infra/nixos/hosts/silver/services/gitea.nix

{config, ...}: let
  sshExposeIp = "0.0.0.0"; # TODO: change this to the public-facing IP for prod
  sshIntPort = 14022;
  httpIntPort = 14020;
  dom = "git.min.rip";
in {
  services.nginx = {
    virtualHosts.${dom} = {
      forceSSL = true;
      enableACME = true;

      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString httpIntPort}";
      };
    };
    streamConfig = ''
      upstream gitea {
        server 127.0.0.1:${toString sshIntPort};
      }

      server {
        listen ${sshExposeIp}:22;
        proxy_timeout 20s;
        proxy_pass gitea;
      }
    ''; # May not support IPv6, i'm unsure..
  };

  # Auto-create directories we need
  systemd.tmpfiles.rules = [
    "d /srv/gitea 0750 1000 1000 - -"
    "d /srv/gitea/gitea 0750 1000 1000 - -"
    "d /srv/gitea/runner 0750 1000 1000 - -"
  ];

  virtualisation.oci-containers.containers.gitea = {
    image = "docker.io/gitea/gitea:1.21.4";
    environment = {
      USER_UID = "1000";
      USER_GID = "1000";
      GITEA_WORK_DIR = "/data/gitea";
      GITEA_CUSTOM = "/data/gitea";
      GITEA_APP_INI = "/data/gitea/conf/app.ini";
    };
    volumes = [
      "/srv/gitea/gitea:/data"
      "/etc/localtime:/etc/localtime:ro"
    ];
    ports = [
      "${toString httpIntPort}:3000/tcp"
      "${toString sshIntPort}:22/tcp"
    ];
  };

  sops.secrets."svc-gitea-runner-env" = {};

  virtualisation.oci-containers.containers.gitea-runner = {
    image = "docker.io/gitea/act_runner:0.2.6-dind-rootless";
    environment = {
      GITEA_INSTANCE_URL = "https://${dom}/";
      DOCKER_HOST = "unix:///var/run/user/1000/docker.sock";
    };
    environmentFiles = [config.sops.secrets."svc-gitea-runner-env".path];
    volumes = [
      "/srv/gitea/runner:/data"
    ];
    extraOptions = ["--privileged"];
  };
}
Initial commit 2024-10-13 15:16:39 -05:00			`{config, ...}: let`
			`sshExposeIp = "0.0.0.0"; # TODO: change this to the public-facing IP for prod`
			`sshIntPort = 14022;`
			`httpIntPort = 14020;`
			`dom = "git.min.rip";`
			`in {`
			`services.nginx = {`
			`virtualHosts.${dom} = {`
Partial rollout of HTTP/3 2024-10-13 18:14:29 -05:00			`forceSSL = true;`
			`enableACME = true;`

Initial commit 2024-10-13 15:16:39 -05:00			`locations."/" = {`
			`proxyPass = "http://127.0.0.1:${toString httpIntPort}";`
			`};`
			`};`
			`streamConfig = ''`
			`upstream gitea {`
			`server 127.0.0.1:${toString sshIntPort};`
			`}`

			`server {`
			`listen ${sshExposeIp}:22;`
			`proxy_timeout 20s;`
			`proxy_pass gitea;`
			`}`
			`''; # May not support IPv6, i'm unsure..`
			`};`

			`# Auto-create directories we need`
			`systemd.tmpfiles.rules = [`
			`"d /srv/gitea 0750 1000 1000 - -"`
			`"d /srv/gitea/gitea 0750 1000 1000 - -"`
			`"d /srv/gitea/runner 0750 1000 1000 - -"`
			`];`

			`virtualisation.oci-containers.containers.gitea = {`
			`image = "docker.io/gitea/gitea:1.21.4";`
			`environment = {`
			`USER_UID = "1000";`
			`USER_GID = "1000";`
			`GITEA_WORK_DIR = "/data/gitea";`
			`GITEA_CUSTOM = "/data/gitea";`
			`GITEA_APP_INI = "/data/gitea/conf/app.ini";`
			`};`
			`volumes = [`
			`"/srv/gitea/gitea:/data"`
			`"/etc/localtime:/etc/localtime:ro"`
			`];`
			`ports = [`
			`"${toString httpIntPort}:3000/tcp"`
			`"${toString sshIntPort}:22/tcp"`
			`];`
			`};`

			`sops.secrets."svc-gitea-runner-env" = {};`

			`virtualisation.oci-containers.containers.gitea-runner = {`
			`image = "docker.io/gitea/act_runner:0.2.6-dind-rootless";`
			`environment = {`
			`GITEA_INSTANCE_URL = "https://${dom}/";`
			`DOCKER_HOST = "unix:///var/run/user/1000/docker.sock";`
			`};`
			`environmentFiles = [config.sops.secrets."svc-gitea-runner-env".path];`
			`volumes = [`
			`"/srv/gitea/runner:/data"`
			`];`
			`extraOptions = ["--privileged"];`
			`};`
			`}`