gitea: Migrate to forgejo
This commit is contained in:
parent
ebc45a9af1
commit
7292e2f852
|
@ -6,12 +6,10 @@
|
|||
}: let
|
||||
domain = "gitea.${config.services.nginx.domain}";
|
||||
in {
|
||||
services.gitea = {
|
||||
services.forgejo = {
|
||||
enable = true;
|
||||
database.type = "postgres";
|
||||
|
||||
appName = "Gitea: Git with a cup of tea";
|
||||
|
||||
settings = {
|
||||
server = {
|
||||
DOMAIN = domain;
|
||||
|
@ -29,18 +27,18 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
systemd.services.gitea.serviceConfig.ExecStartPre = let
|
||||
systemd.services.forgejo.serviceConfig.ExecStartPre = let
|
||||
replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
|
||||
secretPath = config.sops.secrets."gitea/metrics-token".path;
|
||||
runConfig = "${config.services.gitea.customDir}/conf/app.ini";
|
||||
secretPath = config.sops.secrets."forgejo/metrics-token".path;
|
||||
runConfig = "${config.services.forgejo.customDir}/conf/app.ini";
|
||||
in [
|
||||
"+${replaceSecretBin} '#metricstoken#' '${secretPath}' '${runConfig}'"
|
||||
];
|
||||
|
||||
# Set up SSL
|
||||
services.nginx.virtualHosts."${domain}" = let
|
||||
httpAddress = config.services.gitea.settings.server.HTTP_ADDR;
|
||||
httpPort = config.services.gitea.settings.server.HTTP_PORT;
|
||||
httpAddress = config.services.forgejo.settings.server.HTTP_ADDR;
|
||||
httpPort = config.services.forgejo.settings.server.HTTP_PORT;
|
||||
in {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
|
@ -62,40 +60,39 @@ in {
|
|||
|
||||
# Block repeated failed login attempts
|
||||
#
|
||||
# TODO(tlater): Update to the new regex, since apparently this one
|
||||
# is deprecated (but the new one doesn't work on the current version
|
||||
# of gitea yet): https://docs.gitea.io/en-us/fail2ban-setup/
|
||||
environment.etc = {
|
||||
"fail2ban/filter.d/gitea.conf".text = ''
|
||||
[Definition]
|
||||
failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
|
||||
journalmatch = _SYSTEMD_UNIT=gitea.service + _COMM=gitea + SYSLOG_IDENTIFIER=gitea
|
||||
'';
|
||||
};
|
||||
# TODO(tlater): Update this - we switched to forgejo, who knows what
|
||||
# the new matches are.
|
||||
# environment.etc = {
|
||||
# "fail2ban/filter.d/gitea.conf".text = ''
|
||||
# [Definition]
|
||||
# failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
|
||||
# journalmatch = _SYSTEMD_UNIT=forgejo.service + _COMM=forgejo + SYSLOG_IDENTIFIER=forgejo
|
||||
# '';
|
||||
# };
|
||||
|
||||
services.fail2ban.jails = {
|
||||
gitea = ''
|
||||
enabled = true
|
||||
'';
|
||||
};
|
||||
# services.fail2ban.jails = {
|
||||
# gitea = ''
|
||||
# enabled = true
|
||||
# '';
|
||||
# };
|
||||
|
||||
services.backups.gitea = {
|
||||
user = "gitea";
|
||||
paths = [
|
||||
"/var/lib/gitea/gitea-db.sql"
|
||||
"/var/lib/gitea/repositories/"
|
||||
"/var/lib/gitea/data/"
|
||||
"/var/lib/gitea/custom/"
|
||||
# Conf is backed up via nix
|
||||
];
|
||||
preparation = {
|
||||
packages = [config.services.postgresql.package];
|
||||
text = "pg_dump ${config.services.gitea.database.name} --file=/var/lib/gitea/gitea-db.sql";
|
||||
};
|
||||
cleanup = {
|
||||
packages = [pkgs.coreutils];
|
||||
text = "rm /var/lib/gitea/gitea-db.sql";
|
||||
};
|
||||
pauseServices = ["gitea.service"];
|
||||
};
|
||||
# services.backups.forgejo = {
|
||||
# user = "forgejo";
|
||||
# paths = [
|
||||
# "/var/lib/forgejo/forgejo-db.sql"
|
||||
# "/var/lib/forgejo/repositories/"
|
||||
# "/var/lib/forgejo/data/"
|
||||
# "/var/lib/forgejo/custom/"
|
||||
# # Conf is backed up via nix
|
||||
# ];
|
||||
# preparation = {
|
||||
# packages = [config.services.postgresql.package];
|
||||
# text = "pg_dump ${config.services.forgejo.database.name} --file=/var/lib/forgejo/forgejo-db.sql";
|
||||
# };
|
||||
# cleanup = {
|
||||
# packages = [pkgs.coreutils];
|
||||
# text = "rm /var/lib/forgejo/forgejo-db.sql";
|
||||
# };
|
||||
# pauseServices = ["forgejo.service"];
|
||||
# };
|
||||
}
|
||||
|
|
|
@ -6,9 +6,9 @@
|
|||
];
|
||||
|
||||
scrapeConfigs = {
|
||||
gitea = {
|
||||
targets = ["127.0.0.1:${toString config.services.gitea.settings.server.HTTP_PORT}"];
|
||||
extraSettings.authorization.credentials_file = config.sops.secrets."gitea/metrics-token".path;
|
||||
forgejo = {
|
||||
targets = ["127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}"];
|
||||
extraSettings.authorization.credentials_file = config.sops.secrets."forgejo/metrics-token".path;
|
||||
};
|
||||
coturn.targets = ["127.0.0.1:9641"];
|
||||
};
|
||||
|
|
|
@ -4,8 +4,8 @@
|
|||
|
||||
secrets = {
|
||||
# Gitea
|
||||
"gitea/metrics-token" = {
|
||||
owner = "gitea";
|
||||
"forgejo/metrics-token" = {
|
||||
owner = "forgejo";
|
||||
group = "metrics";
|
||||
mode = "0440";
|
||||
};
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
gitea:
|
||||
metrics-token: ENC[AES256_GCM,data:/7/zvVl2ZOBoekrJR32vl/QQcG5XqTmltgpHEMUpbXVeqwnq29idzE2Qyjau96ZHObmSI73/ZtW95uXF6LH9Qw==,iv:iWZECCZSh1CN7wMBqstXR5QWtriR7QLKVqhekGnpXl0=,tag:HEr9km8VYmruBzf0I/5HuA==,type:str]
|
||||
forgejo:
|
||||
metrics-token: ENC[AES256_GCM,data:WVbD5JloJlHNjeEwe1uEd4Haj6L3ilj1Pnux6yrelUQP18ZPAh90aDO1OIZHaPJR7tTeyATr8BIzZL1zkNhCuA==,iv:eTYXN3hymIN3bTX1YxNGkAYE0KVDbdz2ds8UQAHlALE=,tag:A61loGdu0pfsiez96u2Qsg==,type:str]
|
||||
grafana:
|
||||
adminPassword: ENC[AES256_GCM,data:/qw//J7cOkIGa58bG4GgdzndvKof32AmQeWB00IX8WhA22PDCOc4VdUEoB3wVJJqI/ucoHFInYyhg2rFYoYBesBjAt0QS3+O+8WblIunUuYeqlBuYJJK1TLhy6ql6+aqvfiW/rJLm4LpgA7CboyDD2OYHcAbvGSD2GWwFcHTR/Y=,iv:KK6p8GKzc9SBDZZFkEwCdIjSxriPGNMDNcr97tfbwTI=,tag:gLRNSGdJWFD+V9K5TfJvXw==,type:str]
|
||||
secretKey: ENC[AES256_GCM,data:OUXWOE6I3a26SrFEOczWNIwyR3Rx62fbsRBBcfh0xyEbxOIPhexH6lIqlVG9Ltwra9+rAldNM4/0BydtxIDj7A==,iv:fiNO/or5yZnhpDPMANDnEC5dtXmbKBZsV+BPmvCN/HI=,tag:Q0M0OtLWdWAJgQmUlL//fg==,type:str]
|
||||
|
@ -26,8 +26,8 @@ sops:
|
|||
azure_kv: []
|
||||
hc_vault: []
|
||||
age: []
|
||||
lastmodified: "2023-10-12T18:40:26Z"
|
||||
mac: ENC[AES256_GCM,data:F+yQ20jCtLRKeQDFVKoqrYCgtwGkXxrK6aQO0MFZTIMJAnbTVPM2ZJGQ1RxXb+Zs4T+44EEc2xN4LjeANvgpE6MfOz2VTw+sEEjcYwUyB6RcXHia9XlFLa8lh7/Wx/9DxlSFjjSrxmDkNB6r+n5UF81cdRXF2E9ibdH346ST98A=,iv:xVxFN1IDKrLskaGqnWvOWx1zUII0jRSjQxEsaTf2GNw=,tag:lnp1AvgMOXXlg1vFjHEWUQ==,type:str]
|
||||
lastmodified: "2023-12-28T00:07:08Z"
|
||||
mac: ENC[AES256_GCM,data:P2bNJLjzn69Kg2bJHXmofER7J8wbEj9C4jq9ePWewXBOt45GEiqgnqIaISwZkyzQmm9cxZd95Lr780ICwoKDFdtSCCcC7CdYxYEfyyhnvU3W2qzEghvkypL8JbiEtPSlQ9xOlCk7p41A9eRrV+JziIVSv5UEUs4NubrG9Mkwv3k=,iv:Yq2gANTTgx6cFxkdustUZ1MPszxGSkao/bS1KHAkzJc=,tag:kqJibocgRQXkxTJze6O5MA==,type:str]
|
||||
pgp:
|
||||
- created_at: "2022-10-12T00:46:51Z"
|
||||
enc: |
|
||||
|
@ -65,4 +65,4 @@ sops:
|
|||
-----END PGP MESSAGE-----
|
||||
fp: 8a3737d48f1035fe6c3a0a8fd6a1976ca74c7f3b
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
||||
version: 3.8.1
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
gitea:
|
||||
metrics-token: ENC[AES256_GCM,data:T1NYXRWbruA=,iv:usgHYHwWJFbaEdHLO6JX3z/42MVheY2wu0YrXmnz2ng=,tag:W+B7pKGOc/wX/0My0dWY5w==,type:str]
|
||||
forgejo:
|
||||
metrics-token: ENC[AES256_GCM,data:HEDV/GK/WtI=,iv:ihPEusEGVUNZjjjxz2ys6Nfag/og4n7Cqmd4rroT6Ww=,tag:Brcv7XW6HfzzgF3emtuT2A==,type:str]
|
||||
grafana:
|
||||
adminPassword: ENC[AES256_GCM,data:dYfaxUpQpzA=,iv:j5wSem8C5+V4c5qRzXQJhsU7/FOtpvrnaEyFBmW6zJ4=,tag:oc8n3TkEbjF2gjuOobZuLA==,type:str]
|
||||
secretKey: ENC[AES256_GCM,data:Atruvh2MsNY=,iv:y2MaCUCEzGIydHp6G0DJHfk289S1is0twKm2oUYwDhM=,tag:nAWeg+YqaYqk6k22oBkAhQ==,type:str]
|
||||
|
@ -26,8 +26,8 @@ sops:
|
|||
azure_kv: []
|
||||
hc_vault: []
|
||||
age: []
|
||||
lastmodified: "2023-12-29T15:14:54Z"
|
||||
mac: ENC[AES256_GCM,data:yJUprLcfw4ypsrSlhot7vsavVqzaFlJoJeEC/DdTfKDoJ0L607r6aCfXtCSg+qrR5JA2bvEATwDJM5qgA2vbMhSOqmc3zT7yBPUKC4Sk24Me3IOOum2DhNID/l/PLtxUIk3Rzz49PJZECUsIKnT7k6KvZ5nWe5sEUupCBgdKjG4=,iv:Axpml84/6wgBxld94AB+Ybdo3r/7Bym6Lsj/49P7jWE=,tag:wXAx3AoopQS7i6rbo70AYg==,type:str]
|
||||
lastmodified: "2023-12-30T14:09:03Z"
|
||||
mac: ENC[AES256_GCM,data:kuyzVV1Dhlb2LemqRzw2xPr9jtTWqSbFMv70LUEbRmsDpjwQsAIARgoaj32EXdDRTHYXBplTYieR7KvmxykL/8rkj0g4+IuRLY1TcbRS31Gi74FiXvV2apscHhQWXhHPHIHMbwZAfDSHdMrf8hPu28SC9QdbP3SXYNt28Imstrc=,iv:UALUiWGHlWEBmIVWeSyEa16ZdcDZvgtlpHETDV2CcRY=,tag:rxbd3ph+pPf11jup/CMEzw==,type:str]
|
||||
pgp:
|
||||
- created_at: "2023-12-29T15:25:27Z"
|
||||
enc: |
|
||||
|
|
Loading…
Reference in a new issue