tadpole: Enable gitea

tadpole: Add gitea module
tadpole: Add secret for gitea
2024-08-29 20:30:32 +02:00 · 2024-08-29 20:30:32 +02:00 · 2024-08-29 20:08:09 +02:00 · 2024-08-29 13:43:37 +02:00 · 2024-08-27 09:50:38 +02:00 · 2024-08-27 09:50:25 +02:00
11 changed files with 128 additions and 3 deletions
--- a/hosts/backwards/modules/jellyfin/default.nix
+++ b/hosts/backwards/modules/jellyfin/default.nix
@@ -0,0 +1,30 @@
+{ pkgs, ... }:
+{
+  # 1. enable vaapi on OS-level
+  nixpkgs.config.packageOverrides = pkgs: {
+    vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
+  };
+
+  hardware.opengl = {
+    enable = true;
+    extraPackages = with pkgs; [
+      intel-media-driver
+      intel-vaapi-driver # previously vaapiIntel
+      vaapiVdpau
+      libvdpau-va-gl
+      intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
+      vpl-gpu-rt # QSV on 11th gen or newer
+    ];
+  };
+
+  services.jellyfin = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  environment.systemPackages = [
+    pkgs.jellyfin
+    pkgs.jellyfin-web
+    pkgs.jellyfin-ffmpeg
+  ];
+}
--- a/hosts/pinwheel/modules/tailscale/default.nix
+++ b/hosts/pinwheel/modules/tailscale/default.nix
@@ -0,0 +1,10 @@
+{ ... }:
+{
+  services.tailscale.enable = true;
+
+  networking.firewall = {
+    checkReversePath = "loose";
+    allowedUDPPorts = [ 41641 ];
+  };
+
+}
--- a/hosts/pinwheel/modules/work/default.nix
+++ b/hosts/pinwheel/modules/work/default.nix
@@ -1,4 +1,4 @@
-{ inputs, pkgs, lib, config, ... }:
+{ pkgs, lib, config, ... }:
 let
  gitEnabled = config.mod.git.enable;
  goEnabled = config.mod.go.enable;
@@ -18,7 +18,7 @@ in
      (pkgs.jetbrains.plugins.addPlugins pkgs.jetbrains.idea-ultimate [ "ideavim" ])
      (pkgs.google-cloud-sdk.withExtraComponents [ pkgs.google-cloud-sdk.components.gke-gcloud-auth-plugin ])
      (pkgs.graphite-cli.overrideAttrs(_: {
-        version = "1.3.7";
+        version = "1.4.3";
      }))
      pkgs.xdg-utils # needed by graphite-cli

--- a/hosts/sombrero/modules/tailscale/default.nix
+++ b/hosts/sombrero/modules/tailscale/default.nix
@@ -0,0 +1,9 @@
+{ ... }:
+{
+  services.tailscale.enable = true;
+
+  networking.firewall = {
+    checkReversePath = "loose";
+    allowedUDPPorts = [ 41641 ];
+  };
+}
--- a/hosts/tadpole/home.nix
+++ b/hosts/tadpole/home.nix
@@ -23,5 +23,4 @@
      };
    };
  };
-
 }
--- a/hosts/tadpole/modules/default.nix
+++ b/hosts/tadpole/modules/default.nix
@@ -13,6 +13,11 @@ in
      ssh.enable = true;
      nginx.enable = true;

+      gitea = {
+        enable = true;
+        domain = "git.ppp.pm";
+      };
+
      pppdotpm-site.enable = true;
    };
  };
--- a/hosts/tadpole/modules/gitea/default.nix
+++ b/hosts/tadpole/modules/gitea/default.nix
@@ -0,0 +1,64 @@
+{ lib, config, ... }:
+let
+  enable = config.mod.gitea.enable;
+  domain = config.mod.gitea.domain;
+
+  nginxEnable = config.mod.nginx.enable;
+in
+{
+  options = {
+    mod.gitea = {
+      enable = lib.mkEnableOption "Enable gitea";
+
+      domain = lib.mkOption {
+        type = lib.types.str;
+        default = "";
+        description = "The domain that nginx will use as a virtual host";
+      };
+    };
+  };
+
+  config = lib.mkIf (enable && nginxEnable) {
+    services.gitea = {
+      enable = true;
+
+      settings = {
+        service = {
+          DISABLE_REGISTRATION = false;
+        };
+
+        server = {
+          DOMAIN = domain;
+          ROOT_URL = "https://${domain}";
+
+          SSH_PORT = 1122; # See `ssh` module
+        };
+
+        database = {
+          type = "sqlite3";
+          passwordFile = config.age.secrets.gitea-dbpassword.path;
+        };
+
+        session = {
+          COOKIE_SECURE = true;
+        };
+      };
+    };
+
+    services.nginx = {
+      virtualHosts."${domain}" = {
+          forceSSL = true;
+          enableACME = true;
+
+          locations."/" = {
+            proxyPass = "http://0.0.0:3000";
+            proxyWebsockets = true;
+          };
+        };
+      };
+
+    age.secrets = {
+      "gitea-dbpassword".file = ../../../../secrets/tadpole/gitea-dbpassword.age;
+    };
+  };
+}
--- a/secrets/pinwheel/alex.pinwheel-andromeda.age
+++ b/secrets/pinwheel/alex.pinwheel-andromeda.age
--- a/secrets/pinwheel/alex.pinwheel-andromeda.pub.age
+++ b/secrets/pinwheel/alex.pinwheel-andromeda.pub.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -46,4 +46,5 @@ in {
  "tadpole/root.tadpole.pub.age".publicKeys = [ tadpole alex ];
  "tadpole/alex.tadpole-codeberg.org.age".publicKeys = [ tadpole alex ];
  "tadpole/alex.tadpole-codeberg.org.pub.age".publicKeys = [ tadpole alex ];
+  "tadpole/gitea-dbpassword.age".publicKeys = [ tadpole alex ];
 }
--- a/secrets/tadpole/gitea-dbpassword.age
+++ b/secrets/tadpole/gitea-dbpassword.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 5R7G9A Lysw9DIQKwVeQ1SOOdCIavwUd8aP81gug+v1k2lRg3k
+PuK/xzBMdmbyC1exYZCcNEullu4yQ0mUZL3k9cRaexA
+-> ssh-ed25519 +oNaHQ yDg4AtwU/jdwJASQox2ATR5P6wcLiAdMPp02m8yUkSI
+7H3Wc7biPmk/ZwkaWuZjdyqyRzcdueR+QUCxzFrn284
+--- wdBS0fjrSy/JpbxPYClvMEuRQuDwn6X9sVyaUyLpSsw
+<EFBFBD>XPz8/S<>,<2C>AG
Author	SHA1	Message	Date
Alexander Heldt	5e84d0147b	tadpole: Enable `gitea`	2024-08-29 20:30:32 +02:00
Alexander Heldt	69b4b1cd21	tadpole: Add `gitea` module	2024-08-29 20:30:32 +02:00
Alexander Heldt	81839ad84d	tadpole: Add secret for `gitea`	2024-08-29 20:08:09 +02:00
Alexander Heldt	79f939c5c9	pinwheel: Update `graphite`	2024-08-29 13:43:37 +02:00
Alexander Heldt	f3c6358110	tadpole: Cleanup `home` module	2024-08-27 09:50:38 +02:00
Alexander Heldt	2e0622fecc	pinwheel: Cleanup `work` module	2024-08-27 09:50:25 +02:00
Alexander Heldt	4db229d5c0	sombrero: Add `tailscale` module	2024-08-26 10:22:16 +02:00
Alexander Heldt	dd2cd91d7f	pinwheel: Add `tailscale` module	2024-08-26 10:22:16 +02:00
Alexander Heldt	1bbd8d8eb9	pinwheel: Update `ssh` key for `alex.pinwheel-andromeda`	2024-08-23 22:36:53 +02:00
Alexander Heldt	2fd40004e2	backwards: Add `jellyfin` module	2024-08-19 08:44:09 +02:00