feat(gitea): move to cnst.dev domain, cf tunnel

hosts/sobotka/server.nix

@@ -14,9 +14,6 @@
     tailscale = {
       enable = true;
     };
-    gitea = {
-      enable = true;
-    };
     unbound = {
       enable = true;
     };
@@ -50,6 +47,14 @@
     uptime-kuma = {
       enable = true;
     };
+    gitea = {
+      enable = true;
+      url = "git.cnst.dev";
+      cloudflared = {
+        tunnelId = "33e2fb8e-ecef-4d42-b845-6d15e216e448";
+        credentialsFile = config.age.secrets.giteaCloudflared.path;
+      };
+    };
     vaultwarden = {
       enable = true;
       url = "vault.cnst.dev";

modules/server/gitea/default.nix

@@ -1,7 +1,8 @@
-# taken from @jtojnar
+# "inspired" by @jtojnar <3
 {
   config,
   lib,
+  self,
   ...
 }: let
   unit = "gitea";
@@ -21,6 +22,20 @@ in {
       default = 5003;
       description = "The port to host Gitea on.";
     };
+    cloudflared = {
+      credentialsFile = lib.mkOption {
+        type = lib.types.str;
+        example = lib.literalExpression ''
+          pkgs.writeText "cloudflare-credentials.json" '''
+          {"AccountTag":"secret"."TunnelSecret":"secret","TunnelID":"secret"}
+          '''
+        '';
+      };
+      tunnelId = lib.mkOption {
+        type = lib.types.str;
+        example = "00000000-0000-0000-0000-000000000000";
+      };
+    };
     homepage.name = lib.mkOption {
       type = lib.types.str;
       default = "Gitea";
@@ -39,62 +54,88 @@ in {
     };
   };
   config = lib.mkIf cfg.enable {
-    services.${unit} = {
+    age.secrets = {
-      enable = true;
+      giteaCloudflared.file = "${self}/secrets/giteaCloudflared.age";
-      appName = "cnix code forge";
+    };
 
-      database = {
+    server = {
-        type = "postgres";
+      fail2ban = lib.mkIf config.server.fail2ban.enable {
-        socket = "/run/postgresql";
+        jails = {
-        name = "gitea";
+          gitea = {
-        user = "gitea";
+            serviceName = "gitea";
-        createDatabase = false;
+            failRegex = "^.*Username or password is incorrect. Try again. IP: <HOST>. Username: <F-USER>.*</F-USER>.$";
+          };
+        };
       };
+    };
 
-      lfs = {
+    services = {
+      cloudflared = {
         enable = true;
+        tunnels.${cfg.cloudflared.tunnelId} = {
+          credentialsFile = cfg.cloudflared.credentialsFile;
+          default = "http_status:404";
+          ingress."${cfg.url}".service = "http://localhost:${toString cfg.port}";
+        };
       };
 
-      settings = {
+      ${unit} = {
-        cors = {
+        enable = true;
-          ENABLED = true;
+        appName = "cnix code forge";
-          SCHEME = "https";
+
-          ALLOW_DOMAIN = cfg.url;
+        database = {
+          type = "postgres";
+          socket = "/run/postgresql";
+          name = "gitea";
+          user = "gitea";
+          createDatabase = false;
         };
-        log = {
+
-          MODE = "console";
+        lfs = {
+          enable = true;
         };
-        mailer = {
+
-          ENABLED = false;
+        settings = {
-          MAILER_TYPE = "sendmail";
+          cors = {
-          FROM = "noreply+adam@cnst.dev";
+            ENABLED = true;
-          SENDMAIL_PATH = "/run/wrappers/bin/sendmail";
+            SCHEME = "https";
-        };
+            ALLOW_DOMAIN = cfg.url;
-        picture = {
+          };
-          DISABLE_GRAVATAR = true;
+          log = {
-        };
+            MODE = "console";
-        repository = {
+          };
-          DEFAULT_BRANCH = "main";
+          mailer = {
-          DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
+            ENABLED = false;
-          DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true;
+            MAILER_TYPE = "sendmail";
-        };
+            FROM = "noreply+adam@cnst.dev";
-        indexer = {
+            SENDMAIL_PATH = "/run/wrappers/bin/sendmail";
-          REPO_INDEXER_ENABLED = true;
+          };
-        };
+          picture = {
-        server = {
+            DISABLE_GRAVATAR = true;
-          DOMAIN = cfg.url;
+          };
-          LANDING_PAGE = "explore";
+          repository = {
-          HTTP_PORT = cfg.port;
+            DEFAULT_BRANCH = "main";
-          ROOT_URL = "https://${cfg.url}/";
+            DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
-        };
+            DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true;
-        security = {
+          };
-          DISABLE_GIT_HOOKS = false;
+          indexer = {
-        };
+            REPO_INDEXER_ENABLED = true;
-        service = {
+          };
-          DISABLE_REGISTRATION = true;
+          server = {
-        };
+            DOMAIN = cfg.url;
-        session = {
+            LANDING_PAGE = "explore";
-          COOKIE_SECURE = true;
+            HTTP_PORT = cfg.port;
+            ROOT_URL = "https://${cfg.url}/";
+          };
+          security = {
+            DISABLE_GIT_HOOKS = false;
+          };
+          service = {
+            DISABLE_REGISTRATION = true;
+          };
+          session = {
+            COOKIE_SECURE = true;
+          };
         };
       };
     };

secrets/giteaCloudflared.age

@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 t9iOEg RnlIwFO8LSwzj94G0Uru9qibXqOOpCU2kWWdNa2tRFU
+lIC3K/jjBMKRfLfepoNYIkBe5rhHuR0l3Uf1Xuk8uZg
+-> ssh-ed25519 KUYMFA k16GBRcaaSwJm/8+Vm2QBOu05u6eEro/7YYj7kbuNSU
+VCpt918MBBFfFZKKypV9pSwz/Zhsxr+Ob6YjFuJ/oL0
+-> ssh-ed25519 76RhUQ FIKn3nuOT1ywu6pmYBbpC54HhpJGeMFejp5c0XibfAY
+WDsh/5G4wXYt21yIDxmI6u1l/xPOdZRxgTazf6QLXP8
+-> ssh-ed25519 Jf8sqw 2EvD96Ec8h97ACoOBYzn1Ugx4ZyYSHIRnsmtB5lb/XQ
+mFY8O8qwWWihsLe5ayB5iGm1JUY2B/9el/XSf5sPe7M
+--- uuwibRk7LS4/lUx9gwL+x5NMrxLjGM1Yf55bzjxQTKM
+<EFBFBD>H<>Ԅ6K<36>A
<01>~<7E><>
)!B<08><>^S!Wd<><64>$.:S'c<>d<EFBFBD><64><EFBFBD>_WW<57>Bj<42>,<2C><>l<EFBFBD><6C><EFBFBD><EFBFBD><EFBFBD>V<>S<EFBFBD><53>h<EFBFBD>
+h<EFBFBD><EFBFBD><12><>k

secrets/secrets.nix

@@ -48,6 +48,7 @@ in {
   "homepageEnvironment.age".publicKeys = kima ++ sobotka;
   "cloudflareFirewallApiKey.age".publicKeys = kima ++ sobotka;
   "vaultwardenCloudflared.age".publicKeys = kima ++ sobotka;
+  "giteaCloudflared.age".publicKeys = kima ++ sobotka;
   "nextcloudCloudflared.age".publicKeys = kima ++ sobotka;
   "nextcloudAdminPass.age".publicKeys = kima ++ sobotka;
   "cloudflareDnsApiToken.age".publicKeys = kima ++ sobotka;