adding bin & gitea

bin/perms.sh

@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+# Usage: fix-perms.sh [-o owner[:group]] <directory>
+# Example: fix-perms.sh -o vaultwarden /srv/vaultwarden
+#          fix-perms.sh -o vaultwarden:vaultwarden /srv/vaultwarden
+
+set -euo pipefail
+
+# require root
+if [[ $EUID -ne 0 ]]; then
+  echo "This script must be run as root." >&2
+  exit 1
+fi
+
+OWNER=""
+TARGET=""
+
+# Parse arguments
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    -o|--owner)
+      OWNER="$2"
+      shift 2
+      ;;
+    -*)
+      echo "unknown option: $1"
+      exit 1
+      ;;
+    *)
+      TARGET="$1"
+      shift
+      ;;
+  esac
+done
+
+if [[ -z "$TARGET" ]]; then
+  echo "usage: $0 [-o owner[:group]] <directory>"
+  exit 1
+fi
+
+if [[ ! -d "$TARGET" ]]; then
+  echo "error: '$TARGET' is not a directory"
+  exit 1
+fi
+
+echo "======================================"
+echo "Target directory:  $TARGET"
+if [[ -n "$OWNER" ]]; then
+  echo "Ownership change:  $OWNER"
+else
+  echo "Ownership change:  (none)"
+fi
+echo "Directory perms:   2770 (setgid)"
+echo "File perms:        660"
+echo "======================================"
+read -rp "Proceed with these changes? [y/N]: " CONFIRM
+
+if [[ ! "$CONFIRM" =~ ^[Yy]$ ]]; then
+  echo "Aborted."
+  exit 0
+fi
+
+echo "setting permissions under: $TARGET"
+
+# optionally change ownership
+if [[ -n "$OWNER" ]]; then
+  echo "changing ownership to: $OWNER"
+  sudo chown -R "$OWNER" "$TARGET"
+fi
+
+# Set permissions for directories (with setgid)
+find "$TARGET" -type d -exec chmod 2770 {} +
+
+# Set permissions for files
+find "$TARGET" -type f -exec chmod 660 {} +
+
+echo "fin"
+

bin/rebuild.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -e
+pushd ~/.nix
+# nvim flake.nix
+# alejandra . &>/dev/null
+# git diff -U0 *.nix
+
+# add generation comment to flake.nix
+gen=$(nixos-rebuild list-generations | grep current)
+if sed -n '3p' flake.nix | grep -q '^# generation:'; then
+    # replace the comment on line 3
+    sed -i "3s/^# generation:.*/# generation: $gen/" flake.nix
+else
+    # insert comment on line 3
+    sed -i "3i# generation: $gen" flake.nix
+fi
+
+git diff -U0 $(find . -name '*.nix')
+
+echo "nixos rebuilding..."
+#sudo nixos-rebuild switch --flake ~/.nix#snowbelle &>.nixos-switch-log || (
+# cat .nixos-switch-log | grep --color error && false)
+sudo nixos-rebuild switch --flake ~/.nix#snowbelle 2>&1 | tee .nixos-switch-log | grep --color=always -E "error|$" && true
+
+git commit -am "$gen"
+popd

modules/homelab/services/gitea/default.nix

@@ -0,0 +1,108 @@
+{ pkgs, config, lib, ... }:
+
+let
+  cfg = config.modules.services.gitea;
+  ids = 2703;
+  default_port = 3000;
+  data_dir = "/var/lib/gitea";
+in
+{
+  options.modules.services.gitea = {
+    enable = lib.mkEnableOption "enables gitea";
+
+    # set port options
+    port = lib.mkOption {
+      type = lib.types.int;
+      default = 7703;
+      description = "set port for gitea (default: ${toString default_port}";
+    };
+
+    # set ssh port
+    ssh_port = lib.mkOption {
+      type = lib.types.int;
+      default = 7567;
+      description = "set port for gitea (default: 2222";
+    };
+
+    backup = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "enable backups for gitea";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    
+    # declare gitea group
+    users.groups.gitea = { gid = ids; };
+
+    # declare gitea user
+    users.users.gitea = {
+      description = "gitea server user";
+      uid = ids;
+      isSystemUser = true;
+      home = "/var/lib/gitea";
+      createHome = true;
+      group = "gitea";
+      extraGroups = [ "media" ];
+    };
+
+    # enable the gitea service
+    services.gitea = {
+      enable = true;
+      openFirewall = true;
+      user = "gitea";
+      group = "gitea";
+      dataDir = data_dir;
+      appName = "gitea";
+      useWizard = true;
+      settings = {
+        server = {
+          DOMAIN = "git.blakedheld.xyz";
+          HTTP_PORT = cfg.port;
+          SSH_PORT = cfg.ssh_port;
+        };
+      };
+      database = {
+        passwordFile = config.sops.secrets."gitea_database_password".path;
+    };
+
+    # override umask to make permissions work out
+    systemd.services.gitea.serviceConfig = { UMask = lib.mkForce "0007"; };
+
+#    # open firewall
+#    networking.firewall.allowedTCPPorts = [ cfg.port ];
+
+    # internal reverse proxy entry
+    services.nginx.virtualHosts."gitea.snowbelle.lan" = {
+      enableACME = false;
+      forceSSL = true;
+      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
+      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+      };
+    };
+     # external reverse proxy entry
+     services.nginx.virtualHosts."gitea.blakedheld.xyz" = {
+      enableACME = false;
+      forceSSL = true;
+      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
+      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+      };
+    };
+
+    sops.secrets = {
+      "gitea_database_password" = {
+        owner = "gitea";
+        group = "gitea";
+      };
+    };
+
+     # add to backups
+     modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
+    };
+  };
+}