Add terranix config for Gitea

Signed-off-by: Magic_RB <magic_rb@redalder.org>

terranix/containers/gitea/default.nix

@@ -0,0 +1,46 @@
+{ elib, ... }:
+let
+  inherit (elib)
+    nfsVolume
+    nomadJob;
+
+  flake_host = "";
+  flake_rev = "";
+  flake_ref = "";
+  flake_sha = "";
+in
+{
+  resource."nomad_volume"."gitea-db" = nfsVolume {
+    volume_name   = "gitea-db";
+    access_mode = "single-node-writer";
+    server = "blowhole.hosts.in.redalder.org";
+    share = "/var/nfs/gitea-db";
+    mount_flags = [ "nfsvers=3" "nolock" "async" ];
+  };
+
+  resource."nomad_volume"."gitea-data" = nfsVolume {
+    volume_name   = "gitea-data";
+    access_mode = "single-node-writer";
+    server = "blowhole.hosts.in.redalder.org";
+    share = "/var/nfs/gitea-data";
+    mount_flags = [ "nfsvers=3" "nolock" "async" ];
+  };
+
+  resource."vault_policy"."gitea-policy" = {
+    name = "gitea-policy";
+    policy = ''
+      path "kv/data/gitea" {
+        capabilities = ["read"]
+      }
+    '';
+  };
+
+  resource."nomad_job"."gitea" = nomadJob {
+    jobspec = ./job.hcl;
+
+    vars = {
+      flake_ref = "${flake_host}?rev=${flake_rev}&ref=${flake_ref}";
+      flake_sha = flake_sha;
+    };
+  };
+}

terranix/containers/gitea/job.hcl

@@ -0,0 +1,139 @@
+variable "flake_ref" {
+  type = string
+}
+
+variable "flake_sha" {
+  type = string
+}
+
+job "gitea" {
+  datacenters = [ "homelab-1" ]
+  type = "service"
+
+  constraint {
+    attribute = "${attr.unique.hostname}"
+    value = "blowhole"
+  }
+
+  group "svc" {
+    count = 1
+
+    volume "gitea-data" {
+      type = "csi"
+      source = "gitea-data"
+      read_only = false
+
+      attachment_mode = "file-system"
+      access_mode     = "single-node-writer"
+    }
+
+    volume "gitea-db" {
+      type = "csi"
+      source = "gitea-db"
+      read_only = false
+
+      attachment_mode = "file-system"
+      access_mode     = "single-node-writer"
+    }
+
+    restart {
+      attempts = 5
+      delay = "5s"
+    }
+
+    network {
+      mode = "bridge"
+    }
+
+    service {
+      name = "gitea"
+      port = "3000"
+
+      check {
+        type = "http"
+        address_mode = "alloc"
+        path = "/"
+        port = "3000"
+        interval = "2s"
+        timeout = "2s"
+      }
+
+      connect {
+        sidecar_service {}
+      }
+    }
+
+    task "app" {
+      driver = "docker"
+
+      volume_mount {
+        volume = "gitea-data"
+        destination = "/data/gitea"
+        read_only = false
+      }
+
+      volume_mount {
+        volume = "gitea-db"
+        destination = "/var/lib/mysql"
+        read_only = false
+      }
+
+      config {
+        nix_flake_ref = "${var.flake_ref}#nixngSystems.gitea.config.system.build.toplevel"
+        nix_flake_sha = var.flake_sha
+        entrypoint = [ "init" ]
+
+        # mounts = [
+        #    {
+        #         type    = "bind"
+        #         target  = "/var/nfs/gitea-data"
+        #         source  = "/data/gitea"
+        #         options = ["rbind","rw","x-mount.mkdir"]
+        #    }
+        # ]
+      }
+
+      env {
+        USER_UID = "5001"
+        USER_GID = "5001"
+      }
+
+      resources {
+        cpu = 500
+        memory = 1024
+      }
+
+      vault {
+        policies = ["gitea-policy"]
+      }
+
+      template {
+        data = <<EOF
+{{ with secret "kv/data/gitea" }}{{ .Data.data.secret_key }}{{ end }}
+EOF
+        destination = "secrets/secret_key"
+      }
+
+      template {
+        data = <<EOF
+{{ with secret "kv/data/gitea" }}{{ .Data.data.internal_token }}{{ end }}
+EOF
+        destination = "secrets/internal_token"
+      }
+
+      template {
+        data = <<EOF
+{{ with secret "kv/data/gitea" }}{{ .Data.data.jwt_secret }}{{ end }}
+EOF
+        destination = "secrets/jwt_secret"
+      }
+
+      template {
+        data = <<EOF
+{{ with secret "kv/data/gitea" }}{{ .Data.data.lfs_jwt_secret }}{{ end }}
+EOF
+        destination = "secrets/lfs_jwt_secret"
+      }
+    }
+  }
+}