diff --git a/configuration/services/gitea.nix b/configuration/services/gitea.nix index 013842e..d77d6cc 100644 --- a/configuration/services/gitea.nix +++ b/configuration/services/gitea.nix @@ -6,12 +6,10 @@ }: let domain = "gitea.${config.services.nginx.domain}"; in { - services.gitea = { + services.forgejo = { enable = true; database.type = "postgres"; - appName = "Gitea: Git with a cup of tea"; - settings = { server = { DOMAIN = domain; @@ -29,18 +27,18 @@ in { }; }; - systemd.services.gitea.serviceConfig.ExecStartPre = let + systemd.services.forgejo.serviceConfig.ExecStartPre = let replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret"; - secretPath = config.sops.secrets."gitea/metrics-token".path; - runConfig = "${config.services.gitea.customDir}/conf/app.ini"; + secretPath = config.sops.secrets."forgejo/metrics-token".path; + runConfig = "${config.services.forgejo.customDir}/conf/app.ini"; in [ "+${replaceSecretBin} '#metricstoken#' '${secretPath}' '${runConfig}'" ]; # Set up SSL services.nginx.virtualHosts."${domain}" = let - httpAddress = config.services.gitea.settings.server.HTTP_ADDR; - httpPort = config.services.gitea.settings.server.HTTP_PORT; + httpAddress = config.services.forgejo.settings.server.HTTP_ADDR; + httpPort = config.services.forgejo.settings.server.HTTP_PORT; in { forceSSL = true; enableACME = true; 
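Review bot: The `+`-prefixed ExecStartPre in the second hunk keeps a hand-rolled, root-privileged replace-secret step that writes the metrics token into `${config.services.forgejo.customDir}/conf/app.ini`, even though the service now targets the forgejo NixOS module, which (if I recall the nixos-23.11 module correctly) has a `services.forgejo.secrets` option for exactly this substitution. The `#metricstoken#` placeholder it rewrites is presumably set in `settings.metrics.TOKEN` outside this hunk; with `services.forgejo.secrets.metrics.TOKEN = config.sops.secrets."forgejo/metrics-token".path;` both the placeholder and the whole `systemd.services.forgejo.serviceConfig.ExecStartPre` override could go, and the token would no longer depend on a root hook at service start. If the override is kept, a one-line comment such as `# '+' runs this as root so it can rewrite app.ini before the unit switches to the forgejo user` would explain the prefix to the next reader.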
@@ -62,40 +60,39 @@ in { # Block repeated failed login attempts # - # TODO(tlater): Update to the new regex, since apparently this one - # is deprecated (but the new one doesn't work on the current version - # of gitea yet): https://docs.gitea.io/en-us/fail2ban-setup/ - environment.etc = { - "fail2ban/filter.d/gitea.conf".text = '' - [Definition] - failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from - journalmatch = _SYSTEMD_UNIT=gitea.service + _COMM=gitea + SYSLOG_IDENTIFIER=gitea - ''; - }; + # TODO(tlater): Update this - we switched to forgejo, who knows what + # the new matches are. + # environment.etc = { + # "fail2ban/filter.d/gitea.conf".text = '' + # [Definition] + # failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from + # journalmatch = _SYSTEMD_UNIT=forgejo.service + _COMM=forgejo + SYSLOG_IDENTIFIER=forgejo + # ''; + # }; - services.fail2ban.jails = { - gitea = '' - enabled = true - ''; - }; + # services.fail2ban.jails = { + # gitea = '' + # enabled = true + # ''; + # }; - services.backups.gitea = { - user = "gitea"; - paths = [ - "/var/lib/gitea/gitea-db.sql" - "/var/lib/gitea/repositories/" - "/var/lib/gitea/data/" - "/var/lib/gitea/custom/" - # Conf is backed up via nix - ]; - preparation = { - packages = [config.services.postgresql.package]; - text = "pg_dump ${config.services.gitea.database.name} --file=/var/lib/gitea/gitea-db.sql"; - }; - cleanup = { - packages = [pkgs.coreutils]; - text = "rm /var/lib/gitea/gitea-db.sql"; - }; - pauseServices = ["gitea.service"]; - }; + # services.backups.forgejo = { + # user = "forgejo"; + # paths = [ + # "/var/lib/forgejo/forgejo-db.sql" + # "/var/lib/forgejo/repositories/" + # "/var/lib/forgejo/data/" + # "/var/lib/forgejo/custom/" + # # Conf is backed up via nix + # ]; + # preparation = { + # packages = [config.services.postgresql.package]; + # text = "pg_dump ${config.services.forgejo.database.name} 
--file=/var/lib/forgejo/forgejo-db.sql"; + # }; + # cleanup = { + # packages = [pkgs.coreutils]; + # text = "rm /var/lib/forgejo/forgejo-db.sql"; + # }; + # pauseServices = ["forgejo.service"]; + # }; } diff --git a/configuration/services/metrics/victoriametrics.nix b/configuration/services/metrics/victoriametrics.nix index 4cdc770..daf3f94 100644 --- a/configuration/services/metrics/victoriametrics.nix +++ b/configuration/services/metrics/victoriametrics.nix @@ -6,9 +6,9 @@ ]; scrapeConfigs = { - gitea = { - targets = ["127.0.0.1:${toString config.services.gitea.settings.server.HTTP_PORT}"]; - extraSettings.authorization.credentials_file = config.sops.secrets."gitea/metrics-token".path; + forgejo = { + targets = ["127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}"]; + extraSettings.authorization.credentials_file = config.sops.secrets."forgejo/metrics-token".path; }; coturn.targets = ["127.0.0.1:9641"]; }; diff --git a/configuration/sops.nix b/configuration/sops.nix index 03faf82..c7cb1f0 100644 --- a/configuration/sops.nix +++ b/configuration/sops.nix @@ -4,8 +4,8 @@ secrets = { # Gitea - "gitea/metrics-token" = { - owner = "gitea"; + "forgejo/metrics-token" = { + owner = "forgejo"; group = "metrics"; mode = "0440"; }; diff --git a/flake.lock b/flake.lock index b64bc75..94d712d 100644 --- a/flake.lock +++ b/flake.lock @@ -41,11 +41,11 @@ "utils": "utils" }, "locked": { - "lastModified": 1694513707, - "narHash": "sha256-wE5kHco3+FQjc+MwTPwLVqYz4hM7uno2CgXDXUFMCpc=", + "lastModified": 1702460489, + "narHash": "sha256-H6s6oVLvx7PCjUcvfkB89Bb+kbaiJxTAgWfMjiQTjA0=", "owner": "serokell", "repo": "deploy-rs", - "rev": "31c32fb2959103a796e07bbe47e0a5e287c343a8", + "rev": "915327515f5fd1b7719c06e2f1eb304ee0bdd803", "type": "github" }, "original": { 
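Review bot: Commenting out the fail2ban filter, the jail and the `services.backups` definition in the third gitea.nix hunk leaves the new forgejo service with no failed-login rate limiting and no database or repository backups after this commit, which is a regression rather than a migration. The commented-out blocks already carry the renamed values (`journalmatch = _SYSTEMD_UNIT=forgejo.service + _COMM=forgejo + SYSLOG_IDENTIFIER=forgejo`, the `/var/lib/forgejo/...` paths, `user = "forgejo"`, `pauseServices = ["forgejo.service"]`), and the backup block needs nothing forgejo-specific beyond those, so at least `services.backups.forgejo` could be re-enabled in this commit instead of being parked behind a TODO. For fail2ban the failregex strings are unchanged from the Gitea filter; I would verify one failed login in the forgejo.service journal still matches them, then restore the filter and jail (renaming `fail2ban/filter.d/gitea.conf` and the `gitea` jail to `forgejo` so they track the unit name). If the TODO must stay, its text should state what is lost while it is open, e.g. `# TODO(tlater): fail2ban + backups disabled since the forgejo switch; no brute-force protection and no backups until re-enabled`. The enclosing `in { ... }` attrset starts outside the hunk.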
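Review bot: The `# Gitea` comment in the sops.nix hunk is now stale, since the secret below it has been renamed to `"forgejo/metrics-token"`; change it to `# Forgejo`. The owner also changes to `forgejo`, so this secret can only be provisioned on a host where that user exists — presumably created by the forgejo module enabled in gitea.nix — which is worth a short comment if sops.nix is ever reused on another host.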
@@ -160,11 +160,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1668681692, - "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "owner": "edolstra", "repo": "flake-compat", - "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", "type": "github" }, "original": { @@ -229,7 +229,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1692799911, @@ -267,11 +267,11 @@ ] }, "locked": { - "lastModified": 1691701569, - "narHash": "sha256-7TK+sO+JC37OGTQDTiz9TriqbB5yTgoo7fyPyLtWvd8=", + "lastModified": 1701473318, + "narHash": "sha256-QdCJN8GeNl/V8wMjrvNkrWzNXnahgfjBfCSya4qQdrc=", "owner": "reckenrode", "repo": "nix-foundryvtt", - "rev": "3358ccef0ea3e06faabe8c54761fb8a0862b80d4", + "rev": "f624c0ceabe13dd876ecff871e0dc7f55f96e993", "type": "github" }, "original": { @@ -345,11 +345,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1671417167, - "narHash": "sha256-JkHam6WQOwZN1t2C2sbp1TqMv3TVRjzrdoejqfefwrM=", + "lastModified": 1702272962, + "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "bb31220cca6d044baa6dc2715b07497a2a7c4bc7", + "rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d", "type": "github" }, "original": { @@ -361,11 +361,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1693675694, - "narHash": "sha256-2pIOyQwGyy2FtFAUIb8YeKVmOCcPOTVphbAvmshudLE=", + "lastModified": 1702148972, + "narHash": "sha256-h2jODFP6n+ABrUWcGRSVPRFfLOkM9TJ2pO+h+9JcaL0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5601118d39ca9105f8e7b39d4c221d3388c0419d", + "rev": "b8f33c044e51de6dde3ad80a9676945e0e4e3227", "type": "github" }, "original": { 
@@ -377,11 +377,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1694767346, - "narHash": "sha256-5uH27SiVFUwsTsqC5rs3kS7pBoNhtoy9QfTP9BmknGk=", + "lastModified": 1702312524, + "narHash": "sha256-gkZJRDBUCpTPBvQk25G0B7vfbpEYM5s5OZqghkjZsnE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "ace5093e36ab1e95cb9463863491bee90d5a4183", + "rev": "a9bf124c46ef298113270b1f84a164865987a91c", "type": "github" }, "original": { @@ -408,16 +408,16 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1694937365, - "narHash": "sha256-iHZSGrb9gVpZRR4B2ishUN/1LRKWtSHZNO37C8z1SmA=", + "lastModified": 1702346276, + "narHash": "sha256-eAQgwIWApFQ40ipeOjVSoK4TEHVd6nbSd9fApiHIw5A=", "owner": "nixos", "repo": "nixpkgs", - "rev": "5d017a8822e0907fb96f7700a319f9fe2434de02", + "rev": "cf28ee258fd5f9a52de6b9865cdb93a1f96d09b7", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-23.05", + "ref": "nixos-23.11", "repo": "nixpkgs", "type": "github" } @@ -556,11 +556,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1694495315, - "narHash": "sha256-sZEYXs9T1NVHZSSbMqBEtEm2PGa7dEDcx0ttQkArORc=", + "lastModified": 1702177193, + "narHash": "sha256-J2409SyXROoUHYXVy9h4Pj0VU8ReLuy/mzBc9iK4DBg=", "owner": "Mic92", "repo": "sops-nix", - "rev": "ea208e55f8742fdcc0986b256bdfa8986f5e4415", + "rev": "d806e546f96c88cd9f7d91c1c19ebc99ba6277d9", "type": "github" }, "original": { @@ -584,6 +584,21 @@ "type": "github" } }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "tlaternet-webserver": { "inputs": { "dream2nix": "dream2nix", 
@@ -607,12 +622,15 @@ } }, "utils": { + "inputs": { + "systems": "systems" + }, "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", "owner": "numtide", "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", "type": "github" }, "original": {
diff --git a/flake.nix b/flake.nix
index d8ff1a8..efe6433 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,7 +2,7 @@ description = "tlater.net host configuration"; inputs = {
- nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
 nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; deploy-rs.url = "github:serokell/deploy-rs"; sops-nix = {
diff --git a/keys/production.yaml b/keys/production.yaml
index efeea6a..da53b95 100644
--- a/keys/production.yaml
+++ b/keys/production.yaml
@@ -1,5 +1,5 @@
-gitea:
- metrics-token: ENC[AES256_GCM,data:/7/zvVl2ZOBoekrJR32vl/QQcG5XqTmltgpHEMUpbXVeqwnq29idzE2Qyjau96ZHObmSI73/ZtW95uXF6LH9Qw==,iv:iWZECCZSh1CN7wMBqstXR5QWtriR7QLKVqhekGnpXl0=,tag:HEr9km8VYmruBzf0I/5HuA==,type:str]
+forgejo:
+ metrics-token: ENC[AES256_GCM,data:WVbD5JloJlHNjeEwe1uEd4Haj6L3ilj1Pnux6yrelUQP18ZPAh90aDO1OIZHaPJR7tTeyATr8BIzZL1zkNhCuA==,iv:eTYXN3hymIN3bTX1YxNGkAYE0KVDbdz2ds8UQAHlALE=,tag:A61loGdu0pfsiez96u2Qsg==,type:str]
 grafana:
 adminPassword: ENC[AES256_GCM,data:/qw//J7cOkIGa58bG4GgdzndvKof32AmQeWB00IX8WhA22PDCOc4VdUEoB3wVJJqI/ucoHFInYyhg2rFYoYBesBjAt0QS3+O+8WblIunUuYeqlBuYJJK1TLhy6ql6+aqvfiW/rJLm4LpgA7CboyDD2OYHcAbvGSD2GWwFcHTR/Y=,iv:KK6p8GKzc9SBDZZFkEwCdIjSxriPGNMDNcr97tfbwTI=,tag:gLRNSGdJWFD+V9K5TfJvXw==,type:str]
 secretKey: ENC[AES256_GCM,data:OUXWOE6I3a26SrFEOczWNIwyR3Rx62fbsRBBcfh0xyEbxOIPhexH6lIqlVG9Ltwra9+rAldNM4/0BydtxIDj7A==,iv:fiNO/or5yZnhpDPMANDnEC5dtXmbKBZsV+BPmvCN/HI=,tag:Q0M0OtLWdWAJgQmUlL//fg==,type:str]
@@ -26,8 +26,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2023-10-12T18:40:26Z"
- mac: ENC[AES256_GCM,data:F+yQ20jCtLRKeQDFVKoqrYCgtwGkXxrK6aQO0MFZTIMJAnbTVPM2ZJGQ1RxXb+Zs4T+44EEc2xN4LjeANvgpE6MfOz2VTw+sEEjcYwUyB6RcXHia9XlFLa8lh7/Wx/9DxlSFjjSrxmDkNB6r+n5UF81cdRXF2E9ibdH346ST98A=,iv:xVxFN1IDKrLskaGqnWvOWx1zUII0jRSjQxEsaTf2GNw=,tag:lnp1AvgMOXXlg1vFjHEWUQ==,type:str]
+ lastmodified: "2023-12-28T00:07:08Z"
+ mac: ENC[AES256_GCM,data:P2bNJLjzn69Kg2bJHXmofER7J8wbEj9C4jq9ePWewXBOt45GEiqgnqIaISwZkyzQmm9cxZd95Lr780ICwoKDFdtSCCcC7CdYxYEfyyhnvU3W2qzEghvkypL8JbiEtPSlQ9xOlCk7p41A9eRrV+JziIVSv5UEUs4NubrG9Mkwv3k=,iv:Yq2gANTTgx6cFxkdustUZ1MPszxGSkao/bS1KHAkzJc=,tag:kqJibocgRQXkxTJze6O5MA==,type:str]
 pgp:
 - created_at: "2022-10-12T00:46:51Z"
 enc: |
@@ -65,4 +65,4 @@ sops:
 -----END PGP MESSAGE-----
 fp: 8a3737d48f1035fe6c3a0a8fd6a1976ca74c7f3b
 unencrypted_suffix: _unencrypted
- version: 3.7.3
+ version: 3.8.1