teutat3s
7cbe86ff11
inputs: • Updated input 'agenix': 'github:ryantm/agenix/e64961977f60388dd0b49572bb0fc453b871f896' (2023-03-31) → 'github:ryantm/agenix/2994d002dcff5353ca1ac48ec584c7f6589fe447' (2023-04-21) • Updated input 'darwin': 'github:LnL7/nix-darwin/025912529dd0b31dead95519e944ea05f1ad56f2' (2023-04-10) → 'github:LnL7/nix-darwin/252541bd05a7f55f3704a3d014ad1badc1e3360d' (2023-05-10) • Updated input 'deploy': 'github:serokell/deploy-rs/8c9ea9605eed20528bf60fae35a2b613b901fd77' (2023-01-19) → 'github:serokell/deploy-rs/c80189917086e43d49eece2bd86f56813500a0eb' (2023-05-11) • Updated input 'latest': 'github:nixos/nixpkgs/db24d86dd8a4769c50d6b7295e81aa280cd93f35' (2023-04-10) → 'github:nixos/nixpkgs/897876e4c484f1e8f92009fd11b7d988a121a4e7' (2023-05-06) • Updated input 'nixos': 'github:nixos/nixpkgs/ea96b4af6148114421fda90df33cf236ff5ecf1d' (2023-04-10) → 'github:nixos/nixpkgs/9656e85a15a0fe67847ee8cdb99a20d8df499962' (2023-05-12) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/3006d2860a6ed5e01b0c3e7ffb730e9b293116e2' (2023-04-07) → 'github:nixos/nixos-hardware/81cd886719e10d4822b2a6caa96e95d56cc915ef' (2023-05-13)
81 lines
2.3 KiB
Nix
81 lines
2.3 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
self,
|
|
...
|
|
}: {
|
|
age.secrets.gitea-database-password = {
|
|
file = "${self}/secrets/gitea-database-password.age";
|
|
mode = "600";
|
|
owner = "gitea";
|
|
};
|
|
age.secrets.gitea-mailer-password = {
|
|
file = "${self}/secrets/gitea-mailer-password.age";
|
|
mode = "600";
|
|
owner = "gitea";
|
|
};
|
|
|
|
# gitea
|
|
services.gitea = {
|
|
enable = true;
|
|
package = pkgs.forgejo;
|
|
appName = "pub.solar git server";
|
|
database = {
|
|
type = "postgres";
|
|
passwordFile = config.age.secrets.gitea-database-password.path;
|
|
};
|
|
domain = "git.pub.solar";
|
|
httpAddress = "127.0.0.1";
|
|
httpPort = 3000;
|
|
lfs.enable = true;
|
|
mailerPasswordFile = config.age.secrets.gitea-mailer-password.path;
|
|
rootUrl = "https://git.pub.solar";
|
|
settings = {
|
|
mailer = {
|
|
ENABLED = true;
|
|
PROTOCOL = "smtps";
|
|
SMTP_ADDR = "mx2.greenbaum.cloud";
|
|
SMTP_PORT = 465;
|
|
FROM = ''"pub.solar git server" <gitea@pub.solar>'';
|
|
USER = "admins@pub.solar";
|
|
};
|
|
"repository.signing" = {
|
|
SIGNING_KEY = "default";
|
|
MERGES = "always";
|
|
};
|
|
openid = {
|
|
ENABLE_OPENID_SIGNIN = true;
|
|
ENABLE_OPENID_SIGNUP = true;
|
|
};
|
|
# uncomment after initial deployment, first user is admin user
|
|
# required to setup SSO (oauth openid-connect, keycloak auth provider)
|
|
service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
|
|
service.ENABLE_NOTIFY_MAIL = true;
|
|
session.COOKIE_SECURE = lib.mkForce true;
|
|
};
|
|
};
|
|
|
|
# See: https://docs.gitea.io/en-us/signing/#installing-and-generating-a-gpg-key-for-gitea
|
|
# Required for gitea server side gpg signatures
|
|
# configured/setup manually in:
|
|
# /var/lib/gitea/data/home/.gitconfig
|
|
# /var/lib/gitea/data/home/.gnupg/
|
|
# sudo su gitea
|
|
# export GNUPGHOME=/var/lib/gitea/data/home/.gnupg
|
|
# gpg --quick-gen-key 'pub.solar gitea <gitea@pub.solar>' ed25519
|
|
# TODO: implement declarative GPG key generation and
|
|
# gitea gitconfig
|
|
programs.gnupg.agent = {
|
|
enable = true;
|
|
pinentryFlavor = "curses";
|
|
};
|
|
# Required to make gpg work without a graphical environment?
|
|
# otherwise generating a new gpg key fails with this error:
|
|
# gpg: agent_genkey failed: No pinentry
|
|
# see: https://github.com/NixOS/nixpkgs/issues/97861#issuecomment-827951675
|
|
environment.variables = {
|
|
GPG_TTY = "$(tty)";
|
|
};
|
|
}
|