From 3e1ac1c1c76360d3be9995af13f1c69e807ed13b Mon Sep 17 00:00:00 2001
From: blake
Date: Tue, 7 Oct 2025 23:06:52 -0500
Subject: [PATCH] adding bin & gitea
---
 bin/perms.sh | 77 +++++++++++++++
 bin/rebuild.sh | 26 +++++
 modules/homelab/services/gitea/default.nix | 108 +++++++++++++++++++++
 3 files changed, 211 insertions(+)
 create mode 100755 bin/perms.sh
 create mode 100755 bin/rebuild.sh
 create mode 100644 modules/homelab/services/gitea/default.nix
diff --git a/bin/perms.sh b/bin/perms.sh
new file mode 100755
index 0000000..7d0122a
--- /dev/null
+++ b/bin/perms.sh
@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+# Usage: fix-perms.sh [-o owner[:group]]
+# Example: fix-perms.sh -o vaultwarden /srv/vaultwarden
+# fix-perms.sh -o vaultwarden:vaultwarden /srv/vaultwarden
+
+set -euo pipefail
+
+# require root
+if [[ $EUID -ne 0 ]]; then
+ echo "This script must be run as root." >&2
+ exit 1
+fi
+
+OWNER=""
+TARGET=""
+
+# Parse arguments
+while [[ $# -gt 0 ]]; do
+ case "$1" in
+ -o|--owner)
+ OWNER="$2"
+ shift 2
+ ;;
+ -*)
+ echo "unknown option: $1"
+ exit 1
+ ;;
+ *)
+ TARGET="$1"
+ shift
+ ;;
+ esac
+done
+
+if [[ -z "$TARGET" ]]; then
+ echo "usage: $0 [-o owner[:group]] "
+ exit 1
+fi
+
+if [[ ! -d "$TARGET" ]]; then
+ echo "error: '$TARGET' is not a directory"
+ exit 1
+fi
+
+echo "======================================"
+echo "Target directory: $TARGET"
+if [[ -n "$OWNER" ]]; then
+ echo "Ownership change: $OWNER"
+else
+ echo "Ownership change: (none)"
+fi
+echo "Directory perms: 2770 (setgid)"
+echo "File perms: 660"
+echo "======================================"
+read -rp "Proceed with these changes? [y/N]: " CONFIRM
+
+if [[ ! "$CONFIRM" =~ ^[Yy]$ ]]; then
+ echo "Aborted."
+ exit 0
+fi
+
+echo "setting permissions under: $TARGET"
+
+# optionally change ownership
+if [[ -n "$OWNER" ]]; then
+ echo "changing ownership to: $OWNER"
+ sudo chown -R "$OWNER" "$TARGET"
+fi
+
+# Set permissions for directories (with setgid)
+find "$TARGET" -type d -exec chmod 2770 {} +
+
+# Set permissions for files
+find "$TARGET" -type f -exec chmod 660 {} +
+
+echo "fin"
+
diff --git a/bin/rebuild.sh b/bin/rebuild.sh
new file mode 100755
index 0000000..b481230
--- /dev/null
+++ b/bin/rebuild.sh
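Review bot: The file pass `find "$TARGET" -type f -exec chmod 660 {} +` clears every execute bit, so any script or hook stored under the target (git hooks in a forge data directory, for example) stops working, and the banner only says "File perms: 660" without warning about that; `chmod ug=rwX,o=` keeps an existing execute bit while still dropping world access, e.g. `find "$TARGET" -type f -exec chmod ug=rwX,o= {} +`. The `sudo` in `sudo chown -R "$OWNER" "$TARGET"` is redundant after the EUID check at the top and only adds a dependency on sudo being installed, so `chown -R "$OWNER" "$TARGET"` is enough. Nothing but the y/N prompt stops the recursive pass from being pointed at `/` or another system root; a guard such as `[[ "$(realpath -- "$TARGET")" == "/" ]] && { echo "refusing to operate on /" >&2; exit 1; }` before the confirmation would make that mistake impossible. Option parsing also has no `--` terminator, so a directory whose name begins with `-` cannot be passed.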
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -e
+pushd ~/.nix
+# nvim flake.nix
+# alejandra . &>/dev/null
+# git diff -U0 *.nix
+
+# add generation comment to flake.nix
+gen=$(nixos-rebuild list-generations | grep current)
+if sed -n '3p' flake.nix | grep -q '^# generation:'; then
+ # replace the comment on line 3
+ sed -i "3s/^# generation:.*/# generation: $gen/" flake.nix
+else
+ # insert comment on line 3
+ sed -i "3i# generation: $gen" flake.nix
+fi
+
+git diff -U0 $(find . -name '*.nix')
+
+echo "nixos rebuilding..."
+#sudo nixos-rebuild switch --flake ~/.nix#snowbelle &>.nixos-switch-log || (
+# cat .nixos-switch-log | grep --color error && false)
+sudo nixos-rebuild switch --flake ~/.nix#snowbelle 2>&1 | tee .nixos-switch-log | grep --color=always -E "error|$" && true
+
+git commit -am "$gen"
+popd
diff --git a/modules/homelab/services/gitea/default.nix b/modules/homelab/services/gitea/default.nix
new file mode 100644
index 0000000..4a1cc5b
--- /dev/null
+++ b/modules/homelab/services/gitea/default.nix
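Review bot: The `&& true` on the `sudo nixos-rebuild switch ... | grep --color=always -E "error|$"` line, together with the missing `pipefail`, means a failed switch can never stop the script: without `pipefail` the pipeline's status is grep's, and `&& true` discards even that, so `git commit -am "$gen"` goes on to record a generation comment for a build that did not apply. Change the second line to `set -eo pipefail` and drop the `&& true` so the rebuild's own exit status propagates; `grep -E "error|$"` matches every line of non-empty output, so it will not mask a successful run. Note also that `gen` is read with `nixos-rebuild list-generations | grep current` before the switch, so the comment and commit message name the generation being replaced rather than the one just built; if that is intentional, a one-line comment saying so would help the next reader. The unquoted `$(find . -name '*.nix')` in the `git diff` call splits on whitespace in paths; `git diff -U0 -- '*.nix'` does the same job without the subshell.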
@@ -0,0 +1,108 @@
+{ pkgs, config, lib, ... }:
+
+let
+ cfg = config.modules.services.gitea;
+ ids = 2703;
+ default_port = 3000;
+ data_dir = "/var/lib/gitea";
+in
+{
+ options.modules.services.gitea = {
+ enable = lib.mkEnableOption "enables gitea";
+
+ # set port options
+ port = lib.mkOption {
+ type = lib.types.int;
+ default = 7703;
+ description = "set port for gitea (default: ${toString default_port}";
+ };
+
+ # set ssh port
+ ssh_port = lib.mkOption {
+ type = lib.types.int;
+ default = 7567;
+ description = "set port for gitea (default: 2222";
+ };
+
+ backup = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = "enable backups for gitea";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+
+ # declare gitea group
+ users.groups.gitea = { gid = ids; };
+
+ # declare gitea user
+ users.users.gitea = {
+ description = "gitea server user";
+ uid = ids;
+ isSystemUser = true;
+ home = "/var/lib/gitea";
+ createHome = true;
+ group = "gitea";
+ extraGroups = [ "media" ];
+ };
+
+ # enable the gitea service
+ services.gitea = {
+ enable = true;
+ openFirewall = true;
+ user = "gitea";
+ group = "gitea";
+ dataDir = data_dir;
+ appName = "gitea";
+ useWizard = true;
+ settings = {
+ server = {
+ DOMAIN = "git.blakedheld.xyz";
+ HTTP_PORT = cfg.port;
+ SSH_PORT = cfg.ssh_port;
+ };
+ };
+ database = {
+ passwordFile = config.sops.secrets."gitea_database_password".path;
+ };
+
+ # override umask to make permissions work out
+ systemd.services.gitea.serviceConfig = { UMask = lib.mkForce "0007"; };
+
+# # open firewall
+# networking.firewall.allowedTCPPorts = [ cfg.port ];
+
+ # internal reverse proxy entry
+ services.nginx.virtualHosts."gitea.snowbelle.lan" = {
+ enableACME = false;
+ forceSSL = true;
+ sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
+ sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString cfg.port}";
+ };
+ };
+ # external reverse proxy entry
+ services.nginx.virtualHosts."gitea.blakedheld.xyz" = {
+ enableACME = false;
+ forceSSL = true;
+ sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
+ sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString cfg.port}";
+ };
+ };
+
+ sops.secrets = {
+ "gitea_database_password" = {
+ owner = "gitea";
+ group = "gitea";
+ };
+ };
+
+ # add to backups
+ modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
+ };
+ };
+}
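Review bot: The `services.gitea = {` attribute set opened after `# enable the gitea service` is never closed before `systemd.services.gitea.serviceConfig`, the two `services.nginx.virtualHosts` entries, `sops.secrets` and `modules.system.backups.paths`; counting braces, the trailing `};` `};` `}` close only `services.gitea`, `config` and the module, so all of those land under `services.gitea.*` where no such options exist and evaluation should fail — add `};` directly after the `database = { ... };` block and drop one of the two trailing `};`. `openFirewall = true` (which, as far as I recall the NixOS module, opens `HTTP_PORT`) exposes plaintext Gitea on `cfg.port` on every interface, bypassing the TLS vhosts that proxy to `127.0.0.1`; with nginx in front it can likely be `false`, and the commented-out `networking.firewall.allowedTCPPorts` line should go rather than linger. `useWizard = true` keeps the web installer reachable on first start, so whoever reaches `gitea.blakedheld.xyz` first configures the instance and becomes administrator, and, if I read the module correctly, the declared `settings` and `database.passwordFile` are not written to app.ini in wizard mode, which would leave nginx proxying to `cfg.port` while Gitea listens on its own default. Smaller points: `extraGroups = [ "media" ]` widens the service account's reach beyond its data directory for no reason visible here, the `port` description is missing its closing parenthesis and `ssh_port`'s description is a copy of it, and `default_port` is unused.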