gitea container, traefik cleanup and sops

2025-04-24 14:44:47 -05:00
parent 1af719c1e2
commit ebf15f5582
5 changed files with 190 additions and 80 deletions
--- a/hosts/nas/apps/actual/default.nix
+++ b/hosts/nas/apps/actual/default.nix
@@ -36,7 +36,7 @@ in
            config = {
              dataDir = dataDir;
              openId = {
-                issuer = "https://authentik.mjallen.dev/application/o/actual-budget/";
+                issuer = "https://authentik.mjallen.dev/application/o/actual-budget/"; # TODO
                client_id = "1PGCrRdndq7SoOSLuNMnXFmHpgd1NKRMOa5LSia2";
                client_secret = "1PGCrRdndq7SoOSLuNMnXFmHpgd1NKRMOa5LSia2";
                server_hostname = "https://actual.mjallen.dev";
@@ -56,18 +56,6 @@ in
          useHostResolvConf = lib.mkForce false;
        };

-        # Create and set permissions for required directories
-        # system.activationScripts.actual-dirs = ''
-        #   mkdir -p /var/lib/private/actual-data
-
-        #   chown -R nobody:nogroup /var/lib/private/actual-data
-
-        #   chmod -R 775 /var/lib/private/actual-data
-
-        #   ln -sf /var/lib/private/actual /var/lib/actual-data
-
-        # '';
-
        services.resolved.enable = true;
        system.stateVersion = "23.11";
      };
--- a/hosts/nas/apps/gitea/default.nix
+++ b/hosts/nas/apps/gitea/default.nix
@@ -1,30 +1,104 @@
 { config, ... }:
+let
+  hostAddress = "10.0.1.18";
+  localAddress = "10.0.4.18";
+  httpPort = 3000;
+  sshPort = 2222;
+  rootUrl = "https://gitea.mjallen.dev/";
+  stateDir = "/media/nas/ssd/nix-app-data/gitea";
+  dataDir = "/var/lib/gitea";
+  secretsDir = "/run/secrets/jallen-nas/gitea";
+  mailerPasswordFile = config.sops.secrets."jallen-nas/gitea/mail-key".path;
+  metricsTokenFile = config.sops.secrets."jallen-nas/gitea/metrics-key".path;
+in
 {
-  services.gitea = {
-    enable = true;
-    stateDir = "/media/nas/ssd/nix-app-data/gitea";
-    useWizard = false;
-    mailerPasswordFile = config.sops.secrets."jallen-nas/gitea/mail-key".path;
-    metricsTokenFile = config.sops.secrets."jallen-nas/gitea/metrics-key".path;
-    settings = {
-      server = {
-        DOMAIN = "jallen-nas";
-        HTTP_ADDR = "0.0.0.0";
-        HTTP_PORT = 3000;
-        PROTOCOL = "http";
-        ROOT_URL = "https://gitea.mjallen.dev/";
-        SSH_PORT = 2222;
+  containers.gitea = {
+    autoStart = true;
+    privateNetwork = true;
+    hostAddress = hostAddress;
+    localAddress = localAddress;
+
+    bindMounts = {
+      ${dataDir} = {
+        hostPath = stateDir;
+        isReadOnly = false;
      };
-      service = {
-        REGISTER_EMAIL_CONFIRM = false;
-        ENABLE_CAPTCHA = false;
-        DISABLE_REGISTRATION = true;
-        ENABLE_OPENID_SIGNIN = false;
-        ENABLE_LDAP_SIGNIN = false;
-        ENABLE_SSH_SIGNIN = true;
-        ENABLE_BUILTIN_SSH_SERVER = true;
-        ENABLE_REVERSE_PROXY_AUTHENTICATION = true;
+      secrets = {
+        hostPath = secretsDir;
+        isReadOnly = true;
+        mountPoint = secretsDir;
      };
    };
+
+    config = { lib, ... }:
+      {
+        services.gitea = {
+          enable = true;
+          stateDir = dataDir;
+          useWizard = false;
+          mailerPasswordFile = mailerPasswordFile;
+          metricsTokenFile = metricsTokenFile;
+          settings = {
+            server = {
+              DOMAIN = "jallen-nas";
+              HTTP_ADDR = "0.0.0.0";
+              HTTP_PORT = httpPort;
+              PROTOCOL = "http";
+              ROOT_URL = rootUrl;
+              SSH_PORT = sshPort;
+            };
+            service = {
+              REGISTER_EMAIL_CONFIRM = false;
+              ENABLE_CAPTCHA = false;
+              DISABLE_REGISTRATION = true;
+              ENABLE_OPENID_SIGNIN = false;
+              ENABLE_LDAP_SIGNIN = false;
+              ENABLE_SSH_SIGNIN = true;
+              ENABLE_BUILTIN_SSH_SERVER = true;
+              ENABLE_REVERSE_PROXY_AUTHENTICATION = true;
+            };
+          };
+        };
+
+        users.users.gitea = {
+          extraGroups = [ "keys" ];
+        };
+
+        networking = {
+          firewall = {
+            enable = true;
+            allowedTCPPorts = [ httpPort sshPort 22 ];
+          };
+          # Use systemd-resolved inside the container
+          # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+          useHostResolvConf = lib.mkForce false;
+        };
+
+        # Create and set permissions for required directories
+        system.activationScripts.gitea-dirs = ''
+          mkdir -p /var/lib/gitea
+          chown -R gitea:gitea /var/lib/gitea
+          chmod -R 775 /var/lib/gitea
+          mkdir -p /run/secrets/jallen-nas
+          chown -R gitea:gitea /run/secrets/jallen-nas
+          chmod -R 775 /run/secrets/jallen-nas
+        '';
+
+        services.resolved.enable = true;
+        system.stateVersion = "23.11";
+      };
+  };
+
+  networking.nat = {
+    forwardPorts = [
+      {
+        destination = "${localAddress}:${toString httpPort}";
+        sourcePort = httpPort;
+      }
+      {
+        destination = "${localAddress}:${toString sshPort}";
+        sourcePort = sshPort;
+      }
+    ];
  };
 }
--- a/hosts/nas/apps/traefik/default.nix
+++ b/hosts/nas/apps/traefik/default.nix
@@ -2,6 +2,7 @@
 let
  domain = "mjallen.dev";

+  # Forward services
  authUrl = "http://10.0.1.18:9000/outpost.goauthentik.io";
  authentikUrl = "http://10.0.1.18:9000";
  onlyofficeUrl = "http://10.0.2.18:9980";
@@ -12,34 +13,87 @@ let
  openWebUIUrl = "http://10.0.1.18:8888";
  paperlessUrl = "http://10.0.1.20:28981";
  cacheUrl = "http://10.0.1.18:5000";
-  giteaUrl = "http://10.0.1.18:3000";
+  giteaUrl = "http://10.0.4.18:3000";
  actualUrl = "http://10.0.3.18:3333";
  lubeloggerUrl = "http://10.0.1.18:6754";
+
+  # Plugins
+  traefikPlugins = {
+    bouncer = {
+      moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin";
+      version = "v1.4.2";
+    };
+    geoblock = {
+      moduleName = "github.com/PascalMinder/geoblock";
+      version = "v0.2.5";
+    };
+  };
+
+  crowdsecAppsecHost = "10.0.1.18:7422";
+  crowdsecLapiKeyFile = config.sops.secrets."jallen-nas/traefik/crowdsec-lapi-key".path;
+
+  # Ports
+  httpPort = 80;
+  httpsPort = 443;
+  traefikPort = 8080;
+  metricsPort = 8082;
+
+  forwardPorts = [
+      httpPort
+      httpsPort
+      traefikPort
+      metricsPort
+  ];
+
+  # misc
+  letsEncryptEmail = "jalle008@proton.me";
+  dataDir = "/media/nas/ssd/nix-app-data/traefik";
+  authentikAddress = "http://10.0.1.18:9000/outpost.goauthentik.io/auth/traefik";
+  group = [ config.users.users.nix-apps.group.name ];
 in
 {
+  sops = {
+    secrets = {
+      "jallen-nas/traefik/crowdsec-lapi-key" = {
+        owner = config.users.users.traefik.name;
+        group = config.users.users.traefik.group;
+        restartUnits = [ "traefik.service" ];
+      };
+      "jallen-nas/traefik/cloudflare-dns-api-token" = { };
+      "jallen-nas/traefik/cloudflare-zone-api-token" = { };
+      "jallen-nas/traefik/cloudflare-api-key" = { };
+      "jallen-nas/traefik/cloudflare-email" = { };
+    };
+    templates = {
+      "traefik.env" = {
+        content = ''
+          CLOUDFLARE_DNS_API_TOKEN = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-dns-api-token"}
+          CLOUDFLARE_ZONE_API_TOKEN =  ${config.sops.placeholder."jallen-nas/traefik/cloudflare-zone-api-token"}
+          CLOUDFLARE_API_KEY =  ${config.sops.placeholder."jallen-nas/traefik/cloudflare-api-key"}
+          CLOUDFLARE_EMAIL =  ${config.sops.placeholder."jallen-nas/traefik/cloudflare-email"}
+        '';
+        owner = config.users.users.traefik.name;
+        group = config.users.users.traefik.group;
+        restartUnits = [ "traefik.service" ];
+      };
+    };
+  };
+
  networking.firewall = {
-    allowedTCPPorts = [
-      80
-      443
-      8080
-    ];
-    allowedUDPPorts = [
-      80
-      443
-      8080
-    ];
+    allowedTCPPorts = forwardPorts;
+    allowedUDPPorts = forwardPorts;
  };

  services.traefik = {
    enable = true;
-    dataDir = "/media/nas/ssd/nix-app-data/traefik";
-    group = "jallen-nas";
+    dataDir = dataDir;
+    group = "jallen-nas";#group;
    environmentFiles = [ "${config.services.traefik.dataDir}/traefik.env" ]; # todo: sops

    staticConfigOptions = {
      entryPoints = {
        web = {
-          address = ":80";
+          address = ":${toString httpPort}";
          asDefault = true;
          http.redirections.entrypoint = {
            to = "websecure";
@@ -48,13 +102,13 @@ in
        };

        websecure = {
-          address = ":443";
+          address = ":${toString httpsPort}";
          asDefault = true;
          http.tls.certResolver = "letsencrypt";
        };

        metrics = {
-          address = ":8082"; # Port for metrics
+          address = ":${toString metricsPort}"; # Port for metrics
        };
      };

@@ -72,7 +126,7 @@ in
      };

      certificatesResolvers.letsencrypt.acme = {
-        email = "jalle008@proton.me";
+        email = letsEncryptEmail;
        storage = "${config.services.traefik.dataDir}/acme.json";
        dnsChallenge = {
          provider = "cloudflare";
@@ -88,16 +142,7 @@ in
      api.insecure = true;

      experimental = {
-        plugins = {
-          bouncer = {
-            moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin";
-            version = "v1.4.2";
-          };
-          geoblock = {
-            moduleName = "github.com/PascalMinder/geoblock";
-            version = "v0.2.5";
-          };
-        };
+        plugins = traefikPlugins;
      };
    };

@@ -107,7 +152,7 @@ in
          authentik = {
            forwardAuth = {
              tls.insecureSkipVerify = true;
-              address = "http://10.0.1.18:9000/outpost.goauthentik.io/auth/traefik";
+              address = authentikAddress;
              trustForwardHeader = true;
              authResponseHeaders = [
                "X-authentik-username"
@@ -133,10 +178,10 @@ in
            plugin = {
              bouncer = {
                crowdsecAppsecEnabled = true;
-                crowdsecAppsecHost = "10.0.1.18:7422";
+                crowdsecAppsecHost = crowdsecAppsecHost;
                crowdsecAppsecFailureBlock = true;
                crowdsecAppsecUnreachableBlock = true;
-                crowdsecLapiKey = "1daH89qmJ41r2Lpd9hvDw4sxtOAtBzaj3aKFOFqE";
+                crowdsecLapiKeyFile = crowdsecLapiKeyFile;
              };
            };
          };
--- a/hosts/nas/sops.nix
+++ b/hosts/nas/sops.nix
@@ -114,14 +114,16 @@ in
        restartUnits = [ "container@paperless.service" ];
      };
      "jallen-nas/gitea/mail-key" = {
-        owner = "gitea";
-        group = "gitea";
-        restartUnits = [ "gitea.service" ];
+        owner = "root";
+        group = "keys";
+        mode = "0440";
+        restartUnits = [ "container@gitea.service" ];
      };
      "jallen-nas/gitea/metrics-key" = {
-        owner = "gitea";
-        group = "gitea";
-        restartUnits = [ "gitea.service" ];
+        owner = "root";
+        group = "keys";
+        mode = "0440";
+        restartUnits = [ "container@gitea.service" ];
      };
      "jallen-nas/free-games/eg-email" = { };
      "jallen-nas/free-games/eg-pass" = { };