From 65ec0779b7474d2668a38f181230808c4bd6e8a6 Mon Sep 17 00:00:00 2001 From: schweby Date: Sat, 9 Jul 2022 19:36:24 +0200 Subject: [PATCH 01/18] init basic untested config --- hosts/parsons/configuration.nix | 1 + services/gitea.nix | 108 ++++++++++++++++++++++++++++++++ 2 files changed, 109 insertions(+) create mode 100644 services/gitea.nix diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix index 937ea4a..c8aef57 100644 --- a/hosts/parsons/configuration.nix +++ b/hosts/parsons/configuration.nix @@ -17,6 +17,7 @@ ../../services/mail.nix ../../services/syncthing.nix ../../services/gitlab.nix + ../../services/gitea.nix ../../services/nginx-pages.nix ../../services/gitlab-runner.nix ../../services/lantifa.nix diff --git a/services/gitea.nix b/services/gitea.nix new file mode 100644 index 0000000..5db2d08 --- /dev/null +++ b/services/gitea.nix 
@@ -0,0 +1,108 @@ +{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }: + +{ + containers.gitea = { + privateNetwork = true; + hostAddress = "192.168.100.1"; + localAddress = "192.168.100.10"; + autoStart = true; + bindMounts = { + "/persist" = { + hostPath = "/persist/containers/gitea"; + isReadOnly = false; + }; + }; + path = (evalConfig { + hosts = { }; + groups = { }; + } ({ config, lib, pkgs, profiles, modules, sources, ... }: { + boot.isContainer = true; + networking.useDHCP = false; + users.users.root.hashedPassword = ""; + + imports = [ ((import sources.nix-hexchen) { }).profiles.nopersist ]; + + nixpkgs.config.allowUnfree = true; + networking.firewall.enable = false; + networking.defaultGateway = { + address = "192.168.100.1"; + interface = "eth0"; + }; + services.coredns = { + enable = true; + config = '' + .:53 { + forward . 1.1.1.1 + } + ''; + }; + services.gitea = { + enable = true; + appName = "0x0: git for all creatures"; + rootUrl = "https://git.infra4future.de/"; + httpAddress = "0.0.0.0"; + httpPort = 3000; + lfs.enable = true; + disableRegistration = true; + database.type = "postgres"; + cookieSecure = true; + log.level = "Info"; + # mailerPasswordFile = + # "/var/lib/secrets/noreply"; # see below for access permissions + # settings = { + # mailer = { + # ENABLED = true; + # HOST = "0x0.rip:465"; + # FROM = "noreply@0x0.rip"; + # ENVELOPE_FROM = "noreply@0x0.rip"; + # USER = "noreply@0x0.rip"; + + # }; + repository = { + DEFAULT_PRIVATE = "public"; + PREFERRED_LICENSES = "Unlicense"; + DEFAULT_BRANCH = "main"; + }; + "repository.pull-requests" = { + DEFAULT_MERGE_STYLE = "merge"; + DEFAULT_MERGE_MESSAGE_ALL_AUTHORS = true; + }; + "repository.upload".FILE_MAX_SIZE = 1024; + server = { + LANDING_PAGE = "explore"; + OFFLINE = true; + }; + security = { INSTALL_LOCK = true; }; + other = { + SHOW_FOOTER_VERSION = false; + SHOW_FOOTER_TEMPLATE_LOAD_TIME = false; + }; + cron = { + ENABLED = true; + NOTICE_ON_SUCCESS = true; + }; + 
"cron.update_mirrors" = { + SCHEDULE = "@every 12h"; + PULL_LIMIT = "-1"; + PUSH_LIMIT = "-1"; + }; + "cron.git_gc_repos".ENABLED = true; + "cron.delete_old_actions".ENABLED = true; + }; + services.postgresqlBackup = { + enable = true; + databases = [ "gitea" ]; + startAt = "*-*-* 23:45:00"; + location = "/persist/backups/postgres"; + }; + })).config.system.build.toplevel; + }; + + services.nginx.virtualHosts."git.infra4future.de" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://${config.containers.gitea.localAddress}:3000"; + }; + }; +} From db5865fff22f3ddb59cb9148e9c9e4e5a30c657c Mon Sep 17 00:00:00 2001 From: schweby Date: Sat, 9 Jul 2022 19:39:40 +0200 Subject: [PATCH 02/18] !fixup add missing settings section --- services/gitea.nix | 75 +++++++++++++++++++++++----------------------- 1 file changed, 38 insertions(+), 37 deletions(-) diff --git a/services/gitea.nix b/services/gitea.nix index 5db2d08..2b35352 100644 --- a/services/gitea.nix +++ b/services/gitea.nix 
@@ -49,45 +49,46 @@ log.level = "Info"; # mailerPasswordFile = # "/var/lib/secrets/noreply"; # see below for access permissions - # settings = { - # mailer = { - # ENABLED = true; - # HOST = "0x0.rip:465"; - # FROM = "noreply@0x0.rip"; - # ENVELOPE_FROM = "noreply@0x0.rip"; - # USER = "noreply@0x0.rip"; + settings = { + # mailer = { + # ENABLED = true; + # HOST = "0x0.rip:465"; + # FROM = "noreply@0x0.rip"; + # ENVELOPE_FROM = "noreply@0x0.rip"; + # USER = "noreply@0x0.rip"; - # }; - repository = { - DEFAULT_PRIVATE = "public"; - PREFERRED_LICENSES = "Unlicense"; - DEFAULT_BRANCH = "main"; + # }; + repository = { + DEFAULT_PRIVATE = "public"; + PREFERRED_LICENSES = "Unlicense"; + DEFAULT_BRANCH = "main"; + }; + "repository.pull-requests" = { + DEFAULT_MERGE_STYLE = "merge"; + DEFAULT_MERGE_MESSAGE_ALL_AUTHORS = true; + }; + "repository.upload".FILE_MAX_SIZE = 1024; + server = { + LANDING_PAGE = "explore"; + OFFLINE = true; + }; + security = { INSTALL_LOCK = true; }; + other = { + SHOW_FOOTER_VERSION = false; + SHOW_FOOTER_TEMPLATE_LOAD_TIME = false; + }; + cron = { + ENABLED = true; + NOTICE_ON_SUCCESS = true; + }; + "cron.update_mirrors" = { + SCHEDULE = "@every 12h"; + PULL_LIMIT = "-1"; + PUSH_LIMIT = "-1"; + }; + "cron.git_gc_repos".ENABLED = true; + "cron.delete_old_actions".ENABLED = true; }; - "repository.pull-requests" = { - DEFAULT_MERGE_STYLE = "merge"; - DEFAULT_MERGE_MESSAGE_ALL_AUTHORS = true; - }; - "repository.upload".FILE_MAX_SIZE = 1024; - server = { - LANDING_PAGE = "explore"; - OFFLINE = true; - }; - security = { INSTALL_LOCK = true; }; - other = { - SHOW_FOOTER_VERSION = false; - SHOW_FOOTER_TEMPLATE_LOAD_TIME = false; - }; - cron = { - ENABLED = true; - NOTICE_ON_SUCCESS = true; - }; - "cron.update_mirrors" = { - SCHEDULE = "@every 12h"; - PULL_LIMIT = "-1"; - PUSH_LIMIT = "-1"; - }; - "cron.git_gc_repos".ENABLED = true; - "cron.delete_old_actions".ENABLED = true; }; services.postgresqlBackup = { enable = true; 
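Review bot: The comment `# "/var/lib/secrets/noreply"; # see below for access permissions` is moved inside `settings`, but nothing below it explains those permissions, and the mailer fragment is left half-commented with a stray `# };` closing it. Either drop the fragment until mail is actually configured, or finish the comment so the secret's provisioning is documented, e.g. `# mailerPasswordFile is provisioned outside nix — TODO: document owner/mode expected by the gitea service`. Patch 11 re-sends this hunk unchanged.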
From f9f1eee6fde9f2eb2c2d6ec7c7be93ec63a9942f Mon Sep 17 00:00:00 2001 From: stuebinm Date: Tue, 19 Jul 2022 17:32:00 +0200 Subject: [PATCH 03/18] update lantifa source urls & hashes --- services/lantifa.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/services/lantifa.nix b/services/lantifa.nix index 3b7c04d..e1649d2 100644 --- a/services/lantifa.nix +++ b/services/lantifa.nix @@ -40,7 +40,7 @@ extraConfig = let wikidb = pkgs.fetchzip { url = "https://www.kennel17.co.uk/uploads/testwiki/e/e9/WikiDB.zip"; - sha256 = "0pns9fk1ws54m7rgbfsrxqh6ayab16mmnvzba8m4malljgrbil8b"; + sha256 = "sha256-8pMNQwmGEsbIoSV1s4RL5Xqq4+f+GNOaCB8VlVnbweY="; }; in '' // Configure short URLs @@ -77,8 +77,8 @@ sha256 = "1k0z44jfqsxzwy6jjz3yfibiq8wi845d5iwwh8j3yijn2854fj0i"; }; intersection = pkgs.fetchzip { # This is the DynamicPageList extension - url = "https://extdist.wmflabs.org/dist/extensions/intersection-REL1_36-4a70dbd.tar.gz"; - sha256 = "0s70fqkf5ylpsxy1h3hljic8708j6099mz12b6k03hgwc582yywi"; + url = "https://extdist.wmflabs.org/dist/extensions/intersection-REL1_36-82eb087.tar.gz"; + sha256 = "sha256-TD58DvJ4CFASP4rIc94jeB4SN4zktLe33xZtz/Qg2dk="; }; PageForms = pkgs.fetchzip { url = "https://github.com/wikimedia/mediawiki-extensions-PageForms/archive/5.0.1.zip"; From b5a68e09fd46640e2c3820a83f51e3d14d827f25 Mon Sep 17 00:00:00 2001 From: stuebinm Date: Wed, 20 Jul 2022 18:30:47 +0200 Subject: [PATCH 04/18] gitea: fix uffd login (note that this actually has to patch uffd) --- pkgs/uffd/default.nix | 5 ++--- pkgs/uffd/gitea-magic.patch | 32 ++++++++++++++++++++++++++++++++ services/gitea.nix | 6 ++++++ 3 files changed, 40 insertions(+), 3 deletions(-) create mode 100644 pkgs/uffd/gitea-magic.patch diff --git a/pkgs/uffd/default.nix b/pkgs/uffd/default.nix index 9e23c8b..761ff6a 100644 --- a/pkgs/uffd/default.nix +++ b/pkgs/uffd/default.nix 
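Review bot: The first hunk re-pins `WikiDB.zip` to a new hash without changing its URL, which means the unversioned archive at kennel17.co.uk was replaced in place and this commit now trusts whatever it currently contains; the fixed-output hash guarantees reproducibility, not provenance. Record where the new hash came from, e.g. `# unversioned upstream archive; hash re-pinned <DATE> after reviewing the diff against the previous zip`, or mirror the archive somewhere the project controls. The second hunk moves `intersection` to a specific REL1_36 commit named in the URL, which is fine. Patch 12 is an identical re-send.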
@@ -5,12 +5,11 @@ python3Packages.buildPythonPackage rec { version = "2.0.1"; src = fetchzip { - url = - "https://git.cccv.de/uffd/uffd/-/archive/v${version}/uffd-v${version}.tar.gz"; + url = "https://git.cccv.de/uffd/uffd/-/archive/v${version}/uffd-v${version}.tar.gz"; hash = "sha256-KP4J1bw5u7MklaPu2SBFRNyGgkKOBOpft5MMH+em5M4="; }; - patches = [ ./fix-setuppy.patch ./fix-userinfo.patch ]; + patches = [ ./gitea-magic.patch ./fix-setuppy.patch ./fix-userinfo.patch ]; propagatedBuildInputs = with python3Packages; [ flask diff --git a/pkgs/uffd/gitea-magic.patch b/pkgs/uffd/gitea-magic.patch new file mode 100644 index 0000000..a2b3430 --- /dev/null +++ b/pkgs/uffd/gitea-magic.patch @@ -0,0 +1,32 @@ +From e3c0995160a653ef6cd8784b255036585b273b82 Mon Sep 17 00:00:00 2001 +From: stuebinm +Date: Wed, 20 Jul 2022 18:02:15 +0200 +Subject: [PATCH] magic gitea patch + +--- + uffd/oauth2/views.py | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/uffd/oauth2/views.py b/uffd/oauth2/views.py +index d13fd42..94352be 100644 +--- a/uffd/oauth2/views.py ++++ b/uffd/oauth2/views.py +@@ -230,6 +230,15 @@ def oauth_required(*scopes): + @oauth_required('profile') + def userinfo(): + user = request.oauth.user ++ client = request.oauth.client_id ++ if client == "gitea": ++ return jsonify( ++ id=user.unix_uid, ++ full_name=user.displayname, ++ login=user.loginname, ++ email=user.mail, ++ groups=[group.name for group in user.groups] ++ ) + return jsonify( + id=user.unix_uid, + name=user.displayname, +-- +2.36.0 + diff --git a/services/gitea.nix b/services/gitea.nix index 2b35352..ec370e7 100644 --- a/services/gitea.nix +++ b/services/gitea.nix @@ -22,6 +22,8 @@ imports = [ ((import sources.nix-hexchen) { }).profiles.nopersist ]; + environment.systemPackages = [ pkgs.gitea ]; + nixpkgs.config.allowUnfree = true; networking.firewall.enable = false; networking.defaultGateway = { 
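Review bot: The new `userinfo()` branch hands Gitea `id=user.unix_uid` as the account identifier; if uffd can ever reassign a unix uid (an account deleted and later re-created), the new holder would inherit the Gitea identity linked to that id — whether uids are reused is not visible here and should be confirmed before relying on it, ideally with a comment such as `# unix_uid must never be reused: Gitea keys the linked account on it`. The branch also returns `groups` to this client alone, so the Gitea-side mapping from group to permission is where that membership should be documented. Style-wise the two `jsonify` calls differ only in key names; building one dict and renaming keys for the `gitea` client would stop the duplicated field list drifting. `userinfo()` continues past the hunk. Patch 13 re-sends the same patch.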
@@ -63,6 +65,10 @@ PREFERRED_LICENSES = "Unlicense"; DEFAULT_BRANCH = "main"; }; + oauth2_client = { + ACCOUNT_LINKING = "auto"; + ENABLE_AUTO_REGISTRATION = true; + }; "repository.pull-requests" = { DEFAULT_MERGE_STYLE = "merge"; DEFAULT_MERGE_MESSAGE_ALL_AUTHORS = true; From c854e10980d5ad6b4fb2d8b1efc654b7b2ed1c9f Mon Sep 17 00:00:00 2001 From: stuebinm Date: Fri, 22 Jul 2022 18:50:00 +0200 Subject: [PATCH 05/18] gitea: enable offline mode --- services/gitea.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/gitea.nix b/services/gitea.nix index ec370e7..a270512 100644 --- a/services/gitea.nix +++ b/services/gitea.nix @@ -76,7 +76,7 @@ "repository.upload".FILE_MAX_SIZE = 1024; server = { LANDING_PAGE = "explore"; - OFFLINE = true; + OFFLINE_MODE = true; }; security = { INSTALL_LOCK = true; }; other = { From a1c5832a5125c590799f1719e676a1dec19167c4 Mon Sep 17 00:00:00 2001 From: stuebinm Date: Mon, 1 Aug 2022 18:39:46 +0200 Subject: [PATCH 06/18] gitea: save state under /persist --- services/gitea.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/services/gitea.nix b/services/gitea.nix index a270512..a84e505 100644 --- a/services/gitea.nix +++ b/services/gitea.nix @@ -24,6 +24,8 @@ environment.systemPackages = [ pkgs.gitea ]; + hexchen.bindmounts."/var/lib/gitea" = "/persist/gitea"; + nixpkgs.config.allowUnfree = true; networking.firewall.enable = false; networking.defaultGateway = { From e246563f5723c234a64e6ea196f6d573695d0b0b Mon Sep 17 00:00:00 2001 From: stuebinm Date: Mon, 1 Aug 2022 20:54:17 +0200 Subject: [PATCH 07/18] git ssh: switch to gitea (instead of gitlab) --- services/gitea.nix | 13 +++++++++++++ services/gitlab.nix | 10 +++++----- 2 files changed, 18 insertions(+), 5 deletions(-) diff --git a/services/gitea.nix b/services/gitea.nix index a84e505..e24bcc6 100644 --- a/services/gitea.nix +++ b/services/gitea.nix 
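Review bot: `ACCOUNT_LINKING = "auto"` together with `ENABLE_AUTO_REGISTRATION = true` means every identity uffd asserts either creates a Gitea account or is silently attached to an existing local account with the same e-mail, so an e-mail the IdP has not verified, or one changed after the fact, becomes an account-takeover path. With `disableRegistration = true` earlier in the file and uffd as the only provider this may be intended, but it should be stated, e.g. `# uffd is the sole, trusted IdP; e-mail addresses it returns are treated as verified`, or use `ACCOUNT_LINKING = "login"` so linking to an existing account requires that account's credentials. Patch 13 re-sends this hunk unchanged.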
@@ -104,6 +104,14 @@ startAt = "*-*-* 23:45:00"; location = "/persist/backups/postgres"; }; + services.openssh = { + enable = true; + passwordAuthentication = false; + listenAddresses = [ { + addr = "192.168.100.10"; + port = 22; + } ]; + }; })).config.system.build.toplevel; }; @@ -114,4 +122,9 @@ proxyPass = "http://${config.containers.gitea.localAddress}:3000"; }; }; + hexchen.nftables.nat.forwardPorts = [{ + ports = [ 22 ]; + destination = "${config.containers.gitea.localAddress}:22"; + proto = "tcp"; + }]; } diff --git a/services/gitlab.nix b/services/gitlab.nix index 5de66be..8a2c708 100644 --- a/services/gitlab.nix +++ b/services/gitlab.nix @@ -133,11 +133,11 @@ })).config.system.build.toplevel; }; - hexchen.nftables.nat.forwardPorts = [{ - ports = [ 22 ]; - destination = "${config.containers.gitlab.localAddress}:22"; - proto = "tcp"; - }]; + # hexchen.nftables.nat.forwardPorts = [{ + # ports = [ 22 ]; + # destination = "${config.containers.gitlab.localAddress}:22"; + # proto = "tcp"; + # }]; services.nginx.virtualHosts."gitlab.infra4future.de" = { locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:80"; From 45ceeef189f95616ecb38a75dfe1828e591c7cb8 Mon Sep 17 00:00:00 2001 From: stuebinm Date: Wed, 3 Aug 2022 11:26:05 +0200 Subject: [PATCH 08/18] gitea: git protocol v2 over ssh cf. https://docs.gitea.io/en-us/config-cheat-sheet/#git-git, entry for option ENABLE_AUTO_GIT_WIRE_PROTOCOL --- services/gitea.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/services/gitea.nix b/services/gitea.nix index e24bcc6..19d5455 100644 --- a/services/gitea.nix +++ b/services/gitea.nix @@ -111,6 +111,9 @@ addr = "192.168.100.10"; port = 22; } ]; + extraConfig = '' + AcceptEnv GIT_PROTOCOL + ''; }; })).config.system.build.toplevel; }; From 3ea537459bbfd65c126ae0af04fd56b7d4c6e036 Mon Sep 17 00:00:00 2001 
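Review bot: The container sshd added under `services.openssh` is exposed to the internet by the NAT rule in the second hunk, and the hunk only turns off password authentication; root login and keyboard-interactive authentication stay at the NixOS defaults, although the only account that needs SSH here is `gitea`. Add `permitRootLogin = "no";` and `kbdInteractiveAuthentication = false;` (named `challengeResponseAuthentication` on nixpkgs before 22.05) next to `passwordAuthentication = false;`, and put `AllowUsers gitea` into the `extraConfig` that patch 08 introduces alongside `AcceptEnv GIT_PROTOCOL`. The gitlab.nix hunk leaves the old forward rule as a comment rather than deleting it; version control keeps the history, and removing it avoids two `forwardPorts` entries for port 22 reappearing after a careless uncomment. Patches 16 and 17 re-send these hunks unchanged.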
From: moira Date: Mon, 12 Sep 2022 19:05:32 +0200 Subject: [PATCH 09/18] change name --- common/users.nix | 4 ++-- services/mail.nix | 14 +++++++------- services/syncthing.nix | 8 ++------ websites/muc.hacc.earth/index.html | 2 +- 4 files changed, 12 insertions(+), 16 deletions(-) diff --git a/common/users.nix b/common/users.nix index 7c4cbb9..22002ca 100644 --- a/common/users.nix +++ b/common/users.nix @@ -48,13 +48,13 @@ packages = with pkgs; [ ffmpeg ]; }; - schweby = { + moira = { uid = 1004; shell = pkgs.fish; isNormalUser = true; extraGroups = [ "wheel" "cdrom" ]; openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKqj9RRfthjBl4+y4YH7aWetx5qs2KOE2B0oOw3pjRrQ schweby 2022-05-22" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJrcJRF71+XM5YZj+SaSiGcdVZ0IDxGBXIWssDtHiTtr moira_2022_06" ]; hashedPassword = "$6$zkAsaVdmIduqZxez$GY9aBlYeP41F0it/VbbZzLLLRQhHAbDdFsa3e/1GS9McTuSimMHODg6HqNVEH1zSqD3afhK/0UHfqbtF5qpi90"; }; diff --git a/services/mail.nix b/services/mail.nix index 518f973..211a2e1 100644 --- a/services/mail.nix +++ b/services/mail.nix @@ -42,7 +42,7 @@ "raphael@hacc.space".hashedPassword = "$6$QveHpwMcp9mkFVAU$EFuahOrJIxPg.c.WGFHtrP3.onwJYwvP7fiBHHGb9jhosewZ2tEUP.2D3uyDLhd9Cfny6Yp4jDk/Hkjk7/ME1/"; - "schweby@hacc.space".hashedPassword = + "moira@hacc.space".hashedPassword = "$6$BpYhwcZNrkLhVqK$6FMqA/vUkdV4GBlHLSqS5DRCb/CaLDNeIsBcZ8G30heytS/tJj2Ag7b1ovSltTA4PUfhee3pJrz1BkwkA93vN1"; "zauberberg@hacc.space".hashedPassword = @@ -81,7 +81,7 @@ "hexchen@hacc.space" "octycs@hacc.space" "raphael@hacc.space" - "schweby@hacc.space" + "moira@hacc.space" "zauberberg@hacc.space" "stuebinm@hacc.space" "lenny@hacc.space" 
@@ -89,12 +89,12 @@ # admin: current people with access to the mail server and knowledge on how to use it™ "admin@hacc.space" = - [ "hexchen@hacc.space" "schweby@hacc.space" "zauberberg@hacc.space" ]; + [ "hexchen@hacc.space" "moira@hacc.space" "zauberberg@hacc.space" ]; # voc: hacc video operation center, various streaming-related things "voc@hacc.space" = [ "hexchen@hacc.space" - "schweby@hacc.space" + "moira@hacc.space" "octycs@hacc.space" "stuebinm@hacc.space" "zauberberg@hacc.space" @@ -105,13 +105,13 @@ # -- Regional: Germany -- # board of hacc e.V. "vorstand@hacc.space" = - [ "raphael@hacc.space" "schweby@hacc.space" "zauberberg@hacc.space" ]; + [ "raphael@hacc.space" "moira@hacc.space" "zauberberg@hacc.space" ]; # members of hacc e.V. "mitglieder@hacc.space" = [ "hexchen@hacc.space" "raphael@hacc.space" - "schweby@hacc.space" + "moira@hacc.space" "zauberberg@hacc.space" "lenny@hacc.space" "octycs@hacc.space" @@ -123,7 +123,7 @@ "hexchen@hacc.space" "octycs@hacc.space" "raphael@hacc.space" - "schweby@hacc.space" + "moira@hacc.space" "zauberberg@hacc.space" "stuebinm@hacc.space" "lenny@hacc.space" diff --git a/services/syncthing.nix b/services/syncthing.nix index 3eff7a7..40bab1c 100644 --- a/services/syncthing.nix +++ b/services/syncthing.nix @@ -7,10 +7,6 @@ configDir = "/persist/var/lib/syncthing/"; dataDir = "/persist/data/syncthing/"; devices = { - schweby = { - addresses = []; # empty = dynamic - id = "YF7DNNS-B63GERK-YFQ7G7Q-2DG7557-VIWFOTK-R3JOS63-T76POBQ-F6MO6AH"; - }; raphael-laptop = { addresses = []; # empty = dynamic id = "72B3T74-NOMJV3X-EVJXTJF-5GGAEZB-ZDKBHXQ-VQNRYEU-YCPA2JP-L6NGAAG"; @@ -25,7 +21,7 @@ folders = { "/persist/data/syncthing/hacc/" = { id = "qt2ly-xvvvs"; - devices = [ "schweby" "conway" "raphael-laptop"]; + devices = [ "conway" "raphael-laptop"]; type = "receiveonly"; versioning = { type = "simple"; 
@@ -34,7 +30,7 @@ }; "/persist/data/syncthing/hacc_eV_vorstand/" = { id = "twwt7-fxrsr"; - devices = [ "schweby" "conway" "raphael-laptop"]; + devices = [ "conway" "raphael-laptop"]; # type = "receiveencrypted"; # no yet implemented }; }; diff --git a/websites/muc.hacc.earth/index.html b/websites/muc.hacc.earth/index.html index fbc0bb4..e386de9 100644 --- a/websites/muc.hacc.earth/index.html +++ b/websites/muc.hacc.earth/index.html @@ -402,7 +402,7 @@ registered at the local court Munich VR 208921
  • raphael or rw
  • zauberberg
  • -
  • schweby
  • +
  • moira
  • Satzung (statutes)
  • From 856cd79c374ba7b3556222abe680388613fc43fc Mon Sep 17 00:00:00 2001 From: schweby Date: Sat, 9 Jul 2022 19:36:24 +0200 Subject: [PATCH 10/18] init basic untested config --- hosts/parsons/configuration.nix | 1 + services/gitea.nix | 108 ++++++++++++++++++++++++++++++++ 2 files changed, 109 insertions(+) create mode 100644 services/gitea.nix diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix index 937ea4a..c8aef57 100644 --- a/hosts/parsons/configuration.nix +++ b/hosts/parsons/configuration.nix @@ -17,6 +17,7 @@ ../../services/mail.nix ../../services/syncthing.nix ../../services/gitlab.nix + ../../services/gitea.nix ../../services/nginx-pages.nix ../../services/gitlab-runner.nix ../../services/lantifa.nix diff --git a/services/gitea.nix b/services/gitea.nix new file mode 100644 index 0000000..5db2d08 --- /dev/null +++ b/services/gitea.nix 
@@ -0,0 +1,108 @@ +{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }: + +{ + containers.gitea = { + privateNetwork = true; + hostAddress = "192.168.100.1"; + localAddress = "192.168.100.10"; + autoStart = true; + bindMounts = { + "/persist" = { + hostPath = "/persist/containers/gitea"; + isReadOnly = false; + }; + }; + path = (evalConfig { + hosts = { }; + groups = { }; + } ({ config, lib, pkgs, profiles, modules, sources, ... }: { + boot.isContainer = true; + networking.useDHCP = false; + users.users.root.hashedPassword = ""; + + imports = [ ((import sources.nix-hexchen) { }).profiles.nopersist ]; + + nixpkgs.config.allowUnfree = true; + networking.firewall.enable = false; + networking.defaultGateway = { + address = "192.168.100.1"; + interface = "eth0"; + }; + services.coredns = { + enable = true; + config = '' + .:53 { + forward . 1.1.1.1 + } + ''; + }; + services.gitea = { + enable = true; + appName = "0x0: git for all creatures"; + rootUrl = "https://git.infra4future.de/"; + httpAddress = "0.0.0.0"; + httpPort = 3000; + lfs.enable = true; + disableRegistration = true; + database.type = "postgres"; + cookieSecure = true; + log.level = "Info"; + # mailerPasswordFile = + # "/var/lib/secrets/noreply"; # see below for access permissions + # settings = { + # mailer = { + # ENABLED = true; + # HOST = "0x0.rip:465"; + # FROM = "noreply@0x0.rip"; + # ENVELOPE_FROM = "noreply@0x0.rip"; + # USER = "noreply@0x0.rip"; + + # }; + repository = { + DEFAULT_PRIVATE = "public"; + PREFERRED_LICENSES = "Unlicense"; + DEFAULT_BRANCH = "main"; + }; + "repository.pull-requests" = { + DEFAULT_MERGE_STYLE = "merge"; + DEFAULT_MERGE_MESSAGE_ALL_AUTHORS = true; + }; + "repository.upload".FILE_MAX_SIZE = 1024; + server = { + LANDING_PAGE = "explore"; + OFFLINE = true; + }; + security = { INSTALL_LOCK = true; }; + other = { + SHOW_FOOTER_VERSION = false; + SHOW_FOOTER_TEMPLATE_LOAD_TIME = false; + }; + cron = { + ENABLED = true; + NOTICE_ON_SUCCESS = true; + }; + 
"cron.update_mirrors" = { + SCHEDULE = "@every 12h"; + PULL_LIMIT = "-1"; + PUSH_LIMIT = "-1"; + }; + "cron.git_gc_repos".ENABLED = true; + "cron.delete_old_actions".ENABLED = true; + }; + services.postgresqlBackup = { + enable = true; + databases = [ "gitea" ]; + startAt = "*-*-* 23:45:00"; + location = "/persist/backups/postgres"; + }; + })).config.system.build.toplevel; + }; + + services.nginx.virtualHosts."git.infra4future.de" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://${config.containers.gitea.localAddress}:3000"; + }; + }; +} From 7db9dbb4c2bb39ca3d4c03617a7d53865bc31273 Mon Sep 17 00:00:00 2001 From: schweby Date: Sat, 9 Jul 2022 19:39:40 +0200 Subject: [PATCH 11/18] !fixup add missing settings section --- services/gitea.nix | 75 +++++++++++++++++++++++----------------------- 1 file changed, 38 insertions(+), 37 deletions(-) diff --git a/services/gitea.nix b/services/gitea.nix index 5db2d08..2b35352 100644 --- a/services/gitea.nix +++ b/services/gitea.nix 
@@ -49,45 +49,46 @@ log.level = "Info"; # mailerPasswordFile = # "/var/lib/secrets/noreply"; # see below for access permissions - # settings = { - # mailer = { - # ENABLED = true; - # HOST = "0x0.rip:465"; - # FROM = "noreply@0x0.rip"; - # ENVELOPE_FROM = "noreply@0x0.rip"; - # USER = "noreply@0x0.rip"; + settings = { + # mailer = { + # ENABLED = true; + # HOST = "0x0.rip:465"; + # FROM = "noreply@0x0.rip"; + # ENVELOPE_FROM = "noreply@0x0.rip"; + # USER = "noreply@0x0.rip"; - # }; - repository = { - DEFAULT_PRIVATE = "public"; - PREFERRED_LICENSES = "Unlicense"; - DEFAULT_BRANCH = "main"; + # }; + repository = { + DEFAULT_PRIVATE = "public"; + PREFERRED_LICENSES = "Unlicense"; + DEFAULT_BRANCH = "main"; + }; + "repository.pull-requests" = { + DEFAULT_MERGE_STYLE = "merge"; + DEFAULT_MERGE_MESSAGE_ALL_AUTHORS = true; + }; + "repository.upload".FILE_MAX_SIZE = 1024; + server = { + LANDING_PAGE = "explore"; + OFFLINE = true; + }; + security = { INSTALL_LOCK = true; }; + other = { + SHOW_FOOTER_VERSION = false; + SHOW_FOOTER_TEMPLATE_LOAD_TIME = false; + }; + cron = { + ENABLED = true; + NOTICE_ON_SUCCESS = true; + }; + "cron.update_mirrors" = { + SCHEDULE = "@every 12h"; + PULL_LIMIT = "-1"; + PUSH_LIMIT = "-1"; + }; + "cron.git_gc_repos".ENABLED = true; + "cron.delete_old_actions".ENABLED = true; }; - "repository.pull-requests" = { - DEFAULT_MERGE_STYLE = "merge"; - DEFAULT_MERGE_MESSAGE_ALL_AUTHORS = true; - }; - "repository.upload".FILE_MAX_SIZE = 1024; - server = { - LANDING_PAGE = "explore"; - OFFLINE = true; - }; - security = { INSTALL_LOCK = true; }; - other = { - SHOW_FOOTER_VERSION = false; - SHOW_FOOTER_TEMPLATE_LOAD_TIME = false; - }; - cron = { - ENABLED = true; - NOTICE_ON_SUCCESS = true; - }; - "cron.update_mirrors" = { - SCHEDULE = "@every 12h"; - PULL_LIMIT = "-1"; - PUSH_LIMIT = "-1"; - }; - "cron.git_gc_repos".ENABLED = true; - "cron.delete_old_actions".ENABLED = true; }; services.postgresqlBackup = { enable = true; 
From 639410011e678ef62e3c25d70612a69ca04bef63 Mon Sep 17 00:00:00 2001 From: stuebinm Date: Tue, 19 Jul 2022 17:32:00 +0200 Subject: [PATCH 12/18] update lantifa source urls & hashes --- services/lantifa.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/services/lantifa.nix b/services/lantifa.nix index 3b7c04d..e1649d2 100644 --- a/services/lantifa.nix +++ b/services/lantifa.nix @@ -40,7 +40,7 @@ extraConfig = let wikidb = pkgs.fetchzip { url = "https://www.kennel17.co.uk/uploads/testwiki/e/e9/WikiDB.zip"; - sha256 = "0pns9fk1ws54m7rgbfsrxqh6ayab16mmnvzba8m4malljgrbil8b"; + sha256 = "sha256-8pMNQwmGEsbIoSV1s4RL5Xqq4+f+GNOaCB8VlVnbweY="; }; in '' // Configure short URLs @@ -77,8 +77,8 @@ sha256 = "1k0z44jfqsxzwy6jjz3yfibiq8wi845d5iwwh8j3yijn2854fj0i"; }; intersection = pkgs.fetchzip { # This is the DynamicPageList extension - url = "https://extdist.wmflabs.org/dist/extensions/intersection-REL1_36-4a70dbd.tar.gz"; - sha256 = "0s70fqkf5ylpsxy1h3hljic8708j6099mz12b6k03hgwc582yywi"; + url = "https://extdist.wmflabs.org/dist/extensions/intersection-REL1_36-82eb087.tar.gz"; + sha256 = "sha256-TD58DvJ4CFASP4rIc94jeB4SN4zktLe33xZtz/Qg2dk="; }; PageForms = pkgs.fetchzip { url = "https://github.com/wikimedia/mediawiki-extensions-PageForms/archive/5.0.1.zip"; From 6aa06aed18c93678668905e83428996042cbe353 Mon Sep 17 00:00:00 2001 From: stuebinm Date: Wed, 20 Jul 2022 18:30:47 +0200 Subject: [PATCH 13/18] gitea: fix uffd login (note that this actually has to patch uffd) --- pkgs/uffd/default.nix | 5 ++--- pkgs/uffd/gitea-magic.patch | 32 ++++++++++++++++++++++++++++++++ services/gitea.nix | 6 ++++++ 3 files changed, 40 insertions(+), 3 deletions(-) create mode 100644 pkgs/uffd/gitea-magic.patch diff --git a/pkgs/uffd/default.nix b/pkgs/uffd/default.nix index 9e23c8b..761ff6a 100644 --- a/pkgs/uffd/default.nix +++ b/pkgs/uffd/default.nix 
@@ -5,12 +5,11 @@ python3Packages.buildPythonPackage rec { version = "2.0.1"; src = fetchzip { - url = - "https://git.cccv.de/uffd/uffd/-/archive/v${version}/uffd-v${version}.tar.gz"; + url = "https://git.cccv.de/uffd/uffd/-/archive/v${version}/uffd-v${version}.tar.gz"; hash = "sha256-KP4J1bw5u7MklaPu2SBFRNyGgkKOBOpft5MMH+em5M4="; }; - patches = [ ./fix-setuppy.patch ./fix-userinfo.patch ]; + patches = [ ./gitea-magic.patch ./fix-setuppy.patch ./fix-userinfo.patch ]; propagatedBuildInputs = with python3Packages; [ flask diff --git a/pkgs/uffd/gitea-magic.patch b/pkgs/uffd/gitea-magic.patch new file mode 100644 index 0000000..a2b3430 --- /dev/null +++ b/pkgs/uffd/gitea-magic.patch @@ -0,0 +1,32 @@ +From e3c0995160a653ef6cd8784b255036585b273b82 Mon Sep 17 00:00:00 2001 +From: stuebinm +Date: Wed, 20 Jul 2022 18:02:15 +0200 +Subject: [PATCH] magic gitea patch + +--- + uffd/oauth2/views.py | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/uffd/oauth2/views.py b/uffd/oauth2/views.py +index d13fd42..94352be 100644 +--- a/uffd/oauth2/views.py ++++ b/uffd/oauth2/views.py +@@ -230,6 +230,15 @@ def oauth_required(*scopes): + @oauth_required('profile') + def userinfo(): + user = request.oauth.user ++ client = request.oauth.client_id ++ if client == "gitea": ++ return jsonify( ++ id=user.unix_uid, ++ full_name=user.displayname, ++ login=user.loginname, ++ email=user.mail, ++ groups=[group.name for group in user.groups] ++ ) + return jsonify( + id=user.unix_uid, + name=user.displayname, +-- +2.36.0 + diff --git a/services/gitea.nix b/services/gitea.nix index 2b35352..ec370e7 100644 --- a/services/gitea.nix +++ b/services/gitea.nix @@ -22,6 +22,8 @@ imports = [ ((import sources.nix-hexchen) { }).profiles.nopersist ]; + environment.systemPackages = [ pkgs.gitea ]; + nixpkgs.config.allowUnfree = true; networking.firewall.enable = false; networking.defaultGateway = { 
@@ -63,6 +65,10 @@ PREFERRED_LICENSES = "Unlicense"; DEFAULT_BRANCH = "main"; }; + oauth2_client = { + ACCOUNT_LINKING = "auto"; + ENABLE_AUTO_REGISTRATION = true; + }; "repository.pull-requests" = { DEFAULT_MERGE_STYLE = "merge"; DEFAULT_MERGE_MESSAGE_ALL_AUTHORS = true; From 97459d817776dfebb62736a7758df1363c61f61d Mon Sep 17 00:00:00 2001 From: stuebinm Date: Fri, 22 Jul 2022 18:50:00 +0200 Subject: [PATCH 14/18] gitea: enable offline mode --- services/gitea.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/gitea.nix b/services/gitea.nix index ec370e7..a270512 100644 --- a/services/gitea.nix +++ b/services/gitea.nix @@ -76,7 +76,7 @@ "repository.upload".FILE_MAX_SIZE = 1024; server = { LANDING_PAGE = "explore"; - OFFLINE = true; + OFFLINE_MODE = true; }; security = { INSTALL_LOCK = true; }; other = { From 83cda0f44a6b25eab30638efd7991785b120a06e Mon Sep 17 00:00:00 2001 From: stuebinm Date: Mon, 1 Aug 2022 18:39:46 +0200 Subject: [PATCH 15/18] gitea: save state under /persist --- services/gitea.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/services/gitea.nix b/services/gitea.nix index a270512..a84e505 100644 --- a/services/gitea.nix +++ b/services/gitea.nix @@ -24,6 +24,8 @@ environment.systemPackages = [ pkgs.gitea ]; + hexchen.bindmounts."/var/lib/gitea" = "/persist/gitea"; + nixpkgs.config.allowUnfree = true; networking.firewall.enable = false; networking.defaultGateway = { From 9bf75b9c3ddd1a2f7ca31679208f5d194a997a71 Mon Sep 17 00:00:00 2001 From: stuebinm Date: Mon, 1 Aug 2022 20:54:17 +0200 Subject: [PATCH 16/18] git ssh: switch to gitea (instead of gitlab) --- services/gitea.nix | 13 +++++++++++++ services/gitlab.nix | 10 +++++----- 2 files changed, 18 insertions(+), 5 deletions(-) diff --git a/services/gitea.nix b/services/gitea.nix index a84e505..e24bcc6 100644 --- a/services/gitea.nix +++ b/services/gitea.nix 
@@ -104,6 +104,14 @@ startAt = "*-*-* 23:45:00"; location = "/persist/backups/postgres"; }; + services.openssh = { + enable = true; + passwordAuthentication = false; + listenAddresses = [ { + addr = "192.168.100.10"; + port = 22; + } ]; + }; })).config.system.build.toplevel; }; @@ -114,4 +122,9 @@ proxyPass = "http://${config.containers.gitea.localAddress}:3000"; }; }; + hexchen.nftables.nat.forwardPorts = [{ + ports = [ 22 ]; + destination = "${config.containers.gitea.localAddress}:22"; + proto = "tcp"; + }]; } diff --git a/services/gitlab.nix b/services/gitlab.nix index 5de66be..8a2c708 100644 --- a/services/gitlab.nix +++ b/services/gitlab.nix @@ -133,11 +133,11 @@ })).config.system.build.toplevel; }; - hexchen.nftables.nat.forwardPorts = [{ - ports = [ 22 ]; - destination = "${config.containers.gitlab.localAddress}:22"; - proto = "tcp"; - }]; + # hexchen.nftables.nat.forwardPorts = [{ + # ports = [ 22 ]; + # destination = "${config.containers.gitlab.localAddress}:22"; + # proto = "tcp"; + # }]; services.nginx.virtualHosts."gitlab.infra4future.de" = { locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:80"; From 6bba15faae1c81fc4724b31949e3c10dd8afea42 Mon Sep 17 00:00:00 2001 From: stuebinm Date: Wed, 3 Aug 2022 11:26:05 +0200 Subject: [PATCH 17/18] gitea: git protocol v2 over ssh cf. https://docs.gitea.io/en-us/config-cheat-sheet/#git-git, entry for option ENABLE_AUTO_GIT_WIRE_PROTOCOL --- services/gitea.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/services/gitea.nix b/services/gitea.nix index e24bcc6..19d5455 100644 --- a/services/gitea.nix +++ b/services/gitea.nix @@ -111,6 +111,9 @@ addr = "192.168.100.10"; port = 22; } ]; + extraConfig = '' + AcceptEnv GIT_PROTOCOL + ''; }; })).config.system.build.toplevel; }; From 82e70e0151c5ff5715f05236877237226356befb Mon Sep 17 00:00:00 2001 
From: moira Date: Mon, 12 Sep 2022 19:05:32 +0200 Subject: [PATCH 18/18] change name --- common/users.nix | 4 ++-- services/mail.nix | 14 +++++++------- services/syncthing.nix | 8 ++------ websites/muc.hacc.earth/index.html | 2 +- 4 files changed, 12 insertions(+), 16 deletions(-) diff --git a/common/users.nix b/common/users.nix index 7c4cbb9..22002ca 100644 --- a/common/users.nix +++ b/common/users.nix @@ -48,13 +48,13 @@ packages = with pkgs; [ ffmpeg ]; }; - schweby = { + moira = { uid = 1004; shell = pkgs.fish; isNormalUser = true; extraGroups = [ "wheel" "cdrom" ]; openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKqj9RRfthjBl4+y4YH7aWetx5qs2KOE2B0oOw3pjRrQ schweby 2022-05-22" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJrcJRF71+XM5YZj+SaSiGcdVZ0IDxGBXIWssDtHiTtr moira_2022_06" ]; hashedPassword = "$6$zkAsaVdmIduqZxez$GY9aBlYeP41F0it/VbbZzLLLRQhHAbDdFsa3e/1GS9McTuSimMHODg6HqNVEH1zSqD3afhK/0UHfqbtF5qpi90"; }; diff --git a/services/mail.nix b/services/mail.nix index 518f973..211a2e1 100644 --- a/services/mail.nix +++ b/services/mail.nix @@ -42,7 +42,7 @@ "raphael@hacc.space".hashedPassword = "$6$QveHpwMcp9mkFVAU$EFuahOrJIxPg.c.WGFHtrP3.onwJYwvP7fiBHHGb9jhosewZ2tEUP.2D3uyDLhd9Cfny6Yp4jDk/Hkjk7/ME1/"; - "schweby@hacc.space".hashedPassword = + "moira@hacc.space".hashedPassword = "$6$BpYhwcZNrkLhVqK$6FMqA/vUkdV4GBlHLSqS5DRCb/CaLDNeIsBcZ8G30heytS/tJj2Ag7b1ovSltTA4PUfhee3pJrz1BkwkA93vN1"; "zauberberg@hacc.space".hashedPassword = @@ -81,7 +81,7 @@ "hexchen@hacc.space" "octycs@hacc.space" "raphael@hacc.space" - "schweby@hacc.space" + "moira@hacc.space" "zauberberg@hacc.space" "stuebinm@hacc.space" "lenny@hacc.space" 
@@ -89,12 +89,12 @@ # admin: current people with access to the mail server and knowledge on how to use it™ "admin@hacc.space" = - [ "hexchen@hacc.space" "schweby@hacc.space" "zauberberg@hacc.space" ]; + [ "hexchen@hacc.space" "moira@hacc.space" "zauberberg@hacc.space" ]; # voc: hacc video operation center, various streaming-related things "voc@hacc.space" = [ "hexchen@hacc.space" - "schweby@hacc.space" + "moira@hacc.space" "octycs@hacc.space" "stuebinm@hacc.space" "zauberberg@hacc.space" @@ -105,13 +105,13 @@ # -- Regional: Germany -- # board of hacc e.V. "vorstand@hacc.space" = - [ "raphael@hacc.space" "schweby@hacc.space" "zauberberg@hacc.space" ]; + [ "raphael@hacc.space" "moira@hacc.space" "zauberberg@hacc.space" ]; # members of hacc e.V. "mitglieder@hacc.space" = [ "hexchen@hacc.space" "raphael@hacc.space" - "schweby@hacc.space" + "moira@hacc.space" "zauberberg@hacc.space" "lenny@hacc.space" "octycs@hacc.space" @@ -123,7 +123,7 @@ "hexchen@hacc.space" "octycs@hacc.space" "raphael@hacc.space" - "schweby@hacc.space" + "moira@hacc.space" "zauberberg@hacc.space" "stuebinm@hacc.space" "lenny@hacc.space" diff --git a/services/syncthing.nix b/services/syncthing.nix index 3eff7a7..40bab1c 100644 --- a/services/syncthing.nix +++ b/services/syncthing.nix @@ -7,10 +7,6 @@ configDir = "/persist/var/lib/syncthing/"; dataDir = "/persist/data/syncthing/"; devices = { - schweby = { - addresses = []; # empty = dynamic - id = "YF7DNNS-B63GERK-YFQ7G7Q-2DG7557-VIWFOTK-R3JOS63-T76POBQ-F6MO6AH"; - }; raphael-laptop = { addresses = []; # empty = dynamic id = "72B3T74-NOMJV3X-EVJXTJF-5GGAEZB-ZDKBHXQ-VQNRYEU-YCPA2JP-L6NGAAG"; @@ -25,7 +21,7 @@ folders = { "/persist/data/syncthing/hacc/" = { id = "qt2ly-xvvvs"; - devices = [ "schweby" "conway" "raphael-laptop"]; + devices = [ "conway" "raphael-laptop"]; type = "receiveonly"; versioning = { type = "simple"; 
@@ -34,7 +30,7 @@ }; "/persist/data/syncthing/hacc_eV_vorstand/" = { id = "twwt7-fxrsr"; - devices = [ "schweby" "conway" "raphael-laptop"]; + devices = [ "conway" "raphael-laptop"]; # type = "receiveencrypted"; # no yet implemented }; }; diff --git a/websites/muc.hacc.earth/index.html b/websites/muc.hacc.earth/index.html index fbc0bb4..e386de9 100644 --- a/websites/muc.hacc.earth/index.html +++ b/websites/muc.hacc.earth/index.html @@ -402,7 +402,7 @@ registered at the local court Munich VR 208921
    • raphael or rw
    • zauberberg
    • -
    • schweby
    • +
    • moira
  • Satzung (statutes)