services: gitea add secrets

2023-01-03 16:52:23 +01:00 · 2023-01-03 16:52:23 +01:00 · 1a41b8ceb5
commit 1a41b8ceb5
parent 4c77497369
5 changed files with 102 additions and 25 deletions
--- a/modules/services/server/gitea.nix
+++ b/modules/services/server/gitea.nix
@ -7,21 +7,23 @@
 {
  services.gitea = {
    enable = true;
-    #dump.enable = true;
-    rootUrl = "https://git.kabtop.de"
+    dump.enable = true;
+    rootUrl = "https://git2.kabtop.de"
    lfs.enable = true;
    httpAdress = "localhost";
    dump.type = "tar.xz";
-    domain = "git.kabtop.de";
+    domain = "git2.kabtop.de";
    database.type = "postgres";
    database.user = "gitea";
-    #database.password = "secret123";
    database.name = "giteadb"
+    database.passwordFile = config.age.secrets."services/gitea/databasePassword".path;
    appName = "Kabtop Git";
+#    mailerPasswordFile = config.age.secrets."services/gitea/mailerPassword".path;
    settings = {
        RUN_MODE = "prod";
        server = {
            START_SSH_SERVER = true;
+            SSH_PORT = 2222;
            SSH_SERVER_CIPHERS = "";
            SSH_SERVER_KEY_EXCHANGES = "";
            SSH_SERVER_MACS = "";
@ -33,10 +35,10 @@
            PASSWORD_CHECK_PWN = true;
            PASSWORD_HASH_ALGO = "argon2";
        };
-        oauth2 = {
-            ENABLE = true;
-            #JWT_SECRET = "secret123";
-        };
+#        oauth2 = {
+#            ENABLE = true;
+#            #JWT_SECRET = "secret123";
+#        };
        repository = {
            MAX_CREATION_LIMIT = 100;
        };
@ -44,29 +46,30 @@
            SHOW_USER_EMAIL = false;
            DEFAULT_THEME = "arc-green";
        };
-        openid = {
-            ENABLE_OPENID_SIGNIN = true;
-            WHITELISTED_URIS = "https://auth.kabtop.de";
-        };
-        oauth2_client = {
-            ENABLE_AUTO_REGISTRATION = true;
-        };
-        mailer = {
-            ENABLED = true;
-            SUBJECT_PREFIX = "Kabtop Gitea";
-            HOST = "in-v3.mailjet.com:587";
-            PROTOCOL = "";
-            FROM = '"Kabtop Gitea" <postmaster@kabtop.de>';
-            USER = "secrest123";
-            PASSWD = "secret123";
-            MAILER_TYPE = "smtp";
-        };
+#        openid = {
+#            ENABLE_OPENID_SIGNIN = true;
+#            WHITELISTED_URIS = "https://auth.kabtop.de";
+#        };
+#        oauth2_client = {
+#            ENABLE_AUTO_REGISTRATION = true;
+#        };
        time = {
            DEFAULT_UI_LOCATION = "Europe/Berlin"
        };
+        other = {
+            SHOW_FOOTER_VERSION = false;
+        }

        session.COOKIE_SECURE = true;
        service.DISABLE_REGISTRATION = true;
    };

+#    age.secrets."services/gitea/mailerPassword" = {
+#        file = ../../../secrets/services/gitea/mailerPassword.age;
+#        owner = "gitea";
+#    };
+    age.secrets."services/gitea/databasePassword" = {
+        file = ../../../secrets/services/gitea/databasePassword.age;
+        owner = "gitea";
+    };
 }
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -42,4 +42,7 @@ in
        "services/matrix/signal-registration.age".publicKeys = servers ++ users;
        "services/nextcloud/adminpassFile.age".publicKeys = servers ++ users;
        "services/nextcloud/dbpassFile.age".publicKeys = servers ++ users;
+        "services/gitea/databasePassword.age".publicKeys = servers ++ users;
+        "services/gitea/mailerPassword.age".publicKeys = servers ++ users;
+        "services/gitea/extraConfig.age".publicKeys = servers ++ users;
    }
--- a/secrets/services/gitea/databasePassword.age
+++ b/secrets/services/gitea/databasePassword.age
@ -0,0 +1,23 @@
+age-encryption.org/v1
+-> ssh-ed25519 neExcQ dCh+HRLD8hV5vIZ5iZ0gnSyiSdJunN/MsDXdClqiznI
+fi+QK8cL5l7RpJOWvgVAA0h98EueVfNCX5tMIXh0Pys
+-> ssh-rsa VtjGpQ
+ay+xZqKp9c6IfdhYJdB2Y4DsK+uHeUErU0KNSAtazF1i4Aic7VmXJCYQ65gqFpSZ
+n09Xewru/ciOmtPN9E2I01LlG26qwczrIjk72jNqAaRPnfL6RuOUk+HTGuitobOT
+idUFUKxJl5UPsXNpGFW3ETJ4eRcujPmUfqxVGFY/ssb7qI/9BTcuySOWL61Ytl7P
+HDJdTdrNZJKrBJfuzRDMzBAj32Sni0T92Ng5bzQVNF8eCNOhhIy9a+SigwhMT1qp
+tbZqURWIGw9n1HGwQ7raalkwr/CvdtINd7vY3pTKwK1pIwDwiflgQVJ7MTS4nVmL
+eiAKbfZG11HGSwEmyG/zl5RZvA9pzWbYqFgkLf6M75KQlMxjiwli25Da5ahmrIy+
+J8BzJVXcAKUl8tRgRgg7rbWjRL05OcaKNU6XCotgd0g5HSRA6nHY8URoCmRHWguL
+wxSAjBxMJ/NciFhlcwqKgixWGjn5J+8FzX2AYPTSnoSJRYwTo2WqpVmg7us2frDe
+iB9t1r1mFyWqzl/3mlM0SmEKs/NI0O5IfxYsTjMjLDLlgjfkx3gq0CKc1oRSBLR+
+vzhv59EGMRAI1CZg9xteuO3tkUw5iVkPA35784ALdfoBeToO96lFttpfWEbbILP5
+iv9HzHNwDlEMgF880pMPnAGWPag8Yv9ANR6bio49k8w
+-> piv-p256 grR75w Ay6xGroo9Wi6QLICfryEz8CWKO7guC7vmrt407bzUzcb
+2ENrhkE4T1TrSCjDToeI/uS58MZnafI8glefwChpSiU
+-> piv-p256 RQguQQ AuWNJAzo1Gj4bSfybbjXrqq6TT3gwAY6KV/XhDWTtnWS
+H3qeNrIePWNjpbLpkMh9ScWOwkwyjWTR+OYAboQzZ34
+-> q]_G5R-grease
+hQ+Pk+0q
+--- u2RASGK+aYwMNV4UkGyBprChnbBjkUwEdJTnCFxxmN4
+<EFBFBD>+傱?遞罉*麤眥3忍邴撳尤}藝蜻蓾拂,'cc<63>]"棙羑?麔l
--- a/secrets/services/gitea/extraConfig.age
+++ b/secrets/services/gitea/extraConfig.age
@ -0,0 +1,24 @@
+age-encryption.org/v1
+-> ssh-ed25519 neExcQ ZCLiNDBNdcv6P73bROlcWwvpalGPkUBeoRokt0MYBRM
+UU/zMvEr2HpP3E7rClTFNmZdA6r5umB6/t2FnKyoajI
+-> ssh-rsa VtjGpQ
+C3mwshkQwtNXd0+k6wK5grpZmeSt22jy0kNn9oHUmIA72cNvw+Xmmr8DC5035LcY
+mUwMn0Kf3RRXfWUHUK58cfNIARwZ1+W8EoC53Su/6MqpVixx1Pu2cWpw+tI+Hkxs
+fituCOok1o/l82eo4xCaINxgqebGiRZtUypdmjJ4zUSZ1IVhnBaK6/X+1vduc18e
+Q9rh3GstWW9BA3wWNw4G2v4GKryApq/a2BgjC8p8JkJUjXHYJoZp8ZyEbuhZtUua
+VP1fiyYwIe6Dx1CEJobEd07GImKaq9XTbV/BWpeA4tlX19mcYx/KUz655pr+kS0N
+C5LkmXEeugsRWd5CcavNaDrTnIgT6GO19U9Y7oCCP1vQ9XbYmoeoqt+uqZmees1q
+Yln+uXBNgnLOHJYUh1iXoi9TTHCT9IjiHLJiu1IJusWeL4Fs+VJKQIgSnlAJIikQ
+cW2SW35M9hyPlepshnck1zfQS2IE78PwiLcFkHyoAnj0pLXXzS6m0y7Z2u9WBlB8
+/o5ZNm7UUpw6mx8SMy5LY8GeTt/9XMNBMOKOQls3XdftR6mr4FuMrAKv+NV+mXzY
+/2THMr9NIQtIYQPYuBo/0cu2ocXQQfQ/KX983dr6/ZeqFsKZY4+bKKvR3yFztXor
+Ckz1uyMvKgJAzt3HJnGb+MkfTMRNxPRfyhzK4Fu3Hcg
+-> piv-p256 grR75w A6r9LwHeQ6DPZ1nercu+u9Ys01NHsV9ukvsc5J7PKcMB
+HgJ+QAQ65N1WY0vuzfH62wxmHWDAiYL3MdkF4pTsrAI
+-> piv-p256 RQguQQ A0CrKXt7n0lCnk9LZIw22cLtvmirE9DmSrO8xNvd4GCF
+H7ZBM+SythzfJmG3emnx8dTJyKgmsL+/RUr7EZ16Di4
+-> K-3-grease "6pzDWC8 H\y `>^
+vIepOhKYnfQ6YMA+c6Kyf17UPpiNLy5p2MF6lFd9zB94OIwl0CQjEfquM8omrgXg
+brtDuBD1
+--- 6cU45Olb2f2tmfRcu1vEuW5ueOfssEN2fmAS7hzgwo4
+Ho?ËmÂóËÊ›4/G+h7åÑò¹S¡aÐÈÌ/IGðs®"a¶PÛ÷,Ñ/Õ±´›OÁÍc©ZGG£íª—p/)Îqo³w@gR+Q>'ðË/Ò<>½F>“ïãÊÓ¹¹†\Ì§›p¢Å‰’Y·	Uzj5¶Ä^‡ú³ÏÜôhQ¥˜U`¢À¸AxI’žþ´Á°Ã¯—-ºK¡´±öŠËJÊÜ±•¹û‡ ?JÐå
én Fà°j8ûä3>iØòÈt¥^!£"¨AÛ§Á^¯zòf&,%šBëSd<53>OT_ùÇ\VÅå#"ùô%Dƒûå<}ÃàLÄêÔ”²¿@<40> ÅÒ{	J¼ŸbA²°ˆS‚JÔ½§ 2Øõ’êSÏ$
--- a/secrets/services/gitea/mailerPassword.age
+++ b/secrets/services/gitea/mailerPassword.age
@ -0,0 +1,24 @@
+age-encryption.org/v1
+-> ssh-ed25519 neExcQ S4SkrY0LLBlXsKIyKbJG/0xsdOTMXPRQwWmciJdCGFU
+OugL59NZJ6fccEJtXbWA7wYoaFflA/wUOzkOSeuoLaM
+-> ssh-rsa VtjGpQ
+L4dHVMy1Ep/ai3y0cbOjJYcCgFcbzecOdjPow6OASNqBPUOfpcge4hmpWKbITLB4
+9FNsBxF0g+Z/gYtyiRmdZpB+61Ns5qsp66V9UDpQouAWnWGOtJhMVju0klXJWQLm
+W8nL9dWdS3vcFhdD10YO7ErQZAADRn5msN3m79wsFpS8ehq7PSoyGmysvimvOGid
+d3H+NGfBJZOKuFtgPwx3OUel+QekGaCPJNgEMw5BB7BABvtOkSFsngbxSIzQDDgy
+vFfcFWtvpLM/VNNZNkUBr+9esaCj6RJsn7wvktT69bjT12RoFrrMA1M3f/nwBPPW
+7VEe9DWmYU0KYO/z8oyqW0pv1Jn7CywSkeMhzhZflXrHgSJz8f0sc7RvUDrPe8nU
+hZtja23mp8iFLsqT1IDzCtx2AVQ/IEpBhK/e2VAA9x1dD1u8oO63Lqafx5bJj4o
+fVvqdfqS95Hoj6BYT4R+eaALjlQwo+ZbYkpMs48tMl3FMGB1yWFTf7lef//faRDd
+O2qah2bc0B145eBQjSxu+qGV65h1uVVYbzyHztTDtD2VAH3vt3yhXxcrwIEbFmAD
+RhdudA2i5N5R4WYvTSUlqu7W/1IReYLhJGPcAwUwviZMpsLAZXV0J4+kMfY2nlG7
+QIWAaOjNbCR9uUIzyRBiT8Z7evEhNJGfeoHfWI3YyxE
+-> piv-p256 grR75w A4JUNXeQebYxnpxuy/S0nZFuVefAsKoy9AgSqAmIgf+C
+E6W2cZda5/zXAQiVXpuBwyq1vVjkc6oLPRZcxoquhSQ
+-> piv-p256 RQguQQ AtTS4VS0D7XBHhqO4nAilRuUoaL8wN/CKqvsJBDkS2eV
+DNQ7jGW5JaLyTj7s0pcjqYgB8TmSzKAc7uzY6KY/3K0
+-> dUR*@Go-grease sO
+kaM21qvzGtRDZOmKY3+RmLO7JNQ2qnbAy7Rhm2jrDwFMZapow7tHdoukwSPPtdqV
+zbvcRqVh5eUp2GSpP9L5Md/Rb4zBrB3DQEQX+BDcBq2AoQLgznZu
+--- 3gADr/DczM3F+Cvzio9AelnCMVuF9lKba8i82UlSmIs
+¬!O~ŻŘa}î›'i|A„°bŁŘřV÷ż‘rq'Nýę_0¦LfBEnWěĽcŠç·MžŃâIź:Ybb