From 41dfde7216ef8fdec8e8adef4250663ccd20db82 Mon Sep 17 00:00:00 2001 From: Histausse Date: Sat, 6 May 2023 22:36:46 +0200 Subject: [PATCH 01/31] add config for woodpeecker --- pp-woodpecker.nix | 116 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 116 insertions(+) create mode 100644 pp-woodpecker.nix diff --git a/pp-woodpecker.nix b/pp-woodpecker.nix new file mode 100644 index 0000000..dfeb172 --- /dev/null +++ b/pp-woodpecker.nix 
@@ -0,0 +1,116 @@ +{ config, pkgs, lib, ... }: +with lib; +let + cfgBase = config.base; + cfg = config.services.ppWoodpecker; +in +{ + imports = [ + # Woodpeeker is not in stable yet but the module is good enought + (builtins.fetchurl { + url = "https://github.com/NixOS/nixpkgs/raw/nixos-unstable/nixos/modules/services/continuous-integration/woodpecker/server.nix"; + sha256 = "0fbgr0s690c3i90c8rmnazilh3gl9x698pm69f8lqg2glz9rq13f"; + }) + (builtins.fetchurl { + url = "https://github.com/NixOS/nixpkgs/raw/nixos-unstable/nixos/modules/services/continuous-integration/woodpecker/agents.nix"; + sha256 = "06zmmg95c2pbrl7i6vl9zypmh4hysl3hkwhqjp2ylnndddhh7ihc"; + }) + ]; + options.services.ppWoodpecker = { + serverEnvFile = mkOption { + type = types.str; + default = "/etc/woodpecker_server_env"; + description = "The file containing the env secrets WOODPECKER_AGENT_SECRET and WOODPECKER_GITEA_SECRET, cf https://woodpecker-ci.org/docs/administration/vcs/gitea#configuration for gitea"; + }; + agentEnvFile = mkOption { + type = types.str; + default = "/etc/woodpecker_agent_env"; + description = "The file containing the env secrets WOODPECKER_AGENT_SECRET"; + }; + domain = mkOption { + type = types.str; + default = "ci.${cfgBase.domainName}"; + example = "ci.example.com"; + description = "The domain of the server"; + }; + giteaDomain = mkOption { + type = types.str; + default = "git.${cfgBase.domainName}"; + example = "git.example.com"; + description = "The domain of the gitea server"; + }; + giteaClientId = mkOption { + type = types.str; + example = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"; + description = "The domain of the gitea server"; + }; + admins = mkOption { + type = lib.types.listOf lib.types.string; + default = []; + example = [ "user1" "user2" ]; + description = "List of admins"; + }; + maxProcsPerAgent = mkOption { + type = types.int; + default = 1; + example = 4; + description = "Number of possible paralle process per agent"; + }; + }; + + config = { + + 
services.woodpecker-server.enable = true; + # To put in woodpecker_server_env: + # ``` + # WOODPECKER_AGENT_SECRET=XXXXXX + # WOODPECKER_GITEA_SECRET=gto_XXXXXX + # ``` + services.woodpecker-server.environmentFile = "${cfg.serverEnvFile}"; + services.woodpecker-server.environment = { + WOODPECKER_HOST = "https://${cfg.domain}"; + WOODPECKER_OPEN = "true"; # This means user of gitea can connect to the ci + WOODPECKER_GITEA = "true"; + WOODPECKER_GITEA_CLIENT = "${cfg.giteaClientId}"; + WOODPECKER_GITEA_URL = "https://${cfg.giteaDomain}"; + WOODPECKER_ADMIN = lib.mkIf (cfg.admins != []) (lib.concatStringsSep "," cfg.admins); + }; + + virtualisation.podman.enable = true; + services.woodpecker-agents.agents.podman = { + enable = true; + extraGroups = [ "podman" ]; + environmentFile = [ "${cfg.agentEnvFile}" ]; + environment = { + WOODPECKER_BACKEND = "docker"; + DOCKER_HOST = "unix:////run/podman/podman.sock"; + WOODPECKER_MAX_PROCS = builtins.toString cfg.maxProcsPerAgent; + }; + }; + + security.acme.acceptTerms = true; + security.acme.defaults.email = cfgBase.adminEmail; + services.nginx = { + enable = true; + virtualHosts = { + "${cfg.domain}" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://127.0.0.1:8000"; + extraConfig = '' + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $host; + proxy_pass_request_headers on; + ''; + }; + }; + }; + }; + networking.firewall.allowedTCPPorts = [ 80 443 ]; + }; +} From 2a9fcd451e19cefd22a3c5e8c4a413687c300a40 Mon Sep 17 00:00:00 2001 From: Histausse Date: Sat, 6 May 2023 23:34:55 +0200 Subject: [PATCH 02/31] remove user config from modules --- base.nix | 7 ------- 1 file changed, 7 deletions(-) diff --git a/base.nix b/base.nix index ab3da5e..398075e 100644 --- a/base.nix 
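Review bot: The two NixOS modules are imported with `builtins.fetchurl` from the moving `nixos-unstable` branch URL while pinned to a fixed `sha256`, so the import breaks as soon as upstream edits the file (the later "updated upstream hash" commits show exactly this) and evaluation needs network access every time. Pinning the URL to a specific nixpkgs commit (`.../raw/<NIXPKGS_COMMIT>/nixos/modules/...`, placeholder) keeps the hash valid and the evaluation reproducible. Two smaller points: the `giteaClientId` description is a copy-paste of `giteaDomain`'s ("The domain of the gitea server") and should read `description = "The OAuth2 client id registered in gitea for woodpecker";`, and `lib.types.string` in `admins` is deprecated in favour of `lib.types.str`. The `serverEnvFile`/`agentEnvFile` defaults under `/etc` hold shared secrets but, unlike `dbPasswordFile` in pp-gitea.nix, nothing here enforces their permissions; a `system.activationScripts` entry doing `chmod 400` on both files, as pp-gitea.nix does for its password file, would close that gap.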
+++ b/base.nix @@ -44,13 +44,6 @@ in { keyMap = "fr"; }; - users.users.histausse = { - isNormalUser = true; - extraGroups = [ - "wheel" - ]; - }; - environment.systemPackages = with pkgs; [ vim git From bc70008a902bb3f79d623cd32a35a3ea173f7272 Mon Sep 17 00:00:00 2001 From: Histausse Date: Sun, 7 May 2023 00:11:45 +0200 Subject: [PATCH 03/31] add swap size param --- base.nix | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/base.nix b/base.nix index 398075e..d34597e 100644 --- a/base.nix +++ b/base.nix @@ -19,13 +19,19 @@ in { example = "example@example.com"; description = "Email of the admin, use for ACME and stuff"; }; + swapSize = mkOption { + type = types.int; + default = 1024; + example = 2048; + description = "Size of the swap file"; + }; }; config = { swapDevices = [ { device = "/swapfile"; priority = 0; - size = 1024; + size = cfg.swapSize; } ]; From 2f7d5273d77d60162a64a89ef08312e5681e4edc Mon Sep 17 00:00:00 2001 From: Histausse Date: Sun, 21 May 2023 00:02:43 +0200 Subject: [PATCH 04/31] enable packages (?) --- pp-gitea.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pp-gitea.nix b/pp-gitea.nix index f19b8d9..2aee016 100644 --- a/pp-gitea.nix +++ b/pp-gitea.nix @@ -71,6 +71,9 @@ in cp -f -s -r ${cfg.customPackage}/* ${config.services.gitea.stateDir}/custom/ ''; services.gitea.settings = { + packages = { + ENABLED = true; + }; ui = { THEMES = "gitea,arc-green,plex,aquamarine,dark,dracula,hotline,organizr,space-gray,hotpink,onedark,overseerr,nord"; DEFAULT_THEME = "dark"; From 3fcc08557e1c62e212413a1cb5ad4851b64bd521 Mon Sep 17 00:00:00 2001 From: Histausse Date: Sun, 21 May 2023 00:22:15 +0200 Subject: [PATCH 05/31] not necessary? --- pp-gitea.nix | 3 --- 1 file changed, 3 deletions(-) diff --git a/pp-gitea.nix b/pp-gitea.nix index 2aee016..f19b8d9 100644 --- a/pp-gitea.nix +++ b/pp-gitea.nix 
@@ -71,9 +71,6 @@ in cp -f -s -r ${cfg.customPackage}/* ${config.services.gitea.stateDir}/custom/ ''; services.gitea.settings = { - packages = { - ENABLED = true; - }; ui = { THEMES = "gitea,arc-green,plex,aquamarine,dark,dracula,hotline,organizr,space-gray,hotpink,onedark,overseerr,nord"; DEFAULT_THEME = "dark"; From 257e36d8194c57acd805a35d078122ec33b72c6f Mon Sep 17 00:00:00 2001 From: Histausse Date: Sun, 21 May 2023 00:27:13 +0200 Subject: [PATCH 06/31] in fact, yes it is --- pp-gitea.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pp-gitea.nix b/pp-gitea.nix index f19b8d9..b7aeaee 100644 --- a/pp-gitea.nix +++ b/pp-gitea.nix @@ -71,6 +71,9 @@ in cp -f -s -r ${cfg.customPackage}/* ${config.services.gitea.stateDir}/custom/ ''; services.gitea.settings = { + packages = { + ENABLED = true; + }; ui = { THEMES = "gitea,arc-green,plex,aquamarine,dark,dracula,hotline,organizr,space-gray,hotpink,onedark,overseerr,nord"; DEFAULT_THEME = "dark"; From 952e70dcd88c2346fcb0044a355be0e62556592f Mon Sep 17 00:00:00 2001 From: Histausse Date: Sun, 21 May 2023 00:41:09 +0200 Subject: [PATCH 07/31] well I think not --- pp-gitea.nix | 3 --- 1 file changed, 3 deletions(-) diff --git a/pp-gitea.nix b/pp-gitea.nix index b7aeaee..f19b8d9 100644 --- a/pp-gitea.nix +++ b/pp-gitea.nix @@ -71,9 +71,6 @@ in cp -f -s -r ${cfg.customPackage}/* ${config.services.gitea.stateDir}/custom/ ''; services.gitea.settings = { - packages = { - ENABLED = true; - }; ui = { THEMES = "gitea,arc-green,plex,aquamarine,dark,dracula,hotline,organizr,space-gray,hotpink,onedark,overseerr,nord"; DEFAULT_THEME = "dark"; From 42ba7665f2361f6a0f3d3548622b44a2144b4a87 Mon Sep 17 00:00:00 2001 From: Histausse Date: Sun, 21 May 2023 01:08:36 +0200 Subject: [PATCH 08/31] remove max body size for registry --- pp-gitea.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pp-gitea.nix b/pp-gitea.nix index f19b8d9..90454ea 100644 --- a/pp-gitea.nix +++ b/pp-gitea.nix 
@@ -93,6 +93,7 @@ in locations."/" = { proxyPass = "http://127.0.0.1:3000"; extraConfig = '' + client_max_body_size 0; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Real-IP $remote_addr; From 7a2d7a0e7518408bc47c7edda6add7ca6d19a6f7 Mon Sep 17 00:00:00 2001 From: Histausse Date: Sat, 27 May 2023 23:40:57 +0200 Subject: [PATCH 09/31] add hostname resolution --- pp-woodpecker.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pp-woodpecker.nix b/pp-woodpecker.nix index dfeb172..05be455 100644 --- a/pp-woodpecker.nix +++ b/pp-woodpecker.nix @@ -77,6 +77,7 @@ in }; virtualisation.podman.enable = true; + virtualisation.podman.defaultNetwork.dnsname.enable = true; services.woodpecker-agents.agents.podman = { enable = true; extraGroups = [ "podman" ]; From 60f8eab05a3a674e8c158a7a57ce12d78ddf3794 Mon Sep 17 00:00:00 2001 From: Jean-Marie 'Histausse' Mineau Date: Sat, 19 Aug 2023 23:51:07 +0200 Subject: [PATCH 10/31] add push to create --- pp-gitea.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pp-gitea.nix b/pp-gitea.nix index 90454ea..5178df3 100644 --- a/pp-gitea.nix +++ b/pp-gitea.nix @@ -54,6 +54,10 @@ in services.gitea.domain = cfg.domain; # services.gitea.database.type = "postgres"; # Default is sqlite3, probably better for a small instance services.gitea.database.passwordFile = cfg.dbPasswordFile; + + services.gitea.settings.repository.ENABLE_PUSH_CREATE_USER = true; + services.gitea.settings.repository.ENABLE_PUSH_CREATE_ORG = true; + # Set the permittions for the db file system.activationScripts = { giteaDbFilePermission.text = From f72e74d4aee0c5e6babd30f649910387feea4cc1 Mon Sep 17 00:00:00 2001 From: Vi Retault Date: Tue, 3 Oct 2023 16:32:12 -0400 Subject: [PATCH 11/31] updated upstream hash --- pp-woodpecker.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pp-woodpecker.nix b/pp-woodpecker.nix index 05be455..a5551a2 100644 --- a/pp-woodpecker.nix 
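Review bot: `client_max_body_size 0;` removes nginx's request-body limit for the whole vhost, so an unauthenticated client can stream arbitrarily large bodies to the backend and exhaust disk or temp space before gitea ever authenticates the request. If the motivation is registry/LFS uploads, a large but finite value (for example `client_max_body_size 2G;`) bounds that exposure, and the directive can be scoped to the paths that need it (a `locations."/v2/"` block) instead of `"/"`. It is also worth checking which gitea-side size limits apply, since they are presumably what should bound uploads once nginx no longer does.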
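Review bot: `virtualisation.podman.defaultNetwork.dnsname.enable` is, if I recall the 23.05 rename correctly, the old spelling of `virtualisation.podman.defaultNetwork.settings.dns_enabled = true;`, and since this file already imports its woodpecker modules from nixos-unstable the two are likely to drift apart. A short comment naming the nixpkgs release this option was written against (`# podman dnsname: option name valid for nixpkgs <RELEASE>, renamed later`) would make the next upgrade failure self-explanatory.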
+++ b/pp-woodpecker.nix @@ -9,7 +9,7 @@ in # Woodpeeker is not in stable yet but the module is good enought (builtins.fetchurl { url = "https://github.com/NixOS/nixpkgs/raw/nixos-unstable/nixos/modules/services/continuous-integration/woodpecker/server.nix"; - sha256 = "0fbgr0s690c3i90c8rmnazilh3gl9x698pm69f8lqg2glz9rq13f"; + sha256 = "13dzbcb0fi0bwam0mlf6d6ly0x90pr8sq68kzs65mszbvsd5lqjb"; }) (builtins.fetchurl { url = "https://github.com/NixOS/nixpkgs/raw/nixos-unstable/nixos/modules/services/continuous-integration/woodpecker/agents.nix"; From b71ced5fbfd1cf1bb14a95d684a821301c10634b Mon Sep 17 00:00:00 2001 From: Vi Retault Date: Tue, 3 Oct 2023 16:56:18 -0400 Subject: [PATCH 12/31] updated upstream hash --- pp-woodpecker.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pp-woodpecker.nix b/pp-woodpecker.nix index a5551a2..ead633e 100644 --- a/pp-woodpecker.nix +++ b/pp-woodpecker.nix @@ -13,7 +13,7 @@ in }) (builtins.fetchurl { url = "https://github.com/NixOS/nixpkgs/raw/nixos-unstable/nixos/modules/services/continuous-integration/woodpecker/agents.nix"; - sha256 = "06zmmg95c2pbrl7i6vl9zypmh4hysl3hkwhqjp2ylnndddhh7ihc"; + sha256 = "14kjj9ybahmfqflvsa8p0va1z3zhliybggxd148fzz4bnjsqpsla"; }) ]; options.services.ppWoodpecker = { From 41ee11094fabb788d375f48db2ced6191ace7822 Mon Sep 17 00:00:00 2001 From: Jean-Marie 'Histausse' Mineau Date: Sat, 10 Feb 2024 18:31:53 +0100 Subject: [PATCH 13/31] add config for forgejo --- pp-forgejo.nix | 114 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 114 insertions(+) create mode 100644 pp-forgejo.nix diff --git a/pp-forgejo.nix b/pp-forgejo.nix new file mode 100644 index 0000000..8218871 --- /dev/null +++ b/pp-forgejo.nix 
@@ -0,0 +1,114 @@ +{ config, pkgs, lib, ... }: +with lib; +let + cfgBase = config.base; + cfg = config.services.ppForgejo; +in +{ + options.services.ppForgejo = { + domain = mkOption { + type = types.str; + default = "git.${cfgBase.domainName}"; + example = "git.example.com"; + description = "The domain of the server"; + }; + openIdEnable = mkOption { + type = types.bool; + default = false; + description = "If OpenId provider is setup and should be used exclusively."; + }; + openIdClientName = mkOption { + type = types.str; + default = ""; + description = "The name (id) of the openId client to use exclusively."; + }; + customPackage = mkOption { + type = types.package; + default = pkgs.fetchgit { + url = "https://git.mineau.eu/histausse/gitea_custom"; + sha256 = "0r1kjkn0mkfyp2lb8j59frh1vnd1m54swpqwiasvg77r04ibfmn5"; + }; + description= "The package for custom configs like theme."; + }; + dbPasswordFile = mkOption { + type = types.str; + default = "/etc/forgejo_db_pwd"; + description = "The file containing the database password. Be sure to secure it."; + }; + }; + + config = { + + services.forgejo.appName = "git"; + services.forgejo.stateDir = "/var/lib/forgejo"; # default value, /var/lib/gitea in gitea, move it before migration! + services.forgejo.enable = true; + services.forgejo.rootUrl = "https://${cfg.domain}/"; + services.forgejo.settings.session.COOKIE_SECURE = lib.mkForce true; # Why do I need to override this??? 
+ + # If true, openid users cannot create new account + #services.forgejo.settings.service.DISABLE_REGISTRATION = lib.mkForce (!cfg.openIdEnable); + services.forgejo.settings.service.DISABLE_REGISTRATION = lib.mkForce false; + services.forgejo.settings.service.ALLOW_ONLY_EXTERNAL_REGISTRATION = cfg.openIdEnable; + + services.forgejo.lfs.enable = true; + services.forgejo.domain = cfg.domain; + # services.forgejo.database.type = "postgres"; # Default is sqlite3, probably better for a small instance + services.forgejo.database.passwordFile = cfg.dbPasswordFile; + # Set the permittions for the db file + system.activationScripts = { + forgejoDbFilePermission.text = + '' + chmod 400 ${cfg.dbPasswordFile} + chown ${config.services.forgejo.user} ${cfg.dbPasswordFile} + ''; + }; + environment.systemPackages = with pkgs; [ + forgejo + ]; + systemd.services.forgejo.environment.FORGEJO_CUSTOM = "${config.services.forgejo.stateDir}/custom"; + systemd.services.forgejo.preStart = lib.mkAfter '' + find ${config.services.forgejo.stateDir}/ -type d -exec chmod u+w {} \; + cp -f -s -r ${cfg.customPackage}/* ${config.services.forgejo.stateDir}/custom/ + ''; + services.forgejo.settings = { + ui = { + THEMES = "forgejo-auto,forgejo-light,forgejo-dark,auto,gitea,arc-green,plex,aquamarine,dark,dracula,hotline,organizr,space-gray,hotpink,onedark,overseerr,nord"; + DEFAULT_THEME = "forgejo-auto"; + }; + "ui.meta" = { + DESCRIPTION = "Code everywhere"; + }; + }; + + + # NGINX + security.acme.acceptTerms = true; + security.acme.defaults.email = cfgBase.adminEmail; + services.nginx = { + enable = true; + virtualHosts = { + "${cfg.domain}" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://127.0.0.1:3000"; + extraConfig = '' + client_max_body_size 0; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header 
X-Forwarded-Proto $scheme; + proxy_set_header Host $host; + proxy_pass_request_headers on; + ''; + }; + locations."/user/login" = lib.mkIf (cfg.openIdEnable) { + return = "301 https://$host/user/oauth2/${cfg.openIdClientName}"; + }; + }; + }; + }; + networking.firewall.allowedTCPPorts = [ 80 443 ]; + }; +} From 64c8eb3a9585c3b187d919166fe0c911e37de7e2 Mon Sep 17 00:00:00 2001 From: Jean-Marie 'Histausse' Mineau Date: Sat, 10 Feb 2024 18:34:12 +0100 Subject: [PATCH 14/31] add push to create --- pp-forgejo.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pp-forgejo.nix b/pp-forgejo.nix index 8218871..4da2adf 100644 --- a/pp-forgejo.nix +++ b/pp-forgejo.nix @@ -54,6 +54,10 @@ in services.forgejo.domain = cfg.domain; # services.forgejo.database.type = "postgres"; # Default is sqlite3, probably better for a small instance services.forgejo.database.passwordFile = cfg.dbPasswordFile; + + services.forgejo.settings.repository.ENABLE_PUSH_CREATE_USER = true; + services.forgejo.settings.repository.ENABLE_PUSH_CREATE_ORG = true; + # Set the permittions for the db file system.activationScripts = { forgejoDbFilePermission.text = From 8416ffacad2a0a9234f824a8862c2fd2c8a47c99 Mon Sep 17 00:00:00 2001 From: Jean-Marie 'Histausse' Mineau Date: Sat, 10 Feb 2024 19:05:52 +0100 Subject: [PATCH 15/31] update var name --- pp-forgejo.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pp-forgejo.nix b/pp-forgejo.nix index 4da2adf..9bf26c7 100644 --- a/pp-forgejo.nix +++ b/pp-forgejo.nix 
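Review bot: `openIdClientName` defaults to `""` while `locations."/user/login"` builds its redirect from it, so enabling `openIdEnable` without setting the name sends every login to `https://$host/user/oauth2/` and breaks sign-in instead of failing at build time. An assertion in `config` catches this during evaluation: `assertions = [ { assertion = !cfg.openIdEnable || cfg.openIdClientName != ""; message = "services.ppForgejo.openIdClientName must be set when openIdEnable is true"; } ];`. Separately, `DISABLE_REGISTRATION = lib.mkForce false` leaves self-registration open on a public host whenever `openIdEnable` is false, since only the external-only restriction is tied to the option; if that is intended, a comment saying so next to the commented-out line would help, otherwise a dedicated `registrationEnabled` option would make the exposure an explicit choice. The `customPackage` default fetches from a personal git host pinned by `sha256`, which is fine for integrity, but a comment noting that the hash must be re-pinned on every theme update would spare the next maintainer a surprise.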
@@ -39,10 +39,10 @@ in config = { - services.forgejo.appName = "git"; + services.forgejo.settings.DEFAULT.APP_NAME = "git"; services.forgejo.stateDir = "/var/lib/forgejo"; # default value, /var/lib/gitea in gitea, move it before migration! services.forgejo.enable = true; - services.forgejo.rootUrl = "https://${cfg.domain}/"; + services.forgejo.settings.server.ROOT_URL = "https://${cfg.domain}/"; services.forgejo.settings.session.COOKIE_SECURE = lib.mkForce true; # Why do I need to override this??? # If true, openid users cannot create new account @@ -51,7 +51,7 @@ in services.forgejo.settings.service.ALLOW_ONLY_EXTERNAL_REGISTRATION = cfg.openIdEnable; services.forgejo.lfs.enable = true; - services.forgejo.domain = cfg.domain; + services.forgejo.settings.server.DOMAIN = cfg.domain; # services.forgejo.database.type = "postgres"; # Default is sqlite3, probably better for a small instance services.forgejo.database.passwordFile = cfg.dbPasswordFile; From a8ed56ac64df05ba10125831e43c35bb0dafa1a6 Mon Sep 17 00:00:00 2001 From: Jean-Marie 'Histausse' Mineau Date: Sat, 10 Feb 2024 20:42:50 +0100 Subject: [PATCH 16/31] add instruction for migration from gitea --- pp-forgejo.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pp-forgejo.nix b/pp-forgejo.nix index 9bf26c7..7a0ec2b 100644 --- a/pp-forgejo.nix +++ b/pp-forgejo.nix @@ -41,6 +41,8 @@ in services.forgejo.settings.DEFAULT.APP_NAME = "git"; services.forgejo.stateDir = "/var/lib/forgejo"; # default value, /var/lib/gitea in gitea, move it before migration! + # carefull to change ownership from gitea to forgejo + # and to move /var/lib/forgejo/data/gitea.db to /var/lib/forgejo/data/forgejo.db services.forgejo.enable = true; services.forgejo.settings.server.ROOT_URL = "https://${cfg.domain}/"; services.forgejo.settings.session.COOKIE_SECURE = lib.mkForce true; # Why do I need to override this??? From e271cb59543d8b19b65ca411515113910b385864 Mon Sep 17 00:00:00 2001 
From: Jean-Marie 'Histausse' Mineau Date: Mon, 12 Feb 2024 22:49:23 +0100 Subject: [PATCH 17/31] add forgejo runner --- pp-forgejo-runner.nix | 40 ++++++++++++++++++++++++++++++++++++++++ pp-forgejo.nix | 14 +++++++++++++- 2 files changed, 53 insertions(+), 1 deletion(-) create mode 100644 pp-forgejo-runner.nix diff --git a/pp-forgejo-runner.nix b/pp-forgejo-runner.nix new file mode 100644 index 0000000..185a601 --- /dev/null +++ b/pp-forgejo-runner.nix @@ -0,0 +1,40 @@ +{ config, pkgs, ... }: +with lib; +let + cfgBase = config.base; + cfg = config.services.ppForgejoRunner; +in +{ + options.services.ppForgejoRunner = { + forgeUrl = mkOption { + type = types.str; + default = "git.${cfgBase.domainName}"; + example = "git.example.com"; + description = "The domain of the forgejo server"; + }; + runnerName = mkOption { + type = types.str; + default = "${cfgBase.name}.${cfgBase.domainName}"; + example = "git-runner.example.com"; + description = "The name of the runner"; + }; + tokenFile = mkOption { + type = types.str; + default = "/etc/forgejo_db_pwd"; + description = "The file containing the token to access forgejo. Be sure to secure it. The content of the file must be of the form TOKEN="; + }; + }; + + config = { + virtualisation.podman.enable = true; + services.gitea-actions-runner.package = pkgs.forgejo-actions-runner; + services.gitea-actions-runner.instances."${cfg.runnerName}" = { + enable = true; + name = cfg.runnerName; + url = cfg.forgeUrl; + tokenFile = cfg.tokenFile; + labels = [ + "debian:docker://debian:bookworm" + ]; + }; +} diff --git a/pp-forgejo.nix b/pp-forgejo.nix index 7a0ec2b..6ad979d 100644 --- a/pp-forgejo.nix +++ b/pp-forgejo.nix @@ -12,7 +12,7 @@ in example = "git.example.com"; description = "The domain of the server"; }; - openIdEnable = mkOption { + openIdEnabled = mkOption { type = types.bool; default = false; description = "If OpenId provider is setup and should be used exclusively."; 
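Review bot: `tokenFile` is documented as something to secure, but unlike `dbPasswordFile` in pp-forgejo.nix nothing in this module enforces its mode; mirroring that file's `system.activationScripts` entry with `chmod 400 ${cfg.tokenFile}` would make the expectation concrete rather than advisory. The single `labels` entry pins the job image to the mutable `debian:bookworm` tag, so the CI environment changes whenever that tag is repointed; a digest-pinned reference, or at least a comment that the tag is intentionally floating, keeps builds reproducible. The option doc could also state the format and expected ownership together, e.g. `description = "File read by the runner service (presumably as an environment file) containing a line TOKEN=<registration token>; keep it mode 0400 and root-owned.";`, with the environment-file assumption confirmed against the gitea-actions-runner module.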
@@ -35,6 +35,11 @@ in default = "/etc/forgejo_db_pwd"; description = "The file containing the database password. Be sure to secure it."; }; + actionsEnabled = mkOption { + type: types.bool; + default = false; + description = "Enable the use of actions"; + }; }; config = { @@ -59,6 +64,7 @@ in services.forgejo.settings.repository.ENABLE_PUSH_CREATE_USER = true; services.forgejo.settings.repository.ENABLE_PUSH_CREATE_ORG = true; + services.forgejo.settings.repository.DEFAULT_REPO_UNITS = "repo.code,repo.releases,repo.issues,repo.pulls,repo.wiki,repo.projects,repo.packages,repo.actions"; # Set the permittions for the db file system.activationScripts = { @@ -85,6 +91,12 @@ in DESCRIPTION = "Code everywhere"; }; }; + + + services.forgejo.settings.actions = lib.mkIf (cfg.actionsEnabled) { + ENABLED = true; + DEFAULT_ACTION_URL = "https://${cfg.domain}"; + }; # NGINX From 0f55fc4762348d5a8942571e07b08c786b38b53c Mon Sep 17 00:00:00 2001 From: Jean-Marie 'Histausse' Mineau Date: Mon, 12 Feb 2024 22:54:53 +0100 Subject: [PATCH 18/31] fix typo --- pp-forgejo.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pp-forgejo.nix b/pp-forgejo.nix index 6ad979d..3d9eb42 100644 --- a/pp-forgejo.nix +++ b/pp-forgejo.nix @@ -36,7 +36,7 @@ in description = "The file containing the database password. Be sure to secure it."; }; actionsEnabled = mkOption { - type: types.bool; + type = types.bool; default = false; description = "Enable the use of actions"; }; From 1f86334c19dd64e31771f2fcbf28030dc1ea640e Mon Sep 17 00:00:00 2001 From: Jean-Marie 'Histausse' Mineau Date: Mon, 12 Feb 2024 22:56:22 +0100 Subject: [PATCH 19/31] fix typo --- pp-forgejo-runner.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pp-forgejo-runner.nix b/pp-forgejo-runner.nix index 185a601..ae60542 100644 --- a/pp-forgejo-runner.nix +++ b/pp-forgejo-runner.nix @@ -37,4 +37,5 @@ in "debian:docker://debian:bookworm" ]; }; + } } From 63a5f9973e25e7c352f67344baf88814225c9a42 Mon Sep 17 00:00:00 2001 
From: Jean-Marie 'Histausse' Mineau Date: Mon, 12 Feb 2024 22:57:09 +0100 Subject: [PATCH 20/31] fix typo --- pp-forgejo-runner.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pp-forgejo-runner.nix b/pp-forgejo-runner.nix index ae60542..5e8f3dc 100644 --- a/pp-forgejo-runner.nix +++ b/pp-forgejo-runner.nix @@ -37,5 +37,5 @@ in "debian:docker://debian:bookworm" ]; }; - } + }; } From e1f483126cd0b77d846e5030380e4d6b65d2080d Mon Sep 17 00:00:00 2001 From: Jean-Marie 'Histausse' Mineau Date: Mon, 12 Feb 2024 22:57:56 +0100 Subject: [PATCH 21/31] fix typo --- pp-forgejo-runner.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pp-forgejo-runner.nix b/pp-forgejo-runner.nix index 5e8f3dc..18adc1d 100644 --- a/pp-forgejo-runner.nix +++ b/pp-forgejo-runner.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ lib, config, pkgs, ... }: with lib; let cfgBase = config.base; From e108f7410c616cdd6dafb88331e964adbda0504e Mon Sep 17 00:00:00 2001 From: Jean-Marie 'Histausse' Mineau Date: Mon, 12 Feb 2024 23:00:04 +0100 Subject: [PATCH 22/31] fix typo --- pp-forgejo.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pp-forgejo.nix b/pp-forgejo.nix index 3d9eb42..1b19a62 100644 --- a/pp-forgejo.nix +++ b/pp-forgejo.nix @@ -53,9 +53,9 @@ in services.forgejo.settings.session.COOKIE_SECURE = lib.mkForce true; # Why do I need to override this??? # If true, openid users cannot create new account - #services.forgejo.settings.service.DISABLE_REGISTRATION = lib.mkForce (!cfg.openIdEnable); + #services.forgejo.settings.service.DISABLE_REGISTRATION = lib.mkForce (!cfg.openIdEnabled); services.forgejo.settings.service.DISABLE_REGISTRATION = lib.mkForce false; - services.forgejo.settings.service.ALLOW_ONLY_EXTERNAL_REGISTRATION = cfg.openIdEnable; + services.forgejo.settings.service.ALLOW_ONLY_EXTERNAL_REGISTRATION = cfg.openIdEnabled; services.forgejo.lfs.enable = true; services.forgejo.settings.server.DOMAIN = cfg.domain; 
@@ -121,7 +121,7 @@ in proxy_pass_request_headers on; ''; }; - locations."/user/login" = lib.mkIf (cfg.openIdEnable) { + locations."/user/login" = lib.mkIf (cfg.openIdEnabled) { return = "301 https://$host/user/oauth2/${cfg.openIdClientName}"; }; }; From dd1495ebf4bad9361d8af8a0c57c5ae0a47db351 Mon Sep 17 00:00:00 2001 From: Jean-Marie 'Histausse' Mineau Date: Mon, 12 Feb 2024 23:04:12 +0100 Subject: [PATCH 23/31] fix token file --- pp-forgejo-runner.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pp-forgejo-runner.nix b/pp-forgejo-runner.nix index 18adc1d..f647327 100644 --- a/pp-forgejo-runner.nix +++ b/pp-forgejo-runner.nix @@ -20,7 +20,7 @@ in }; tokenFile = mkOption { type = types.str; - default = "/etc/forgejo_db_pwd"; + default = "/etc/forgejo_runner_token"; description = "The file containing the token to access forgejo. Be sure to secure it. The content of the file must be of the form TOKEN="; }; }; From 3d62d3a0e5c1bce079ec7bbd19c31efec777d49e Mon Sep 17 00:00:00 2001 From: Jean-Marie 'Histausse' Mineau Date: Mon, 12 Feb 2024 23:08:04 +0100 Subject: [PATCH 24/31] fix scheme --- pp-forgejo-runner.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pp-forgejo-runner.nix b/pp-forgejo-runner.nix index f647327..e504650 100644 --- a/pp-forgejo-runner.nix +++ b/pp-forgejo-runner.nix @@ -8,8 +8,8 @@ in options.services.ppForgejoRunner = { forgeUrl = mkOption { type = types.str; - default = "git.${cfgBase.domainName}"; - example = "git.example.com"; + default = "https://git.${cfgBase.domainName}"; + example = "https://git.example.com"; description = "The domain of the forgejo server"; }; runnerName = mkOption { From 670404c5a1479f03b5105c5c3c26ed4d0573d473 Mon Sep 17 00:00:00 2001 From: Jean-Marie 'Histausse' Mineau Date: Mon, 12 Feb 2024 23:24:00 +0100 Subject: [PATCH 25/31] rename forgejo user to 'git' --- pp-forgejo.nix | 2 ++ 1 file changed, 2 insertions(+) 
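Review bot: After this change `forgeUrl` holds a full URL with scheme, but its `description` still says "The domain of the forgejo server", so the doc now disagrees with both the option name and the example. `description = "The URL (including scheme) of the forgejo instance the runner registers with";` keeps the three in step.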
diff --git a/pp-forgejo.nix b/pp-forgejo.nix index 1b19a62..a30347f 100644 --- a/pp-forgejo.nix +++ b/pp-forgejo.nix @@ -52,6 +52,8 @@ in services.forgejo.settings.server.ROOT_URL = "https://${cfg.domain}/"; services.forgejo.settings.session.COOKIE_SECURE = lib.mkForce true; # Why do I need to override this??? + services.forgejo.user = "git"; + # If true, openid users cannot create new account #services.forgejo.settings.service.DISABLE_REGISTRATION = lib.mkForce (!cfg.openIdEnabled); services.forgejo.settings.service.DISABLE_REGISTRATION = lib.mkForce false; From c1a5ba6a20fcef5483abfe0eaf930b21c9114ded Mon Sep 17 00:00:00 2001 From: Jean-Marie 'Histausse' Mineau Date: Mon, 12 Feb 2024 23:32:11 +0100 Subject: [PATCH 26/31] create user --- pp-forgejo.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pp-forgejo.nix b/pp-forgejo.nix index a30347f..be76f3b 100644 --- a/pp-forgejo.nix +++ b/pp-forgejo.nix @@ -53,6 +53,11 @@ in services.forgejo.settings.session.COOKIE_SECURE = lib.mkForce true; # Why do I need to override this??? services.forgejo.user = "git"; + users.users.git = { + home = services.forgejo.stateDir; + useDefaultShell = true; + isSystemUser = true; + } # If true, openid users cannot create new account #services.forgejo.settings.service.DISABLE_REGISTRATION = lib.mkForce (!cfg.openIdEnabled); From e75cce74b8349b99e2e180e17d1462272f000083 Mon Sep 17 00:00:00 2001 From: Jean-Marie 'Histausse' Mineau Date: Mon, 12 Feb 2024 23:33:08 +0100 Subject: [PATCH 27/31] fix typo --- pp-forgejo.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pp-forgejo.nix b/pp-forgejo.nix index be76f3b..cf487ae 100644 --- a/pp-forgejo.nix +++ b/pp-forgejo.nix @@ -57,7 +57,7 @@ in home = services.forgejo.stateDir; useDefaultShell = true; isSystemUser = true; - } + }; # If true, openid users cannot create new account #services.forgejo.settings.service.DISABLE_REGISTRATION = lib.mkForce (!cfg.openIdEnabled); 
From 07278433607ad55c384ef9af575841d6fb7c6e24 Mon Sep 17 00:00:00 2001 From: Jean-Marie 'Histausse' Mineau Date: Mon, 12 Feb 2024 23:34:14 +0100 Subject: [PATCH 28/31] create group --- pp-forgejo.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pp-forgejo.nix b/pp-forgejo.nix index cf487ae..ab535f1 100644 --- a/pp-forgejo.nix +++ b/pp-forgejo.nix @@ -57,7 +57,9 @@ in home = services.forgejo.stateDir; useDefaultShell = true; isSystemUser = true; + group = "git"; }; + users.groups.git = {}; # If true, openid users cannot create new account #services.forgejo.settings.service.DISABLE_REGISTRATION = lib.mkForce (!cfg.openIdEnabled); From 2a49b7afd835681c9ea87e0737c0bab3134d172c Mon Sep 17 00:00:00 2001 From: Jean-Marie 'Histausse' Mineau Date: Mon, 12 Feb 2024 23:35:26 +0100 Subject: [PATCH 29/31] fix typo --- pp-forgejo.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pp-forgejo.nix b/pp-forgejo.nix index ab535f1..1cd3211 100644 --- a/pp-forgejo.nix +++ b/pp-forgejo.nix @@ -54,7 +54,7 @@ in services.forgejo.user = "git"; users.users.git = { - home = services.forgejo.stateDir; + home = config.services.forgejo.stateDir; useDefaultShell = true; isSystemUser = true; group = "git"; From 6b24432c10434babf5a6036bba13b36e865ee5f0 Mon Sep 17 00:00:00 2001 From: Jean-Marie 'Histausse' Mineau Date: Thu, 11 Jul 2024 23:50:34 +0200 Subject: [PATCH 30/31] remove custom theme --- pp-forgejo.nix | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/pp-forgejo.nix b/pp-forgejo.nix index 1cd3211..87294cf 100644 --- a/pp-forgejo.nix +++ b/pp-forgejo.nix 
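Review bot: The unix user `git` now has primary group `git`, but the forgejo service's own group option (if the module exposes `services.forgejo.group` as the gitea one does) is left at its default, so files the module creates and the activation-script `chown ${config.services.forgejo.user} …` (which sets only the owner) may end up `git:forgejo` rather than `git:git`; setting `services.forgejo.group = "git";` next to `services.forgejo.user = "git";` keeps ownership consistent. `useDefaultShell = true` on a system user is unusual and presumably required for git-over-SSH through this account; a one-line comment saying so would stop a later cleanup from switching it to a nologin shell and breaking pushes.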
@@ -22,14 +22,6 @@ in default = ""; description = "The name (id) of the openId client to use exclusively."; }; - customPackage = mkOption { - type = types.package; - default = pkgs.fetchgit { - url = "https://git.mineau.eu/histausse/gitea_custom"; - sha256 = "0r1kjkn0mkfyp2lb8j59frh1vnd1m54swpqwiasvg77r04ibfmn5"; - }; - description= "The package for custom configs like theme."; - }; dbPasswordFile = mkOption { type = types.str; default = "/etc/forgejo_db_pwd"; @@ -87,13 +79,9 @@ in forgejo ]; systemd.services.forgejo.environment.FORGEJO_CUSTOM = "${config.services.forgejo.stateDir}/custom"; - systemd.services.forgejo.preStart = lib.mkAfter '' - find ${config.services.forgejo.stateDir}/ -type d -exec chmod u+w {} \; - cp -f -s -r ${cfg.customPackage}/* ${config.services.forgejo.stateDir}/custom/ - ''; services.forgejo.settings = { ui = { - THEMES = "forgejo-auto,forgejo-light,forgejo-dark,auto,gitea,arc-green,plex,aquamarine,dark,dracula,hotline,organizr,space-gray,hotpink,onedark,overseerr,nord"; + THEMES = "forgejo-auto,forgejo-light,forgejo-dark,auto,gitea,arc-green"; DEFAULT_THEME = "forgejo-auto"; }; "ui.meta" = { From d3e61d3b894bd9338b345bc8bf4bde4075b12b50 Mon Sep 17 00:00:00 2001 From: Jean-Marie 'Histausse' Mineau Date: Sun, 23 Feb 2025 13:08:05 +0100 Subject: [PATCH 31/31] add module for node exporter --- pp-node-exporter.nix | 77 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 pp-node-exporter.nix diff --git a/pp-node-exporter.nix b/pp-node-exporter.nix new file mode 100644 index 0000000..11be08e --- /dev/null +++ b/pp-node-exporter.nix 
@@ -0,0 +1,77 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.services.ppNodeExporter; + prometheusCaFile = pkgs.writeTextFile { + name = "prometheus_ca.pem"; + text = cfg.prometheusCa; + }; + yaml = pkgs.formats.yaml { }; + nodeWebConfig = yaml.generate "prometheus-node-exporter-webconfig.yml" { + tls_server_config = { + client_ca_file = prometheusCaFile; + cert_file = cfg.prometheusNodeExporterCertFile; + key_file = cfg.prometheusNodeExporterCertKeyFile; + client_auth_type = "RequireAndVerifyClientCert"; + client_allowed_sans = lib.mkIf (cfg.prometheusNodeExporterAllowScrapperSans != null) cfg.prometheusNodeExporterAllowScrapperSans; + }; + }; +in { + options.services.ppNodeExporter = { + prometheusCa = lib.mkOption { + type = lib.types.str; + example = '' + -----BEGIN CERTIFICATE----- + MIIBaTCCAQ6gAwIBAgIUccDw/Xe2RC4p9gwdQMkcbPlS740wCgYIKoZIzj0EAwIw + EjEQMA4GA1UEAwwHZXhhbXBsZTAeFw0yNTAyMjMxMTQzMTlaFw0zNTAyMjExMTQz + MTlaMBIxEDAOBgNVBAMMB2V4YW1wbGUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC + AARk2SGMdAzOR+I+xAJDXO2nm8N4oa8V/kqstJrvd3gGTVsk8b0/EA+6ZrFISL0t + MroC27QCybMwRol9oalSVnoCo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB + /wQEAwIBhjAdBgNVHQ4EFgQUy13fD60aREMworuMEulXdkvTKOwwCgYIKoZIzj0E + AwIDSQAwRgIhALcoP/hicosVELvPfnomcEsWXTkkIVGbu1NeS5I2L72YAiEAi3AG + 7/hpeMxkaE0d2D8pr6exVlZR7kDa9FgDpfu/+a0= + -----END CERTIFICATE----- + ''; + description = "The CA that issues the prometheus scrapper certificate"; + }; + prometheusNodeExporterCertFile = lib.mkOption { + type = lib.types.path; + default = "/etc/prometheus-node-exporter/node-exporter.pem"; + description = "The file of the certificate use by prometheus node exporter."; + }; + prometheusNodeExporterCertKeyFile = lib.mkOption { + type = lib.types.path; + default = "/etc/prometheus-node-exporter/node-exporter.key"; + description = "The file of the key for the certificate used by prometheus node exporter."; + }; + prometheusNodeExporterAllowScrapperSans = lib.mkOption { + type = lib.types.nullOr (lib.types.listOf 
lib.types.str); + default = null; + example = [ "prometheus.example.com" ]; + description = "The list of Subject Alternative Names allowed to scrape node exporter. If not set, do not check Subject Names."; + }; + }; + config = { + system.activationScripts = { + prometheusNodeExporterFilePermission.text = + '' + chmod 640 ${cfg.prometheusNodeExporterCertFile} + chmod 640 ${cfg.prometheusNodeExporterCertKeyFile} + chown root:${config.services.prometheus.exporters.node.group} ${cfg.prometheusNodeExporterCertFile} + chown root:${config.services.prometheus.exporters.node.group} ${cfg.prometheusNodeExporterCertKeyFile} + ''; + }; + + services.prometheus = { + exporters = { + node = { + enable = true; + port = 9100; # default + enabledCollectors = [ "systemd" ]; # logind ? + extraFlags = [ + "--web.config.file=${nodeWebConfig}" + ]; + }; + }; + }; + }; +}
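Review bot: `lib.mkIf` inside the attribute set handed to `yaml.generate` is not a conditional there: outside the module system it just returns `{ _type = "if"; condition = …; content = …; }`, which the YAML generator will serialise literally under `tls_server_config.client_allowed_sans`, so node exporter will either reject the web config or, worse, run with no SAN restriction while the option looks applied. Replace it with a plain attrset merge: `} // lib.optionalAttrs (cfg.prometheusNodeExporterAllowScrapperSans != null) { client_allowed_sans = cfg.prometheusNodeExporterAllowScrapperSans; };`. The activation script `chown`s to `config.services.prometheus.exporters.node.group` but declares no dependency on user creation, so on a fresh install it can run before that group exists; `prometheusNodeExporterFilePermission = { deps = [ "users" ]; text = ''…''; };` fixes the ordering. Since the key file is then readable by the exporter's group, a comment stating that mode `640` root:<group> is the intended contract for `prometheusNodeExporterCertKeyFile` would make the expectation explicit for whoever provisions the files.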