Feature: Init stack.nix for Gitea.

- Rotate gitea and postgres secrets.
  - Small update to docs.
  - Delete unused runner-related files.
  - Delete runner.
  - Move postgres data to `$APPDATA/postgres`
Note: Primary Gitea instance on `gitea.jafner.tools` is running its own legacy config. This config will be used for a new `git.jafner.net` instance.

homelab/stacks/gitea/.env

@@ -1 +0,0 @@
-DOCKER_DATA=/home/admin/data/gitea

homelab/stacks/gitea/README.md

@@ -9,7 +9,7 @@ DB_TYPE = postgres
 HOST = postgres:5432
 NAME = gitea
 USER = gitea
-PASSWD = [Located at postgres_secrets.env]
+PASSWD = [From postgres.secrets]
 LOG_SQL = false
 SCHEMA = 
 SSL_MODE = disable

homelab/stacks/gitea/docker-compose.yml

@@ -2,21 +2,21 @@ services:
   gitea:
     image: gitea/gitea:latest
     container_name: gitea_gitea
-    env_file:
-      - path: ./gitea.env
-        required: true
     restart: always
+    env_file:
+      - path: /run/secrets/gitea/gitea
+        required: true
     networks:
       - web
       - gitea
     volumes:
-      - $DOCKER_DATA/gitea:/data
+      - $APPDATA/gitea:/data
       - /etc/timezone:/etc/timezone:ro
       - /etc/localtime:/etc/localtime:ro
     ports:
       - "2225:22"
     labels:
-      - traefik.http.routers.gitea.rule=Host(`gitea.jafner.tools`,`git.jafner.net`)
+      - traefik.http.routers.gitea.rule=Host(`git.jafner.net`)
       - traefik.http.routers.gitea.tls.certresolver=lets-encrypt
       - traefik.http.routers.gitea.tls.options=tls12@file
       - traefik.http.routers.gitea.middlewares=securityheaders@file
@@ -29,32 +29,12 @@ services:
     networks:
       - gitea
     env_file:
-      - path: ./postgres_secrets.env
-        required: false
-    volumes:
-      - postgres_data:/var/lib/postgresql/data
-  
-  runner-ubuntu:
-    image: gitea/act_runner:latest
-    container_name: gitea_runner-ubuntu
-    depends_on:
-      - gitea
-    env_file:
-      - path: ./runner-ubuntu.env
+      - path: /run/secrets/gitea/postgres
         required: true
-      - path: ./runner_secrets.env
-        required: false
-    networks:
-      - gitea
-    volumes: 
-      - ./runner_ubuntu_config.yaml:/config.yaml
-      - $DOCKER_DATA/runner-ubuntu:/data
-      - /var/run/docker.sock:/var/run/docker.sock
+    volumes:
+      - $APPDATA/postgres:/var/lib/postgresql/data
 
 networks:
   web:
     external: true
-  gitea:
-
-volumes:
-  postgres_data:
+  gitea:

homelab/stacks/gitea/gitea.env

@@ -1,2 +0,0 @@
-USER_UID=1002
-USER_GID=1002

homelab/stacks/gitea/gitea.secrets

@@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:jwpcbMqu53dv02XFm7jx2aKRi0vtnykn+f4BV2Wt19oGOp9WVZEajX1AACwvXCMNYE8kZvku6LW5DockSSBmlgupeVELMKcq,iv:6I0CiU1ziTRYq89shBpSu7PeH4fkSZyD8cbQmdncp/g=,tag:VAH4dh30O8NKdR1lppwm8g==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1v5wy7epv5mm8ddf3cfv8m0e9w4s693dw7djpuytz9td8ycha5f0sv2se9n",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaSzEwbmRna0hEcUsySi9v\nQzlSMXVkeS9qaElnWUZUS1RneEphOWlITFVjCi9haXJlNktoaitwV2Q2eDRHWGV3\nZERSQW4ya0RlMm5FMDJJWEszQ2I0TVkKLS0tIFZXeS9LSkZ5VUw4aTJUcTl6cjY5\nc1Z3U2FidElGT3MzZkVRTDBqZHc0WjQK+yVcFrBxY+ufzLe6U4VpEyf//0D9I14P\n3iIb1fWEGJu1AATmcy6FYnfxh0syIHX2jc/FCZvCvGRa8hCM5c2hXw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmWStMTDFPUFZ0dmVqd1Jr\nT250MHI3dmRUUElRQll6Q1FFY01Kc2pLQkdjCmc4MXdYQytUS3FtUlJNQzdLN0Zs\nTHQ1TUVxelh1elRuemxhRWpqc3d6RHMKLS0tIEp5Z1ZaUTA0YWlKdUFtdnpFcHRn\nWGI1OEl3VHBXOW9WLytRZGJhN1Axb0UK+0FlvBab88gsLyZlIM+6ozxwHzvP/1VF\nUcJct35W4BVw+TYQyknluK19MWd5Wfzxi0oXmj25vwW2hZxaBe5gAg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-02-01T07:48:37Z",
+		"mac": "ENC[AES256_GCM,data:X7f0ByWIB583UjW0pF8jAMXZ2oQKwKHkOzq1MieWQ0ma1vO9cewfPWONB0QBmlin0L19VSbUKQYEEc9deMHcJ89z0U94ffdLvEDJ91XFWHlT5LIAAwlr+lOdqotA8WF/d9Tpejj1vTyWpJ/+5g+EOAwmARtvabAAgg1RRAhosEo=,iv:ixsrTfvzuU2lcFExStbWQJ+xzKg0d/M9A1QSP9aPxWo=,tag:gkCVaMiefUeGHkt9FkPVdw==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.2"
+	}
+}

homelab/stacks/gitea/postgres.secrets

@@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:TJa3/FvMEQqcFKjUyd4c8Q0YYdIyreEU3iX6g3wtu6I9a9m7buYxfCe9URn1x/vjTS0+Lw6KzIO8Gk4YgIrLSt3SnW3Vwv01ZkOKhP4P936yezkEiYDPdDljyhzqt7lr,iv:QnhwVSBJv4kBbJsc+h5srVWiNuYry+2mcitiLsLuJkk=,tag:zA3cEi1YMYaNl8eg25pXnA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1v5wy7epv5mm8ddf3cfv8m0e9w4s693dw7djpuytz9td8ycha5f0sv2se9n",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCblgwK0U5WEV2ZUZKczFw\nWmo4cjRyRUNnQ200WEVQOFlHWnJxL3J3eWhzClBoNWVMZnh3VGcwMEM0b2Q0YlJV\nb0JwZS9VY3B4dHpZdmk4bkFaTkNkYVEKLS0tIFc0RWt5OUhYeGVkd2piMFp1MzVT\nb3RTa2Zqa013b1RPQzBYdGFuRVJrN2cKPXvwad7AbKN5j/dXJOGu5iwluffKZW4D\nDEHy75VxU0SSAl75w+QMtYdKD8VestqjVD4XVw3s24ad9ZD1cx3qqw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCZFdiVkJJUG96a0VnNytR\nM3JNT3F0bVpucGo0R0tCdmUrTmxiUXUyeTJJCnpQSU9LTUZHRkFjZVdVRDRENmlk\nRlVKT294RE95WGgvNEI0ZUErRGJYSjgKLS0tIGFHWlEzY0FxUHYwTWhZREcwcjlZ\nOVJqc3o1WTdBck9hQ3R1YVBXbTBzTHcKnnpHVNsCYJdXFde2EZ92mKZTbEuAcVft\nj1FcpXwsNN+5tYtcFES3SZB8O1SZRvLMPAaE+zrYc6es1DzxmH1okw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-02-01T07:48:52Z",
+		"mac": "ENC[AES256_GCM,data:Z4FsPf5eclDT8VH5JKyxTvSUcDnkem44T6cZiztKZ5tRjQ1V+mMadklC4r/2kE+B+NauoEFeEpKimV5IOEtOBtrI6aITPN3CV6XVtFk4WBLSwQQ8SB8p+KY0HJIF/oPABXrB1ILJmEhRiTDd+XduSs07aIKo4m+OTSPNGJxEDP0=,iv:onpJKsTeP/8INOzdECVr0cxNwH1i2kgD3TPelDm81Hc=,tag:8MgLYf0X0jqm/p4D/MCycQ==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.2"
+	}
+}

homelab/stacks/gitea/runner-dind.env

@@ -1,4 +0,0 @@
-CONFIG_FILE=/config.yaml
-GITEA_INSTANCE_URL=https://gitea.jafner.tools
-GITEA_RUNNER_NAME=druid2
-GITEA_RUNNER_LABELS=dind,druid

homelab/stacks/gitea/runner-ubuntu.env

@@ -1,4 +0,0 @@
-CONFIG_FILE=/config.yaml
-GITEA_INSTANCE_URL=https://gitea.jafner.tools
-GITEA_RUNNER_NAME=druid1
-GITEA_RUNNER_LABELS=ubuntu-latest:docker://node:16-bullseye,ubuntu-22.04:docker://node:16-bullseye,ubuntu-20.04:docker://node:16-bullseye,ubuntu-18.04:docker://node:16-buster,druid

homelab/stacks/gitea/runner_config.yaml

@@ -1,89 +0,0 @@
-# Example configuration file, it's safe to copy this as the default config file without any modification.
-
-# You don't have to copy this file to your instance,
-# just run `./act_runner generate-config > config.yaml` to generate a config file.
-
-log:
-  # The level of logging, can be trace, debug, info, warn, error, fatal
-  level: info
-
-runner:
-  # Where to store the registration result.
-  file: .runner
-  # Execute how many tasks concurrently at the same time.
-  capacity: 1
-  # Extra environment variables to run jobs.
-  envs:
-    A_TEST_ENV_NAME_1: a_test_env_value_1
-    A_TEST_ENV_NAME_2: a_test_env_value_2
-  # Extra environment variables to run jobs from a file.
-  # It will be ignored if it's empty or the file doesn't exist.
-  env_file: .env
-  # The timeout for a job to be finished.
-  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
-  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
-  timeout: 3h
-  # Whether skip verifying the TLS certificate of the Gitea instance.
-  insecure: false
-  # The timeout for fetching the job from the Gitea instance.
-  fetch_timeout: 5s
-  # The interval for fetching the job from the Gitea instance.
-  fetch_interval: 2s
-  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
-  # Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
-  # If it's empty when registering, it will ask for inputting labels.
-  # If it's empty when execute `deamon`, will use labels in `.runner` file.
-  labels: []
-
-cache:
-  # Enable cache server to use actions/cache.
-  enabled: true
-  # The directory to store the cache data.
-  # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
-  dir: ""
-  # The host of the cache server.
-  # It's not for the address to listen, but the address to connect from job containers.
-  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
-  host: ""
-  # The port of the cache server.
-  # 0 means to use a random available port.
-  port: 0
-  # The external cache server URL. Valid only when enable is true.
-  # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
-  # The URL should generally end with "/".
-  external_server: ""
-
-container:
-  # Specifies the network to which the container will connect.
-  # Could be host, bridge or the name of a custom network.
-  # If it's empty, act_runner will create a network automatically.
-  network: ""
-  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
-  privileged: false
-  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
-  options:
-  # The parent directory of a job's working directory.
-  # If it's empty, /workspace will be used.
-  workdir_parent:
-  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
-  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
-  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
-  # valid_volumes:
-  #   - data
-  #   - /src/*.json
-  # If you want to allow any volume, please use the following configuration:
-  # valid_volumes:
-  #   - '**'
-  valid_volumes: []
-  # overrides the docker client host with the specified one.
-  # If it's empty, act_runner will find an available docker host automatically.
-  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
-  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
-  docker_host: ""
-  # Pull docker image(s) even if already present
-  force_pull: false
-
-host:
-  # The parent directory of a job's working directory.
-  # If it's empty, $HOME/.cache/act/ will be used.
-  workdir_parent:

homelab/stacks/gitea/stack.nix

@@ -0,0 +1,29 @@
+{ sys, ... }: let stack = "gitea"; in {
+  home-manager.users."${sys.username}".home.file = {
+    "${stack}" = {
+      enable = true;
+      recursive = true;
+      source = ./.;
+      target = "stacks/${stack}/";
+    };
+    "${stack}/.env" = {
+      enable = true;
+      text = ''
+        APPDATA=${sys.dataDirs.appdata}/${stack}
+      '';
+      target = "stacks/${stack}/.env";
+    };
+  };
+  sops.secrets."${stack}/gitea" = { 
+    sopsFile = ./gitea.secrets;
+    key = "";
+    mode = "0440";
+    owner = sys.username;
+  };
+  sops.secrets."${stack}/postgres" = { 
+    sopsFile = ./postgres.secrets;
+    key = "";
+    mode = "0440";
+    owner = sys.username;
+  };
+}