authorFranck Cuny <franck@fcuny.net>2024-12-16 08:27:03 -0800
committerFranck Cuny <franck@fcuny.net>2024-12-16 08:27:03 -0800
commit18c0f81b4344d1b89bb0241799e1234322e8866c (patch)
treeac97a84d39fe43b7524af238d9da55bf20188a65
parentrun `ddns-updater' on `vm-synology' (diff)
downloadinfra-18c0f81b4344d1b89bb0241799e1234322e8866c.tar.gz
move gitolite to vm-synology
Diffstat (limited to '')
-rw-r--r--nix/machines/vm-synology/default.nix2
-rw-r--r--nix/machines/vm-synology/git.nix94
-rw-r--r--nix/machines/vm-synology/web.nix60
-rw-r--r--secrets/ddns-updater.agebin839 -> 982 bytes
-rw-r--r--secrets/restic-backups.age12
5 files changed, 161 insertions, 7 deletions
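--- a/nix/machines/vm-synology/default.nix
+++ b/nix/machines/vm-synology/default.nix
@@ -1,5 +1,5 @@
 { ... }: {
- imports = [ ./hardware.nix ../vm-shared.nix ./ddns.nix ];
+ imports = [ ./hardware.nix ../vm-shared.nix ./ddns.nix ./web.nix ./git.nix ];
 # Use the systemd-boot EFI boot loader.
 boot.loader.systemd-boot.enable = true;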
diff --git a/nix/machines/vm-synology/git.nix b/nix/machines/vm-synology/git.nix
new file mode 100644
index 0000000..a6e7f88
--- /dev/null
+++ b/nix/machines/vm-synology/git.nix
@@ -0,0 +1,94 @@
+{ pkgs, lib, ... }: {
+
+ services.gitolite = {
+ enable = true;
+ adminPubkey =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi";
+ user = "git";
+ group = "git";
+ extraGitoliteRc = ''
+ # Make dirs/files group readable, needed for webserver/cgit. (Default
+ # setting is 0077.)
+ $RC{UMASK} = 0027;
+ $RC{GIT_CONFIG_KEYS} = 'cgit.desc cgit.hide cgit.ignore cgit.owner';
+ $RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local";
+ push( @{$RC{ENABLE}}, 'symbolic-ref' );
+ '';
+ };
+
+ # let's make sure the default branch is `main'.
+ systemd.tmpfiles.rules = [
+ "C /var/lib/gitolite/.gitconfig - git git 0644 ${
+ pkgs.writeText "gitolite-gitconfig" ''
+ [init]
+ defaultBranch = main
+ ''
+ }"
+ ];
+
+ services.cgit.main = {
+ enable = true;
+ package = pkgs.cgit-pink;
+ user = "git";
+ group = "git";
+ nginx.virtualHost = "git.fcuny.net";
+ scanPath = "/var/lib/gitolite/repositories";
+ settings = {
+ css = "/cgit.css";
+ logo = "/cgit.png";
+ favicon = "/favicon.ico";
+ robots = "noindex, nofollow";
+ # TODO readme.org
+ readme = ":README.md";
+ project-list = "/var/lib/gitolite/projects.list";
+ about-filter = "${pkgs.cgit-pink}/lib/cgit/filters/about-formatting.sh";
+ source-filter =
+ "${pkgs.cgit-pink}/lib/cgit/filters/syntax-highlighting.py";
+ clone-url =
+ (lib.concatStringsSep " " [ "https://git.fcuny.net/$CGIT_REPO_URL" ]);
+ enable-log-filecount = 1;
+ enable-log-linecount = 1;
+ enable-git-config = 1;
+ enable-blame = 1;
+ enable-commit-graph = 1;
+ enable-follow-links = 1;
+ enable-index-links = 1;
+ enable-remote-branches = 1;
+ enable-subject-links = 1;
+ enable-tree-linenumbers = 1;
+ max-atom-items = 108;
+ max-commit-count = 250;
+ max-repo-count = 500;
+ repository-sort = "age";
+ snapshots = "tar.gz";
+ root-title = "¯\\_(ツ)_/¯";
+ root-desc = "source code of my various projects";
+ };
+ };
+
+ # TODO also rsync the backups to the nas
+ # TODO need the ssh key for the nas for rsync ?
+ age.secrets.restic = {
+ file = ../../../secrets/restic-backups.age;
+ owner = "root";
+ group = "root";
+ path = "/etc/restic/secret";
+ mode = "600";
+ };
+
+ # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/backup/restic.nix
+ services.restic.backups.git = {
+ passwordFile = "/etc/restic/secret";
+ repository = "/srv/backups/git";
+ initialize = true;
+ paths = [ "/var/lib/gitolite" ];
+ exclude = [
+ "/var/lib/gitolite/.bash_history"
+ "/var/lib/gitolite/.ssh"
+ "/var/lib/gitolite/.viminfo"
+ ];
+ extraBackupArgs = [ "--exclude-caches" "--compression=max" ];
+ timerConfig = { OnCalendar = "daily"; };
+ pruneOpts = [ "--keep-daily 7" "--keep-weekly 4" "--keep-monthly 3" ];
+ };
+}
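Review bot: `passwordFile = "/etc/restic/secret";` in the restic backup repeats the path literal that `age.secrets.restic.path` already sets a few lines above, so the two can silently drift apart; taking `config` in the module arguments (`{ config, pkgs, lib, ... }: {`) and writing `passwordFile = config.age.secrets.restic.path;` ties them together. The `clone-url` value wraps a single element in `lib.concatStringsSep " " [ … ]`, which reduces to the plain string `"https://git.fcuny.net/$CGIT_REPO_URL"`. A one-line comment next to `$RC{LOCAL_CODE}` would help a later reader: it makes the `local/` directory of the gitolite-admin repository the source of hook code executed by the `git` user, so push access to that repository carries the same weight as editing this module. The restic repository at `/srv/backups/git` sits on the same host as the data it protects; the TODO above already records the off-host copy as pending.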
diff --git a/nix/machines/vm-synology/web.nix b/nix/machines/vm-synology/web.nix
new file mode 100644
index 0000000..f9c34cc
--- /dev/null
+++ b/nix/machines/vm-synology/web.nix
@@ -0,0 +1,60 @@
+{ ... }: {
+ # container for excalidraw
+ virtualisation.oci-containers.containers.excalidraw = {
+ autoStart = true;
+ image = "excalidraw/excalidraw:latest";
+ environment = { TZ = "America/Los_Angeles"; };
+ ports = [ "127.0.0.1:3030:80" ];
+ extraOptions = [ "--pull=always" ];
+ };
+
+ security.acme = {
+ defaults.email = "acme@fcuny.net";
+ acceptTerms = true;
+ };
+
+ services.nginx = {
+ enable = true;
+
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+
+ virtualHosts = {
+ "test.fcuny.net" = {
+ # make it the default site: if a request goes through nginx
+ # without a host header, this will be the default site we serve
+ # for that request.
+ default = true;
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/" = { root = "/srv/www/fcuny.net"; };
+ "/.well-known/acme-challenge" = {
+ root = "/var/lib/acme/acme-challenges";
+ };
+ };
+ };
+ "git.fcuny.net" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/.well-known/acme-challenge" = {
+ root = "/var/lib/acme/acme-challenges";
+ };
+ };
+ };
+ "draw.fcuny.net" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/".proxyPass = "http://127.0.0.1:3030";
+ "/.well-known/acme-challenge" = {
+ root = "/var/lib/acme/acme-challenges";
+ };
+ };
+ };
+ };
+ };
+}
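Review bot: `image = "excalidraw/excalidraw:latest";` combined with `extraOptions = [ "--pull=always" ];` means every start of the container fetches whatever upstream currently publishes under that moving tag, so the deployed software is not pinned by this configuration and a broken or compromised upstream push lands at the next restart without any change here. Pinning to a digest (`image = "excalidraw/excalidraw@sha256:<DIGEST>";`, digest to be filled in) or at least a version tag keeps upgrades deliberate and reviewable, which is the model the rest of this nix tree follows. The three `/.well-known/acme-challenge` locations look redundant: as far as I recall the NixOS nginx module adds that location itself when `enableACME = true`, so they can likely be dropped after confirming against the module version in use.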
diff --git a/secrets/ddns-updater.age b/secrets/ddns-updater.age
index d457178..7089031 100644
--- a/secrets/ddns-updater.age
+++ b/secrets/ddns-updater.age
Binary files differ
diff --git a/secrets/restic-backups.age b/secrets/restic-backups.age
index 5e8ea2f..70c4bcc 100644
--- a/secrets/restic-backups.age
+++ b/secrets/restic-backups.age
@@ -1,7 +1,7 @@
age-encryption.org/v1
--> ssh-ed25519 9Ia8+w mPCN4AjX68aTAy5yMB2ZK7dGHex/1KzgHtIwH3EGn10
-qkAnGg8E6CaGoOFTl5KrkSrb2JVuUjRK2nJQM8UUQec
--> ssh-ed25519 pXC0Mg pdnJb3OKYTDJ2I083v7On6MMfAm8GrgVWVtet/aJzCM
-qs5Q/xk6KFWgFzN5L+oWAw6VGiGZ1ZXRt4WZglnrdV0
---- 2ev3nTb+Qhfg6CZnPOJcayE9mp4B1QcHmywEM4al+R0
-PSܮR; z_b25ωEp5 Wp \ No newline at end of file
+-> ssh-ed25519 9Ia8+w yiSD9W1I3M/Rg8c6QpzRpEd7eNVLjfISYFh/3/dVgl0
+bR8A17+lv7sStJyxhsr8zQROWdzUbVWMkttpIXXA4tw
+-> ssh-ed25519 pXC0Mg 6kBmBLXNvNzA/8a1XYTB5cZpSgL+6D2aeg23cy1GqU0
+MN7srTewbHXBWPOd8LAQdPF8TKZ7t3Fi1rOncDOCfoU
+--- lNp487YxUggnR0bhdm4QA+1kYFdvbT34W79CzLWXE7I
+;^{_Wp[gy[`(4rm۶hgOG \ No newline at end of file