histausse/nixos-modules
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Compare commits

base: histausse:d3e61d3b894bd9338b345bc8bf4bde4075b12b50
Branches Tags
histausse:main
..
compare: histausse:d336ea124ed7da2a9ebbef91c7b26d689f8c9cbf
Branches Tags
histausse:main

No commits in common. "d3e61d3b894bd9338b345bc8bf4bde4075b12b50" and "d336ea124ed7da2a9ebbef91c7b26d689f8c9cbf" have entirely different histories.
d3e61d3b89 ... d336ea124e

6 changed files with 8 additions and 376 deletions
Show stats Expand all files Collapse all files

15
base.nix
View file

@ -19,19 +19,13 @@ in {
example = "example@example.com"; example = "example@example.com";
description = "Email of the admin, use for ACME and stuff"; description = "Email of the admin, use for ACME and stuff";
}; };
swapSize = mkOption {
type = types.int;
default = 1024;
example = 2048;
description = "Size of the swap file";
};
}; };
config = { config = {
swapDevices = [ swapDevices = [
{ {
device = "/swapfile"; device = "/swapfile";
priority = 0; priority = 0;
size = cfg.swapSize; size = 1024;
} }
]; ];
@ -50,6 +44,13 @@ in {
keyMap = "fr"; keyMap = "fr";
}; };
users.users.histausse = {
isNormalUser = true;
extraGroups = [
"wheel"
];
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
vim vim
git git

41
pp-forgejo-runner.nix
View file

@ -1,41 +0,0 @@
{ lib, config, pkgs, ... }:
with lib;
let
cfgBase = config.base;
cfg = config.services.ppForgejoRunner;
in
{
options.services.ppForgejoRunner = {
forgeUrl = mkOption {
type = types.str;
default = "https://git.${cfgBase.domainName}";
example = "https://git.example.com";
description = "The domain of the forgejo server";
};
runnerName = mkOption {
type = types.str;
default = "${cfgBase.name}.${cfgBase.domainName}";
example = "git-runner.example.com";
description = "The name of the runner";
};
tokenFile = mkOption {
type = types.str;
default = "/etc/forgejo_runner_token";
description = "The file containing the token to access forgejo. Be sure to secure it. The content of the file must be of the form TOKEN=<token>";
};
};
config = {
virtualisation.podman.enable = true;
services.gitea-actions-runner.package = pkgs.forgejo-actions-runner;
services.gitea-actions-runner.instances."${cfg.runnerName}" = {
enable = true;
name = cfg.runnerName;
url = cfg.forgeUrl;
tokenFile = cfg.tokenFile;
labels = [
"debian:docker://debian:bookworm"
];
};
};
}

129
pp-forgejo.nix
View file

@ -1,129 +0,0 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfgBase = config.base;
cfg = config.services.ppForgejo;
in
{
options.services.ppForgejo = {
domain = mkOption {
type = types.str;
default = "git.${cfgBase.domainName}";
example = "git.example.com";
description = "The domain of the server";
};
openIdEnabled = mkOption {
type = types.bool;
default = false;
description = "If OpenId provider is setup and should be used exclusively.";
};
openIdClientName = mkOption {
type = types.str;
default = "";
description = "The name (id) of the openId client to use exclusively.";
};
dbPasswordFile = mkOption {
type = types.str;
default = "/etc/forgejo_db_pwd";
description = "The file containing the database password. Be sure to secure it.";
};
actionsEnabled = mkOption {
type = types.bool;
default = false;
description = "Enable the use of actions";
};
};
config = {
services.forgejo.settings.DEFAULT.APP_NAME = "git";
services.forgejo.stateDir = "/var/lib/forgejo"; # default value, /var/lib/gitea in gitea, move it before migration!
# carefull to change ownership from gitea to forgejo
# and to move /var/lib/forgejo/data/gitea.db to /var/lib/forgejo/data/forgejo.db
services.forgejo.enable = true;
services.forgejo.settings.server.ROOT_URL = "https://${cfg.domain}/";
services.forgejo.settings.session.COOKIE_SECURE = lib.mkForce true; # Why do I need to override this???
services.forgejo.user = "git";
users.users.git = {
home = config.services.forgejo.stateDir;
useDefaultShell = true;
isSystemUser = true;
group = "git";
};
users.groups.git = {};
# If true, openid users cannot create new account
#services.forgejo.settings.service.DISABLE_REGISTRATION = lib.mkForce (!cfg.openIdEnabled);
services.forgejo.settings.service.DISABLE_REGISTRATION = lib.mkForce false;
services.forgejo.settings.service.ALLOW_ONLY_EXTERNAL_REGISTRATION = cfg.openIdEnabled;
services.forgejo.lfs.enable = true;
services.forgejo.settings.server.DOMAIN = cfg.domain;
# services.forgejo.database.type = "postgres"; # Default is sqlite3, probably better for a small instance
services.forgejo.database.passwordFile = cfg.dbPasswordFile;
services.forgejo.settings.repository.ENABLE_PUSH_CREATE_USER = true;
services.forgejo.settings.repository.ENABLE_PUSH_CREATE_ORG = true;
services.forgejo.settings.repository.DEFAULT_REPO_UNITS = "repo.code,repo.releases,repo.issues,repo.pulls,repo.wiki,repo.projects,repo.packages,repo.actions";
# Set the permittions for the db file
system.activationScripts = {
forgejoDbFilePermission.text =
''
chmod 400 ${cfg.dbPasswordFile}
chown ${config.services.forgejo.user} ${cfg.dbPasswordFile}
'';
};
environment.systemPackages = with pkgs; [
forgejo
];
systemd.services.forgejo.environment.FORGEJO_CUSTOM = "${config.services.forgejo.stateDir}/custom";
services.forgejo.settings = {
ui = {
THEMES = "forgejo-auto,forgejo-light,forgejo-dark,auto,gitea,arc-green";
DEFAULT_THEME = "forgejo-auto";
};
"ui.meta" = {
DESCRIPTION = "Code everywhere";
};
};
services.forgejo.settings.actions = lib.mkIf (cfg.actionsEnabled) {
ENABLED = true;
DEFAULT_ACTION_URL = "https://${cfg.domain}";
};
# NGINX
security.acme.acceptTerms = true;
security.acme.defaults.email = cfgBase.adminEmail;
services.nginx = {
enable = true;
virtualHosts = {
"${cfg.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3000";
extraConfig = ''
client_max_body_size 0;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_pass_request_headers on;
'';
};
locations."/user/login" = lib.mkIf (cfg.openIdEnabled) {
return = "301 https://$host/user/oauth2/${cfg.openIdClientName}";
};
};
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
};
}

5
pp-gitea.nix
View file

@ -54,10 +54,6 @@ in
services.gitea.domain = cfg.domain; services.gitea.domain = cfg.domain;
# services.gitea.database.type = "postgres"; # Default is sqlite3, probably better for a small instance # services.gitea.database.type = "postgres"; # Default is sqlite3, probably better for a small instance
services.gitea.database.passwordFile = cfg.dbPasswordFile; services.gitea.database.passwordFile = cfg.dbPasswordFile;
services.gitea.settings.repository.ENABLE_PUSH_CREATE_USER = true;
services.gitea.settings.repository.ENABLE_PUSH_CREATE_ORG = true;
# Set the permittions for the db file # Set the permittions for the db file
system.activationScripts = { system.activationScripts = {
giteaDbFilePermission.text = giteaDbFilePermission.text =
@ -97,7 +93,6 @@ in
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:3000"; proxyPass = "http://127.0.0.1:3000";
extraConfig = '' extraConfig = ''
client_max_body_size 0;
proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;

77
pp-node-exporter.nix
View file

@ -1,77 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.ppNodeExporter;
prometheusCaFile = pkgs.writeTextFile {
name = "prometheus_ca.pem";
text = cfg.prometheusCa;
};
yaml = pkgs.formats.yaml { };
nodeWebConfig = yaml.generate "prometheus-node-exporter-webconfig.yml" {
tls_server_config = {
client_ca_file = prometheusCaFile;
cert_file = cfg.prometheusNodeExporterCertFile;
key_file = cfg.prometheusNodeExporterCertKeyFile;
client_auth_type = "RequireAndVerifyClientCert";
client_allowed_sans = lib.mkIf (cfg.prometheusNodeExporterAllowScrapperSans != null) cfg.prometheusNodeExporterAllowScrapperSans;
};
};
in {
options.services.ppNodeExporter = {
prometheusCa = lib.mkOption {
type = lib.types.str;
example = ''
-----BEGIN CERTIFICATE-----
MIIBaTCCAQ6gAwIBAgIUccDw/Xe2RC4p9gwdQMkcbPlS740wCgYIKoZIzj0EAwIw
EjEQMA4GA1UEAwwHZXhhbXBsZTAeFw0yNTAyMjMxMTQzMTlaFw0zNTAyMjExMTQz
MTlaMBIxEDAOBgNVBAMMB2V4YW1wbGUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
AARk2SGMdAzOR+I+xAJDXO2nm8N4oa8V/kqstJrvd3gGTVsk8b0/EA+6ZrFISL0t
MroC27QCybMwRol9oalSVnoCo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB
/wQEAwIBhjAdBgNVHQ4EFgQUy13fD60aREMworuMEulXdkvTKOwwCgYIKoZIzj0E
AwIDSQAwRgIhALcoP/hicosVELvPfnomcEsWXTkkIVGbu1NeS5I2L72YAiEAi3AG
7/hpeMxkaE0d2D8pr6exVlZR7kDa9FgDpfu/+a0=
-----END CERTIFICATE-----
'';
description = "The CA that issues the prometheus scrapper certificate";
};
prometheusNodeExporterCertFile = lib.mkOption {
type = lib.types.path;
default = "/etc/prometheus-node-exporter/node-exporter.pem";
description = "The file of the certificate use by prometheus node exporter.";
};
prometheusNodeExporterCertKeyFile = lib.mkOption {
type = lib.types.path;
default = "/etc/prometheus-node-exporter/node-exporter.key";
description = "The file of the key for the certificate used by prometheus node exporter.";
};
prometheusNodeExporterAllowScrapperSans = lib.mkOption {
type = lib.types.nullOr (lib.types.listOf lib.types.str);
default = null;
example = [ "prometheus.example.com" ];
description = "The list of Subject Alternative Names allowed to scrape node exporter. If not set, do not check Subject Names.";
};
};
config = {
system.activationScripts = {
prometheusNodeExporterFilePermission.text =
''
chmod 640 ${cfg.prometheusNodeExporterCertFile}
chmod 640 ${cfg.prometheusNodeExporterCertKeyFile}
chown root:${config.services.prometheus.exporters.node.group} ${cfg.prometheusNodeExporterCertFile}
chown root:${config.services.prometheus.exporters.node.group} ${cfg.prometheusNodeExporterCertKeyFile}
'';
};
services.prometheus = {
exporters = {
node = {
enable = true;
port = 9100; # default
enabledCollectors = [ "systemd" ]; # logind ?
extraFlags = [
"--web.config.file=${nodeWebConfig}"
];
};
};
};
};
}

117
pp-woodpecker.nix
View file

@ -1,117 +0,0 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfgBase = config.base;
cfg = config.services.ppWoodpecker;
in
{
imports = [
# Woodpeeker is not in stable yet but the module is good enought
(builtins.fetchurl {
url = "https://github.com/NixOS/nixpkgs/raw/nixos-unstable/nixos/modules/services/continuous-integration/woodpecker/server.nix";
sha256 = "13dzbcb0fi0bwam0mlf6d6ly0x90pr8sq68kzs65mszbvsd5lqjb";
})
(builtins.fetchurl {
url = "https://github.com/NixOS/nixpkgs/raw/nixos-unstable/nixos/modules/services/continuous-integration/woodpecker/agents.nix";
sha256 = "14kjj9ybahmfqflvsa8p0va1z3zhliybggxd148fzz4bnjsqpsla";
})
];
options.services.ppWoodpecker = {
serverEnvFile = mkOption {
type = types.str;
default = "/etc/woodpecker_server_env";
description = "The file containing the env secrets WOODPECKER_AGENT_SECRET and WOODPECKER_GITEA_SECRET, cf https://woodpecker-ci.org/docs/administration/vcs/gitea#configuration for gitea";
};
agentEnvFile = mkOption {
type = types.str;
default = "/etc/woodpecker_agent_env";
description = "The file containing the env secrets WOODPECKER_AGENT_SECRET";
};
domain = mkOption {
type = types.str;
default = "ci.${cfgBase.domainName}";
example = "ci.example.com";
description = "The domain of the server";
};
giteaDomain = mkOption {
type = types.str;
default = "git.${cfgBase.domainName}";
example = "git.example.com";
description = "The domain of the gitea server";
};
giteaClientId = mkOption {
type = types.str;
example = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX";
description = "The domain of the gitea server";
};
admins = mkOption {
type = lib.types.listOf lib.types.string;
default = [];
example = [ "user1" "user2" ];
description = "List of admins";
};
maxProcsPerAgent = mkOption {
type = types.int;
default = 1;
example = 4;
description = "Number of possible paralle process per agent";
};
};
config = {
services.woodpecker-server.enable = true;
# To put in woodpecker_server_env:
# ```
# WOODPECKER_AGENT_SECRET=XXXXXX
# WOODPECKER_GITEA_SECRET=gto_XXXXXX
# ```
services.woodpecker-server.environmentFile = "${cfg.serverEnvFile}";
services.woodpecker-server.environment = {
WOODPECKER_HOST = "https://${cfg.domain}";
WOODPECKER_OPEN = "true"; # This means user of gitea can connect to the ci
WOODPECKER_GITEA = "true";
WOODPECKER_GITEA_CLIENT = "${cfg.giteaClientId}";
WOODPECKER_GITEA_URL = "https://${cfg.giteaDomain}";
WOODPECKER_ADMIN = lib.mkIf (cfg.admins != []) (lib.concatStringsSep "," cfg.admins);
};
virtualisation.podman.enable = true;
virtualisation.podman.defaultNetwork.dnsname.enable = true;
services.woodpecker-agents.agents.podman = {
enable = true;
extraGroups = [ "podman" ];
environmentFile = [ "${cfg.agentEnvFile}" ];
environment = {
WOODPECKER_BACKEND = "docker";
DOCKER_HOST = "unix:////run/podman/podman.sock";
WOODPECKER_MAX_PROCS = builtins.toString cfg.maxProcsPerAgent;
};
};
security.acme.acceptTerms = true;
security.acme.defaults.email = cfgBase.adminEmail;
services.nginx = {
enable = true;
virtualHosts = {
"${cfg.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8000";
extraConfig = ''
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_pass_request_headers on;
'';
};
};
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
};
}