Move forgejo to infra

container-config/nginx-home/git

@@ -5,8 +5,8 @@ server {
   include snippets/headers.conf;
   add_header Content-Security-Policy "default-src 'self'; font-src 'self' data:; img-src 'self' data:; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'";
   location / {
-    set $upstream home.server.home.arpa;
-    proxy_pass http://$upstream:8003;
+    set $upstream systemd-forgejo.;
+    proxy_pass http://$upstream:3000;
     include snippets/proxy.conf;
     proxy_hide_header Content-Security-Policy;
   }

containers/push-all.sh

@@ -1,5 +1,5 @@
-#!/bin/sh
-set -e
+#!/bin/bash
+set -euo pipefail
 cd "$(dirname "$0")"
 for container in */; do
   container=${container%/}

infra/etc/containers/systemd/certbot.container

@@ -2,7 +2,7 @@
 Image=docker.io/certbot/dns-cloudflare
 UserNS=host
 Entrypoint=run-certbot
-Volume=/etc/certificates:/etc/certificates:z
+Volume=/etc/certificates/certificates:/etc/certificates:z
 Volume=/var/lib/system-config/container-config/certbot/run-certbot:/usr/local/bin/run-certbot:Z,ro
 Tmpfs=/etc/letsencrypt
 Tmpfs=/var/lib/letsencrypt

infra/etc/containers/systemd/forgejo.container

@@ -7,7 +7,6 @@ Secret=forgejo-token
 Secret=forgejo-jwt-secret
 Environment=GITEA_APP_INI=/etc/gitea/app.ini
 PublishPort=2222:2222
-PublishPort=8003:3000
 AutoUpdate=registry
 [Install]
 WantedBy=multi-user.target

infra/etc/containers/systemd/nginx.container

@@ -4,7 +4,7 @@ Network=nginx.network
 Volume=/var/lib/system-config/container-config/nginx:/etc/nginx:z,ro
 Volume=/var/lib/system-config/container-config/nginx-home:/etc/nginx-sites:z,ro
 Volume=/var/lib/system-config/container-config/site:/var/www:z,ro
-Volume=/etc/certificates:/etc/certificates:z,ro
+Volume=/etc/certificates/certificates:/etc/certificates:z,ro
 Tmpfs=/var/lib/nginx/tmp
 Tmpfs=/var/lib/nginx/logs
 PublishPort=80:80

setup-common.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
-set -e
+#!/bin/bash
+set -euo pipefail
 cp -R common/* /
 sed -E "s/#(auth.+required)/\1/" -i /etc/pam.d/su

setup-desktop.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
-set -e
+#!/bin/bash
+set -euo pipefail
 flatpak remote-delete fedora || true
 dconf update

setup-home.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
-set -e
+#!/bin/bash
+set -euo pipefail
 cp -R home/* /
 sh setup-server.sh

setup-infra.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
-set -e
+#!/bin/bash
+set -euo pipefail
 cp -R infra/* /
 sh setup-server.sh

setup-k8s.sh

@@ -1,5 +1,5 @@
-#!/bin/sh
-set -e
+#!/bin/bash
+set -euo pipefail
 helm upgrade --install metallb metallb --repo https://metallb.github.io/metallb --namespace metallb-system --create-namespace
 kubectl label namespaces metallb-system pod-security.kubernetes.io/enforce=privileged
 kubectl apply -f k8s/metallb.yaml

setup-laptop.sh

@@ -1,5 +1,5 @@
-#!/bin/sh
-set -e
+#!/bin/bash
+set -euo pipefail
 cp -R desktop/* laptop/* /
 sh setup-desktop.sh
 systemctl disable auditd

setup-qubes-fedora.sh

@@ -1,5 +1,5 @@
-#!/bin/sh
-set -e
+#!/bin/bash
+set -euo pipefail
 cp -R desktop/* qubes-fedora/* /
 dnf config-manager --set-enabled qubes-vm-r4.2-security-testing qubes-vm-r4.2-current-testing
 dnf install --allowerasing bash-color-prompt bash-completion borgbackup bind-utils butane default-fonts fcitx5-anthy fcitx5-autostart fedora-flathub-remote file-roller fuse-sshfs gcc gcc-gdb-plugin glibc-all-langpacks helm htop kubernetes-client nautilus netcat nodejs-npm pipx qubes-ctap ShellCheck toolbox wireguard-tools whois xdg-desktop-portal-gtk yt-dlp

setup-qubes.sh

@@ -1,5 +1,5 @@
-#!/bin/sh
-set -e
+#!/bin/bash
+set -euo pipefail
 sudo cp -R qubes/* /
 qvm-pool set varlibqubes -o ephemeral_volatile=True
 qvm-features dom0 gui-default-secure-copy-sequence Ctrl-Mod4-c

setup-sandbox.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
-set -e
+#!/bin/bash
+set -euo pipefail
 cp -R sandbox/* /
 sh setup-server.sh

setup-server.sh

@@ -1,5 +1,5 @@
-#!/bin/sh
-set -e
+#!/bin/bash
+set -euo pipefail
 cp -R server/* /
 systemctl disable auditd
 systemctl disable --now docker.socket rpm-ostree-countme.timer

setup-vps.sh

@@ -1,5 +1,5 @@
-#!/bin/sh
-set -e
+#!/bin/bash
+set -euo pipefail
 cp -R vps/* /
 ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
 sh setup-server.sh

setup.sh

@@ -1,5 +1,5 @@
-#!/bin/sh
-set -e
+#!/bin/bash
+set -euo pipefail
 cd "$(dirname "$0")"
 if [ "$USER" != root ]; then
   echo "Needs to be run as root" >&2

vps/etc/containers/systemd/certbot.container

@@ -3,7 +3,7 @@ Image=docker.io/certbot/dns-cloudflare
 UserNS=host
 Network=certbot.network
 Entrypoint=run-certbot
-Volume=/etc/certificates:/etc/certificates:z
+Volume=/etc/certificates/certificates:/etc/certificates:z
 Volume=/var/lib/system-config/container-config/certbot/run-certbot:/usr/local/bin/run-certbot:Z,ro
 Tmpfs=/etc/letsencrypt
 Tmpfs=/var/lib/letsencrypt

vps/etc/containers/systemd/dovecot.container

@@ -1,7 +1,7 @@
 [Container]
 Image=git.strypsteen.com/mathieu/dovecot
 Network=mail.network
-Volume=/etc/certificates:/etc/certificates:z,ro
+Volume=/etc/certificates/certificates:/etc/certificates:z,ro
 Volume=/var/lib/container-data/dovecot:/etc/dovecot-local:z,ro
 Volume=/var/lib/container-data/dovecot/local.sieve:/tmp/local.sieve:z,ro
 Volume=dovecot.volume:/srv/mail:U,Z

vps/etc/containers/systemd/postfix.container

@@ -5,7 +5,7 @@ After=dovecot.service rspamd.service unbound.service
 Image=git.strypsteen.com/mathieu/postfix
 UserNS=host
 Network=mail.network
-Volume=/etc/certificates:/etc/certificates:z,ro
+Volume=/etc/certificates/certificates:/etc/certificates:z,ro
 Volume=postfix.volume:/var/spool/postfix:Z
 Tmpfs=/var/lib/postfix
 PublishPort=25:25