{ config, lib, pkgs, self, ... }: let hostAddress = "10.10.42.1"; serviceAddress = "10.10.42.3"; hostname = "git.momo.koeln"; dbUserName = "gitea"; hostStateDir = "/mnt/internal/gitea"; containerStateDir = "/var/lib/gitea"; in { age.secrets.gitea-database-password = { file = "${self}/secrets/gitea-database-password.age"; mode = "600"; owner = "gitea"; }; age.secrets.gitea-mailer-password = { file = "${self}/secrets/gitea-mailer-password.age"; mode = "600"; owner = "gitea"; }; services.caddy.virtualHosts.${hostname} = { logFormat = lib.mkForce '' output discard ''; extraConfig = '' redir /user/login /user/oauth2/${config.containers.keycloak.config.services.keycloak.settings.hostname} temporary reverse_proxy ${serviceAddress}:8080 ''; }; containers."gitea" = { privateNetwork = true; hostAddress = hostAddress; localAddress = serviceAddress; bindMounts."${containerStateDir}" = { hostPath = hostStateDir; isReadOnly = false; }; bindMounts."${config.age.secrets.gitea-database-password.path}" = { hostPath = config.age.secrets.gitea-database-password.path; isReadOnly = true; }; bindMounts."${config.age.secrets.gitea-mailer-password.path}" = { hostPath = config.age.secrets.gitea-mailer-password.path; isReadOnly = true; }; config = { config, pkgs, ... }: { # gitea services.gitea = { enable = true; appName = "pub.solar git server"; database = { type = "postgres"; passwordFile = config.age.secrets.gitea-database-password.path; }; domain = domain; httpAddress = "0.0.0.0"; httpPort = 3000; lfs.enable = true; mailerPasswordFile = config.pub-solar.infra-node.mailing.passwordFile; rootUrl = "https://git.pub.solar"; settings = { mailer = mkIf config.pub-solar.infra-node.mailing.enabled { ENABLED = true; MAILER_TYPE = config.pub-solar.infra-node.mailing.type; HOST = config.pub-solar.infra-node.mailing.host; FROM = config.pub-solar.infra-node.mailing.from; USER = config.pub-solar.infra-node.mailing.user; }; # currently broken, gpg core dumps #"repository.signing" = { # SIGNING_KEY = "default"; # MERGES = "always"; #}; openid = { ENABLE_OPENID_SIGNIN = true; ENABLE_OPENID_SIGNUP = true; }; # uncomment after initial deployment, first user is admin user # required to setup SSO (oauth openid-connect, keycloak auth provider) service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true; session.COOKIE_SECURE = lib.mkForce true; }; }; # Required for gitea server side gpg signatures # configured / setup manually in # /var/lib/gitea/data/home/.gitconfig and # /var/lib/gitea/data/home/.gnupg/ programs.gnupg.agent = { enable = true; pinentryFlavor = "curses"; }; # Required to make gpg work without a graphical environment? # otherwise generating a new gpg key fails with this error: # gpg: agent_genkey failed: No pinentry # see: https://github.com/NixOS/nixpkgs/issues/97861#issuecomment-827951675 environment.variables = { GPG_TTY = "$(tty)"; }; }; }; }