Services: Theia services

2025-02-18 22:19:38 +02:00 · 2025-02-18 22:19:38 +02:00 · a87fd91f99
commit a87fd91f99
parent fbdcac9b5d
13 changed files with 296 additions and 0 deletions
--- a/modules/base/default.nix
+++ b/modules/base/default.nix
@ -2,5 +2,6 @@
  imports = [
    ./nix
    ./users
+    ./secrets.nix
  ];
 }
--- a/modules/base/secrets.nix
+++ b/modules/base/secrets.nix
@ -0,0 +1,19 @@
+{
+  config,
+  inputs,
+  ...
+}: let
+  inherit (config.olympus.system) mainUser;
+  #homeDir = config.home-manager.users.${mainUser}.home.homeDirectory;
+  #sshDir = homeDir + "/.ssh";
+in {
+  imports = [inputs.agenix.nixosModules.default];
+  age = {
+    # check the main users ssh key and the system key to see if it is safe
+    # to decrypt the secrets
+    identityPaths = [
+      "/etc/ssh/ssh_host_ed25519_key"
+      #"${sshDir}/id_ed25519"
+    ];
+  };
+}
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@ -5,6 +5,7 @@
    ./misc
    ./networking
    ./security
+    ./services

    ./remote-modules.nix
  ];
--- a/modules/nixos/services/default.nix
+++ b/modules/nixos/services/default.nix
@ -0,0 +1,6 @@
+{
+  imports = [
+    ./hosted
+    ./system
+  ];
+}
--- a/modules/nixos/services/hosted/caddy.nix
+++ b/modules/nixos/services/hosted/caddy.nix
@ -0,0 +1,19 @@
+{
+  lib,
+  haiLib,
+  config,
+  ...
+}: let
+  inherit (lib.modules) mkIf;
+  inherit (haiLib) mkServiceOption;
+
+  cfg = config.olympus.services.caddy;
+in {
+  options.olympus.services.caddy = mkServiceOption "caddy" {domain = "blahai.gay";};
+
+  config = mkIf cfg.enable {
+    services.caddy = {
+      enable = true;
+    };
+  };
+}
--- a/modules/nixos/services/hosted/default.nix
+++ b/modules/nixos/services/hosted/default.nix
@ -0,0 +1,8 @@
+{
+  imports = [
+    ./caddy.nix
+    ./forgejo.nix
+    ./uptime-kuma.nix
+    ./vaultwarden.nix
+  ];
+}
--- a/modules/nixos/services/hosted/forgejo.nix
+++ b/modules/nixos/services/hosted/forgejo.nix
@ -0,0 +1,139 @@
+{
+  lib,
+  config,
+  pkgs,
+  haiLib,
+  self,
+  ...
+}: let
+  inherit (lib.modules) mkIf mkAfter;
+  inherit (haiLib) mkServiceOption;
+  inherit (lib.strings) removePrefix removeSuffix;
+
+  rdomain = config.networking.domain;
+  cfg = config.olympus.services.forgejo;
+
+  # stole this from https://github.com/isabelroses/dotfiles/blob/main/modules/nixos/services/selfhosted/forgejo.nix who
+  # stole this from https://git.winston.sh/winston/deployment-flake/src/branch/main/config/services/gitea.nix who
+  # stole it from https://github.com/getchoo
+  theme = pkgs.fetchzip {
+    url = "https://github.com/catppuccin/gitea/releases/download/v1.0.0/catppuccin-gitea.tar.gz";
+    hash = "sha256-UsYJJ1j9erMih4OlFon604g1LvkZI/UiLgMgdvnyvyA=";
+    stripRoot = false;
+  };
+in {
+  options.olympus.services.forgejo = mkServiceOption "forgejo" {
+    port = 3000;
+    domain = "git.${rdomain}";
+  };
+
+  config = mkIf cfg.enable {
+    age.secrets.forgejo-runner-token = {
+      file = "${self}/secrets/forgejo-runner-token.age";
+      owner = "forgejo";
+      group = "forgejo";
+    };
+
+    olympus.services = {
+      caddy.enable = true;
+    };
+
+    systemd.services = {
+      forgejo = {
+        preStart = let
+          inherit (config.services.forgejo) stateDir;
+        in
+          mkAfter ''
+            rm -rf ${stateDir}/custom/public/assets
+            mkdir -p ${stateDir}/custom/public/assets
+            ln -sf ${theme} ${stateDir}/custom/public/assets/css
+          '';
+      };
+    };
+
+    users = {
+      groups.git = {};
+
+      users.git = {
+        isSystemUser = true;
+        createHome = false;
+        group = "git";
+      };
+    };
+
+    services = {
+      forgejo = {
+        package = pkgs.forgejo;
+        enable = true;
+        lfs.enable = true;
+        settings = {
+          DEFAULT.APP_NAME = "haigit";
+          federation.ENABLED = true;
+          service.DISABLE_REGISTRATION = true;
+          actions = {
+            ENABLED = true;
+          };
+          server = {
+            ROOT_URL = "https://${cfg.domain}";
+            DOMAIN = "${cfg.domain}";
+
+            SSH_PORT = 22;
+            SSH_LISTEN_PORT = 22;
+            BUILTIN_SSH_SERVER_USER = "forgejo";
+          };
+
+          ui = {
+            DEFAULT_THEME = "catppuccin-mocha-pink";
+            THEMES = builtins.concatStringsSep "," (
+              ["auto,forgejo-auto,forgejo-dark,forgejo-light,arc-gree,gitea"]
+              ++ (map (name: removePrefix "theme-" (removeSuffix ".css" name)) (
+                # IFD, https://github.com/catppuccin/nix/pull/179
+                builtins.attrNames (builtins.readDir theme)
+              ))
+            );
+          };
+
+          "ui.meta" = {
+            AUTHOR = "Elissa";
+            DESCRIPTION = "My own selfhosted git place for random stuff :3";
+          };
+
+          session = {
+            COOKIE_SECURE = true;
+            # Sessions last for a month
+            SESSION_LIFE_TIME = 86400 * 30;
+          };
+        };
+      };
+
+      gitea-actions-runner = {
+        package = pkgs.forgejo-actions-runner;
+        instances.default = {
+          enable = true;
+          name = "Theia";
+          url = "https://${cfg.domain}";
+          tokenFile = config.age.secrets.forgejo-runner-token.path;
+          labels = [
+            "ubuntu-latest:docker://node:22-bookworm"
+            "nixos-latest:docker://nixos/nix"
+            "lix-latest:docker://git.blahai.gay/blahai/lix"
+          ];
+        };
+      };
+
+      caddy.virtualHosts.${cfg.domain} = {
+        extraConfig = ''
+          reverse_proxy localhost:${toString cfg.port}
+        '';
+      };
+    };
+    # for forgejo runner
+    virtualisation.docker = {
+      enable = true;
+      rootless = {
+        enable = true;
+        setSocketVariable = true;
+      };
+    };
+  };
+}
--- a/modules/nixos/services/hosted/uptime-kuma.nix
+++ b/modules/nixos/services/hosted/uptime-kuma.nix
@ -0,0 +1,32 @@
+{
+  lib,
+  haiLib,
+  config,
+  ...
+}: let
+  inherit (lib.modules) mkIf;
+  inherit (haiLib) mkServiceOption;
+
+  rdomain = config.networking.domain;
+  cfg = config.olympus.services.uptime-kuma;
+in {
+  options.olympus.services.uptime-kuma = mkServiceOption "uptime-kuma" {
+    port = 3001;
+    domain = "kuma.${rdomain}";
+  };
+
+  config = mkIf cfg.enable {
+    services.uptime-kuma = {
+      enable = true;
+
+      # https://github.com/louislam/uptime-kuma/wiki/Environment-Variables
+      settings.PORT = toString cfg.port;
+    };
+
+    services.caddy.virtualHosts.${cfg.domain} = {
+      extraConfig = ''
+        reverse_proxy localhost:${toString cfg.port}
+      '';
+    };
+  };
+}
--- a/modules/nixos/services/hosted/vaultwarden.nix
+++ b/modules/nixos/services/hosted/vaultwarden.nix
@ -0,0 +1,54 @@
+{
+  lib,
+  haiLib,
+  config,
+  self,
+  ...
+}: let
+  inherit (lib.modules) mkIf;
+  inherit (haiLib) mkServiceOption;
+
+  rdomain = config.networking.domain;
+  cfg = config.olympus.services.vaultwarden;
+in {
+  options.olympus.services.vaultwarden = mkServiceOption "vaultwarden" {
+    port = 8222;
+    domain = "vault.${rdomain}";
+  };
+
+  config = mkIf cfg.enable {
+    age.secrets.vaultwarden-env = {
+      file = "${self}/secrets/vaultwarden-env.age";
+      owner = "vaultwarden";
+      group = "vaultwarden";
+    };
+
+    services = {
+      vaultwarden = {
+        enable = true;
+        environmentFile = config.age.secrets.vaultwarden-env.path;
+
+        config = {
+          DOMAIN = "https://${cfg.domain}";
+          ROCKET_ADDRESS = cfg.host;
+          ROCKET_PORT = cfg.port;
+          extendedLogging = true;
+          invitationsAllowed = true;
+          useSyslog = true;
+          logLevel = "warn";
+          showPasswordHint = false;
+          SIGNUPS_ALLOWED = false;
+          signupsAllowed = false;
+          signupsDomainsWhitelist = "${rdomain}";
+          dataDir = "/var/lib/vaultwarden";
+        };
+      };
+
+      caddy.virtualHosts.${cfg.domain} = {
+        extraConfig = ''
+          reverse_proxy localhost:${toString cfg.port}
+        '';
+      };
+    };
+  };
+}
--- a/modules/nixos/services/system/default.nix
+++ b/modules/nixos/services/system/default.nix
@ -0,0 +1 @@
+{}
--- a/secrets/forgejo-runner-token.age
+++ b/secrets/forgejo-runner-token.age
@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 wxktWA OuxZ0Tu5vOZCA4WcLLJxMD9XZFCzZ0C57Mmv9fAZVW0
+3sE3V7NMUJHRyFa2XBRT5YJqSZqAYUl3OlPhCadGUcs
+--- TAhwgSih1beqhNHNlh6fA/SLiAiQolslAqUelwGueQM
+k‘,,†=“ÖïÒ([-Ão½ìD3StµÐh,ê¯=ÆãI3©ÞÏ%
 "œx%¥‰i’zœ@Œ°|û~,FÒèC"<07>)T·ÏæF
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,11 @@
+let
+  pingu = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPbmiNqoyeKXk/VopFm2cFfEnV4cKCFBhbhyYB69Fuu";
+  elissa = "";
+  users = [pingu elissa];
+
+  theia = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID3V7BfUmisdxsALpGc6ep2+hanPKKcrg4/es7cza4BA";
+  systems = [theia];
+in {
+  "forgejo-runner-token.age".publicKeys = [theia];
+  "vaultwarden-env.age".publicKeys = [theia];
+}
--- a/secrets/vaultwarden-env.age
+++ b/secrets/vaultwarden-env.age