From 09a4d88e006e7bb68585c78827dfb688144def29 Mon Sep 17 00:00:00 2001 From: Joey Hafner Date: Fri, 31 Jan 2025 23:54:42 -0800 Subject: [PATCH] Feature: Init stack.nix for Gitea. - Rotate gitea and postgres secrets. - Small update to docs. - Delete unused runner-related files. - Delete runner. - Move postgres data to `$APPDATA/postgres` Note: Primary Gitea instance on `gitea.jafner.tools` is running its own legacy config. This config will be used for a new `git.jafner.net` instance.
---
 homelab/stacks/gitea/.env | 1 - homelab/stacks/gitea/README.md | 2 +- homelab/stacks/gitea/docker-compose.yml | 38 +++-------- homelab/stacks/gitea/gitea.env | 2 - homelab/stacks/gitea/gitea.secrets | 24 +++++++ homelab/stacks/gitea/postgres.secrets | 24 +++++++ homelab/stacks/gitea/runner-dind.env | 4 -- homelab/stacks/gitea/runner-ubuntu.env | 4 -- homelab/stacks/gitea/runner_config.yaml | 89 ------------------------- homelab/stacks/gitea/stack.nix | 29 ++++++++ 10 files changed, 87 insertions(+), 130 deletions(-) delete mode 100644 homelab/stacks/gitea/.env delete mode 100644 homelab/stacks/gitea/gitea.env create mode 100644 homelab/stacks/gitea/gitea.secrets create mode 100644 homelab/stacks/gitea/postgres.secrets delete mode 100644 homelab/stacks/gitea/runner-dind.env delete mode 100644 homelab/stacks/gitea/runner-ubuntu.env delete mode 100644 homelab/stacks/gitea/runner_config.yaml create mode 100644 homelab/stacks/gitea/stack.nix
diff --git a/homelab/stacks/gitea/.env b/homelab/stacks/gitea/.env
deleted file mode 100644
index 551e58f6..00000000
--- a/homelab/stacks/gitea/.env
+++ /dev/null
@@ -1 +0,0 @@
-DOCKER_DATA=/home/admin/data/gitea
diff --git a/homelab/stacks/gitea/README.md b/homelab/stacks/gitea/README.md
index 27b06a2f..9c523798 100644
--- a/homelab/stacks/gitea/README.md
+++ b/homelab/stacks/gitea/README.md
@@ -9,7 +9,7 @@ DB_TYPE = postgres
 HOST = postgres:5432
 NAME = gitea
 USER = gitea
-PASSWD = [Located at postgres_secrets.env]
+PASSWD = [From postgres.secrets]
 LOG_SQL = false
 SCHEMA =
 SSL_MODE = disable
diff --git a/homelab/stacks/gitea/docker-compose.yml b/homelab/stacks/gitea/docker-compose.yml
index 88cdf96a..84bba98b 100644
--- a/homelab/stacks/gitea/docker-compose.yml
+++ b/homelab/stacks/gitea/docker-compose.yml
@@ -2,21 +2,21 @@ services:
 gitea:
 image: gitea/gitea:latest
 container_name: gitea_gitea
- env_file:
- - path: ./gitea.env
- required: true
 restart: always
+ env_file:
+ - path: /run/secrets/gitea/gitea
+ required: true
 networks:
 - web
 - gitea
 volumes:
- - $DOCKER_DATA/gitea:/data
+ - $APPDATA/gitea:/data
 - /etc/timezone:/etc/timezone:ro
 - /etc/localtime:/etc/localtime:ro
 ports:
 - "2225:22"
 labels:
- - traefik.http.routers.gitea.rule=Host(`gitea.jafner.tools`,`git.jafner.net`)
+ - traefik.http.routers.gitea.rule=Host(`git.jafner.net`)
 - traefik.http.routers.gitea.tls.certresolver=lets-encrypt
 - traefik.http.routers.gitea.tls.options=tls12@file
 - traefik.http.routers.gitea.middlewares=securityheaders@file
@@ -29,32 +29,12 @@ services:
 networks: - gitea env_file: - - path: ./postgres_secrets.env - required: false - volumes: - - postgres_data:/var/lib/postgresql/data - - runner-ubuntu: - image: gitea/act_runner:latest - container_name: gitea_runner-ubuntu - depends_on: - - gitea - env_file: - - path: ./runner-ubuntu.env + - path: /run/secrets/gitea/postgres required: true - - path: ./runner_secrets.env - required: false - networks: - - gitea - volumes: - - ./runner_ubuntu_config.yaml:/config.yaml - - $DOCKER_DATA/runner-ubuntu:/data - - /var/run/docker.sock:/var/run/docker.sock + volumes: + - $APPDATA/postgres:/var/lib/postgresql/data networks: web: external: true - gitea: - -volumes: - postgres_data: \ No newline at end of file + gitea: \ No newline at end of file
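Review bot: The gitea service loses its `USER_UID`/`USER_GID` settings in this hunk — they lived in the deleted gitea.env, and the only env source left is the sops-managed `/run/secrets/gitea/gitea`; unless the rotated secret also carries those two variables, the container will run as the image's default uid and files under the new `$APPDATA/gitea` bind mount will no longer match the ownership the old 1002/1002 setup produced. Worth confirming the secret's contents and recording the dependency next to the env_file entry, e.g. `# decrypted by sops-nix from gitea.secrets; expected to carry USER_UID/USER_GID`. The same env_file-from-secret pattern applies to the postgres service in the second hunk, where the switch from the `postgres_data` named volume to the `$APPDATA/postgres` bind mount also means any data still in the named volume is not picked up automatically; that is consistent with the commit message describing a fresh instance, but a one-line comment saying so would save the next reader a check.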
diff --git a/homelab/stacks/gitea/gitea.env b/homelab/stacks/gitea/gitea.env
deleted file mode 100644
index 6ec1555b..00000000
--- a/homelab/stacks/gitea/gitea.env
+++ /dev/null
@@ -1,2 +0,0 @@
-USER_UID=1002
-USER_GID=1002
\ No newline at end of file
diff --git a/homelab/stacks/gitea/gitea.secrets b/homelab/stacks/gitea/gitea.secrets
new file mode 100644
index 00000000..5cecc019
--- /dev/null
+++ b/homelab/stacks/gitea/gitea.secrets
@@ -0,0 +1,24 @@ +{ + "data": "ENC[AES256_GCM,data:jwpcbMqu53dv02XFm7jx2aKRi0vtnykn+f4BV2Wt19oGOp9WVZEajX1AACwvXCMNYE8kZvku6LW5DockSSBmlgupeVELMKcq,iv:6I0CiU1ziTRYq89shBpSu7PeH4fkSZyD8cbQmdncp/g=,tag:VAH4dh30O8NKdR1lppwm8g==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1v5wy7epv5mm8ddf3cfv8m0e9w4s693dw7djpuytz9td8ycha5f0sv2se9n", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaSzEwbmRna0hEcUsySi9v\nQzlSMXVkeS9qaElnWUZUS1RneEphOWlITFVjCi9haXJlNktoaitwV2Q2eDRHWGV3\nZERSQW4ya0RlMm5FMDJJWEszQ2I0TVkKLS0tIFZXeS9LSkZ5VUw4aTJUcTl6cjY5\nc1Z3U2FidElGT3MzZkVRTDBqZHc0WjQK+yVcFrBxY+ufzLe6U4VpEyf//0D9I14P\n3iIb1fWEGJu1AATmcy6FYnfxh0syIHX2jc/FCZvCvGRa8hCM5c2hXw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmWStMTDFPUFZ0dmVqd1Jr\nT250MHI3dmRUUElRQll6Q1FFY01Kc2pLQkdjCmc4MXdYQytUS3FtUlJNQzdLN0Zs\nTHQ1TUVxelh1elRuemxhRWpqc3d6RHMKLS0tIEp5Z1ZaUTA0YWlKdUFtdnpFcHRn\nWGI1OEl3VHBXOW9WLytRZGJhN1Axb0UK+0FlvBab88gsLyZlIM+6ozxwHzvP/1VF\nUcJct35W4BVw+TYQyknluK19MWd5Wfzxi0oXmj25vwW2hZxaBe5gAg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-02-01T07:48:37Z", + "mac": "ENC[AES256_GCM,data:X7f0ByWIB583UjW0pF8jAMXZ2oQKwKHkOzq1MieWQ0ma1vO9cewfPWONB0QBmlin0L19VSbUKQYEEc9deMHcJ89z0U94ffdLvEDJ91XFWHlT5LIAAwlr+lOdqotA8WF/d9Tpejj1vTyWpJ/+5g+EOAwmARtvabAAgg1RRAhosEo=,iv:ixsrTfvzuU2lcFExStbWQJ+xzKg0d/M9A1QSP9aPxWo=,tag:gkCVaMiefUeGHkt9FkPVdw==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.9.2" + } +} \ No newline at end of file diff --git a/homelab/stacks/gitea/postgres.secrets b/homelab/stacks/gitea/postgres.secrets new file mode 100644 index 00000000..8946952c --- /dev/null +++ b/homelab/stacks/gitea/postgres.secrets 
@@ -0,0 +1,24 @@ +{ + "data": "ENC[AES256_GCM,data:TJa3/FvMEQqcFKjUyd4c8Q0YYdIyreEU3iX6g3wtu6I9a9m7buYxfCe9URn1x/vjTS0+Lw6KzIO8Gk4YgIrLSt3SnW3Vwv01ZkOKhP4P936yezkEiYDPdDljyhzqt7lr,iv:QnhwVSBJv4kBbJsc+h5srVWiNuYry+2mcitiLsLuJkk=,tag:zA3cEi1YMYaNl8eg25pXnA==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1v5wy7epv5mm8ddf3cfv8m0e9w4s693dw7djpuytz9td8ycha5f0sv2se9n", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCblgwK0U5WEV2ZUZKczFw\nWmo4cjRyRUNnQ200WEVQOFlHWnJxL3J3eWhzClBoNWVMZnh3VGcwMEM0b2Q0YlJV\nb0JwZS9VY3B4dHpZdmk4bkFaTkNkYVEKLS0tIFc0RWt5OUhYeGVkd2piMFp1MzVT\nb3RTa2Zqa013b1RPQzBYdGFuRVJrN2cKPXvwad7AbKN5j/dXJOGu5iwluffKZW4D\nDEHy75VxU0SSAl75w+QMtYdKD8VestqjVD4XVw3s24ad9ZD1cx3qqw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCZFdiVkJJUG96a0VnNytR\nM3JNT3F0bVpucGo0R0tCdmUrTmxiUXUyeTJJCnpQSU9LTUZHRkFjZVdVRDRENmlk\nRlVKT294RE95WGgvNEI0ZUErRGJYSjgKLS0tIGFHWlEzY0FxUHYwTWhZREcwcjlZ\nOVJqc3o1WTdBck9hQ3R1YVBXbTBzTHcKnnpHVNsCYJdXFde2EZ92mKZTbEuAcVft\nj1FcpXwsNN+5tYtcFES3SZB8O1SZRvLMPAaE+zrYc6es1DzxmH1okw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-02-01T07:48:52Z", + "mac": "ENC[AES256_GCM,data:Z4FsPf5eclDT8VH5JKyxTvSUcDnkem44T6cZiztKZ5tRjQ1V+mMadklC4r/2kE+B+NauoEFeEpKimV5IOEtOBtrI6aITPN3CV6XVtFk4WBLSwQQ8SB8p+KY0HJIF/oPABXrB1ILJmEhRiTDd+XduSs07aIKo4m+OTSPNGJxEDP0=,iv:onpJKsTeP/8INOzdECVr0cxNwH1i2kgD3TPelDm81Hc=,tag:8MgLYf0X0jqm/p4D/MCycQ==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.9.2" + } +} \ No newline at end of file diff --git a/homelab/stacks/gitea/runner-dind.env b/homelab/stacks/gitea/runner-dind.env deleted file mode 100644 index 8a050799..00000000 --- a/homelab/stacks/gitea/runner-dind.env +++ /dev/null 
@@ -1,4 +0,0 @@
-CONFIG_FILE=/config.yaml
-GITEA_INSTANCE_URL=https://gitea.jafner.tools
-GITEA_RUNNER_NAME=druid2
-GITEA_RUNNER_LABELS=dind,druid
\ No newline at end of file
diff --git a/homelab/stacks/gitea/runner-ubuntu.env b/homelab/stacks/gitea/runner-ubuntu.env
deleted file mode 100644
index 1b7a979c..00000000
--- a/homelab/stacks/gitea/runner-ubuntu.env
+++ /dev/null
@@ -1,4 +0,0 @@
-CONFIG_FILE=/config.yaml
-GITEA_INSTANCE_URL=https://gitea.jafner.tools
-GITEA_RUNNER_NAME=druid1
-GITEA_RUNNER_LABELS=ubuntu-latest:docker://node:16-bullseye,ubuntu-22.04:docker://node:16-bullseye,ubuntu-20.04:docker://node:16-bullseye,ubuntu-18.04:docker://node:16-buster,druid
diff --git a/homelab/stacks/gitea/runner_config.yaml b/homelab/stacks/gitea/runner_config.yaml
deleted file mode 100644
index cae5cb84..00000000
--- a/homelab/stacks/gitea/runner_config.yaml
+++ /dev/null
@@ -1,89 +0,0 @@ -# Example configuration file, it's safe to copy this as the default config file without any modification. - -# You don't have to copy this file to your instance, -# just run `./act_runner generate-config > config.yaml` to generate a config file. - -log: - # The level of logging, can be trace, debug, info, warn, error, fatal - level: info - -runner: - # Where to store the registration result. - file: .runner - # Execute how many tasks concurrently at the same time. - capacity: 1 - # Extra environment variables to run jobs. - envs: - A_TEST_ENV_NAME_1: a_test_env_value_1 - A_TEST_ENV_NAME_2: a_test_env_value_2 - # Extra environment variables to run jobs from a file. - # It will be ignored if it's empty or the file doesn't exist. - env_file: .env - # The timeout for a job to be finished. - # Please note that the Gitea instance also has a timeout (3h by default) for the job. - # So the job could be stopped by the Gitea instance if it's timeout is shorter than this. - timeout: 3h - # Whether skip verifying the TLS certificate of the Gitea instance. - insecure: false - # The timeout for fetching the job from the Gitea instance. - fetch_timeout: 5s - # The interval for fetching the job from the Gitea instance. - fetch_interval: 2s - # The labels of a runner are used to determine which jobs the runner can run, and how to run them. - # Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"] - # If it's empty when registering, it will ask for inputting labels. - # If it's empty when execute `deamon`, will use labels in `.runner` file. - labels: [] - -cache: - # Enable cache server to use actions/cache. - enabled: true - # The directory to store the cache data. - # If it's empty, the cache data will be stored in $HOME/.cache/actcache. - dir: "" - # The host of the cache server. - # It's not for the address to listen, but the address to connect from job containers. 
- # So 0.0.0.0 is a bad choice, leave it empty to detect automatically. - host: "" - # The port of the cache server. - # 0 means to use a random available port. - port: 0 - # The external cache server URL. Valid only when enable is true. - # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself. - # The URL should generally end with "/". - external_server: "" - -container: - # Specifies the network to which the container will connect. - # Could be host, bridge or the name of a custom network. - # If it's empty, act_runner will create a network automatically. - network: "" - # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker). - privileged: false - # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway). - options: - # The parent directory of a job's working directory. - # If it's empty, /workspace will be used. - workdir_parent: - # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob - # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted. - # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to: - # valid_volumes: - # - data - # - /src/*.json - # If you want to allow any volume, please use the following configuration: - # valid_volumes: - # - '**' - valid_volumes: [] - # overrides the docker client host with the specified one. - # If it's empty, act_runner will find an available docker host automatically. - # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers. - # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work. 
- docker_host: ""
- # Pull docker image(s) even if already present
- force_pull: false
-
-host:
- # The parent directory of a job's working directory.
- # If it's empty, $HOME/.cache/act/ will be used.
- workdir_parent:
\ No newline at end of file
diff --git a/homelab/stacks/gitea/stack.nix b/homelab/stacks/gitea/stack.nix
new file mode 100644
index 00000000..732b409c
--- /dev/null
+++ b/homelab/stacks/gitea/stack.nix
@@ -0,0 +1,29 @@
+{ sys, ... }: let stack = "gitea"; in {
+ home-manager.users."${sys.username}".home.file = {
+ "${stack}" = {
+ enable = true;
+ recursive = true;
+ source = ./.;
+ target = "stacks/${stack}/";
+ };
+ "${stack}/.env" = {
+ enable = true;
+ text = ''
+ APPDATA=${sys.dataDirs.appdata}/${stack}
+ '';
+ target = "stacks/${stack}/.env";
+ };
+ };
+ sops.secrets."${stack}/gitea" = {
+ sopsFile = ./gitea.secrets;
+ key = "";
+ mode = "0440";
+ owner = sys.username;
+ };
+ sops.secrets."${stack}/postgres" = {
+ sopsFile = ./postgres.secrets;
+ key = "";
+ mode = "0440";
+ owner = sys.username;
+ };
+}
\ No newline at end of file
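Review bot: Both `sops.secrets` entries rely on `key = ""` to hand the whole decrypted file to compose as an env_file, but neither sets `format`; the two `.secrets` files added in this commit carry the single top-level `data` field that sops writes for binary/dotenv input rather than a YAML tree, so with sops-nix's default format (yaml) the decrypted `/run/secrets/gitea/gitea` may not be the raw KEY=VALUE text compose expects — confirm on a host and add `format = "binary";` (or `"dotenv"`) to each entry if it is not. The `home.file."${stack}"` entry also mirrors `./.` wholesale, which puts gitea.secrets, postgres.secrets and this stack.nix into the world-readable Nix store and under `stacks/gitea/`; that is harmless while they stay encrypted, but a short comment stating that plaintext only ever exists under `/run/secrets` via sops-nix would make the intent explicit. The whole new file is contained in this hunk.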