WIP: gitea: Use a hardened systemd unit instead of a container

configuration/default.nix

@@ -5,10 +5,10 @@
   ...
 }: {
   imports = [
-    ./services/gitea.nix
     ./services/nextcloud.nix
     ./services/webserver.nix
     ./services/starbound.nix
+    ./services/postgres.nix
     ./ids.nix
     ./sops.nix
   ];
@@ -80,8 +80,6 @@
       domain = config.services.nginx.domain;
     in {
       "${domain}" = proxyPassToPort 3002 {serverAliases = ["www.${domain}"];};
-      "gitea.${domain}" = proxyPassToPort 3000 {};
-      "nextcloud.${domain}" = proxyPassToPort 3001 {};
     };
   };
 

configuration/services/gitea.nix

@@ -1,48 +1,30 @@
-{config, ...}: {
+{config, ...}: let
-  users = {
+  domain = "gitea.${config.services.nginx.domain}";
-    extraUsers.gitea = {
+in {
-      uid = config.ids.uids.git;
+  services.gitea = {
-      isSystemUser = true;
+    inherit domain;
-      description = "Gitea Service";
+    enable = true;
-      group = config.users.extraGroups.gitea.name;
+
-    };
+    httpAddress = "127.0.0.1";
-    extraGroups.gitea = {gid = config.ids.gids.git;};
+    database.type = "postgres";
+
+    ssh.clonePort = 2222;
+    rootUrl = "https://gitea.tlater.net/";
+    cookieSecure = true;
+
+    appName = "Gitea: Git with a cup of tea";
   };
 
-  virtualisation.pods.gitea = {
+  # Set up SSL
-    hostname = "gitea.tlater.net";
+  services.nginx.virtualHosts."${domain}" = let
-    publish = ["3000:3000" "2221:2221"];
+    inherit (config.services.gitea) httpAddress httpPort;
-    network = "slirp4netns";
+  in {
+    forceSSL = true;
+    enableACME = true;
+    extraConfig = ''
+      add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+    '';
 
-    containers = {
+    locations."/".proxyPass = "http://${httpAddress}:httpPort";
-      gitea = {
-        image = "gitea/gitea:latest";
-        volumes = ["gitea:/data:Z" "/etc/localtime:/etc/localtime:ro"];
-        dependsOn = ["postgres"];
-
-        environment = {
-          DB_TYPE = "postgres";
-          DB_HOST = "localhost:5432";
-          DB_NAME = "gitea";
-          DB_USER = "gitea";
-
-          USER_UID = toString config.users.extraUsers.gitea.uid;
-          USER_GID = toString config.users.extraGroups.gitea.gid;
-
-          RUN_MODE = "prod";
-          DOMAIN = "gitea.tlater.net";
-          SSH_PORT = "2221";
-        };
-      };
-
-      postgres = {
-        image = "postgres:alpine";
-        environment = {
-          POSTGRES_DB = "gitea";
-          POSTGRES_USER = "gitea";
-        };
-        volumes = ["gitea-postgres-14:/var/lib/postgresql/data"];
-      };
-    };
   };
 }

configuration/services/nextcloud.nix

@@ -1,53 +1,43 @@
-{config, ...}: {
+{
-  virtualisation.pods.nextcloud = {
+  pkgs,
-    hostname = "nextcloud.tlater.net";
+  config,
-    publish = ["3001:80"];
+  ...
-    network = "slirp4netns";
+}: let
+  inherit (pkgs) fetchNextcloudApp;
+  nextcloud = pkgs.nextcloud23;
+  hostName = "nextcloud.${config.services.nginx.domain}"
+in {
+  services.nextcloud = {
+    inherit hostName;
 
-    containers = {
+    package = nextcloud;
-      nextcloud = {
+    enable = true;
-        image = "nextcloud:fpm-alpine";
+    maxUploadSize = "2G";
-        dependsOn = ["postgres"];
+    https = true;
-        volumes = [
-          "nextcloud-root:/var/www/html"
-          "nextcloud-apps:/var/www/html/custom_apps"
-          "nextcloud-config:/var/www/html/config"
-          "nextcloud-data:/var/www/html/data"
-        ];
-        environment = {
-          POSTGRES_DB = "nextcloud";
-          POSTGRES_USER = "nextcloud";
-          POSTGRES_HOST = "localhost";
-          OVERWRITEPROTOCOL = "https";
-          TRUSTED_PROXIES = "127.0.0.1";
-        };
-      };
 
-      cron = {
+    config = {
-        image = "nextcloud:fpm-alpine";
+      overwriteProtocol = "https";
-        entrypoint = "/cron.sh";
-        dependsOn = ["postgres" "nextcloud"];
-        extraOptions = ["--volumes-from=nextcloud-nextcloud"];
-      };
 
-      nginx = {
+      dbtype = "pgsql";
-        image = "nginx:alpine";
+      dbhost = "/run/postgresql";
-        dependsOn = ["nextcloud"];
-        volumes = [
-          "nextcloud-root:/var/www/html:ro"
-          "${./configs/nginx-nextcloud.conf}:/etc/nginx/nginx.conf:ro"
-        ];
-        extraOptions = ["--volumes-from=nextcloud-nextcloud"];
-      };
 
-      postgres = {
+      adminuser = "tlater";
-        image = "postgres:alpine";
+      adminpassFile = config.sops.secrets."nextcloud/tlater".path;
-        environment = {
+
-          POSTGRES_DB = "nextcloud";
+      defaultPhoneRegion = "AT";
-          POSTGRES_USER = "nextcloud";
-        };
-        volumes = ["nextcloud-postgres-14:/var/lib/postgresql/data"];
-      };
     };
+
+    # TODO(tlater): Add redis config. This will be much easier
+    # starting with 22.11, since this will add an `extraOptions` where
+    # the necessary redis config can go.
+  };
+
+  # Ensure that this service doesn't start before postgres is ready
+  systemd.services.nextcloud-setup.after = ["postgresql.service"];
+
+  # Set up SSL
+  services.nginx.virtualHosts."${hostName}" = {
+    forceSSL = true;
+    enableACME = true;
   };
 }

configuration/services/postgres.nix

@@ -0,0 +1,30 @@
+{
+  services.postgresql = {
+    enable = true;
+
+    # Only enable connections via the unix socket, and check with the
+    # OS to make sure the user matches the database name.
+    #
+    # See https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
+    authentication  = ''
+      local sameuser all peer
+    '';
+
+    # Note: The following options with ensure.* are set-only; i.e.,
+    # when permissions/users/databases are removed from these lists,
+    # that operation needs to be performed manually on the system as
+    # well.
+    ensureUsers = [
+      {
+        name = "nextcloud";
+        ensurePermissions = {
+          "DATABASE nextcloud" = "ALL PRIVILEGES";
+        };
+      }
+    ];
+
+    ensureDatabases = [
+      "nextcloud"
+    ];
+  };
+}