os/hosts/flora-6/gitea.nix

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

81 lines
2.3 KiB
Nix
Raw Normal View History

2022-11-27 22:31:08 +00:00
{
2023-01-28 22:51:33 +00:00
config,
lib,
pkgs,
self,
...
}: {
2022-11-27 22:31:08 +00:00
age.secrets.gitea-database-password = {
file = "${self}/secrets/gitea-database-password.age";
2023-01-28 20:26:13 +00:00
mode = "600";
2022-11-27 22:31:08 +00:00
owner = "gitea";
};
age.secrets.gitea-mailer-password = {
file = "${self}/secrets/gitea-mailer-password.age";
2023-01-28 20:26:13 +00:00
mode = "600";
2022-11-27 22:31:08 +00:00
owner = "gitea";
};
# gitea
services.gitea = {
enable = true;
package = pkgs.forgejo;
2022-11-27 22:31:08 +00:00
appName = "pub.solar git server";
database = {
type = "postgres";
passwordFile = config.age.secrets.gitea-database-password.path;
};
domain = "git.pub.solar";
httpAddress = "127.0.0.1";
httpPort = 3000;
lfs.enable = true;
mailerPasswordFile = config.age.secrets.gitea-mailer-password.path;
rootUrl = "https://git.pub.solar";
settings = {
mailer = {
ENABLED = true;
PROTOCOL = "smtps";
SMTP_ADDR = "mx2.greenbaum.cloud";
SMTP_PORT = 465;
2022-11-27 22:31:08 +00:00
FROM = ''"pub.solar git server" <gitea@pub.solar>'';
USER = "admins@pub.solar";
};
"repository.signing" = {
SIGNING_KEY = "default";
MERGES = "always";
};
2022-11-27 22:31:08 +00:00
openid = {
ENABLE_OPENID_SIGNIN = true;
ENABLE_OPENID_SIGNUP = true;
};
# uncomment after initial deployment, first user is admin user
# required to setup SSO (oauth openid-connect, keycloak auth provider)
service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
service.ENABLE_NOTIFY_MAIL = true;
2022-11-27 22:31:08 +00:00
session.COOKIE_SECURE = lib.mkForce true;
};
};
# See: https://docs.gitea.io/en-us/signing/#installing-and-generating-a-gpg-key-for-gitea
2022-11-27 22:31:08 +00:00
# Required for gitea server side gpg signatures
# configured/setup manually in:
# /var/lib/gitea/data/home/.gitconfig
2022-11-27 22:31:08 +00:00
# /var/lib/gitea/data/home/.gnupg/
# sudo su gitea
# export GNUPGHOME=/var/lib/gitea/data/home/.gnupg
# gpg --quick-gen-key 'pub.solar gitea <gitea@pub.solar>' ed25519
# TODO: implement declarative GPG key generation and
# gitea gitconfig
2022-11-27 22:31:08 +00:00
programs.gnupg.agent = {
enable = true;
pinentryFlavor = "curses";
};
# Required to make gpg work without a graphical environment?
# otherwise generating a new gpg key fails with this error:
# gpg: agent_genkey failed: No pinentry
# see: https://github.com/NixOS/nixpkgs/issues/97861#issuecomment-827951675
environment.variables = {
GPG_TTY = "$(tty)";
};
}