Finish up gitea host including secrets with sops

.sops.yaml

@@ -0,0 +1,10 @@
+keys:
+  - &carsten BD9A82C3AC8185DAD4CFDA47A34D551C8CCA7DCD
+  - &gitea age1r2xcvgph5egus0xmyypplpya5wlz5a5kxwydjakvx94eqpgyhgdqqnzd3j
+creation_rules:
+  - path_regex: secrets/[^/]+\.yaml$
+    key_groups:
+    - pgp:
+      - *carsten
+      age:
+      - *gitea

flake.lock

@@ -198,6 +198,22 @@
         "type": "github"
       }
     },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1682173319,
+        "narHash": "sha256-tPhOpJJ+wrWIusvGgIB2+x6ILfDkEgQMX0BTtM5vd/4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "ee7ec1c71adc47d2e3c2d5eb0d6b8fbbd42a8d1c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-22.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs-unstable": {
       "locked": {
         "lastModified": 1681272286,
@@ -288,7 +304,8 @@
         "nixpkgs": "nixpkgs_2",
         "nixpkgs-unstable": "nixpkgs-unstable",
         "nur": "nur",
-        "sanctureplicum-nur": "sanctureplicum-nur"
+        "sanctureplicum-nur": "sanctureplicum-nur",
+        "sops-nix": "sops-nix"
       }
     },
     "sanctureplicum-nur": {
@@ -309,6 +326,27 @@
         "type": "github"
       }
     },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1682338428,
+        "narHash": "sha256-T7AL/Us6ecxowjMAlO77GETTQO2SO+1XX2+Y/OSfHk8=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "7c8e9727a2ecf9994d4a63d577ad5327e933b6a4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
     "utils": {
       "locked": {
         "lastModified": 1678901627,

flake.nix

@@ -11,6 +11,8 @@
     nekowinston-nur.url = "github:nekowinston/nur";
     emacs-overlay.url = "github:nix-community/emacs-overlay";
     emacs-overlay.inputs.nixpkgs.follows = "nixpkgs";
+    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
     mach-nixpkgs.url = "github:nixos/nixpkgs/9fd0585f7dc9b85eb5d426396004cc649261e60d";
     mach-nix.url = "github:davhau/mach-nix/6cd3929b1561c3eef68f5fc6a08b57cf95c41ec1";
     mach-nix.inputs.nixpkgs.follows = "mach-nixpkgs";
@@ -29,6 +31,7 @@
     , mach-nix
     , mach-nixpkgs
     , nixos-wsl
+    , sops-nix
     , home-manager
     , ...
     } @inputs:
@@ -86,6 +89,9 @@
             home-manager.useGlobalPkgs = true;
             home-manager.useUserPackages = true;
             home-manager.backupFileExtension = "bak";
+            home-manager.sharedModules = [
+              sops-nix.homeManagerModule
+            ];
           }
           ./hosts/eagle
         ];
@@ -121,7 +127,8 @@
           ({ config, pkgs, ... }: {
             nixpkgs.overlays = overlays;
           })
-          
+
+          sops-nix.nixosModules.sops
           ./hosts/gitea
         ];
       };

hosts/common/default.nix

@@ -9,6 +9,7 @@ with pkgs;
 {
   imports = [
     ./graphical.nix
+    ./vm-guest.nix
     ./wsl.nix
     ./pkgs.nix
   ];

hosts/common/vm-guest.nix

@@ -0,0 +1,16 @@
+{ config, lib, pkgs, ... }:
+
+{
+  options.vm-guest = lib.mkOption {
+    default = config.wsl.enable or false;
+    type = lib.types.bool;
+    description = "Whether this is a vm guest machine";
+  };
+
+  config = lib.mkIf config.vm-guest {
+    graphical = false;
+  } // lib.mkIf (!config.vm-guest) {
+    virtualisation.virtualbox.host.enable = true;
+    virtualisation.docker.enable = true;
+  };
+}

hosts/common/wsl.nix

@@ -16,8 +16,5 @@
     };
 
     networking.nameservers = [ "192.168.1.1" "87.62.97.64" ];
-
-    virtualisation.virtualbox.host.enable = true;
-    virtualisation.docker.enable = true;
   };
 }

hosts/gitea/default.nix

@@ -21,7 +21,15 @@
     shell = pkgs.bash;
   };
 
+  graphical = false;
+  vm-guest = true;
+
   networking.hostName = "gitea";
+  networking.firewall.allowedTCPPorts = [ 22 3000 ];
+
+  sops = {
+    defaultSopsFile = ../../secrets/gitea.yaml;
+  };
 
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions

hosts/gitea/hardware.nix

@@ -1,35 +1,35 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports = [ ];
-
-  boot.initrd.availableKernelModules = [ "ata_piix" "vmw_pvscsi" "sd_mod" "sr_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/41d3a241-09d6-4a5d-8b55-7f284310a7a9";
-      fsType = "ext4";
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/8206-16B6";
-      fsType = "vfat";
-    };
-
-  swapDevices = [ ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.ens192.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [ ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "vmw_pvscsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/41d3a241-09d6-4a5d-8b55-7f284310a7a9";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot/efi" =
+    { device = "/dev/disk/by-uuid/8206-16B6";
+      fsType = "vfat";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens192.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/gitea/services/gitea.nix

@@ -1,29 +1,37 @@
-{ pkgs, ... }: {
-  services.gitea = rec {
-    enable = true;
-    package = pkgs.unstable.gitea;
-    database = {
-      type = "postgres";
-      host = "unix:///var/run/postgresql/";
-    };
-    lfs.enable = true;
-    domain = "gitea.pid1.sh";
-    rootUrl = "https://" + domain;
-    settings = {
-      server.SSH_PORT = 22007;
-      session.COOKIE_SECURE = true;
-      mailer = {
-        ENABLED = true;
-        SMTP_ADDR = "mail.pid1.sh";
-        SMTP_PORT = 587;
-        FROM = "Root <root@pid1.sh>";
-        USER = "root@pid1.sh";
-        PASSWD = "***";
-        MAILER_TYPE = "smtp";
-        IS_TLS_ENABLED = true;
-        SUBJECT_PREFIX = "PID1 Gitea: ";
-        SEND_AS_PLAIN_TEXT = true;
-      };
-    };
-  };
-}
+{ pkgs, config, ... }: {
+  services.gitea = rec {
+    enable = true;
+    package = pkgs.unstable.gitea;
+    database = {
+      type = "postgres";
+      host = "unix:///var/run/postgresql/";
+    };
+    lfs.enable = true;
+    domain = "gitea.pid1.sh";
+    rootUrl = "https://" + domain;
+    mailerPasswordFile = config.sops.secrets.gitea_mailer_passwd.path;
+    settings = {
+      server.SSH_PORT = 22007;
+      session.COOKIE_SECURE = true;
+      mailer = {
+        ENABLED = true;
+        SMTP_ADDR = "mail.pid1.sh";
+        SMTP_PORT = 465;
+        FROM = "Root <root@pid1.sh>";
+        USER = "root@pid1.sh";
+        MAILER_TYPE = "smtp";
+        IS_TLS_ENABLED = true;
+        SUBJECT_PREFIX = "PID1 Gitea: ";
+        SEND_AS_PLAIN_TEXT = true;
+      };
+    };
+  };
+  systemd.services.gitea = {
+    after = [ "sops-nix.service" ];
+  };
+  sops.secrets = {
+    gitea_mailer_passwd = {
+      owner = config.systemd.services.gitea.serviceConfig.User;
+    };
+  };
+}

hosts/gitea/services/postgres.nix

@@ -1,13 +1,14 @@
-{ ... }: {
-  services.postgresql = {
-    enable = true;
-    ensureDatabases = [ "gitea" ];
-    ensureUsers = [
-      {
-        name = "gitea";
-        ensurePermissions = {
-          "DATABASE gitea" = "ALL PRIVILEGES";
-        };
-      }
-    ];
-}
+{ ... }: {
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = [ "gitea" ];
+    ensureUsers = [
+      {
+        name = "gitea";
+        ensurePermissions = {
+          "DATABASE gitea" = "ALL PRIVILEGES";
+        };
+      }
+    ];
+  };
+}

secrets/gitea.yaml

@@ -0,0 +1,42 @@
+gitea_mailer_passwd: ENC[AES256_GCM,data:8cBxkVTSS5uJM5FXsro=,iv:LvRu6/bsq7+9pO304VZ9Bqu3cQC2VTzhJW1XBXOqeM4=,tag:0IHlogFEQCqVh2qHZmR/mg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1r2xcvgph5egus0xmyypplpya5wlz5a5kxwydjakvx94eqpgyhgdqqnzd3j
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZb1hFWElHL2ZaSnlLVzZM
+            dGNXa0lnRk83YmZ3amNkS3NZdkZxS2NrWEdJClVBWGYrbnIyZUhPNGZTVDc3SmRr
+            TmdueUk1OCt6S0lIUmRlUFc1bGRFNHcKLS0tIHFTSXdDelNFeS9FWjFzWmM2R3NW
+            ak85SHlPMW5zZ0lPc2tCbmRkMWZ4L28K2B7i21iAThigRr3lWAlhxaU468hINJd+
+            IFRMI+GPa8KXsuvhD9sqrO7ZVnUBGutn2Ka7vKzw9pnBtn9xnjL7MA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-04-26T22:12:13Z"
+    mac: ENC[AES256_GCM,data:jltSFannVuFVA3GLJHYY5bd+10pSLKIfRZV5gPsuPwXpFgbvcoRhJSP79WuMV4m9V/Cr3O8on2CD2n0pm/BRx05UROw/37h8YvZ0RrMkWl+oxYf90PFW8Y7/WI187sNXVFeWzY95TN4xPvz7tU6Gm0otIxENg7WYcUuFM9WikV8=,iv:ACFUZXrLygl5KA5LYVgNbqg9Gs8ObCnmnG9/7sL50g8=,tag:XDzX1n+18ajghHLw7ShHzA==,type:str]
+    pgp:
+        - created_at: "2023-04-26T22:11:17Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA6NNVRyMyn3NARAA0VdwNGAPsJpztgWzifqrDCe3PK6kqmaMev3rO0z0/acb
+            ivwgjA0C5Tz6eecAbVE7RI61ROC4N2nKAy0tQ7SKnukpCMtwBVh7UyZS6N83LZvC
+            fvbEm7v7EhRsPyOslMmD+p80P2pEHUfw/Hp2OpT6W3BjP1YA097Oesz4WpgKrIac
+            BNbW5OZFl60fMHcv3u1XfvR57ft0Am8Pc3qQGD8Ex0FqGfz/cFEyh7gojYnZcWDF
+            v6YELFJ9+ttsBjgrDvZ5mEU2V77Hb1NH1D98rnGWx19l0It8tAwV2P+cKnLQXJz6
+            8zISnQ8HMdgQ07p1QbbboFT16dVcZNNMWAehLQ7a5MrOTfhYosryAZQd/ZJjDQZM
+            w+MGhLxDug/8PJeD03IJx+SJKN3Wke+AbvlAgWrOEGQXxSDyLm6iLcfCTegHP6CR
+            M9rzaz9pDv3yqyVnU4Ptr1wNeMqpVt76NF3uLgC3AuUyIlgnkqNxAk8Je6XuxjRJ
+            WDpHiriAWoVySCHuIra2KHvGumtdF4/nz0E9xEVJuk+X40+LQKhh7UHm5taFPboi
+            2yUZH7Gf1Xj1A2R6OeUopwJuEIuLzYRdJGvhGFLCgyts5Xa6UPOHp2pIzHtSn6lx
+            UY+f2K6U6vsMrkYbfXW3KeiHB0NET+KGBeCvAPw+1sdF1CL05oeHZasj8tnI+1TU
+            aAEJAhALEc2qzcI7OYizTPsfYywR0I4tL1cRrycufsaqMrvFWQ35WyHINgO93c0g
+            SnVr0Fmd6qzaafqh3xQdf7QfogTMzIgkUGyNkHbcsFbTDngoKlA85KANHF132Tw7
+            Hr4DRLTvKtvx
+            =+v1p
+            -----END PGP MESSAGE-----
+          fp: BD9A82C3AC8185DAD4CFDA47A34D551C8CCA7DCD
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3