[gitea] Moves database password into an sops secret

system/hosts/mcp/containers/gitea.nix

@@ -0,0 +1,49 @@
+{ config, ... }:
+let 
+  inherit (import ./lib.nix config) hostRule blazestar;
+in
+{
+  virtualisation.oci-containers.containers.gitea = {
+    image = "gitea/gitea:latest-rootless";
+    autoStart = true;
+    dependsOn = [
+      "db"
+    ];
+    extraOptions = [
+      "-l=traefik.enable=true"
+      "-l=traefik.http.routers.gitea.rule=${hostRule "git" blazestar}"
+      "-l=traefik.http.services.gitea.loadbalancer.server.port=3000"
+      "-l=homepage.group=Apps"
+      "-l=homepage.name=Gitea"
+      "-l=homepage.icon=gitea.png"
+      "-l=homepage.href=https://git.${blazestar}"
+      "-l=homepage.description=Git Server"
+    ];
+    ports = [
+      "2222:2222"
+    ];
+    volumes = [
+      "/tank/git:/var/lib/gitea"
+      "/tank/config/gitea:/etc/gitea"
+    ];
+    user = toString config.users.users.gitea.uid;
+    environment = {
+      USER_UID = toString config.users.users.gitea.uid;
+      USER_GID = toString config.users.groups.git.gid;
+    };
+    environmentFiles = [
+      config.sops.templates."gitea.env".path
+    ];
+  };
+
+  sops.secrets."gitea_db_password" = {
+    restartUnits = [ "podman-gitea.service" ];
+  };
+  sops.templates."gitea.env".content = ''
+    GITEA__database__DB_TYPE="postgres"
+    GITEA__database__HOST="db"
+    GITEA__database__NAME="gitea"
+    GITEA__database__USER="gitea"
+    GITEA__database__PASSWD="${config.sops.placeholder."gitea_db_password"}"
+  '';
+}

system/hosts/mcp/containers/jobhunt.nix

@@ -21,6 +21,7 @@ in
       DB_HOST = "db";
       DB_USER = "jobhunt";
       DB_DATABSE = "jobhunt";
+      # TODO: Store secret
       DB_PASSWORD = "jobhunt123";
     };
   };

system/hosts/mcp/containers/lib.nix

@@ -1,14 +1,36 @@
 config:
 let
-  hostRule = host: "Host(`${host}.${config.domainName}`)";
-  localNetRule = "ClientIP(`${config.localNet}`)";
-  localHostRule = host: "${localNetRule} && ${hostRule host}";
+  havenisms = "havenisms.com";
+  blazestar = "blazestar.net";
+  hostRule = host: domain: "Host(`${host}.${domain}`)";
+  hostRuleHavenisms = host: hostRule host havenisms;
+  localNet = "192.168.0.0/16";
+  localNetRule = "ClientIP(`${localNet}`)";
+  localHostRule = host: domain: "${localNetRule} && ${hostRule host domain}";
+  localHostRuleHavenisms = host: localHostRule host havenisms;
 in 
 {
-  inherit hostRule localNetRule localHostRule;
+  inherit
+    hostRule
+    localHostRule
+    hostRuleHavenisms
+    localHostRuleHavenisms
+    havenisms
+    blazestar;
 
-  mkContainer = { image, dependsOn ? [], hostName, port, volumes ? [], environment ? [], homepageOpts, public ? false}:
-    let routerRule = if public then hostRule hostName else localHostRule hostName;
+
+  mkContainer = {
+    image,
+    hostName,
+    port,
+    homepageOpts,
+    dependsOn ? [],
+    domain ? havenisms,
+    volumes ? [],
+    environment ? [],
+    public ? false
+  }:
+    let routerRule = if public then hostRule hostName domain else localHostRule hostName domain;
     in
     {
       image = image;
@@ -21,10 +43,10 @@ in
         "-l=homepage.group=${homepageOpts.group}"
         "-l=homepage.name=${homepageOpts.name}"
         "-l=homepage.icon=${homepageOpts.icon}"
-        "-l=homepage.href=https://${hostName}.${config.domainName}"
+        "-l=homepage.href=https://${hostName}.${domain}"
         "-l=homepage.description=${homepageOpts.description}"
       ];
       volumes = volumes;
       environment = environment;
     };
-}
+}

system/hosts/mcp/containers/mariadb.nix

@@ -1,5 +1,4 @@
-{ config, pkgs, ... }:
-let inherit (import ./lib.nix config) mkContainer; in
+{ ... }:
 {
   virtualisation.oci-containers.containers.mariadb = {
     image = "mariadb:11";
@@ -20,7 +19,8 @@ let inherit (import ./lib.nix config) mkContainer; in
     ];
     environment = {
       MARIADB_DATABASE = "mariadb";
+      # TODO: Secrets
       MARIADB_ROOT_PASSWORD = "root123";
     };
   };
-}
+}

system/hosts/mcp/containers/minio.nix

@@ -1,6 +1,6 @@
-{ config, pkgs, ... }:
+{ config, ... }:
 let
-  inherit (import ./lib.nix config) localHostRule;
+  inherit (import ./lib.nix config) blazestar localHostRule;
   inherit (import ./secrets.nix) minioAdminPassword;
 in
 {
@@ -12,7 +12,7 @@ in
     ];
     cmd = [ "server" "/data" "--console-address" ":9001" ];
     environment = {
-      MINIO_BROWSER_REDIRECT_URL = "https://console.minio.havenisms.com/";
+      MINIO_BROWSER_REDIRECT_URL = "https://console.minio.${blazestar}/";
       MINIO_ROOT_USER = "minioadmin";
       MINIO_ROOT_PASSWORD = minioAdminPassword;
     };
@@ -27,8 +27,8 @@ in
       "-l=homepage.group=Infra"
       "-l=homepage.name=Minio"
       "-l=homepage.icon=mino.svg"
-      "-l=homepage.href=https://minio-admin.${config.domainName}"
+      "-l=homepage.href=https://minio-admin.${blazestar}"
       "-l=homepage.description=Reverse proxy"
     ];
   };
-}
+}

system/hosts/mcp/containers/nextcloud.nix

@@ -1,18 +1,18 @@
 { config, ... }:
 let
-  inherit (import ./lib.nix config) hostRule;
+  inherit (import ./lib.nix config) havenisms hostRule;
 in
 {
   virtualisation.oci-containers.containers.nextcloud = {
     image = "docker.io/library/nextcloud:latest";
     extraOptions = [
       "-l=traefik.enable=true"
-      "-l=traefik.http.routers.nextcloud.rule=${hostRule "cloud"}"
+      "-l=traefik.http.routers.nextcloud.rule=${hostRule "cloud" havenisms}"
       "-l=traefik.http.services.nextcloud.loadbalancer.server.port=80"
       "-l=homepage.group=Apps"
       "-l=homepage.name=NextCloud"
       "-l=homepage.icon=nextcloud.png"
-      "-l=homepage.href=https://cloud.${config.domainName}"
+      "-l=homepage.href=https://cloud.${havenisms}"
       "-l=homepage.description=Productivity suite"
       "-l=homepage.widget.type=nextcloud"
       "-l=homepage.widget.url=http://nextcloud.havenisms.com:8080"
@@ -24,6 +24,7 @@ in
       POSTGRES_HOST = "db";
       POSTGRES_DB = "nextcloud";
       POSTGRES_USER = "nextcloud";
+      # TODO: Secrets
       POSTGRES_PASSWORD = "nextcloud123";
     };
   };

system/hosts/mcp/containers/searxng.nix

@@ -1,6 +1,6 @@
 
-{ config, pkgs, ... }:
-let inherit (import ./lib.nix config) mkContainer; in
+{ config, ... }:
+let inherit (import ./lib.nix config) havenisms mkContainer; in
 {
   virtualisation.oci-containers.containers.searxng = mkContainer {
     hostName = "search";
@@ -20,8 +20,8 @@ let inherit (import ./lib.nix config) mkContainer; in
       "/tank/config/searxng:/etc/searxng"
     ];
     environment = {
-      SEARXNG_BASE_URL = "https://search.${config.domainName}";
+      SEARXNG_BASE_URL = "https://search.${havenisms}";
       SEARXNG_REDIS_URL = "redis://valkey:6379/0";
     };
   };
-}
+}

system/hosts/mcp/containers/synapse.nix

@@ -1,5 +1,5 @@
-{ config, pkgs, ... }:
-let inherit (import ./lib.nix config) hostRule;
+{ config, ... }:
+let inherit (import ./lib.nix config) hostRule havenisms;
   syncRule = "(PathPrefix(`/client/`) || PathPrefix(`/_matrix/client/unstable/org.matrix.msc3575/sync`))";
   wellKnownRule = "PathPrefix(`/.well-known`)";
 in
@@ -19,7 +19,7 @@ in
       ];
       extraOptions = [
         "-l=traefik.enable=true"
-        "-l=traefik.http.routers.synapse.rule=${hostRule "chat"} && !(${syncRule} || ${wellKnownRule})"
+        "-l=traefik.http.routers.synapse.rule=${hostRule "chat" havenisms} && !(${syncRule} || ${wellKnownRule})"
         "-l=traefik.http.services.synapse.loadbalancer.server.port=8008"
       ];
     };
@@ -39,7 +39,7 @@ in
       };
       extraOptions = [
         "-l=traefik.enable=true"
-        "-l=traefik.http.routers.syncv3.rule=${hostRule "chat"} && ${syncRule}"
+        "-l=traefik.http.routers.syncv3.rule=${hostRule "chat" havenisms} && ${syncRule}"
         "-l=traefik.http.services.syncv3.loadbalancer.server.port=8009"
       ];
     };
@@ -52,9 +52,9 @@ in
       ];
       extraOptions = [
         "-l=traefik.enable=true"
-        "-l=traefik.http.routers.matrix-static.rule=${hostRule "chat"} && ${wellKnownRule}"
+        "-l=traefik.http.routers.matrix-static.rule=${hostRule "chat" havenisms} && ${wellKnownRule}"
         "-l=traefik.http.services.matrix-static.loadbalancer.server.port=80"
       ];
     };
   };
-}
+}