Foregejo containers fully operational

This commit is contained in:
KoenDR06 2025-12-25 13:11:54 +01:00
parent 2de1a62d2f
commit f1b3559434
4 changed files with 55 additions and 19 deletions


@ -6,7 +6,7 @@
}: let }: let
inherit (lib) mkEnableOption mkIf; inherit (lib) mkEnableOption mkIf;
cfg = config.horseman.base.secrets; cfg = config.horseman.base.secrets;
secretFile = path: ../../secrets/${path}; secretFile = path: ../../secrets/${path}.age;
username = config.horseman.username; username = config.horseman.username;
in { in {
options = { options = {
@ -19,38 +19,45 @@ in {
environment.systemPackages = [pkgs.ragenix]; environment.systemPackages = [pkgs.ragenix];
age.secrets = { age.secrets = {
wifi.file = secretFile "wifi.age"; wifi.file = secretFile "wifi";
personalSSHpub = { personalSSHpub = {
file = secretFile "ssh/id_personal.pub.age"; file = secretFile "ssh/id_personal.pub";
owner = username; owner = username;
group = "users"; group = "users";
path = "/home/horseman/.ssh/id_ed25519.pub"; path = "/home/${username}/.ssh/id_ed25519.pub";
}; };
personalSSH = { personalSSH = {
file = secretFile "ssh/id_personal.age"; file = secretFile "ssh/id_personal";
owner = username; owner = username;
group = "users"; group = "users";
path = "/home/horseman/.ssh/id_ed25519"; path = "/home/${username}/.ssh/id_ed25519";
}; };
githubSSHpub = { githubSSHpub = {
file = secretFile "ssh/id_github.pub.age"; file = secretFile "ssh/id_github.pub";
owner = username; owner = username;
group = "users"; group = "users";
path = "/home/horseman/.ssh/id_github.pub"; path = "/home/${username}/.ssh/id_github.pub";
}; };
githubSSH = { githubSSH = {
file = secretFile "ssh/id_github.age"; file = secretFile "ssh/id_github";
owner = username; owner = username;
group = "users"; group = "users";
path = "/home/horseman/.ssh/id_github"; path = "/home/${username}/.ssh/id_github";
}; };
sshConfig = { sshConfig = {
file = secretFile "ssh/config.age"; file = secretFile "ssh/config";
owner = username; owner = username;
group = "users"; group = "users";
path = "/home/horseman/.ssh/config"; path = "/home/${username}/.ssh/config";
};
forgejo-secret = {
file = secretFile "containers/forgejo-secret";
path = "/run/forgejo-secrets/secret";
symlink = false;
mode = "444";
}; };
}; };
}; };
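Review bot: The new `forgejo-secret` entry is decrypted with `mode = "444"` and no `owner`, so the plaintext at `/run/forgejo-secrets/secret` is readable by every local user on the host, not only root and the two containers that bind-mount the directory. The permissive mode is presumably there so the unprivileged `forgejo` and `runner` users inside the containers can read it through the bind mount; if so, a narrower option is `mode = "440"` with `group` set to a host group whose gid matches those container users (as far as I recall NixOS containers share the host uid/gid space unless user namespacing is enabled — worth confirming), rather than opening it to everyone. A one-line comment on the block would also help the next reader, e.g. `# plain file rather than a symlink into /run/agenix: both containers bind-mount this directory read-only`.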


@ -13,10 +13,8 @@
HTTP_PORT = 3000; HTTP_PORT = 3000;
SSH_PORT = 34916; SSH_PORT = 34916;
INSTANCE_URL = "http://local.git.server:3000"; INSTANCE_URL = "http://local.git.server:3000";
SECRET = "7c31591e8b67225a116d4a4519ea8e507e08f71f"; # TODO REMOVE
DATA_DIR = "/home/${username}/backups/volumes/forgejo"; DATA_DIR = "/home/${username}/backups/volumes/forgejo";
BACKUP_FILE = "/home/${username}/backups/forgejo.tar"; BACKUP_FILE = "/home/${username}/backups/forgejo.tar";
in { in {
options = { options = {
horseman.containers.forgejo = { horseman.containers.forgejo = {
@ -27,7 +25,6 @@ in {
config = mkIf cfg.enable { config = mkIf cfg.enable {
networking.extraHosts = "192.168.100.3 local.git.server"; networking.extraHosts = "192.168.100.3 local.git.server";
systemd.timers."backup-forgejo" = { systemd.timers."backup-forgejo" = {
wantedBy = ["timers.target"]; wantedBy = ["timers.target"];
timerConfig = { timerConfig = {
@ -36,7 +33,7 @@ in {
}; };
}; };
environment.systemPackages = [ pkgs.gnutar ]; environment.systemPackages = [pkgs.gnutar];
systemd.services."backup-forgejo" = { systemd.services."backup-forgejo" = {
script = '' script = ''
${pkgs.gnutar} -cf ${BACKUP_FILE} ${DATA_DIR} ${pkgs.gnutar} -cf ${BACKUP_FILE} ${DATA_DIR}
@ -52,6 +49,13 @@ in {
hostAddress = "172.16.0.2"; hostAddress = "172.16.0.2";
localAddress = "192.168.100.2"; localAddress = "192.168.100.2";
bindMounts = {
"/var/lib/secrets" = {
hostPath = "/run/forgejo-secrets";
isReadOnly = true;
};
};
config = { config = {
config, config,
pkgs, pkgs,
@ -76,7 +80,7 @@ in {
systemd.services.startup = { systemd.services.startup = {
script = '' script = ''
cd ${config.users.users.runner.home} cd ${config.users.users.runner.home}
${pkgs.forgejo-runner}/bin/forgejo-runner create-runner-file --instance http://192.168.100.3:3000 --secret ${SECRET} --name runner ${pkgs.forgejo-runner}/bin/forgejo-runner create-runner-file --instance http://192.168.100.3:3000 --secret $(cat /var/lib/secrets/secret) --name runner
sleep 10 sleep 10
${pkgs.forgejo-runner}/bin/forgejo-runner daemon --config ${configFile} ${pkgs.forgejo-runner}/bin/forgejo-runner daemon --config ${configFile}
''; '';
@ -99,6 +103,11 @@ in {
hostPath = DATA_DIR; hostPath = DATA_DIR;
isReadOnly = false; isReadOnly = false;
}; };
"/var/lib/secrets" = {
hostPath = "/run/forgejo-secrets";
isReadOnly = true;
};
}; };
config = { config = {
@ -130,7 +139,7 @@ in {
systemd.services.startup = { systemd.services.startup = {
script = '' script = ''
cd ${config.users.users.forgejo.home} cd ${config.users.users.forgejo.home}
${pkgs.forgejo}/bin/forgejo forgejo-cli actions register --name runner --secret ${SECRET} --config ${config.services.forgejo.stateDir}/custom/conf/app.ini ${pkgs.forgejo}/bin/forgejo forgejo-cli actions register --name runner --secret $(cat /var/lib/secrets/secret) --config ${config.services.forgejo.stateDir}/custom/conf/app.ini
''; '';
serviceConfig.User = "forgejo"; serviceConfig.User = "forgejo";
wantedBy = ["multi-user.target"]; wantedBy = ["multi-user.target"];
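Review bot: Both startup scripts now pass the token as `--secret $(cat /var/lib/secrets/secret)`, which places the plaintext in the process argv and therefore in `/proc/<pid>/cmdline`, readable by any user inside that container while `create-runner-file` or `actions register` runs, and in any shell trace or journal line that echoes the command. The substitution is also unquoted, so a value containing whitespace would be split; at minimum quote it, `--secret "$(cat /var/lib/secrets/secret)"`, and if either tool can take the secret from an environment variable or a file, prefer that over argv. Separately, the literal removed on the old side of the `SECRET` line was committed in plain text and remains in git history, so the value encrypted into the new age file should be a freshly generated token, not the same one. The enclosing `systemd.services.startup` definitions continue past the end of each hunk.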


@ -17,6 +17,7 @@ let
"ssh/id_github" "ssh/id_github"
"ssh/id_github.pub" "ssh/id_github.pub"
"ssh/config" "ssh/config"
"containers/forgejo-secret"
]; ];
attrs = map (secret: {"secrets/${secret}.age".publicKeys = all;}) secrets; attrs = map (secret: {"secrets/${secret}.age".publicKeys = all;}) secrets;
in in
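Review bot: `containers/forgejo-secret` is appended to the same list as the personal SSH keys, so it is encrypted to `publicKeys = all` and every key in `all` (defined above this hunk) can decrypt the runner registration secret, even though only the host running the Forgejo containers appears to need it. If `all` covers more than that host, consider a separate rule scoped to that host's key, e.g. `"secrets/containers/forgejo-secret.age".publicKeys = [ <that host's key> ];`, instead of reusing the blanket mapping. A short comment above the list would make the policy explicit, e.g. `# every secret listed here is decryptable by every key in all; scope container secrets per host where possible`.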


@ -0,0 +1,19 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9tczZkdyAvNG9K
UEttaC8zNHlPVDJFT1NoOHBBKzduaThIcFR3TkdvZVF3UVFBSFhvClpLZGw0RmVp
cm1JRkNwL2RKN0lKRlEyb25YeUpjSWx0WXorNWZIa2ZHMzgKLT4gc3NoLWVkMjU1
MTkgZ1BJZFpBIEUyeGlybExFS3dPWXZOdk41TG9GYWQzajFPeVh3MjBlcjQ2b3Bn
NkRiRXcKSzdORWN3NC9IQ2JCRTF3UVRRc1k4eW5uQ2tMZXo0UEczWk1IS3BDbEV4
UQotPiBzc2gtZWQyNTUxOSBXeUlGekEgR0hhQitRZ2haZExXeVNlV0pBY0JkWTY0
S05PMnNmdVh5QUUyVmhjK1psNApMVWtDR0ZUNjBHNHdUbDVEdFI3SkU3TnhtbHN4
L3hiYnlYdmx5L2VmU3NBCi0+IHNzaC1lZDI1NTE5IGRiT2VoQSBpK2h2YlFCTk9a
Z21YZS9tQk9iUDdCQmpYNE9RK0k1SGtCbzhDdG9wVUFrCmlrNjBRQk9lWHVRRHVJ
dnFsSmJsTmNnaFA3MUorYkFGTklkWk94TUk3dHMKLT4gc3NoLWVkMjU1MTkgdHYv
Q3pnIGRUb21iKzlKY3hzcUhqaEZlK2EraEFQTmN0Nm5SZ05jdG1ia0xlN2NoelkK
d0R5Z0sxa0VDMy9aUTFJSS9jRmdDOGk5ZWVVVjIwdzJ4MUI3clR2bVE5SQotPiBi
NlJDOTpCWS1ncmVhc2UKR25PbzYrN2JsTXZwbXV5Z0NuUTZ0b2dTdU11Rlh6cmFL
cDlVOUUxNFd3VWg2V1ltU1N5dXZBWVM5UGI4d3cKLS0tIC9qQ0ZZUnVQRkc5dHRX
L0xpOTFxRk4xdTRCdUEwclU1dzB5RkVZbFRVZlUKhXXapogUWYhZ+Baie7Alcv7Z
hnMTGD+Wti8VhvHOmwS+z66mpbidJdNwcoiGOpeCfIJyKbQehQrzsI0wWbqjyA50
PKWqT6dq3w==
-----END AGE ENCRYPTED FILE-----