move forgejo to host

2024-07-20 12:58:45 +01:00 · 2024-07-20 12:58:45 +01:00 · b80228d8af
parent 657b52b580
commit b80228d8af
7 changed files with 41 additions and 139 deletions
--- a/hosts/hetzner-arm/containers/forgejo/default.nix
+++ b/hosts/hetzner-arm/containers/forgejo/default.nix
@ -1,72 +0,0 @@
-{
-  self,
-  hostPath,
-  tree,
-  inputs,
-  pkgs,
-  config,
-  ...
-}: let
-  containerName = "forgejo";
-
-  containerAddresses = import "${hostPath}/data/containerAddresses.nix";
-
-  hostIP = containerAddresses.host;
-  containerIP = containerAddresses.containers.${containerName};
-
-  pathInContainer = path: "/var/lib/nixos-containers/${containerName}" + path;
-in {
-  containers.forgejo = {
-    autoStart = true;
-    privateNetwork = true;
-    hostAddress = hostIP;
-    localAddress = containerIP;
-
-    specialArgs = {
-      inherit inputs;
-      inherit tree;
-      inherit self;
-      inherit hostPath;
-    };
-
-    config = {...}: {
-      nixpkgs.pkgs = pkgs;
-
-      imports = with tree;
-        [
-          presets.nixos.containerBase
-
-          ./secrets.nix
-        ]
-        ++ (with hosts.hetzner-arm.containers.forgejo.profiles; [
-          forgejo
-          restic
-        ]);
-
-      networking.firewall.allowedTCPPorts = [2222];
-
-      home-manager.users.root.home.stateVersion = "24.05";
-      system.stateVersion = "24.05";
-    };
-  };
-
-  networking = {
-    nat.forwardPorts = [
-      {
-        sourcePort = 2222;
-        destination = "${containerIP}\:2222";
-      }
-    ];
-
-    firewall.allowedTCPPorts = [2222];
-  };
-
-  services.nginx = {
-    enable = true;
-    virtualHosts."forgejo.owo.monster" = {
-      enableACME = true;
-      forceSSL = true;
-      locations."/".proxyPass = "http://unix:${pathInContainer "/var/sockets/forgejo.sock"}";
-    };
-  };
-}
--- a/hosts/hetzner-arm/containers/forgejo/profiles/restic.nix
+++ b/hosts/hetzner-arm/containers/forgejo/profiles/restic.nix
@ -1,23 +0,0 @@
-{
-  self,
-  config,
-  ...
-}: let
-  backupSchedules = import "${self}/data/backupSchedules.nix";
-  inherit (config.services.secrets) secrets;
-in {
-  services.restic.backups.forgejo = {
-    user = "root";
-    paths = [
-      "/var/lib/forgejo"
-    ];
-
-    repository = "s3:s3.eu-central-003.backblazeb2.com/Chaos-Backups/Restic/Forgejo";
-    passwordFile = "${secrets.restic_password.path}";
-    environmentFile = "${secrets.restic_env.path}";
-    createWrapper = true;
-
-    pruneOpts = ["--keep-last 50"];
-    timerConfig = backupSchedules.restic.high;
-  };
-}
--- a/hosts/hetzner-arm/containers/forgejo/secrets.nix
+++ b/hosts/hetzner-arm/containers/forgejo/secrets.nix
@ -1,35 +0,0 @@
-{...}: {
-  services.secrets = {
-    enable = true;
-
-    vaultLogin = {
-      enable = true;
-      loginUsername = "hetzner-arm-container-forgejo";
-    };
-
-    requiredVaultPaths = [
-      "api-keys/data/backblaze/Chaos-Backups"
-      "private-public-keys/data/restic/Forgejo"
-    ];
-
-    secrets = {
-      vault_password = {
-        manual = true;
-      };
-
-      restic_password = {
-        fetchScript = ''
-          simple_get "/private-public-keys/restic/Forgejo" .password > "$secretFile"
-        '';
-      };
-      restic_env = {
-        fetchScript = ''
-          cat << EOF > "$secretFile"
-          AWS_ACCESS_KEY_ID=$(simple_get "/api-keys/backblaze/Chaos-Backups" .keyID)
-          AWS_SECRET_ACCESS_KEY=$(simple_get "/api-keys/backblaze/Chaos-Backups" .applicationKey)
-          EOF
-        '';
-      };
-    };
-  };
-}
--- a/hosts/hetzner-arm/hetzner-arm.nix
+++ b/hosts/hetzner-arm/hetzner-arm.nix
@ -22,7 +22,6 @@ in {
    ++ (forEach [
      "storage"
      "mail"
-      "forgejo"
      "caldav"
      "jellyfin"
      #"grocy"
@ -32,6 +31,7 @@ in {
    ++ (with hosts.hetzner-arm.profiles; [
      staticSites
      gotosocial
+      forgejo
      restic
    ]);

--- a/hosts/hetzner-arm/containers/forgejo/profiles/forgejo.nix
+++ b/hosts/hetzner-arm/containers/forgejo/profiles/forgejo.nix
@ -11,7 +11,7 @@
        DOMAIN = "forgejo.owo.monster";
        ROOT_URL = "https://${DOMAIN}";
        # Can't access /run out of container
-        HTTP_ADDR = "/var/sockets/forgejo.sock";
+        HTTP_ADDR = "/var/sockets/forgejo/forgejo.sock";
        PROTOCOL = "http+unix";
        START_SSH_SERVER = true;
        SSH_PORT = 2222;
@ -65,10 +65,20 @@
  ];

  systemd.services.forgejo.serviceConfig.ReadWritePaths = [
-    "/var/sockets"
+    "/var/sockets/forgejo"
  ];

  systemd.tmpfiles.rules = [
-    "d /var/sockets - forgejo forgejo"
+    "d /var/sockets - root root"
+    "d /var/sockets/forgejo - forgejo forgejo"
  ];
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."forgejo.owo.monster" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".proxyPass = "http://unix:/var/sockets/forgejo/forgejo.sock";
+    };
+  };
 }
--- a/hosts/hetzner-arm/profiles/restic.nix
+++ b/hosts/hetzner-arm/profiles/restic.nix
@ -8,6 +8,8 @@
  inherit (lib.lists) forEach;
  inherit (lib.strings) concatStringsSep;

+  inherit (builtins) attrNames;
+
  inherit (config.services.secrets) secrets;
  backupSchedules = import "${self}/data/backupSchedules.nix";

@ -16,11 +18,9 @@ in {
  environment.systemPackages = [
    # TODO: add ones in container too
    (pkgs.writeShellScriptBin "restic-all" ''
-      ${concatStringsSep "\n" (forEach [
-          "social"
-        ] (
-          name: "restic-${name} $@"
-        ))}
+      ${concatStringsSep "\n" (forEach (attrNames config.services.restic.backups) (
+        name: "restic-${name} $@"
+      ))}
    '')
  ];

@ -69,5 +69,19 @@ in {
        '')
      }/bin/backupCleanupCommand";
    };
+    forgejo = {
+      user = "root";
+      paths = [
+        "/var/lib/forgejo"
+      ];
+
+      repository = "${repoRoot}/Forgejo";
+      environmentFile = secrets.restic_backups_env.path;
+      passwordFile = secrets.restic_password_forgejo.path;
+      createWrapper = true;
+
+      pruneOpts = ["--keep-last 50"];
+      timerConfig = backupSchedules.restic.high;
+    };
  };
 }
--- a/hosts/hetzner-arm/secrets.nix
+++ b/hosts/hetzner-arm/secrets.nix
@ -15,6 +15,8 @@

      "private-public-keys/data/restic/Social"
      "api-keys/data/chaos_mail/gotosocial"
+
+      "private-public-keys/data/restic/Forgejo"
    ];

    secrets = {
@ -72,6 +74,12 @@
          echo "GTS_SMTP_PASSWORD=$smtp_password" > "$secretFile"
        '';
      };
+
+      restic_password_forgejo = {
+        fetchScript = ''
+          simple_get "/private-public-keys/restic/Forgejo" .password > "$secretFile"
+        '';
+      };
    };
  };
 }