

2 Commits

Author SHA1 Message Date
39b2c4301c [mcp] Some user setup on the way to automated deployments 2025-04-28 19:31:55 -07:00
3da928a7a8 [mcp] Adds gitea runners 2025-04-28 19:30:27 -07:00
5 changed files with 112 additions and 62 deletions


@@ -1,4 +1,6 @@
gitea_db_password: ENC[AES256_GCM,data:G2YqiDk0msBRjUJkoPxWmayQ9dI=,iv:FsojIJIi61K7rD2VULDgIx6uSYX3iDiA6W744HlgHl0=,tag:BlmsM7LZHnBCKtfuqlhoKA==,type:str] gitea:
db_password: ENC[AES256_GCM,data:12FYMsc8HdTMdPegoPLCidaHMMU=,iv:Uat0g7Nvota1yvj6InIAo7Dzv3cBtVVzlRa1d09gx1s=,tag:sFavpAHW0k/Fv1uzPVuGcA==,type:str]
registration_token: ENC[AES256_GCM,data:zYfFATOuqACrGUyt6xPhiisz293uomKc6BLPKz8I+MFFBrBdzT9FqA==,iv:gyp2WsUHMMrNBmssWGPLSJmZqlAtopc6HeAtX9+oCXs=,tag:mLEPTapn7OM3bm5c9TKB0A==,type:str]
bookstack_app_key: ENC[AES256_GCM,data:N79JVlQSoVCXOsIHCxd19HFm6LkrYyXQu/xWenEdUlQWqwZEi3PuHXG7fQgvzQY4KI7S,iv:cd2l2eOv+wAJ5sih3YhHgQTdy1qrvaIsoHcywOnHuYM=,tag:5QvCHlQX8wUz3tI2NXl+8A==,type:str] bookstack_app_key: ENC[AES256_GCM,data:N79JVlQSoVCXOsIHCxd19HFm6LkrYyXQu/xWenEdUlQWqwZEi3PuHXG7fQgvzQY4KI7S,iv:cd2l2eOv+wAJ5sih3YhHgQTdy1qrvaIsoHcywOnHuYM=,tag:5QvCHlQX8wUz3tI2NXl+8A==,type:str]
bookstack_db: ENC[AES256_GCM,data:m8fGgAfmJu1rEaxmTVH4FfBhyiU=,iv:OnBT/6sp9zmcJ1+kBmdmvaE630hifxBpvKnu3XrVXcE=,tag:SSVQcYkAymlbFOnf0MB6KA==,type:str] bookstack_db: ENC[AES256_GCM,data:m8fGgAfmJu1rEaxmTVH4FfBhyiU=,iv:OnBT/6sp9zmcJ1+kBmdmvaE630hifxBpvKnu3XrVXcE=,tag:SSVQcYkAymlbFOnf0MB6KA==,type:str]
mariadb_root_password: ENC[AES256_GCM,data:p965ZhFQqqX+Ub1yhgklVYlBH6A=,iv:qC5WwTvZGvlbAkYiv35xHizMYAnP0V0Vw79EkvL32wQ=,tag:gOJQvHeOC9turFKOMQ9DNg==,type:str] mariadb_root_password: ENC[AES256_GCM,data:p965ZhFQqqX+Ub1yhgklVYlBH6A=,iv:qC5WwTvZGvlbAkYiv35xHizMYAnP0V0Vw79EkvL32wQ=,tag:gOJQvHeOC9turFKOMQ9DNg==,type:str]
@@ -33,8 +35,8 @@ sops:
by9aNFY4dXNxaWxnTXFTQS9reHhuQWMKh5rZ93nFtBV9EpFVRp+E+GXZ6xzVy2Jw by9aNFY4dXNxaWxnTXFTQS9reHhuQWMKh5rZ93nFtBV9EpFVRp+E+GXZ6xzVy2Jw
vFh4deGcAb60q4odSaeWfk1Dr7L9Ua69oK9omjbCNUt+P7Kwlfca7Q== vFh4deGcAb60q4odSaeWfk1Dr7L9Ua69oK9omjbCNUt+P7Kwlfca7Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-24T23:16:22Z" lastmodified: "2025-04-28T23:33:42Z"
mac: ENC[AES256_GCM,data:NY9uhBwukENyny0lSnYDrdRDlAm5o0kGBs8Tes4x3/dofWibl9HqHobilg4qrLFzwCgQsgyPAFoRKV7ZVQ25YHjXM4YnoFVmUASfyTfoejWet/J3HwOO1xNkX8N6iYWJRYHOWaKMm46ZvkjmqAB0N6L7Z/8Uk7b09HoAxJ3aVHA=,iv:kI3kv0e9kcc8cb4H+YCnQYs7qDbucQYo264lz4zR/2E=,tag:ELqxtawXwhEPBncDz3REVA==,type:str] mac: ENC[AES256_GCM,data:cZkRcGV5/CPPVUdTDekwC8UjO6K348sBsS7NvR8wnoXS0AmSZsqN594nkvoc0VccM55Hwnm4jZxY56OV+UFMya1IRIkTo6LJRb88/CgZ8bjz30ACe33FKgJfCugimUDKsekbgNX1UFg1DVbqYK9/N4fcEBSxV3Xmzy5QGnQ/8KU=,iv:EprUHNtU5w7569ADMOxw+izDAL22A5OrB12T9iyHxKU=,tag:kRvyUEZwd/RttKdFOY2bJQ==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.4 version: 3.9.4


@@ -1,24 +1,40 @@
{ config, ... }: { config, ... }:
let let
inherit (import ./lib.nix config) hostRule blazestar; inherit (import ./lib.nix config) mkContainer blazestar;
in in
{ {
virtualisation.oci-containers.containers.gitea = { sops.secrets = {
"gitea/db_password" = {
restartUnits = [ "podman-gitea.service" ];
};
"gitea/registration_token" = {
restartUnits = [ "podman-gitea-runner.service" ];
};
};
sops.templates."gitea.env".content = ''
GITEA__database__DB_TYPE="postgres"
GITEA__database__HOST="db"
GITEA__database__NAME="gitea"
GITEA__database__USER="gitea"
GITEA__database__PASSWD="${config.sops.placeholder."gitea/db_password"}"
'';
virtualisation.oci-containers.containers.gitea = mkContainer {
image = "gitea/gitea:latest-rootless"; image = "gitea/gitea:latest-rootless";
autoStart = true;
dependsOn = [ dependsOn = [
"db" "db"
]; ];
extraOptions = [ hostName = "git";
"-l=traefik.enable=true" domain = blazestar;
"-l=traefik.http.routers.gitea.rule=${hostRule "git" blazestar}" public = true;
"-l=traefik.http.services.gitea.loadbalancer.server.port=3000" port = 3000;
"-l=homepage.group=Apps" homepageOpts = {
"-l=homepage.name=Gitea" name = "Gitea";
"-l=homepage.icon=gitea.png" icon = "gitea.png";
"-l=homepage.href=https://git.${blazestar}" description = "Git Server";
"-l=homepage.description=Git Server" group = "Apps";
]; };
ports = [ ports = [
"2222:2222" "2222:2222"
]; ];
@@ -36,14 +52,21 @@ in
]; ];
}; };
sops.secrets."gitea_db_password" = { sops.templates."gitea-runner.env".content = ''
restartUnits = [ "podman-gitea.service" ]; GITEA_RUNNER_NAME=MCP
}; GITEA_INSTANCE_URL=https://git.${blazestar}
sops.templates."gitea.env".content = '' GITEA_RUNNER_REGISTRATION_TOKEN=${config.sops.placeholder."gitea/registration_token"}
GITEA__database__DB_TYPE="postgres"
GITEA__database__HOST="db"
GITEA__database__NAME="gitea"
GITEA__database__USER="gitea"
GITEA__database__PASSWD="${config.sops.placeholder."gitea_db_password"}"
''; '';
virtualisation.oci-containers.containers.gitea-runner = {
image = "gitea/act_runner:latest";
autoStart = true;
environmentFiles = [
config.sops.templates."gitea-runner.env".path
];
volumes = [
# The runner will spawn new containers to run the actions
"/var/run/podman/podman.sock:/var/run/docker.sock:ro"
];
};
} }
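Review bot: The new `gitea-runner` container bind-mounts the host's podman socket (`/var/run/podman/podman.sock:/var/run/docker.sock:ro`), and the `:ro` flag only makes the socket file read-only on the filesystem — API calls over it are unaffected, so anything that can reach that socket inside the container can start arbitrary privileged containers on the host. With the gitea container set `public = true` (assuming that flag exposes the instance publicly via the `mkContainer` helper in lib.nix), any workflow a repository collaborator pushes — or, if actions run on pull requests from forks, an outside contributor — executes with effective host-root reach through this runner; consider a rootless podman socket dedicated to the runner or restricting which repositories may use actions, and pin `gitea/act_runner` to a digest rather than `latest`. The container also declares no volume for `/data`, so the runner's registration state is presumably lost on each recreation and it re-registers with the same token, accumulating stale runner entries — confirm and add a volume if so. Suggested comment on the socket mount: `# NOTE: this socket grants root-equivalent control of the host; :ro does not limit API calls`.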


@@ -1,37 +0,0 @@
{
gitea = 2001;
timetagger = 2002;
pocket-id = {
uid = 2003;
gid = 2003;
};
bookstack = {
uid = 2004;
gid = 2004;
};
mariadb = {
uid = 2005;
gid = 2005;
};
focalboard = {
uid = 2006;
gid = 2006;
};
offen = {
uid = 2007;
gid = 2007;
};
mkUserAndGroup = name: ids: {
groups."${name}" = {
gid = ids.gid;
};
users."${name}" = {
uid = ids.uid;
isSystemUser = true;
description = "System User for ${name}";
group = "${name}";
};
};
}


@@ -0,0 +1,56 @@
{ pkgs, ... }: let
systemUsers = {
gitea = {
uid = 2001;
extraGroups = [ "git" ];
};
# timetagger = 2002;
pocket-id = 2003;
bookstack = 2004;
mariadb = 2005;
focalboard = 2006;
offen = 2007;
public-html = {
uid = 2008;
shell = pkgs.zsh;
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPiqbLAXpBkjXnHLvz3VCd5i+VmYdd9dAcRt+8E1OQX drew@vega"
];
home = "/tank/web";
packages = [ pkgs.git ];
};
};
mkUser = name: value: {
uid = value.uid or value;
isSystemUser = true; # only affects UID allocation, but required
description = "System User for ${name}";
group = "${name}";
shell = value.shell or null;
extraGroups = value.extraGroups or [];
openssh.authorizedKeys.keys = value.authorizedKeys or [];
home = value.home or "/var/empty";
packages = value.packages or [];
};
mkGroup = name: value: let
# 1. Value if int
# 2. "gid" if present
# 3. "uid"
gid =
if builtins.isInt value
then value
else if builtins.hasAttr "gid" value
then value.gid
else value.uid;
in {
inherit gid;
};
in {
users.users = builtins.mapAttrs mkUser systemUsers;
users.groups = (builtins.mapAttrs mkGroup systemUsers) // {
# Legacy groups.
git = {
gid = 992;
};
};
}
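Review bot: `mkUser` sets `shell = value.shell or null` on every account, so the number-only entries (pocket-id, bookstack, mariadb, focalboard, offen) and gitea get an explicit `null` instead of the NixOS default for system users (`pkgs.shadow`, i.e. nologin); if null ends up as an empty shell field in /etc/passwd, login(1) and sshd fall back to /bin/sh, which would make these service accounts interactive-capable — worth confirming, or simply default explicitly with `shell = value.shell or pkgs.shadow;`. The `public-html` account is the only one meant to log in, and its authorized key is unrestricted; if the account exists only to push into `/tank/web`, consider prefixing the key with `restrict` (or a `command=` forced command) so a leaked key cannot open an interactive session. The `isSystemUser` comment is a little misleading for `public-html`, which is used as a login account; something like `# isSystemUser only changes UID allocation here; public-html is still an SSH login account` would say what is actually going on.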


@@ -13,6 +13,12 @@
programs.git = { programs.git = {
userName = "Drew Haven"; userName = "Drew Haven";
userEmail = "drew.haven@gmail.com"; userEmail = "drew.haven@gmail.com";
extraConfig = {
safe = {
# Marks the web directory as safe even though I don't own it.
directory = "/tank/web";
};
};
}; };
services.syncthing.tray.enable = false; services.syncthing.tray.enable = false;
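Review bot: The `safe.directory` entry intentionally disables git's ownership check for `/tank/web`, and the comment should say what that check protects against: a repository-local `.git/config` or hook in that directory runs as your user whenever git is invoked there, so anyone who can write `/tank/web` (elsewhere in this commit it is the home of the `public-html` account, which has its own SSH key) can execute code as you. Keeping the exception to this one path rather than `*` is the right call; just document the trade-off, e.g. `# Disables git's ownership check for /tank/web (owned by public-html). Anything with write access to its .git can run hooks/config as me; keep this limited to that path.` The `programs.git` block is complete within the hunk.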