[gitea] Moves database password into an sops secret

2025-03-18 15:38:49 -07:00
parent 18cb388ebb
commit 8bd3088bcf
16 changed files with 193 additions and 75 deletions
--- a/system/hosts/mcp/containers/gitea.nix
+++ b/system/hosts/mcp/containers/gitea.nix
@@ -0,0 +1,49 @@
+{ config, ... }:
+let 
+  inherit (import ./lib.nix config) hostRule blazestar;
+in
+{
+  virtualisation.oci-containers.containers.gitea = {
+    image = "gitea/gitea:latest-rootless";
+    autoStart = true;
+    dependsOn = [
+      "db"
+    ];
+    extraOptions = [
+      "-l=traefik.enable=true"
+      "-l=traefik.http.routers.gitea.rule=${hostRule "git" blazestar}"
+      "-l=traefik.http.services.gitea.loadbalancer.server.port=3000"
+      "-l=homepage.group=Apps"
+      "-l=homepage.name=Gitea"
+      "-l=homepage.icon=gitea.png"
+      "-l=homepage.href=https://git.${blazestar}"
+      "-l=homepage.description=Git Server"
+    ];
+    ports = [
+      "2222:2222"
+    ];
+    volumes = [
+      "/tank/git:/var/lib/gitea"
+      "/tank/config/gitea:/etc/gitea"
+    ];
+    user = toString config.users.users.gitea.uid;
+    environment = {
+      USER_UID = toString config.users.users.gitea.uid;
+      USER_GID = toString config.users.groups.git.gid;
+    };
+    environmentFiles = [
+      config.sops.templates."gitea.env".path
+    ];
+  };
+
+  sops.secrets."gitea_db_password" = {
+    restartUnits = [ "podman-gitea.service" ];
+  };
+  sops.templates."gitea.env".content = ''
+    GITEA__database__DB_TYPE="postgres"
+    GITEA__database__HOST="db"
+    GITEA__database__NAME="gitea"
+    GITEA__database__USER="gitea"
+    GITEA__database__PASSWD="${config.sops.placeholder."gitea_db_password"}"
+  '';
+}