = {
+ package = pkgs.forgejo;
+ enable = true;
+ lfs.enable = true;
+ settings = {
+ DEFAULT.APP_NAME = "haigit";
+ federation.ENABLED = true;
+ service.DISABLE_REGISTRATION = true;
+ actions = {
+ ENABLED = true;
+ };
+ server = {
+ ROOT_URL = "https://${cfg.domain}";
+ DOMAIN = "${cfg.domain}";
+
+ SSH_PORT = 22;
+ SSH_LISTEN_PORT = 22;
+ BUILTIN_SSH_SERVER_USER = "forgejo";
+ };
+
+ ui = {
+ DEFAULT_THEME = "catppuccin-mocha-pink";
+ THEMES = 
builtins.concatStringsSep "," (
+ ["auto,forgejo-auto,forgejo-dark,forgejo-light,arc-gree,gitea"]
+ ++ (map (name: removePrefix "theme-" (removeSuffix ".css" name)) (
+ # IFD, https://github.com/catppuccin/nix/pull/179
+ builtins.attrNames (builtins.readDir theme)
+ ))
+ );
+ };
+
+ "ui.meta" = {
+ AUTHOR = "Elissa";
+ DESCRIPTION = "My own selfhosted git place for random stuff :3";
+ };
+
+ session = {
+ COOKIE_SECURE = true;
+ # Sessions last for a month
+ SESSION_LIFE_TIME = 86400 * 30;
+ };
+ };
+ };
+
+ gitea-actions-runner = {
+ package = pkgs.forgejo-actions-runner;
+ instances.default = {
+ enable = true;
+ name = "Theia";
+ url = "https://${cfg.domain}";
+ tokenFile = config.age.secrets.forgejo-runner-token.path;
+ labels = [
+ "ubuntu-latest:docker://node:22-bookworm"
+ "nixos-latest:docker://nixos/nix"
+ "lix-latest:docker://git.blahai.gay/blahai/lix"
+ ];
+ };
+ };
+
+ caddy.virtualHosts.${cfg.domain} = {
+ extraConfig = ''
+ reverse_proxy localhost:${toString cfg.port}
+ '';
+ };
+ };
+ # for forgejo runner
+ virtualisation.docker = {
+ enable = true;
+ rootless = {
+ enable = true;
+ setSocketVariable = true;
+ };
+ };
+ };
+}
diff --git a/modules/nixos/services/hosted/uptime-kuma.nix b/modules/nixos/services/hosted/uptime-kuma.nix
new file mode 100644
index 0000000..5890326
--- /dev/null
+++ b/modules/nixos/services/hosted/uptime-kuma.nix
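Review bot: The runner `labels` pull `node:22-bookworm`, `nixos/nix` (no tag, so `latest`) and `git.blahai.gay/blahai/lix` by mutable tag, which means every CI job's environment is whatever those tags resolve to on pull day and can change without any edit to this repo; pin each image to a digest (`node:22-bookworm@sha256:…`) and bump it deliberately, since these jobs run on the same host that serves the forge and the password vault. The `# for forgejo runner` stanza enables both the rootful daemon (`virtualisation.docker.enable = true`) and a per-user `rootless` daemon, and a system unit such as the runner will presumably attach to the rootful socket via the docker group rather than the user-scoped rootless one, which would leave the rootless block doing nothing for CI isolation — worth confirming which socket the unit actually gets. Two smaller consistency items: `server.HTTP_PORT` is never tied to `cfg.port`, so `reverse_proxy localhost:${toString cfg.port}` only works while the option stays at Forgejo's default 3000 (`HTTP_PORT = cfg.port;` under `server` fixes that), and the `users.git` user and group are created but nothing references them since `BUILTIN_SSH_SERVER_USER` is `"forgejo"`.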
@@ -0,0 +1,32 @@
+{
+ lib,
+ haiLib,
+ config,
+ ...
+}: let
+ inherit (lib.modules) mkIf;
+ inherit (haiLib) mkServiceOption;
+
+ rdomain = config.networking.domain;
+ cfg = config.olympus.services.uptime-kuma;
+in {
+ options.olympus.services.uptime-kuma = mkServiceOption "uptime-kuma" {
+ port = 3001;
+ domain = "kuma.${rdomain}";
+ };
+
+ config = mkIf cfg.enable {
+ services.uptime-kuma = {
+ enable = true;
+
+ # https://github.com/louislam/uptime-kuma/wiki/Environment-Variables
+ settings.PORT = toString cfg.port;
+ };
+
+ services.caddy.virtualHosts.${cfg.domain} = {
+ extraConfig = ''
+ reverse_proxy localhost:${toString cfg.port}
+ '';
+ };
+ };
+}
diff --git a/modules/nixos/services/hosted/vaultwarden.nix b/modules/nixos/services/hosted/vaultwarden.nix
new file mode 100644
index 0000000..c1f1317
--- /dev/null
+++ b/modules/nixos/services/hosted/vaultwarden.nix
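Review bot: This module declares `services.caddy.virtualHosts.${cfg.domain}` but, unlike forgejo.nix in the same commit, never sets `olympus.services.caddy.enable = true`, so enabling uptime-kuma on its own leaves a vhost declared with nothing serving it. Add `olympus.services.caddy.enable = true;` inside `config = mkIf cfg.enable { … }` as forgejo does. Uptime Kuma, if I recall correctly, creates its admin account on the first visit to the setup page, so the `kuma.` vhost is claimable by whoever reaches it first after activation — worth a comment here so the deployer completes setup immediately.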
@@ -0,0 +1,54 @@ +{ + lib, + haiLib, + config, + self, + ... +}: let + inherit (lib.modules) mkIf; + inherit (haiLib) mkServiceOption; + + rdomain = config.networking.domain; + cfg = config.olympus.services.vaultwarden; +in { + options.olympus.services.vaultwarden = mkServiceOption "vaultwarden" { + port = 8222; + domain = "vault.${rdomain}"; + }; + + config = mkIf cfg.enable { + age.secrets.vaultwarden-env = { + file = "${self}/secrets/vaultwarden-env.age"; + owner = "vaultwarden"; + group = "vaultwarden"; + }; + + services = { + vaultwarden = { + enable = true; + environmentFile = config.age.secrets.vaultwarden-env.path; + + config = { + DOMAIN = "https://${cfg.domain}"; + ROCKET_ADDRESS = cfg.host; + ROCKET_PORT = cfg.port; + extendedLogging = true; + invitationsAllowed = true; + useSyslog = true; + logLevel = "warn"; + showPasswordHint = false; + SIGNUPS_ALLOWED = false; + signupsAllowed = false; + signupsDomainsWhitelist = "${rdomain}"; + dataDir = "/var/lib/vaultwarden"; + }; + }; + + caddy.virtualHosts.${cfg.domain} = { + extraConfig = '' + reverse_proxy localhost:${toString cfg.port} + ''; + }; + }; + }; +} diff --git a/modules/nixos/services/system/default.nix b/modules/nixos/services/system/default.nix new file mode 100644 index 0000000..0967ef4 --- /dev/null +++ b/modules/nixos/services/system/default.nix @@ -0,0 +1 @@ +{} diff --git a/secrets/forgejo-runner-token.age b/secrets/forgejo-runner-token.age new file mode 100644 index 0000000..b91aa61 --- /dev/null +++ b/secrets/forgejo-runner-token.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 wxktWA OuxZ0Tu5vOZCA4WcLLJxMD9XZFCzZ0C57Mmv9fAZVW0 +3sE3V7NMUJHRyFa2XBRT5YJqSZqAYUl3OlPhCadGUcs +--- TAhwgSih1beqhNHNlh6fA/SLiAiQolslAqUelwGueQM +k,,=([-oD3Sth,=I3% "x%iz@|~,FC")T F \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..6ba7637 --- /dev/null +++ b/secrets/secrets.nix 
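Review bot: `signupsDomainsWhitelist = "${rdomain}"` reopens the registration that `SIGNUPS_ALLOWED = false` closes: Vaultwarden accepts signups for whitelisted domains regardless of SIGNUPS_ALLOWED, and nothing visible here sets `signupsVerify` or an SMTP config, so anyone can register `anything@<domain>` without proving they own the address; drop the whitelist, or pair it with `signupsVerify = true;` and mail settings (possibly already in the env file, which this hunk does not show). `SIGNUPS_ALLOWED = false` and `signupsAllowed = false` map to the same environment variable through the NixOS module's camelCase conversion — keep one. `dataDir` is presumably a no-op since Vaultwarden reads `DATA_FOLDER`, not `DATA_DIR`; remove it, or set `DATA_FOLDER` explicitly if a custom path is really intended.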
@@ -0,0 +1,11 @@ +let + pingu = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPbmiNqoyeKXk/VopFm2cFfEnV4cKCFBhbhyYB69Fuu"; + elissa = ""; + users = [pingu elissa]; + + theia = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID3V7BfUmisdxsALpGc6ep2+hanPKKcrg4/es7cza4BA"; + systems = [theia]; +in { + "forgejo-runner-token.age".publicKeys = [theia]; + "vaultwarden-env.age".publicKeys = [theia]; +} diff --git a/secrets/vaultwarden-env.age b/secrets/vaultwarden-env.age new file mode 100644 index 0000000000000000000000000000000000000000..b82d8df9d418d2947421f66659c5ef901ba26bee GIT binary patch literal 345 zcmV-f0jB<8XJsvAZewzJaCB*JZZ2XGfr|>cQsaUL^KLSc4lQnT1iYn zdP_rML}@ioFGoXbNJ(%uQZ+(ZQD!e!YgbMyHg;N6GgS&LEiE8bGI41{T2wG`Oj=KL zb7CY zpy~v)m7{G5GYj6y~Y9#IZ<+JH5QH^ddV6@6xNc3Y4X;Z5q9ky1Agg{p2r;Uvv ruKMjAjNU?ll;JQWesyH<+X6U3wuHbPrm47kxfg;RdcFBzhplx7IhKus literal 0 HcmV?d00001
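Review bot: Both secrets are encrypted only to the `theia` host key, so editing or re-keying them (`agenix -e`) is only possible on that host or with a copy of its private key, and losing the host key loses the secrets; add the operator key to each recipient list, e.g. `"vaultwarden-env.age".publicKeys = [theia pingu];`, and re-key. `elissa = ""` is an empty recipient sitting in `users`; `users` and `systems` are unused today, but the moment `elissa` is added to a `publicKeys` list age is handed an empty key string — drop the entry until a real key exists, or at least comment it out.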