tlaternet/tlaternet-server
1
0
Fork 0
Code Issues 9 Pull requests Releases Activity

WIP: gitea: Migrate to forgejo

Browse source
This commit is contained in:
Tristan Daniël Maat 2023-12-29 16:11:16 +01:00
parent 920e0eb28a
commit 9449518b2e
Signed by: tlater
GPG key ID: 49670FD774E43268
4 changed files with 49 additions and 52 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

81
configuration/services/gitea.nix
View file

@ -6,12 +6,10 @@
}: let }: let
domain = "gitea.${config.services.nginx.domain}"; domain = "gitea.${config.services.nginx.domain}";
in { in {
services.gitea = { services.forgejo = {
enable = true; enable = true;
database.type = "postgres"; database.type = "postgres";
appName = "Gitea: Git with a cup of tea";
settings = { settings = {
server = { server = {
DOMAIN = domain; DOMAIN = domain;
@ -29,18 +27,18 @@ in {
}; };
}; };
systemd.services.gitea.serviceConfig.ExecStartPre = let systemd.services.forgejo.serviceConfig.ExecStartPre = let
replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret"; replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
secretPath = config.sops.secrets."gitea/metrics-token".path; secretPath = config.sops.secrets."forgejo/metrics-token".path;
runConfig = "${config.services.gitea.customDir}/conf/app.ini"; runConfig = "${config.services.forgejo.customDir}/conf/app.ini";
in [ in [
"+${replaceSecretBin} '#metricstoken#' '${secretPath}' '${runConfig}'" "+${replaceSecretBin} '#metricstoken#' '${secretPath}' '${runConfig}'"
]; ];
# Set up SSL # Set up SSL
services.nginx.virtualHosts."${domain}" = let services.nginx.virtualHosts."${domain}" = let
httpAddress = config.services.gitea.settings.server.HTTP_ADDR; httpAddress = config.services.forgejo.settings.server.HTTP_ADDR;
httpPort = config.services.gitea.settings.server.HTTP_PORT; httpPort = config.services.forgejo.settings.server.HTTP_PORT;
in { in {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
@ -62,40 +60,39 @@ in {
# Block repeated failed login attempts # Block repeated failed login attempts
# #
# TODO(tlater): Update to the new regex, since apparently this one # TODO(tlater): Update this - we switched to forgejo, who knows what
# is deprecated (but the new one doesn't work on the current version # the new matches are.
# of gitea yet): https://docs.gitea.io/en-us/fail2ban-setup/ # environment.etc = {
environment.etc = { # "fail2ban/filter.d/gitea.conf".text = ''
"fail2ban/filter.d/gitea.conf".text = '' # [Definition]
[Definition] # failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST> # journalmatch = _SYSTEMD_UNIT=forgejo.service + _COMM=forgejo + SYSLOG_IDENTIFIER=forgejo
journalmatch = _SYSTEMD_UNIT=gitea.service + _COMM=gitea + SYSLOG_IDENTIFIER=gitea # '';
''; # };
};
services.fail2ban.jails = { # services.fail2ban.jails = {
gitea = '' # gitea = ''
enabled = true # enabled = true
''; # '';
}; # };
services.backups.gitea = { # services.backups.forgejo = {
user = "gitea"; # user = "forgejo";
paths = [ # paths = [
"/var/lib/gitea/gitea-db.sql" # "/var/lib/forgejo/forgejo-db.sql"
"/var/lib/gitea/repositories/" # "/var/lib/forgejo/repositories/"
"/var/lib/gitea/data/" # "/var/lib/forgejo/data/"
"/var/lib/gitea/custom/" # "/var/lib/forgejo/custom/"
# Conf is backed up via nix # # Conf is backed up via nix
]; # ];
preparation = { # preparation = {
packages = [config.services.postgresql.package]; # packages = [config.services.postgresql.package];
text = "pg_dump ${config.services.gitea.database.name} --file=/var/lib/gitea/gitea-db.sql"; # text = "pg_dump ${config.services.forgejo.database.name} --file=/var/lib/forgejo/forgejo-db.sql";
}; # };
cleanup = { # cleanup = {
packages = [pkgs.coreutils]; # packages = [pkgs.coreutils];
text = "rm /var/lib/gitea/gitea-db.sql"; # text = "rm /var/lib/forgejo/forgejo-db.sql";
}; # };
pauseServices = ["gitea.service"]; # pauseServices = ["forgejo.service"];
}; # };
} }

6
configuration/services/metrics/victoriametrics.nix
View file

@ -6,9 +6,9 @@
]; ];
scrapeConfigs = { scrapeConfigs = {
gitea = { forgejo = {
targets = ["127.0.0.1:${toString config.services.gitea.settings.server.HTTP_PORT}"]; targets = ["127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}"];
extraSettings.authorization.credentials_file = config.sops.secrets."gitea/metrics-token".path; extraSettings.authorization.credentials_file = config.sops.secrets."forgejo/metrics-token".path;
}; };
coturn.targets = ["127.0.0.1:9641"]; coturn.targets = ["127.0.0.1:9641"];
}; };

4
configuration/sops.nix
View file

@ -4,8 +4,8 @@
secrets = { secrets = {
# Gitea # Gitea
"gitea/metrics-token" = { "forgejo/metrics-token" = {
owner = "gitea"; owner = "forgejo";
group = "metrics"; group = "metrics";
mode = "0440"; mode = "0440";
}; };

10
keys/production.yaml
View file

@ -1,5 +1,5 @@
gitea: forgejo:
metrics-token: ENC[AES256_GCM,data:/7/zvVl2ZOBoekrJR32vl/QQcG5XqTmltgpHEMUpbXVeqwnq29idzE2Qyjau96ZHObmSI73/ZtW95uXF6LH9Qw==,iv:iWZECCZSh1CN7wMBqstXR5QWtriR7QLKVqhekGnpXl0=,tag:HEr9km8VYmruBzf0I/5HuA==,type:str] metrics-token: ENC[AES256_GCM,data:WVbD5JloJlHNjeEwe1uEd4Haj6L3ilj1Pnux6yrelUQP18ZPAh90aDO1OIZHaPJR7tTeyATr8BIzZL1zkNhCuA==,iv:eTYXN3hymIN3bTX1YxNGkAYE0KVDbdz2ds8UQAHlALE=,tag:A61loGdu0pfsiez96u2Qsg==,type:str]
grafana: grafana:
adminPassword: ENC[AES256_GCM,data:/qw//J7cOkIGa58bG4GgdzndvKof32AmQeWB00IX8WhA22PDCOc4VdUEoB3wVJJqI/ucoHFInYyhg2rFYoYBesBjAt0QS3+O+8WblIunUuYeqlBuYJJK1TLhy6ql6+aqvfiW/rJLm4LpgA7CboyDD2OYHcAbvGSD2GWwFcHTR/Y=,iv:KK6p8GKzc9SBDZZFkEwCdIjSxriPGNMDNcr97tfbwTI=,tag:gLRNSGdJWFD+V9K5TfJvXw==,type:str] adminPassword: ENC[AES256_GCM,data:/qw//J7cOkIGa58bG4GgdzndvKof32AmQeWB00IX8WhA22PDCOc4VdUEoB3wVJJqI/ucoHFInYyhg2rFYoYBesBjAt0QS3+O+8WblIunUuYeqlBuYJJK1TLhy6ql6+aqvfiW/rJLm4LpgA7CboyDD2OYHcAbvGSD2GWwFcHTR/Y=,iv:KK6p8GKzc9SBDZZFkEwCdIjSxriPGNMDNcr97tfbwTI=,tag:gLRNSGdJWFD+V9K5TfJvXw==,type:str]
secretKey: ENC[AES256_GCM,data:OUXWOE6I3a26SrFEOczWNIwyR3Rx62fbsRBBcfh0xyEbxOIPhexH6lIqlVG9Ltwra9+rAldNM4/0BydtxIDj7A==,iv:fiNO/or5yZnhpDPMANDnEC5dtXmbKBZsV+BPmvCN/HI=,tag:Q0M0OtLWdWAJgQmUlL//fg==,type:str] secretKey: ENC[AES256_GCM,data:OUXWOE6I3a26SrFEOczWNIwyR3Rx62fbsRBBcfh0xyEbxOIPhexH6lIqlVG9Ltwra9+rAldNM4/0BydtxIDj7A==,iv:fiNO/or5yZnhpDPMANDnEC5dtXmbKBZsV+BPmvCN/HI=,tag:Q0M0OtLWdWAJgQmUlL//fg==,type:str]
@ -26,8 +26,8 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age: []
lastmodified: "2023-10-12T18:40:26Z" lastmodified: "2023-12-28T00:07:08Z"
mac: ENC[AES256_GCM,data:F+yQ20jCtLRKeQDFVKoqrYCgtwGkXxrK6aQO0MFZTIMJAnbTVPM2ZJGQ1RxXb+Zs4T+44EEc2xN4LjeANvgpE6MfOz2VTw+sEEjcYwUyB6RcXHia9XlFLa8lh7/Wx/9DxlSFjjSrxmDkNB6r+n5UF81cdRXF2E9ibdH346ST98A=,iv:xVxFN1IDKrLskaGqnWvOWx1zUII0jRSjQxEsaTf2GNw=,tag:lnp1AvgMOXXlg1vFjHEWUQ==,type:str] mac: ENC[AES256_GCM,data:P2bNJLjzn69Kg2bJHXmofER7J8wbEj9C4jq9ePWewXBOt45GEiqgnqIaISwZkyzQmm9cxZd95Lr780ICwoKDFdtSCCcC7CdYxYEfyyhnvU3W2qzEghvkypL8JbiEtPSlQ9xOlCk7p41A9eRrV+JziIVSv5UEUs4NubrG9Mkwv3k=,iv:Yq2gANTTgx6cFxkdustUZ1MPszxGSkao/bS1KHAkzJc=,tag:kqJibocgRQXkxTJze6O5MA==,type:str]
pgp: pgp:
- created_at: "2022-10-12T00:46:51Z" - created_at: "2022-10-12T00:46:51Z"
enc: | enc: |
@ -65,4 +65,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 8a3737d48f1035fe6c3a0a8fd6a1976ca74c7f3b fp: 8a3737d48f1035fe6c3a0a8fd6a1976ca74c7f3b
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.7.3 version: 3.8.1