diff --git a/flake.lock b/flake.lock index a9f2b18..f5e99ab 100644 --- a/flake.lock +++ b/flake.lock @@ -268,6 +268,24 @@ "type": "github" } }, + "loreddev-gitea": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1765921137, + "narHash": "sha256-u4qyEOZm1+2LQDlG24smmEToO/r1T08s7MCYzE/DnjE=", + "ref": "refs/heads/main", + "rev": "96edd617d6daac89d00c080df561818b2fcd7da2", + "revCount": 19980, + "type": "git", + "url": "https://code.capytal.cc/loreddev/gitea" + }, + "original": { + "type": "git", + "url": "https://code.capytal.cc/loreddev/gitea" + } + }, "mdfmt": { "flake": false, "locked": { @@ -288,7 +306,7 @@ "inputs": { "godotdev": "godotdev", "mdfmt": "mdfmt", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs_3", "nvim-treesitter-main": "nvim-treesitter-main" }, "locked": { @@ -398,6 +416,22 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 1765779637, + "narHash": "sha256-KJ2wa/BLSrTqDjbfyNx70ov/HdgNBCBBSQP3BIzKnv4=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "1306659b587dc277866c7b69eb97e5f07864d8c4", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1767892417, "narHash": "sha256-dhhvQY67aboBk8b0/u0XB6vwHdgbROZT3fJAjyNh5Ww=", @@ -413,7 +447,7 @@ "type": "github" } }, - "nixpkgs_3": { + "nixpkgs_4": { "locked": { "lastModified": 1767379071, "narHash": "sha256-EgE0pxsrW9jp9YFMkHL9JMXxcqi/OoumPJYwf+Okucw=", @@ -429,7 +463,7 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_5": { "locked": { "lastModified": 1778737229, "narHash": "sha256-6xWoytx8jFW4PF1GjRm/i/53trbpKGfz6zjzQGBr4cI=", @@ -489,7 +523,7 @@ }, "nvim-treesitter-main": { "inputs": { - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_4", "nvim-treesitter": "nvim-treesitter", "nvim-treesitter-textobjects": "nvim-treesitter-textobjects" }, 
@@ -530,10 +564,11 @@ "favelasmp": "favelasmp", "home-manager": "home-manager", "impermanence": "impermanence", + "loreddev-gitea": "loreddev-gitea", "neovim": "neovim", "nix-flatpak": "nix-flatpak", "nix-minecraft": "nix-minecraft_2", - "nixpkgs": "nixpkgs_4", + "nixpkgs": "nixpkgs_5", "nixpkgs-unstable": "nixpkgs-unstable", "sops-nix": "sops-nix", "stylix": "stylix", diff --git a/flake.nix b/flake.nix index f09d4d8..71aacdf 100644 --- a/flake.nix +++ b/flake.nix @@ -38,6 +38,10 @@ # url = "git+file:///home/guz/Projects/heart-favelasmp"; }; + loreddev-gitea = { + url = "git+https://code.capytal.cc/loreddev/gitea"; + }; + nix-minecraft = { url = "github:infinidoge/nix-minecraft"; inputs.nixpkgs.follows = "nixpkgs"; @@ -226,6 +230,7 @@ neovim = inputs.neovim.nixosModules.default; playit = ./modules/playit.nix; services = { + capytal-gitea = ./services/capytal/gitea.nix; cloudflared = ./services/cloudflared.nix; minecraft-servers = ./services/minecraft-servers.nix; }; diff --git a/secrets.yaml b/secrets.yaml index a8ab95a..00bdcd1 100644 --- a/secrets.yaml +++ b/secrets.yaml 
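Review bot: The new `loreddev-gitea` input in `flake.nix` is declared without `inputs.nixpkgs.follows`, unlike `nix-minecraft` directly below it, and the lock file in this commit shows the result: the input resolves its own `nixpkgs_2`, locked to an older revision than the root nixpkgs. That input supplies the package used by `services.gitea`, so its toolchain and dependency fixes move only when the upstream flake's own lock moves, not when this repository updates nixpkgs. Consider adding `inputs.nixpkgs.follows = "nixpkgs";` inside the block, provided the fork builds against the root nixpkgs. Separately, the URL points at `code.capytal.cc`, the same domain this configuration serves, so a rebuild from an empty store appears to need the forge already running; a comment recording the bootstrap order or a mirror URL would help recovery.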
@@ -1,19 +1,24 @@ services: cloudflared: + capytalcc-cert: ENC[AES256_GCM,data:Gfys2Tlpk7sQpVkK9RSMQS9TzZVcU3IRoCpL1GOFuBL0ZWPzTgiNfyksBRs3yUph5X+Yc7BHT0qSFZneUwml9EojEuFZZnhxt7gygnQGSUzKHNAHF//fT+P3PpWI/dDfboznLQsNti7GbpflMiOOBdu36xXSai2jt4tFFLp/DoQ5aSXfCcgGx/gB4wLCN1kLcPnldGSHJ4k+Z3U28gJRiCZ/tWtrRO7KdUxh1u9Y71wQbtVP6Xp0jUI/0CgOAxE6+eOFcgeleNSc+vbvN3TB1yl2d/oj9jpsub9b60duMHkq0S5M7iE7aHPNk92i1kIraqVOuUYvlMmlCM4bRZ+vxhGxOujXHqr/BNfR+EhXyRsnZEZxdTCBZpQa,iv:noJUVwrFuHGD/bT0PVFQTjuCj35+viVlHvdM/yJS+6Q=,tag:FoyUbrAiaF75pFy6Fwx5Tw==,type:str] + capytalcc-cred: ENC[AES256_GCM,data:AKSM5VhzNUiLrM27fRiB7R+IzsJ1HY3X0VQFi3iqaazUTexxM7JwItW/jfBS8PlPTk7JiwVG++e7RNJapUzLHe0Zs1wwPUb6FkC3Q0GTdj051NhffvSCfpn/8WIGOxZaT9nZKYbWfqJ18oFLa6yX2VqN7DzpmnLgvy4G21SYkGRCFja2g00bVH92kJuLEpM/yVPdHa/RGjy0jQxmSgOpo3SEsHfaaxYk6VoPDd3RZC8=,iv:l3RNQz5lXnsDAcqaTkckL38henO5HaVbAlXt+Zrusk0=,tag:JBflgE+I2by4La46KHzIJQ==,type:str] guzone-cert: ENC[AES256_GCM,data:zFwtLBIb5S5XvduuK2hbVsq9YHkvKuyy25KtOHN3YQeHuWMZQzDXw4ICE6/YaJzfDhZNxcpQvRNt6OXqqBzHB74oEeKvOZC9owfMzNufWHxcFRpwNSl5LUq57ciC+6wnizhrdKwtk3v5lZk9ToCjURYbZ/RqkZKgYfrrv7Xh22Qns+H9rYg6B06MtglXSHciXnigc5ofkyd9mY3yoCCooteKaix13ZJYzt+LHfJlur/+tGz8pvAZGN/beOdkX/kp6QD3+7JPeOt6KeNkdGY4TvdM2fpMSK0JZekGHgHQVSQJLDkSlNY9SOPuqgZYleRi0fy2Ve9tA9SpGatWXhcuUZTbbNf0SRf/by5n6mUF9a3kPOjkJq/4Jeoi,iv:0wobompJLwaxVQnJAntKSF2pxIebDxxZ2lgEpw3iT1o=,tag:Ef3QZ6vebHzzSsTLUOWYyw==,type:str] guzone-cred: ENC[AES256_GCM,data:UVsBMQMB2yrS2TnzyqSh57Hyr13ONfC81gJO2iT5EDkUu1XoocJcd1G0TEhSODmMvTfx6FrI5GSGRbHX0Z/AK1IBIeLBBQ9zDqhvL/2i+0EltBaIw/HMDusWvFLQMBBQiJ0uDqpBTEUAidUEe/qX248bGdL3d9EfYcxp7ivplMOZ5ocNJhDXqF0M1odfcia6J5xvehBeBeO6B8t5tDoDIIpA39bHge5IgMvQ9GwB4tE=,iv:YFbB8Wmgnzwdw0BZjWIrkP5FQ09iKeiW/eIIbBdNEgk=,tag:v7u6cAf8JM2KT/jxxb0tYg==,type:str] - minio: - credentialsFile: ENC[AES256_GCM,data:b3ZS3dJOjUMTFNY0vnCr+u5SZaUtf2DR4zCIGH/OpZWWjJIxjRPKp6aPM5ok/XnYu8cv/4FHwMM=,iv:ZnzLCTI0cEVHGy7mMUNGiQlseOXxvNgWrD1mkthwkNE=,tag:8Ii6fNg2syJcyxNAww+6SQ==,type:str] + gitea: + actions-token: 
ENC[AES256_GCM,data:SBqyvNKmdAYQ2Yia3c3B6zJ36tV0iLkgmABXuzUXamRLHQAX6vtrUNXqwL5b3fU=,iv:0TQbJFRsAYpy/aKr3LyThFCPT/HOqws9rAVlc/BC064=,tag:AF7SeWmFqjAyDlifNcrY5w==,type:str] + env-file: ENC[AES256_GCM,data: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,iv:gOst4FJAAVcnpCJ/wmuW7yPdjzGqvkSqHn6qWjEowHk=,tag:EUm568mJlgXfr3fgGthxyg==,type:str] minecraft: playit-secret: ENC[AES256_GCM,data:dXy11fLDMTYg+aeoHOVVsNxXHry5OvKixWwtF/FWQULQ/KyOH8eshVznSXBazx3MFTO0qm6c5jJecGiN/0Ry0WdtRqzZ7mFqjMnpTck7xDU=,iv:y9PAcD86PlnK8mxjMAS1FMBNW3ZT8uLAFPnxxUaEgm4=,tag:NtnVnknzWDwqzg+4hC65UQ==,type:str] proxy-allowed-users: ENC[AES256_GCM,data:nP9qx1xHS8mTXttAEfwX,iv:3afr3MFL7pUqNrq0iLFvs7Rif1Nfxp+/clFsMysawKo=,tag:I8P5SHwAt6n7qszAbeHCRA==,type:str] proxy-geyser-config: ENC[AES256_GCM,data:zUtasSljIpn3pya0QmyyckY6xlIexk/j9KjTlGFU5u9Onvrgr2B+ggnsc6tkvgGFoMTk5TF/T6I5CAzoOg0sTkJqGlx8zxfjYpi5ZnW2kLwdrwpzidzTGpl68pA5KMxYAtAmMkv8g10T+DSYvrVpk4o4wU3h5Ud9,iv:DNVOZwND/pS9RmbCDVi1oXqYSZqO/GwoNkUOJJOh5tY=,tag:E7V24sVn78MWD2RYDz2Rgg==,type:str] proxy-voicechat-properties: ENC[AES256_GCM,data:khVSVyXsCR6ig+ugQPmsMxYHnlCee5C4GBZLrzzoKuel5l/ieDOaGXw+abcm5RBELy+cOQWd/xD2cq3PM712hkksLpSYUw9gSSlx,iv:Gdc/bCdW6e1ZNFK5FXQGVmLQ1kv0Hklm3hvl79Er55k=,tag:O28pa0cIEDH7H0tuUGXo6Q==,type:str] proxy-secret: ENC[AES256_GCM,data:K5GMlzDMD31YKjrJ,iv:1jSAFuPri5DS7foMBSw0rzXimmg3IPN6JXm0WVXqNwI=,tag:X1InctFVT53Ne/b23crnTg==,type:str] - favelasmp-ops: ENC[AES256_GCM,data:ifAtvtIQpQV2uZrZp1JZwbK20XCn3F5uEzcs/FJE3etSFT0nd06RzjRUP7HaJnAEpkGz4VAy9p8p1sd8TdLvpZHru2elU1qn1H8YDjl2aj2FxNq+yvT9rfflS3hbdDFkN8Ov+j6vU4c9sEx4omDR70T0mhKJCj3qf6344dBYGRCH47LtCiLqSoGFnqYzN4MPc9hbkkuhH2rXFuhHZ5PYEtPKznkHcbLgf+cZZd/UpgIC28JNq88THDL2pwjKZQknTe1hcf2fmZyHhqBwMO8ZsYQr3r9zvCHRXrOr5XVOd3rX6nVrMKRd+18zaMJ7jxAzeVjNXjm+a4S1GYmyPbifVB6Tyw33+9JIITVfgQNn,iv:nZj95AAJv/ag72cSIOFpWiG5s426Jfov+DAAsP/0oCw=,tag:yfGaGs60I8l2xsWHkpucHw==,type:str] - favelasmp-whitelist: 
ENC[AES256_GCM,data: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,iv:cH7MpF0/VrrdYTU5XJxzXa9n2RA84uWgTcv5wSIHzsc=,tag:S3tlFRkgpj8YhUkedTihBQ==,type:str] + favelasmp-ops: ENC[AES256_GCM,data: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,iv:y344lM1tjijqsgaM/NHGJMXJxbJrEK+v0LuF8ZGbI5g=,tag:BtV3E2EdEOU9NwTYiFLVUQ==,type:str] + favelasmp-whitelist: ENC[AES256_GCM,data:MKNkAWTm+ocxJW2cOD92WopiOM8PJRjQpuOlXqs7sfVg4vZKX5ivX0vrjcYZjF4Tia+qZCKjH3tJM+xHK5/jPDEQyBwYv5bh0/z7kg/IOvaYsrBgR249D5HniP8avQAmYOVSbG8ja25tmfUoCNcf/WUt7sGIenNUiHNQOKS5S07iFlyJWvCmgES8J7iGfYmc9hntFZ8ZK5GCwGZT1YzwT9p7aLEbTfLNe1c9IzT1ew6iReNCCpIyj33pTjdWA51kWJ1dS4/s5QIxC80eyzG97C66rtS2UzWunGgrN+HPtZmuMoVeIDTbhTEnTLGOGDtVVKZ8vv9fUX4yLaONTH8Bttp6rTMRzVKZHYuZ/1DA+E1BrE0xvBEzLpEKiRLwY1rfztmPB15yJEG/LZjLJPS9rYu0zIr0/UNrcvPwdDA4aDkoh8n+/ABFm7TsHXf38dpWVS+yxfLKEId9/DQ22m+iO5OFObzo4jAM+ajkRcBSv8aT+u9Zh87LBKv2JpiUUePHdL41ZpkWzynbTUyISB7Np1U94vETT1i4QGmBLwZ4SatkA9oAXPS35W5qULsTZ6TR60KW0dQ8bp+R+IICqh0rSl2tzEZtZ02PegvaX3mNBW6HXavnKzvztuEvIR+FQbvlyHKEEY6Ty803rO5WAW4sdI7QoaZnX2f23cXjP+uuVm4+RzfeZXW2U19HZvHOF/kFkM82wvnasMwVqpj1gWEk1HYUDjajqJ4muBvztBqXOYEhF4sNHoVPGiJ2xKMPESs32c5nia4OQy+zV4KviEU5U4TRwX7AkFOHVTDrNbvZ5nLXdJkMzQLPkyiTGecJTKa2hNpAeodALlFfmiRb5jR0MkYmeoFYqhzAfWjFCVB1JxW6HMapGp+D0KAf99sziz8FUs6n+vevafz2n5iyNzomwZqX9DoNFG34Mrgjd2+Tl3OxRFaWt1osGcJFjs4LpcY2MOU74QRixEwHGmzV9wowUpU1ychUOPvyoJWMBRm9vdep6LRCzkd8QU6+6hNIliy2bjMr1TEFGac2gv5SVyyeCa3R/CIPii37+1LGglLHsy8FuFmWQjRnxB9DxL+jaWl7mVLCHy1Fmu99FG2VuISKzqf5i+HI9wupXkoO9Du/H1LvBs7WlkBVMYCfTusxgNW6LLe8aoWDhM/NehXSR6ElJF1Fx1b2+oBZvTIbmemeDiq6Dn+Cp+4smswoXmgtqpzS0umXWzqLlWOag7FdWR+jPYra+GgavFZJ97qKitBw8hOR4xNi/0MsEi5j6SvTkE3LsRH1vEPHF91fn6y1TQaagrrSMA==,iv:s49Os2mYvjjoz8FxBpd9ZZWNMU9gIuC0Wck3czsSYqo=,tag:d/mSpnUjI+d8oSNDSt2Lbg==,type:str] favelasmp-pack-manager: 
ENC[AES256_GCM,data:vogn9uwFiurgx9CQjl5K9RYwSWdftXOijeu4IYRKkjTCo/i6c3vyQfdSa+lZbVd6PIhSHhzVcYcUkfzWtMbU9X3ES5yGqg43cp1yAJSDDLeXxO2FJPU4HOeXgjkUYVZdjLzM4L8QSWX94n494YC8wIryd2K29JeXpWJANcQEYnv1NtO6eSoWDT79vLO0uroqBx9O156fuTvNZmv9wvyBxTs8oRvjN35BH9Vb7oS3r5n+nEPuOFEny95GY1Wkw7ih1HzCxSE44MiJdZvgP/kBFMVbm4W+suqsRPOGNBFA2a8IlGXuSgYZx6ShFMLu9cn6YkYi1rhj2IZzzVEZrGimY9XqybznI6KrcVZ0HU3CZVReJCzyAH+RgVfcPliJNEAzU8XVk/O55kqGNFY6Tu8TBYh/jnq1eyxIceuC8OKGg41+ivwBSInmXmzcCSBnW/zzIT8QcEd46aCLqcjNlfvXHFJhpG4dCWSqRFE75rTkGmMZM3VI76MoFX2ek5GrAm1WuAJGjlB+zptmkQG/PpeT7Yrwl2LdcmrgkjUuXK/hi9Hm8mQ5WKc/qjECLXCTcYSFUyZivBwxMwp75Th6ieQ8TQ6Gds8Tk+UCMfroFbC1DXGGWEIZQsb91RMRMbReez9EeuYnLzAuEdvdTcdELrHrlHVyhyTt+8KFzEaBwhcsHKZXEcQtUFJcjBS/1Ne1FQ8jpHUnx++tNzARM3jc8EaKp5tkshxJjLd9sfG4wVbc4hxvBxYcma9wYQTlPUyKr67ZsxpZIn3Z8OF6bAg5dRxnW5ZCIECZE3Z5WbZ5OTV4ob05OVTks/HpGa5XLgF98w0P4BDPeRd9iSVjQrbMpF9ZsaAMhtbrllmTfgqzmesBR5qKvI23nS48EDDxo83VQ6oG3+5+p4y4OblVMh03afCVAKfFbQAGC6D8W667HbpNpejLpO6foAbhyvlzrpbhY1C+sRzI+k0C8jY+NBjPSwZWvJ76KprSTcwWUHtSGg8odeqFBslW/GVSSz2BwZpP8MeYlcvZM1roKFjXr+yfnc55OZHftxAB9qzTQLuij5aYsPC5nfkuHQigaf/nsjvVIHwxU33pdg8TBCc5djnCi/uaaZFBOHrxmIUgo05NCTjVfg0gAlffxQApIY3YpcdkE8OWT2TJXTUMe88iJqaMiQ2RNVUDY4MdcfxHtM8D1KbTFg7elUDQ1PAKwSG4QcXi8YXs742KKSDv1GjsZiAuqkRHeONOqjdPkAYErt6tBcknzbgVY4lWWNKYaf6949TWCjlYpOCWzhUiWJuXaURvgziDxUM7GcVCkc+yyDnWCDdd8ucOvSHeTPNgQS6kYHj1TLT9CJYwS0djFau7VN4fqdHG+wjibZCgRTPHoHjdAUHN5eUlYLlJuKv1Lm0YMCd6vI0WBZguSM8w2Tg7EQruCtXYNXr+hu7ev2+QaEqG0JX8a5Yq2EPWzIuBXgZstOxdDmTILracC600AG1+knhLDpOM9WkMnRHY92CykhllDKEir+BbX8CkJ+sjytfy1IVQx7lLXivXqVCBBABy1MCmoBJp3i4aChPk75i2RVA1+arjLdSGz9R69fXCT4aNCbLwBGlLc6PKNS68PxknP/dyKl6so5Rs+QIP54NuMfaRIpYyzZ4laHFG4YLHmM4gRSZz7d/b22tqn9f6ozIkSpDdm6cBBtHGp3MUUcQ0ZHTrRirqOkt4ySgxCBk/CSRRfgdylKZwGKqMbv0tKCb9lxYc8MIbiHxXf8PG3OBH/JuN7rGmV1COjC5QIWmxnXBW4BIBMUrkCMK8eqxXT8Vuk/CdKXofU3dap8ymrq8vUAWUaPSwjiE6bvr/xFOyCxVc0oq4kXQxO0rzoo0SZlfufYrcPk81iQwtnjK00vaznOytdmta9xIswdyPCBqYes74DMcBWvWht7zfeHJmAnVNieT++7jh5GsLIWK4QcPbYByVTbVGMYEGtRWwfWxmuVeqQMEQ
6+E7Mi7qsWnEYcd8CjTpb6uKEOohnKeV/vMqB83rAv3DuOtVKrfTr5CEubVRt4JtLsKrKPUIf/nVLVYG0f8WVgxNlR76Lyn8gBVaJjGVS2iYAqKWYgxfYNeZ,iv:zrpbgxkEOPkGThzY6o9Tp59ObA6hJUHY5tqZ6v8A9Ac=,tag:YAHFXl5yYOSfsqdaxKqKkA==,type:str] favelasmp-discord: ENC[AES256_GCM,data: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,iv:W2kT11X2rsvEChSvJgEuUtmeIqKP1AYgWwXsspg4LUQ=,tag:lEC3vMsNme1vtPxAtDcRRg==,type:str] + minio: + credentialsFile: ENC[AES256_GCM,data:b3ZS3dJOjUMTFNY0vnCr+u5SZaUtf2DR4zCIGH/OpZWWjJIxjRPKp6aPM5ok/XnYu8cv/4FHwMM=,iv:ZnzLCTI0cEVHGy7mMUNGiQlseOXxvNgWrD1mkthwkNE=,tag:8Ii6fNg2syJcyxNAww+6SQ==,type:str] guz: password: ENC[AES256_GCM,data:0D9a5w==,iv:+ahN7Y5rsJGCB6/sLgA11yt6YjPDIs1Q7qyTSBqp/No=,tag:pqnd/zAKu4ZFSsrInPPO5g==,type:str] git-envs: ENC[AES256_GCM,data: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,iv:6vBiIpZvLjWb1X2mQRf/IGDvU60NtJ8TaYPtKA5GepA=,tag:f4sW9OAO4BA3gHwLuaR/rw==,type:str] @@ -28,7 +33,7 @@ sops: TUIyZG5rVC9PM21RR1ZtaXhKUytyL2sKH49RFJJi94RFtbyJMYM2oLETQ3sgpXkJ BFyQJClKlbE5In6XnvJ0PjXForr8tYFIZ2YG7/Y2jf/hXMtIHO/02g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-05-16T00:52:21Z" - mac: ENC[AES256_GCM,data:4ewookSW0JwDM+c4aVrMSifZRsLH6D7hMMp9EuEl7ksu6w1azbVyDCdB3t+bBfzeqmulfE6K2c0Bhw6ldESQp3ovv+IV6IYbIhwj6Y7eUq4eH3yYlU00+9LM8o/yreS82kxihWIp7QsvGOwp96Vovdcji4XBw+OGwN1vEsoPYd0=,iv:OCTGPm10V4ZC33MAgTDBEesvZ029x+1ctCTq0PxxJIM=,tag:/GdwOa42MmE1xdCa9c9d1w==,type:str] + lastmodified: "2026-05-20T22:34:38Z" + mac: ENC[AES256_GCM,data:+ymZYgCol0g0VBTGN9UIHruL79AkUp3IJkxWgiAua8OshRlvcpPtmVf8o80bO7Vr3VSkGYEJQ1Sra4WqDDlBVFS46HqHMYRUlLP6j7Q5kw8GaSrV/j328HgcC+feg7YjHYjzNs/jdNjf8l4WyFAGU/dP07EBPT1/lh6zL+A8ki0=,iv:jApzTmb7R84Y34op/qr9Ykjsg3GUG79NBhMfUeXdC4M=,tag:6D5Ru0MsVQlfse0ZBUCmwg==,type:str] unencrypted_suffix: _unencrypted version: 3.12.1 diff --git a/services/capytal/gitea.nix b/services/capytal/gitea.nix index b8ffed4..63d8a06 100644 --- a/services/capytal/gitea.nix +++ b/services/capytal/gitea.nix 
@@ -9,8 +9,8 @@ in {
 services.gitea = {
 enable = true;
- package = inputs.lored-gitea.packages.${pkgs.stdenv.hostPlatform.system}.default;
- lfs.enable = true;
+ package = inputs.loreddev-gitea.packages.${pkgs.stdenv.hostPlatform.system}.default;
+ # lfs.enable = true;
 settings = with lib; let
 initList = l: (concatStringsSep "," l);
 in rec {
@@ -72,7 +72,7 @@ in {
 DOMAIN = "code.capytal.cc";
 ROOT_URL = "https://${server.DOMAIN}";
 PUBLIC_URL_DETECTION = "auto";
- HTTP_PORT = 9964;
+ HTTP_PORT = 9965;
 };
 database = {
 DB_TYPE = "sqlite3";
@@ -85,6 +85,7 @@ in {
 COOKIE_REMEMBER_NAME = "__Host-capytal_code_forge_incredible";
 PASSWORD_COMPLEXITY = initList ["lower" "upper" "digit" "spec"];
 PASSWORD_CHECK_PWN = true;
+ TWO_FACTOR_AUTH = "";
 };
 qos = {
 ENABLED = true; # For endpoints not protected by Anubis and protect from overload in general.
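Review bot: `TWO_FACTOR_AUTH = "";` in the `security` section writes the setting out but leaves it empty, which in upstream Gitea means a second factor stays optional for every account; if this fork keeps that meaning, the line adds no hardening. The neighbouring lines already enforce password complexity and the pwned-password check, so if the intent was to require 2FA the value should be `TWO_FACTOR_AUTH = "enforced";`. If optional 2FA is deliberate, a comment such as `# empty = 2FA optional; "enforced" requires it for all users` would make the choice visible. The `security` block begins above this hunk.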
@@ -118,76 +119,77 @@ in { federation = { ENABLED = true; }; - lfs = {}; - storage = { - STORAGE_TYPE = "minio"; - MINIO_USE_SSL = false; - MINIO_ENDPOINT = "localhost:3461"; - MINIO_BUCKET = "gitea"; - MINIO_LOCATION = config.services.garage.settings.s3_api.s3_region; - }; + # lfs = {}; + # storage = { + # STORAGE_TYPE = "minio"; + # MINIO_USE_SSL = false; + # MINIO_ENDPOINT = "localhost:3461"; + # MINIO_BUCKET = "gitea"; + # MINIO_LOCATION = config.services.garage.settings.s3_api.s3_region; + # }; "storage.repo-archive" = {}; "repo-archive" = {}; - actions = { - ENABLE = true; - DEFAULT_ACTIONS_URL = "self"; - }; - }; - secrets = { - server = { - LFS_JWT_SECRET = config.sops.secrets."gitea/server/lfs_jwt_secret".path; - }; - security = { - SECRET_KEY = config.sops.secrets."gitea/security/secret_key".path; - INTERNAL_TOKEN = config.sops.secrets."gitea/security/internal_token".path; - }; - oauth2 = { - JWT_SECRET = config.sops.secrets."gitea/oauth2/jwt_secret".path; - }; - storage = { - MINIO_ACCESS_KEY_ID = config.sops.secrets."gitea/storage/access_key_id".path; - MINIO_SECRET_ACCESS_KEY = config.sops.secrets."gitea/storage/secret_access_key".path; - }; + # actions = { + # ENABLE = true; + # DEFAULT_ACTIONS_URL = "self"; + # }; }; }; - services.gitea-actions-runner.instances = { - "gitea-runner" = { - enable = true; - name = "Gitea Runner (${config.networking.hostName}) 1"; - url = cfg.settings.server.ROOT_URL; - tokenFile = config.sops.secrets."gitea/actions/token".path; - labels = ["nix-latest:docker://code.capytal.cc/images/nix:2.31.3"]; - }; + systemd.services.gitea.serviceConfig = { + EnvironmentFile = config.sops.secrets."services/gitea/env-file".path; }; - services.anubis.instances."gitea".settings = { - BIND = ":${toString (cfg.settings.server.HTTP_PORT + 2)}"; - BIND_NETWORK = "tcp"; - METRICS_BIND = ":${toString (cfg.settings.server.HTTP_PORT + 3)}"; - METRICS_BIND_NETWORK = "tcp"; - SERVE_ROBOTS_TXT = true; - TARGET = "http://localhost:${toString 
cfg.settings.server.HTTP_PORT}"; - ED25519_PRIVATE_KEY_HEX_FILE = config.sops.secrets."anubis/gitea/hex_file".path; + # services.gitea-actions-runner.instances = { + # "gitea-runner" = { + # enable = true; + # name = "Gitea Runner (${config.networking.hostName}) 1"; + # url = cfg.settings.server.ROOT_URL; + # tokenFile = config.sops.secrets."gitea/actions/token".path; + # labels = ["nix-latest:docker://code.capytal.cc/images/nix:2.31.3"]; + # }; + # }; + + # services.anubis.instances."gitea".settings = { + # BIND = ":${toString (cfg.settings.server.HTTP_PORT + 2)}"; + # BIND_NETWORK = "tcp"; + # METRICS_BIND = ":${toString (cfg.settings.server.HTTP_PORT + 3)}"; + # METRICS_BIND_NETWORK = "tcp"; + # SERVE_ROBOTS_TXT = true; + # TARGET = "http://localhost:${toString cfg.settings.server.HTTP_PORT}"; + # ED25519_PRIVATE_KEY_HEX_FILE = config.sops.secrets."anubis/gitea/hex_file".path; + # }; + + services.caddy.virtualHosts = { + "${cfg.settings.server.DOMAIN}:80".extraConfig = '' + header { + X-Frame-Options "SAMEORIGIN" + X-Content-Type-Options "nosniff" + X-XSS-Protection "1; mode=block" + Referrer-Policy "strict-origin-when-cross-origin" + Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self' data:; upgrade-insecure-requests; report-to csp-endpoint" + -Server + } + + reverse_proxy http://localhost:${toString cfg.settings.server.HTTP_PORT} { + header_up X-Real-Ip {header.Cf-Connecting-Ip} + header_up X-Forwarded-For {header.Cf-Connecting-Ip} + header_up X-Forwarded-Proto https + header_up Host {host} + } + ''; }; - services.caddy.virtualHosts = let - redir = { - extraConfig = '' - redir https://code.capytal.cc{uri} permanent - ''; - }; - in { - ":${toString (cfg.settings.server.HTTP_PORT + 1)}" = { - extraConfig = '' - request_body { - max_size 1GiB - } - reverse_proxy http://localhost:${toString cfg.settings.server.HTTP_PORT} - ''; - }; - # Old ports used by legacy 
https://forge.capytal.company - ":9961" = redir; - ":9962" = redir; + environment.persistence."/persist".directories = [ + { + directory = cfg.stateDir; + user = cfg.user; + group = cfg.group; + } + ]; + + sops.secrets = { + "services/gitea/actions-token" = {owner = cfg.user;}; + "services/gitea/env-file" = {owner = cfg.user;}; }; } diff --git a/services/cloudflared.nix b/services/cloudflared.nix index f358e8d..2ac796c 100644 --- a/services/cloudflared.nix +++ b/services/cloudflared.nix @@ -9,6 +9,12 @@ services.cloudflared.enable = true; services.cloudflared.tunnels = { + "a17157ee-5c16-4522-9d86-15b8f1830aa2" = { + certificateFile = config.sops.secrets."services/cloudflared/capytalcc-cert".path; + credentialsFile = config.sops.secrets."services/cloudflared/capytalcc-cred".path; + caddy-domain = "capytal.cc"; + default = "http_status:404"; + }; "9ed8b48f-9585-4a67-9895-114b162172fb" = { certificateFile = config.sops.secrets."services/cloudflared/guzone-cert".path; credentialsFile = config.sops.secrets."services/cloudflared/guzone-cred".path; @@ -20,6 +26,8 @@ services.caddy.enable = true; sops.secrets = { + "services/cloudflared/capytalcc-cert" = {}; + "services/cloudflared/capytalcc-cred" = {}; "services/cloudflared/guzone-cert" = {}; "services/cloudflared/guzone-cred" = {}; }; diff --git a/services/minecraft-servers.nix b/services/minecraft-servers.nix index 7fbdc0f..8fe56d1 100644 --- a/services/minecraft-servers.nix +++ b/services/minecraft-servers.nix @@ -12,7 +12,6 @@ with lib; let in { imports = [ self.nixosModules.playit - self.nixosModules.services.cloudflared inputs.nix-minecraft.nixosModules.minecraft-servers ];
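Review bot: The new Caddy site `"${cfg.settings.server.DOMAIN}:80"` copies `Cf-Connecting-Ip` into `X-Real-Ip` and `X-Forwarded-For` and hard-codes `X-Forwarded-Proto https`, so any client that reaches this listener without passing through the Cloudflare tunnel decides which address Gitea records for it. Nothing in this hunk restricts who can connect to that port, and the Anubis instance and the `request_body { max_size 1GiB }` limit that previously sat in front of Gitea are removed in the same change. If cloudflared reaches Caddy over loopback, adding `bind 127.0.0.1` at the top of the `extraConfig` block would close the direct path; otherwise the firewall rule that does so deserves a comment here. The CSP also ends with `report-to csp-endpoint`, but no header in the block defines that endpoint group, so violation reports have nowhere to go.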