From 444d2446a666f60305802c7164d19bd12f630280 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?=
Date: Fri, 29 Dec 2023 16:11:16 +0100
Subject: [PATCH] WIP: gitea: Migrate to forgejo
---
 configuration/services/gitea.nix | 81 +++++++++----------
 .../services/metrics/victoriametrics.nix | 6 +-
 configuration/sops.nix | 4 +-
 keys/production.yaml | 10 +--
 4 files changed, 49 insertions(+), 52 deletions(-)
diff --git a/configuration/services/gitea.nix b/configuration/services/gitea.nix
index 013842e..d77d6cc 100644
--- a/configuration/services/gitea.nix
+++ b/configuration/services/gitea.nix
@@ -6,12 +6,10 @@
 }: let
 domain = "gitea.${config.services.nginx.domain}";
 in {
- services.gitea = {
+ services.forgejo = {
 enable = true;
 database.type = "postgres";
- appName = "Gitea: Git with a cup of tea";
-
 settings = {
 server = {
 DOMAIN = domain;
@@ -29,18 +27,18 @@ in {
 };
 };
- systemd.services.gitea.serviceConfig.ExecStartPre = let
 replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
- secretPath = config.sops.secrets."gitea/metrics-token".path;
- runConfig = "${config.services.gitea.customDir}/conf/app.ini";
+ secretPath = config.sops.secrets."forgejo/metrics-token".path;
+ runConfig = "${config.services.forgejo.customDir}/conf/app.ini";
 in [
 "+${replaceSecretBin} '#metricstoken#' '${secretPath}' '${runConfig}'"
 ];
 # Set up SSL
 services.nginx.virtualHosts."${domain}" = let
- httpAddress = config.services.gitea.settings.server.HTTP_ADDR;
- httpPort = config.services.gitea.settings.server.HTTP_PORT;
+ httpAddress = config.services.forgejo.settings.server.HTTP_ADDR;
+ httpPort = config.services.forgejo.settings.server.HTTP_PORT;
 in {
 forceSSL = true;
 enableACME = true;
@@ -62,40 +60,39 @@ in {
 # Block repeated failed login attempts
 #
- # TODO(tlater): Update to the new regex, since apparently this one
- # is deprecated (but the new one doesn't work on the current version
- # of gitea yet): https://docs.gitea.io/en-us/fail2ban-setup/
- environment.etc = {
- "fail2ban/filter.d/gitea.conf".text = ''
- [Definition]
- failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from
- journalmatch = _SYSTEMD_UNIT=gitea.service + _COMM=gitea + SYSLOG_IDENTIFIER=gitea
- '';
- };
+ # TODO(tlater): Update this - we switched to forgejo, who knows what
+ # the new matches are.
+ # environment.etc = {
+ # "fail2ban/filter.d/gitea.conf".text = ''
+ # [Definition]
+ # failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from
+ # journalmatch = _SYSTEMD_UNIT=forgejo.service + _COMM=forgejo + SYSLOG_IDENTIFIER=forgejo
+ # '';
+ # };
- services.fail2ban.jails = {
- gitea = ''
- enabled = true
- '';
- };
+ # services.fail2ban.jails = {
+ # gitea = ''
+ # enabled = true
+ # '';
+ # };
- services.backups.gitea = {
- user = "gitea";
- paths = [
- "/var/lib/gitea/gitea-db.sql"
- "/var/lib/gitea/repositories/"
- "/var/lib/gitea/data/"
- "/var/lib/gitea/custom/"
- # Conf is backed up via nix
- ];
- preparation = {
- packages = [config.services.postgresql.package];
- text = "pg_dump ${config.services.gitea.database.name} --file=/var/lib/gitea/gitea-db.sql";
- };
- cleanup = {
- packages = [pkgs.coreutils];
- text = "rm /var/lib/gitea/gitea-db.sql";
- };
- pauseServices = ["gitea.service"];
- };
+ # services.backups.forgejo = {
+ # user = "forgejo";
+ # paths = [
+ # "/var/lib/forgejo/forgejo-db.sql"
+ # "/var/lib/forgejo/repositories/"
+ # "/var/lib/forgejo/data/"
+ # "/var/lib/forgejo/custom/"
+ # # Conf is backed up via nix
+ # ];
+ # preparation = {
+ # packages = [config.services.postgresql.package];
+ # text = "pg_dump ${config.services.forgejo.database.name} --file=/var/lib/forgejo/forgejo-db.sql";
+ # };
+ # cleanup = {
+ # packages = [pkgs.coreutils];
+ # text = "rm /var/lib/forgejo/forgejo-db.sql";
+ # };
+ # pauseServices = ["forgejo.service"];
+ # };
 }
diff --git a/configuration/services/metrics/victoriametrics.nix b/configuration/services/metrics/victoriametrics.nix
index 4cdc770..daf3f94 100644
--- a/configuration/services/metrics/victoriametrics.nix
+++ b/configuration/services/metrics/victoriametrics.nix
@@ -6,9 +6,9 @@
 ];
 scrapeConfigs = {
- gitea = {
- targets = ["127.0.0.1:${toString config.services.gitea.settings.server.HTTP_PORT}"];
- extraSettings.authorization.credentials_file = config.sops.secrets."gitea/metrics-token".path;
+ forgejo = {
+ targets = ["127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}"];
+ extraSettings.authorization.credentials_file = config.sops.secrets."forgejo/metrics-token".path;
 };
 coturn.targets = ["127.0.0.1:9641"];
 };
diff --git a/configuration/sops.nix b/configuration/sops.nix
index 03faf82..c7cb1f0 100644
--- a/configuration/sops.nix
+++ b/configuration/sops.nix
@@ -4,8 +4,8 @@
 secrets = {
 # Gitea
- "gitea/metrics-token" = {
- owner = "gitea";
+ "forgejo/metrics-token" = {
+ owner = "forgejo";
 group = "metrics";
 mode = "0440";
 };
diff --git a/keys/production.yaml b/keys/production.yaml
index efeea6a..da53b95 100644
--- a/keys/production.yaml
+++ b/keys/production.yaml
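Review bot: The fail2ban filter and jail and the `services.backups` block are commented out rather than migrated, so on the new side the Forgejo service runs with no lockout for repeated failed logins and no backup of its database, repositories or custom directory, and only the TODO records that. Forgejo is a Gitea fork, so the existing `failregex` plausibly still matches its authentication-failure log lines, but that is unverified; the `journalmatch` line is already rewritten for `forgejo.service`, so re-enabling the jail and confirming the pattern against the new unit's journal is a smaller change than leaving it disabled. The `services.backups.forgejo` block is likewise already fully renamed (`user = "forgejo"`, the `/var/lib/forgejo/...` paths, `pg_dump ${config.services.forgejo.database.name}`, `pauseServices = ["forgejo.service"]`), so there is no visible reason for it to stay commented; if it must, the TODO should state that both the jail and the backups are off so this WIP is not deployed as-is. The hunk ends at the module's closing `}`, so the whole of the disabled section is in view.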
@@ -1,5 +1,5 @@
-gitea:
- metrics-token: ENC[AES256_GCM,data:/7/zvVl2ZOBoekrJR32vl/QQcG5XqTmltgpHEMUpbXVeqwnq29idzE2Qyjau96ZHObmSI73/ZtW95uXF6LH9Qw==,iv:iWZECCZSh1CN7wMBqstXR5QWtriR7QLKVqhekGnpXl0=,tag:HEr9km8VYmruBzf0I/5HuA==,type:str]
+forgejo:
+ metrics-token: ENC[AES256_GCM,data:WVbD5JloJlHNjeEwe1uEd4Haj6L3ilj1Pnux6yrelUQP18ZPAh90aDO1OIZHaPJR7tTeyATr8BIzZL1zkNhCuA==,iv:eTYXN3hymIN3bTX1YxNGkAYE0KVDbdz2ds8UQAHlALE=,tag:A61loGdu0pfsiez96u2Qsg==,type:str]
 grafana:
 adminPassword: ENC[AES256_GCM,data:/qw//J7cOkIGa58bG4GgdzndvKof32AmQeWB00IX8WhA22PDCOc4VdUEoB3wVJJqI/ucoHFInYyhg2rFYoYBesBjAt0QS3+O+8WblIunUuYeqlBuYJJK1TLhy6ql6+aqvfiW/rJLm4LpgA7CboyDD2OYHcAbvGSD2GWwFcHTR/Y=,iv:KK6p8GKzc9SBDZZFkEwCdIjSxriPGNMDNcr97tfbwTI=,tag:gLRNSGdJWFD+V9K5TfJvXw==,type:str]
 secretKey: ENC[AES256_GCM,data:OUXWOE6I3a26SrFEOczWNIwyR3Rx62fbsRBBcfh0xyEbxOIPhexH6lIqlVG9Ltwra9+rAldNM4/0BydtxIDj7A==,iv:fiNO/or5yZnhpDPMANDnEC5dtXmbKBZsV+BPmvCN/HI=,tag:Q0M0OtLWdWAJgQmUlL//fg==,type:str]
@@ -26,8 +26,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2023-10-12T18:40:26Z"
- mac: ENC[AES256_GCM,data:F+yQ20jCtLRKeQDFVKoqrYCgtwGkXxrK6aQO0MFZTIMJAnbTVPM2ZJGQ1RxXb+Zs4T+44EEc2xN4LjeANvgpE6MfOz2VTw+sEEjcYwUyB6RcXHia9XlFLa8lh7/Wx/9DxlSFjjSrxmDkNB6r+n5UF81cdRXF2E9ibdH346ST98A=,iv:xVxFN1IDKrLskaGqnWvOWx1zUII0jRSjQxEsaTf2GNw=,tag:lnp1AvgMOXXlg1vFjHEWUQ==,type:str]
+ lastmodified: "2023-12-28T00:07:08Z"
+ mac: ENC[AES256_GCM,data:P2bNJLjzn69Kg2bJHXmofER7J8wbEj9C4jq9ePWewXBOt45GEiqgnqIaISwZkyzQmm9cxZd95Lr780ICwoKDFdtSCCcC7CdYxYEfyyhnvU3W2qzEghvkypL8JbiEtPSlQ9xOlCk7p41A9eRrV+JziIVSv5UEUs4NubrG9Mkwv3k=,iv:Yq2gANTTgx6cFxkdustUZ1MPszxGSkao/bS1KHAkzJc=,tag:kqJibocgRQXkxTJze6O5MA==,type:str]
 pgp:
 - created_at: "2022-10-12T00:46:51Z"
 enc: |
@@ -65,4 +65,4 @@ sops:
 -----END PGP MESSAGE-----
 fp: 8a3737d48f1035fe6c3a0a8fd6a1976ca74c7f3b
 unencrypted_suffix: _unencrypted
- version: 3.7.3
+ version: 3.8.1