Move bekkalokk files, configure gitea

hosts/bekkalokk/configuration.nix

@@ -6,10 +6,10 @@
     ../../base.nix
 
     # TODO: set up authentication for the following:
-    # ./services/website/website.nix
+    # ./services/website.nix
-    # ./services/website/nginx.nix
+    ./services/nginx.nix
-    # ./services/website/gitea.nix
+    ./services/gitea.nix
-    # ./services/website/mediawiki.nix
+    # ./services/mediawiki.nix
   ];
 
   sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;

hosts/bekkalokk/services/gitea.nix

@@ -0,0 +1,57 @@
+{ config, values, pkgs, ... }:
+let
+  cfg = config.services.gitea;
+in {
+  sops.secrets."gitea/dbpassword" = { };
+
+  services.gitea = {
+    enable = true;
+    user = "git";
+    rootUrl = "https://gitea.pvv.ntnu.no/";
+    stateDir = "/data/gitea";
+    appName = "PVV Git";
+
+    enableUnixSocket = true;
+
+    database = {
+      type = "postgres";
+      host = values.hosts.bicep.ipv4;
+      port = 5432;
+      passwordFile = config.sops.secrets."gitea/dbpassword".path;
+      createDatabase = false;
+    };
+
+    settings = {
+      service.DISABLE_REGISTRATION = true;
+      session.COOKIE_SECURE = true;
+    };
+  };
+
+  services.nginx.virtualHosts = {
+    "gitea.pvv.ntnu.no" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://unix:/run/gitea/gitea.sock";
+        proxyWebsockets = true;
+        recommendedProxySettings = true;
+      };
+    };
+
+    "git2.pvv.ntnu.no" = {
+      globalRedirect = "gitea.pvv.ntnu.no";
+    };
+  };
+
+  users.users.git = {
+    description = "Gitea service";
+    home = cfg.stateDir;
+    #useDefaultShell = true;
+
+    group = "gitea";
+    isSystemUser = true;
+    #uid = config.ids.uids.git;
+    packages = [ pkgs.gitea ];
+  };
+
+}

hosts/bekkalokk/services/nginx.nix

@@ -0,0 +1,28 @@
+{ config, ... }:
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "danio@pvv.ntnu.no";
+  };
+
+  services.nginx = {
+    enable = true;
+
+    recommendedTlsSettings = true;
+    recommendedProxySettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+
+    # virtualHosts = {
+    #   "www.pvv.ntnu.no" = {
+    #     forceSSL = true;
+
+    #     locations = {
+    #       "/pvv" = {
+    #         proxyPass = "http://localhost:${config.services.mediawiki.virtualHost.listen.pvv.port}";
+    #       };
+    #     };
+    #   };
+    # };
+  };
+}

hosts/bekkalokk/services/website/gitea.nix

@@ -1,26 +0,0 @@
-{ config, values, ... }:
-{
-  sops.secrets."postgres/gitea/password" = { };
-
-  services.gitea = {
-    enable = true;
-    rootUrl = "https://git2.pvv.ntnu.no/";
-    stateDir = "/data/gitea";
-    appName = "PVV Git";
-
-    enableUnixSocket = true;
-
-    database = {
-      type = "postgres";
-      host = values.bicep.ipv4;
-      port = config.services.postgresql.port;
-      passwordFile = config.sops.secrets."postgres/gitea/password".path;
-      createDatabase = false;
-    };
-
-    settings = {
-      service.DISABLE_REGISTRATION = true;
-      session.COOKIE_SECURE = true;
-    };
-  };
-}

hosts/bekkalokk/services/website/nginx.nix

@@ -1,30 +0,0 @@
-{ config, ... }:
-{
-  services.nginx = {
-    enable = true;
-
-    recommendedTlsSettings = true;
-    recommendedProxySettings = true;
-    recommendedOptimisation = true;
-    recommendedGzipSettings = true;
-
-    virtualHosts = {
-      "www.pvv.ntnu.no" = {
-        forceSSL = true;
-
-        locations = {
-          "/pvv" = {
-            proxyPass = "http://localhost:${config.services.mediawiki.virtualHost.listen.pvv.port}";
-          };
-        };
-      };
-
-      "git.pvv.ntnu.no" = {
-        locations."/" = {
-          proxyPass = "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}";
-          proxyWebsockets = true;
-        };
-      };
-    };
-  };
-}

secrets/bekkalokk/bekkalokk.yaml

@@ -1,11 +1,9 @@
 gitea:
-    password: ENC[AES256_GCM,data:hlNzdU1ope0t50/3aztyLeXjMHd2vFPpwURX+Iu8f49DOqgSnEMtV+KtLA==,iv:qljRnSnchL5cFmaUAfCH9GQYQxcy5cyWejgk1x6bFgI=,tag:tIhboFU5kZsj5oAQR3hLbw==,type:str]
+    dbpassword: ENC[AES256_GCM,data:Tx7bFpHjXev1Q3G5Rdq5/Pg5XVro7hQFyG/FJUsiGeJOezymfk1V84VXPQ==,iv:msn8d2sarb2r+nSy1Qk1IOtkXhKDOXjcUO5dFpln1e4=,tag:Wtm1Q5FzTt1WA+uQjaVQKA==,type:str]
 mediawiki:
     password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str]
-keys:
+postgres:
-    postgres:
+    mediawiki: ENC[AES256_GCM,data:JsDjfDrbJHejPDZFn6TyPkDnMIX9Go62ZmRy7P+N1Ncaz5tintspO1YtIA==,iv:7EgzkRf8GP/pIMxxEkI3fzKjxr1sT4vwsqshRtkeYU0=,tag:l3DO/0sicTolInEl2mJNSA==,type:str]
-        gitea: ENC[AES256_GCM,data:lG4P8kzp7Zq94WftN7p1RJqM65esPuTFZ2JJWkFFXTzlid2DRZPsG2FGIA==,iv:JvHQUgwwb7wJTNMxjLjOUw5sKKWlyMJafVaUOLUu9Sk=,tag:qE0+gDFU/YtghqCv/d2Qgw==,type:str]
-        mediawiki: ENC[AES256_GCM,data:p+s/uQ3ywQY9RpImFWTxjt1orzl905i9kTQPzsAIs6hAK5t3B00XVzKZgQ==,iv:xp3PRrjCGFxCsRZOlJGIonBOKWJ+3/1CByc4q7O3vDw=,tag:bfKlU2Pcoq0cQjbhp+UXag==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -39,8 +37,8 @@ sops:
             RHN4RDJWWGV2ZDJzVUo1VVorNzhlMGMKCwdWOZOnibpbB5mZSCBGhj+yUZvk/vuK
             hsiDo74vmsmNZ/zmN6cw60hNwhZ4NgtfXcKG8Axe+1rPUwEcrvWHIQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-01-28T23:33:14Z"
+    lastmodified: "2023-04-22T23:00:19Z"
-    mac: ENC[AES256_GCM,data:c7YytaXdAPQmCiZHH2cojJqcZna2ilGXzpnkgxgYUOSQ0n3tryOK45uVp2JDN9OJ9gS5QsLf62AlqidE0wkYYuRC6HZnwhmlMuoY3kl2sr0/Y4kJqGeODRlZoGzUIOahHkphK1Y5GBs8GW6OYk46U54wi9+BF062pYxuOCoPwD4=,iv:ZLueZpRdaD/7uvmimDUELCAtM3e9169vmoXcHz4OKfQ=,tag:Ya8tMbUBhuypXJeZ8GQmWA==,type:str]
+    mac: ENC[AES256_GCM,data:/c9N6/qSzeqjzNq1buR5Z7YLp/H1wDgpnpw5G8CcTJkggzn/mDfvyNg/k/TAJl5CzH/mh20yeHTjOGOiTXubkhJya+WT01g0PVinU3+GxTUZOxkaF0rHTCRzuiSbbrJzhtvMmmgbbYSkaGBZ8+Y3VvC8qnNKzadO+QozqZbLuWY=,iv:FiMABv8OBDRJeI6VsuapFS3qOlDP+TzJE8rrYSV/F7A=,tag:GAv2Pk5U7igVAyhch+ZEeA==,type:str]
     pgp:
         - created_at: "2023-01-28T23:37:44Z"
           enc: |