From 9e4454ff57bfbf2f84f28de7f6a30295744e98db Mon Sep 17 00:00:00 2001
From: cnst
Date: Mon, 6 Oct 2025 20:55:31 +0200
Subject: [PATCH] feat(gitea): move to cnst.dev domain, cf tunnel

---
 hosts/sobotka/server.nix | 11 ++-
 modules/server/gitea/default.nix | 139 ++++++++++++++++++++-----------
 secrets/giteaCloudflared.age | 12 +++
 secrets/secrets.nix | 1 +
 4 files changed, 111 insertions(+), 52 deletions(-)
 create mode 100644 secrets/giteaCloudflared.age

diff --git a/hosts/sobotka/server.nix b/hosts/sobotka/server.nix
index d6d60b1e..70c7f750 100644
--- a/hosts/sobotka/server.nix
+++ b/hosts/sobotka/server.nix
@@ -14,9 +14,6 @@
 tailscale = {
 enable = true;
 };
- gitea = {
- enable = true;
- };
 unbound = {
 enable = true;
 };
@@ -50,6 +47,14 @@
 uptime-kuma = {
 enable = true;
 };
+ gitea = {
+ enable = true;
+ url = "git.cnst.dev";
+ cloudflared = {
+ tunnelId = "33e2fb8e-ecef-4d42-b845-6d15e216e448";
+ credentialsFile = config.age.secrets.giteaCloudflared.path;
+ };
+ };
 vaultwarden = {
 enable = true;
 url = "vault.cnst.dev";
diff --git a/modules/server/gitea/default.nix b/modules/server/gitea/default.nix
index 171cca9f..44d59ea9 100644
--- a/modules/server/gitea/default.nix
+++ b/modules/server/gitea/default.nix
@@ -1,7 +1,8 @@
-# taken from @jtojnar
+# "inspired" by @jtojnar <3
 {
 config,
 lib,
+ self,
 ...
 }: let
 unit = "gitea";
@@ -21,6 +22,20 @@ in {
 default = 5003;
 description = "The port to host Gitea on.";
 };
+ cloudflared = {
+ credentialsFile = lib.mkOption {
+ type = lib.types.str;
+ example = lib.literalExpression ''
+ pkgs.writeText "cloudflare-credentials.json" '''
+ {"AccountTag":"secret"."TunnelSecret":"secret","TunnelID":"secret"}
+ '''
+ '';
+ };
+ tunnelId = lib.mkOption {
+ type = lib.types.str;
+ example = "00000000-0000-0000-0000-000000000000";
+ };
+ };
 homepage.name = lib.mkOption {
 type = lib.types.str;
 default = "Gitea";
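Review bot: The `example` on `cloudflared.credentialsFile` in the default.nix option hunk is both invalid and misleading: `"AccountTag":"secret"."TunnelSecret"` has a period where a comma belongs, and wrapping the credentials in `pkgs.writeText` would copy the tunnel secret into the world-readable Nix store, which is exactly what the host side avoids by passing `config.age.secrets.giteaCloudflared.path`. An example in that shape, `example = lib.literalExpression "config.age.secrets.giteaCloudflared.path";`, shows the intended usage. Neither option carries a `description`; suggested text is `description = "Path (outside the Nix store) to the cloudflared tunnel credentials JSON.";` for credentialsFile and `description = "UUID of the Cloudflare tunnel that fronts Gitea.";` for tunnelId. Both options have no default and the config hunk below turns on `services.cloudflared` unconditionally under `cfg.enable`, so a host that enables gitea without a tunnel now fails evaluation; if that is intended the descriptions should say so, otherwise gate the tunnel behind its own enable option.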
@@ -39,62 +54,88 @@ in { }; }; config = lib.mkIf cfg.enable { - services.${unit} = { - enable = true; - appName = "cnix code forge"; + age.secrets = { + giteaCloudflared.file = "${self}/secrets/giteaCloudflared.age"; + }; - database = { - type = "postgres"; - socket = "/run/postgresql"; - name = "gitea"; - user = "gitea"; - createDatabase = false; + server = { + fail2ban = lib.mkIf config.server.fail2ban.enable { + jails = { + gitea = { + serviceName = "gitea"; + failRegex = "^.*Username or password is incorrect. Try again. IP: . Username: .*.$"; + }; + }; }; + }; - lfs = { + services = { + cloudflared = { enable = true; + tunnels.${cfg.cloudflared.tunnelId} = { + credentialsFile = cfg.cloudflared.credentialsFile; + default = "http_status:404"; + ingress."${cfg.url}".service = "http://localhost:${toString cfg.port}"; + }; }; - settings = { - cors = { - ENABLED = true; - SCHEME = "https"; - ALLOW_DOMAIN = cfg.url; + ${unit} = { + enable = true; + appName = "cnix code forge"; + + database = { + type = "postgres"; + socket = "/run/postgresql"; + name = "gitea"; + user = "gitea"; + createDatabase = false; }; - log = { - MODE = "console"; + + lfs = { + enable = true; }; - mailer = { - ENABLED = false; - MAILER_TYPE = "sendmail"; - FROM = "noreply+adam@cnst.dev"; - SENDMAIL_PATH = "/run/wrappers/bin/sendmail"; - }; - picture = { - DISABLE_GRAVATAR = true; - }; - repository = { - DEFAULT_BRANCH = "main"; - DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls"; - DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true; - }; - indexer = { - REPO_INDEXER_ENABLED = true; - }; - server = { - DOMAIN = cfg.url; - LANDING_PAGE = "explore"; - HTTP_PORT = cfg.port; - ROOT_URL = "https://${cfg.url}/"; - }; - security = { - DISABLE_GIT_HOOKS = false; - }; - service = { - DISABLE_REGISTRATION = true; - }; - session = { - COOKIE_SECURE = true; + + settings = { + cors = { + ENABLED = true; + SCHEME = "https"; + ALLOW_DOMAIN = cfg.url; + }; + log = { + MODE = "console"; + }; + mailer = { + ENABLED = 
false; + MAILER_TYPE = "sendmail"; + FROM = "noreply+adam@cnst.dev"; + SENDMAIL_PATH = "/run/wrappers/bin/sendmail"; + }; + picture = { + DISABLE_GRAVATAR = true; + }; + repository = { + DEFAULT_BRANCH = "main"; + DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls"; + DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true; + }; + indexer = { + REPO_INDEXER_ENABLED = true; + }; + server = { + DOMAIN = cfg.url; + LANDING_PAGE = "explore"; + HTTP_PORT = cfg.port; + ROOT_URL = "https://${cfg.url}/"; + }; + security = { + DISABLE_GIT_HOOKS = false; + }; + service = { + DISABLE_REGISTRATION = true; + }; + session = { + COOKIE_SECURE = true; + }; }; }; }; diff --git a/secrets/giteaCloudflared.age b/secrets/giteaCloudflared.age new file mode 100644 index 00000000..e154172d --- /dev/null +++ b/secrets/giteaCloudflared.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 t9iOEg RnlIwFO8LSwzj94G0Uru9qibXqOOpCU2kWWdNa2tRFU +lIC3K/jjBMKRfLfepoNYIkBe5rhHuR0l3Uf1Xuk8uZg +-> ssh-ed25519 KUYMFA k16GBRcaaSwJm/8+Vm2QBOu05u6eEro/7YYj7kbuNSU +VCpt918MBBFfFZKKypV9pSwz/Zhsxr+Ob6YjFuJ/oL0 +-> ssh-ed25519 76RhUQ FIKn3nuOT1ywu6pmYBbpC54HhpJGeMFejp5c0XibfAY +WDsh/5G4wXYt21yIDxmI6u1l/xPOdZRxgTazf6QLXP8 +-> ssh-ed25519 Jf8sqw 2EvD96Ec8h97ACoOBYzn1Ugx4ZyYSHIRnsmtB5lb/XQ +mFY8O8qwWWihsLe5ayB5iGm1JUY2B/9el/XSf5sPe7M +--- uuwibRk7LS4/lUx9gwL+x5NMrxLjGM1Yf55bzjxQTKM +HԄ6KA~)!B^S!Wd$.:S'cd_WWBj,lVSh hk +^.Ҏ){e$5*Dž5۫@/ Abx蝄`#ʕ$v6.iKԠsZhox'al6F5DPfԜxLvyaT'XƜK\2WGPt \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index a84e62be..f8f53525 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
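Review bot: Gitea still listens on every interface after this change: the `settings.server` block sets `HTTP_PORT = cfg.port` with no `HTTP_ADDR`, while the tunnel ingress reaches it over `http://localhost:${toString cfg.port}`, so adding `HTTP_ADDR = "127.0.0.1";` beside HTTP_PORT keeps the port off the LAN and leaves the tunnel as the only entry point (unless a firewall rule outside this hunk already does that). The new `age.secrets.giteaCloudflared` sets only `file`, so the decrypted credentials keep agenix's default root-only owner and mode; if the cloudflared tunnel unit runs as its own unprivileged user (the nixpkgs module has `services.cloudflared.user` for that), it cannot read them and `owner = config.services.cloudflared.user;` belongs in the same attrset — check against the vaultwarden tunnel this repo already runs. The fail2ban `failRegex` contains no `<HOST>` capture (`IP: .` matches a single character), so unless the `server.fail2ban.jails` wrapper injects one the jail has no address to ban; and since every request now arrives from the tunnel on localhost, confirm Gitea logs the forwarded client IP rather than 127.0.0.1 before relying on it. The `config = lib.mkIf cfg.enable {` attrset closes after the hunk.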
@@ -48,6 +48,7 @@ in {
 "homepageEnvironment.age".publicKeys = kima ++ sobotka;
 "cloudflareFirewallApiKey.age".publicKeys = kima ++ sobotka;
 "vaultwardenCloudflared.age".publicKeys = kima ++ sobotka;
+ "giteaCloudflared.age".publicKeys = kima ++ sobotka;
 "nextcloudCloudflared.age".publicKeys = kima ++ sobotka;
 "nextcloudAdminPass.age".publicKeys = kima ++ sobotka;
 "cloudflareDnsApiToken.age".publicKeys = kima ++ sobotka;