Feature: Init stack.nix for Gitea.

- Rotate gitea and postgres secrets.
  - Small update to docs.
  - Delete unused runner-related files.
  - Delete runner.
  - Move postgres data to `$APPDATA/postgres`
Note: Primary Gitea instance on `gitea.jafner.tools` is running its own legacy config. This config will be used for a new `git.jafner.net` instance.
Joey Hafner 2025-01-31 23:54:42 -08:00
parent 8420d3f2e0
commit 09a4d88e00
Signed by: Jafner
GPG Key ID: 6D9A24EF2F389E55
10 changed files with 87 additions and 130 deletions


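--- a/PATH-NOT-SHOWN-docker-data-env
+++ /dev/null
@@ -1 +0,0 @@
-DOCKER_DATA=/home/admin/data/gitea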


@ -9,7 +9,7 @@ DB_TYPE = postgres
HOST = postgres:5432 HOST = postgres:5432
NAME = gitea NAME = gitea
USER = gitea USER = gitea
PASSWD = [Located at postgres_secrets.env] PASSWD = [From postgres.secrets]
LOG_SQL = false LOG_SQL = false
SCHEMA = SCHEMA =
SSL_MODE = disable SSL_MODE = disable
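Review bot: The new PASSWD value `[From postgres.secrets]` is a literal string, not a comment, so Gitea will use it verbatim as the database password unless the env file mounted from /run/secrets/gitea/gitea overrides it through `GITEA__database__PASSWD` (that file is encrypted on this page, so I cannot confirm it does). If the override is the intent, leave the key empty and say so in an INI comment: `; PASSWD is injected via GITEA__database__PASSWD from the gitea sops secret` followed by `PASSWD =`; a bracketed note in the value position reads like a password to the config parser. The enclosing database section starts outside the hunk.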


@ -2,21 +2,21 @@ services:
gitea: gitea:
image: gitea/gitea:latest image: gitea/gitea:latest
container_name: gitea_gitea container_name: gitea_gitea
env_file:
- path: ./gitea.env
required: true
restart: always restart: always
env_file:
- path: /run/secrets/gitea/gitea
required: true
networks: networks:
- web - web
- gitea - gitea
volumes: volumes:
- $DOCKER_DATA/gitea:/data - $APPDATA/gitea:/data
- /etc/timezone:/etc/timezone:ro - /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro - /etc/localtime:/etc/localtime:ro
ports: ports:
- "2225:22" - "2225:22"
labels: labels:
- traefik.http.routers.gitea.rule=Host(`gitea.jafner.tools`,`git.jafner.net`) - traefik.http.routers.gitea.rule=Host(`git.jafner.net`)
- traefik.http.routers.gitea.tls.certresolver=lets-encrypt - traefik.http.routers.gitea.tls.certresolver=lets-encrypt
- traefik.http.routers.gitea.tls.options=tls12@file - traefik.http.routers.gitea.tls.options=tls12@file
- traefik.http.routers.gitea.middlewares=securityheaders@file - traefik.http.routers.gitea.middlewares=securityheaders@file
@ -29,32 +29,12 @@ services:
networks: networks:
- gitea - gitea
env_file: env_file:
- path: ./postgres_secrets.env - path: /run/secrets/gitea/postgres
required: false
volumes:
- postgres_data:/var/lib/postgresql/data
runner-ubuntu:
image: gitea/act_runner:latest
container_name: gitea_runner-ubuntu
depends_on:
- gitea
env_file:
- path: ./runner-ubuntu.env
required: true required: true
- path: ./runner_secrets.env volumes:
required: false - $APPDATA/postgres:/var/lib/postgresql/data
networks:
- gitea
volumes:
- ./runner_ubuntu_config.yaml:/config.yaml
- $DOCKER_DATA/runner-ubuntu:/data
- /var/run/docker.sock:/var/run/docker.sock
networks: networks:
web: web:
external: true external: true
gitea: gitea:
volumes:
postgres_data:
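Review bot: Switching postgres from the named volume `postgres_data` to the bind mount `$APPDATA/postgres` (second hunk) does not move any data: a plain `docker compose up` initialises an empty cluster at the new path while the old `postgres_data` volume keeps the previous database, including Gitea's stored credentials, as an orphan that nothing now references. Copy the data directory across before switching and remove the old volume once the new instance is verified, and annotate the mount line: `# data migrated from the former postgres_data named volume; old volume removed after verification`. The postgres env_file moving from `required: false` to `required: true` matches the gitea service, and dropping the runner with its docker.sock mount removes a host-control surface, both good. The second hunk's rendering fuses old and new lines around `required: true`, so the exact new-side text there is partly inferred.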


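--- a/PATH-NOT-SHOWN-gitea-uid-env
+++ /dev/null
@@ -1,2 +0,0 @@
-USER_UID=1002
-USER_GID=1002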


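--- /dev/null
+++ b/PATH-NOT-SHOWN-sops-secret-1
@@ -0,0 +1,24 @@
+{
+"data": "ENC[AES256_GCM,data:jwpcbMqu53dv02XFm7jx2aKRi0vtnykn+f4BV2Wt19oGOp9WVZEajX1AACwvXCMNYE8kZvku6LW5DockSSBmlgupeVELMKcq,iv:6I0CiU1ziTRYq89shBpSu7PeH4fkSZyD8cbQmdncp/g=,tag:VAH4dh30O8NKdR1lppwm8g==,type:str]",
+"sops": {
+"kms": null,
+"gcp_kms": null,
+"azure_kv": null,
+"hc_vault": null,
+"age": [
+{
+"recipient": "age1v5wy7epv5mm8ddf3cfv8m0e9w4s693dw7djpuytz9td8ycha5f0sv2se9n",
+"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaSzEwbmRna0hEcUsySi9v\nQzlSMXVkeS9qaElnWUZUS1RneEphOWlITFVjCi9haXJlNktoaitwV2Q2eDRHWGV3\nZERSQW4ya0RlMm5FMDJJWEszQ2I0TVkKLS0tIFZXeS9LSkZ5VUw4aTJUcTl6cjY5\nc1Z3U2FidElGT3MzZkVRTDBqZHc0WjQK+yVcFrBxY+ufzLe6U4VpEyf//0D9I14P\n3iIb1fWEGJu1AATmcy6FYnfxh0syIHX2jc/FCZvCvGRa8hCM5c2hXw==\n-----END AGE ENCRYPTED FILE-----\n"
+},
+{
+"recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00",
+"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmWStMTDFPUFZ0dmVqd1Jr\nT250MHI3dmRUUElRQll6Q1FFY01Kc2pLQkdjCmc4MXdYQytUS3FtUlJNQzdLN0Zs\nTHQ1TUVxelh1elRuemxhRWpqc3d6RHMKLS0tIEp5Z1ZaUTA0YWlKdUFtdnpFcHRn\nWGI1OEl3VHBXOW9WLytRZGJhN1Axb0UK+0FlvBab88gsLyZlIM+6ozxwHzvP/1VF\nUcJct35W4BVw+TYQyknluK19MWd5Wfzxi0oXmj25vwW2hZxaBe5gAg==\n-----END AGE ENCRYPTED FILE-----\n"
+}
+],
+"lastmodified": "2025-02-01T07:48:37Z",
+"mac": "ENC[AES256_GCM,data:X7f0ByWIB583UjW0pF8jAMXZ2oQKwKHkOzq1MieWQ0ma1vO9cewfPWONB0QBmlin0L19VSbUKQYEEc9deMHcJ89z0U94ffdLvEDJ91XFWHlT5LIAAwlr+lOdqotA8WF/d9Tpejj1vTyWpJ/+5g+EOAwmARtvabAAgg1RRAhosEo=,iv:ixsrTfvzuU2lcFExStbWQJ+xzKg0d/M9A1QSP9aPxWo=,tag:gkCVaMiefUeGHkt9FkPVdw==,type:str]",
+"pgp": null,
+"unencrypted_suffix": "_unencrypted",
+"version": "3.9.2"
+}
+}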


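--- /dev/null
+++ b/PATH-NOT-SHOWN-sops-secret-2
@@ -0,0 +1,24 @@
+{
+"data": "ENC[AES256_GCM,data:TJa3/FvMEQqcFKjUyd4c8Q0YYdIyreEU3iX6g3wtu6I9a9m7buYxfCe9URn1x/vjTS0+Lw6KzIO8Gk4YgIrLSt3SnW3Vwv01ZkOKhP4P936yezkEiYDPdDljyhzqt7lr,iv:QnhwVSBJv4kBbJsc+h5srVWiNuYry+2mcitiLsLuJkk=,tag:zA3cEi1YMYaNl8eg25pXnA==,type:str]",
+"sops": {
+"kms": null,
+"gcp_kms": null,
+"azure_kv": null,
+"hc_vault": null,
+"age": [
+{
+"recipient": "age1v5wy7epv5mm8ddf3cfv8m0e9w4s693dw7djpuytz9td8ycha5f0sv2se9n",
+"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCblgwK0U5WEV2ZUZKczFw\nWmo4cjRyRUNnQ200WEVQOFlHWnJxL3J3eWhzClBoNWVMZnh3VGcwMEM0b2Q0YlJV\nb0JwZS9VY3B4dHpZdmk4bkFaTkNkYVEKLS0tIFc0RWt5OUhYeGVkd2piMFp1MzVT\nb3RTa2Zqa013b1RPQzBYdGFuRVJrN2cKPXvwad7AbKN5j/dXJOGu5iwluffKZW4D\nDEHy75VxU0SSAl75w+QMtYdKD8VestqjVD4XVw3s24ad9ZD1cx3qqw==\n-----END AGE ENCRYPTED FILE-----\n"
+},
+{
+"recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00",
+"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCZFdiVkJJUG96a0VnNytR\nM3JNT3F0bVpucGo0R0tCdmUrTmxiUXUyeTJJCnpQSU9LTUZHRkFjZVdVRDRENmlk\nRlVKT294RE95WGgvNEI0ZUErRGJYSjgKLS0tIGFHWlEzY0FxUHYwTWhZREcwcjlZ\nOVJqc3o1WTdBck9hQ3R1YVBXbTBzTHcKnnpHVNsCYJdXFde2EZ92mKZTbEuAcVft\nj1FcpXwsNN+5tYtcFES3SZB8O1SZRvLMPAaE+zrYc6es1DzxmH1okw==\n-----END AGE ENCRYPTED FILE-----\n"
+}
+],
+"lastmodified": "2025-02-01T07:48:52Z",
+"mac": "ENC[AES256_GCM,data:Z4FsPf5eclDT8VH5JKyxTvSUcDnkem44T6cZiztKZ5tRjQ1V+mMadklC4r/2kE+B+NauoEFeEpKimV5IOEtOBtrI6aITPN3CV6XVtFk4WBLSwQQ8SB8p+KY0HJIF/oPABXrB1ILJmEhRiTDd+XduSs07aIKo4m+OTSPNGJxEDP0=,iv:onpJKsTeP/8INOzdECVr0cxNwH1i2kgD3TPelDm81Hc=,tag:8MgLYf0X0jqm/p4D/MCycQ==,type:str]",
+"pgp": null,
+"unencrypted_suffix": "_unencrypted",
+"version": "3.9.2"
+}
+}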


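--- a/PATH-NOT-SHOWN-runner-druid2-env
+++ /dev/null
@@ -1,4 +0,0 @@
-CONFIG_FILE=/config.yaml
-GITEA_INSTANCE_URL=https://gitea.jafner.tools
-GITEA_RUNNER_NAME=druid2
-GITEA_RUNNER_LABELS=dind,druid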


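--- a/PATH-NOT-SHOWN-runner-druid1-env
+++ /dev/null
@@ -1,4 +0,0 @@
-CONFIG_FILE=/config.yaml
-GITEA_INSTANCE_URL=https://gitea.jafner.tools
-GITEA_RUNNER_NAME=druid1
-GITEA_RUNNER_LABELS=ubuntu-latest:docker://node:16-bullseye,ubuntu-22.04:docker://node:16-bullseye,ubuntu-20.04:docker://node:16-bullseye,ubuntu-18.04:docker://node:16-buster,druid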


@ -1,89 +0,0 @@
# Example configuration file, it's safe to copy this as the default config file without any modification.
# You don't have to copy this file to your instance,
# just run `./act_runner generate-config > config.yaml` to generate a config file.
log:
# The level of logging, can be trace, debug, info, warn, error, fatal
level: info
runner:
# Where to store the registration result.
file: .runner
# Execute how many tasks concurrently at the same time.
capacity: 1
# Extra environment variables to run jobs.
envs:
A_TEST_ENV_NAME_1: a_test_env_value_1
A_TEST_ENV_NAME_2: a_test_env_value_2
# Extra environment variables to run jobs from a file.
# It will be ignored if it's empty or the file doesn't exist.
env_file: .env
# The timeout for a job to be finished.
# Please note that the Gitea instance also has a timeout (3h by default) for the job.
# So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
timeout: 3h
# Whether skip verifying the TLS certificate of the Gitea instance.
insecure: false
# The timeout for fetching the job from the Gitea instance.
fetch_timeout: 5s
# The interval for fetching the job from the Gitea instance.
fetch_interval: 2s
# The labels of a runner are used to determine which jobs the runner can run, and how to run them.
# Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
# If it's empty when registering, it will ask for inputting labels.
# If it's empty when execute `deamon`, will use labels in `.runner` file.
labels: []
cache:
# Enable cache server to use actions/cache.
enabled: true
# The directory to store the cache data.
# If it's empty, the cache data will be stored in $HOME/.cache/actcache.
dir: ""
# The host of the cache server.
# It's not for the address to listen, but the address to connect from job containers.
# So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
host: ""
# The port of the cache server.
# 0 means to use a random available port.
port: 0
# The external cache server URL. Valid only when enable is true.
# If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
# The URL should generally end with "/".
external_server: ""
container:
# Specifies the network to which the container will connect.
# Could be host, bridge or the name of a custom network.
# If it's empty, act_runner will create a network automatically.
network: ""
# Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
privileged: false
# And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
options:
# The parent directory of a job's working directory.
# If it's empty, /workspace will be used.
workdir_parent:
# Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
# You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
# For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
# valid_volumes:
# - data
# - /src/*.json
# If you want to allow any volume, please use the following configuration:
# valid_volumes:
# - '**'
valid_volumes: []
# overrides the docker client host with the specified one.
# If it's empty, act_runner will find an available docker host automatically.
# If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
# If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
docker_host: ""
# Pull docker image(s) even if already present
force_pull: false
host:
# The parent directory of a job's working directory.
# If it's empty, $HOME/.cache/act/ will be used.
workdir_parent:


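--- /dev/null
+++ b/stack.nix
@@ -0,0 +1,29 @@
+{ sys, ... }: let stack = "gitea"; in {
+home-manager.users."${sys.username}".home.file = {
+"${stack}" = {
+enable = true;
+recursive = true;
+source = ./.;
+target = "stacks/${stack}/";
+};
+"${stack}/.env" = {
+enable = true;
+text = ''
+APPDATA=${sys.dataDirs.appdata}/${stack}
+'';
+target = "stacks/${stack}/.env";
+};
+};
+sops.secrets."${stack}/gitea" = {
+sopsFile = ./gitea.secrets;
+key = "";
+mode = "0440";
+owner = sys.username;
+};
+sops.secrets."${stack}/postgres" = {
+sopsFile = ./postgres.secrets;
+key = "";
+mode = "0440";
+owner = sys.username;
+};
+}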
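Review bot: Both `sops.secrets` entries set `key = ""` but no `format`; the `.secrets` files added in this commit carry a single encrypted `data` field, which is the layout sops produces for non-structured (binary) input, so if sops-nix's default structured format applies here the decrypted output may not be the plain env file that compose reads from /run/secrets/gitea/gitea — confirm on a deploy, or set `format = "binary";` explicitly on both entries. The two entries differ only in name and could be built from one list with `lib.listToAttrs` over `[ "gitea" "postgres" ]` so that mode and owner cannot drift apart (this would need `lib` in the function arguments). The `home.file."${stack}"` entry copies the whole directory (`source = ./.`), so the encrypted `.secrets` files and stack.nix itself also land under `stacks/gitea/`; that is harmless because they stay encrypted, but a comment on `source = ./.` saying so would save the next reader the check.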