os/hosts/0001/gitea.nix

121 lines
3.4 KiB
Nix

{
config,
lib,
pkgs,
self,
...
}: let
hostAddress = "10.10.42.1";
serviceAddress = "10.10.42.3";
hostname = "git.momo.koeln";
dbUserName = "gitea";
hostStateDir = "/mnt/internal/gitea";
containerStateDir = "/var/lib/gitea";
in {
age.secrets.gitea-database-password = {
file = "${self}/secrets/gitea-database-password.age";
mode = "600";
owner = "gitea";
};
age.secrets.gitea-mailer-password = {
file = "${self}/secrets/gitea-mailer-password.age";
mode = "600";
owner = "gitea";
};
services.caddy.virtualHosts.${hostname} = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
redir /user/login /user/oauth2/${config.containers.keycloak.config.services.keycloak.settings.hostname} temporary
reverse_proxy ${serviceAddress}:8080
'';
};
containers."gitea" = {
privateNetwork = true;
hostAddress = hostAddress;
localAddress = serviceAddress;
bindMounts."${containerStateDir}" = {
hostPath = hostStateDir;
isReadOnly = false;
};
bindMounts."${config.age.secrets.gitea-database-password.path}" = {
hostPath = config.age.secrets.gitea-database-password.path;
isReadOnly = true;
};
bindMounts."${config.age.secrets.gitea-mailer-password.path}" = {
hostPath = config.age.secrets.gitea-mailer-password.path;
isReadOnly = true;
};
config = {
config,
pkgs,
...
}: {
# gitea
services.gitea = {
enable = true;
appName = "pub.solar git server";
database = {
type = "postgres";
passwordFile = config.age.secrets.gitea-database-password.path;
};
domain = domain;
httpAddress = "0.0.0.0";
httpPort = 3000;
lfs.enable = true;
mailerPasswordFile = config.pub-solar.infra-node.mailing.passwordFile;
rootUrl = "https://git.pub.solar";
settings = {
mailer = mkIf config.pub-solar.infra-node.mailing.enabled {
ENABLED = true;
MAILER_TYPE = config.pub-solar.infra-node.mailing.type;
HOST = config.pub-solar.infra-node.mailing.host;
FROM = config.pub-solar.infra-node.mailing.from;
USER = config.pub-solar.infra-node.mailing.user;
};
# currently broken, gpg core dumps
#"repository.signing" = {
# SIGNING_KEY = "default";
# MERGES = "always";
#};
openid = {
ENABLE_OPENID_SIGNIN = true;
ENABLE_OPENID_SIGNUP = true;
};
# uncomment after initial deployment, first user is admin user
# required to setup SSO (oauth openid-connect, keycloak auth provider)
service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
session.COOKIE_SECURE = lib.mkForce true;
};
};
# Required for gitea server side gpg signatures
# configured / setup manually in
# /var/lib/gitea/data/home/.gitconfig and
# /var/lib/gitea/data/home/.gnupg/
programs.gnupg.agent = {
enable = true;
pinentryFlavor = "curses";
};
# Required to make gpg work without a graphical environment?
# otherwise generating a new gpg key fails with this error:
# gpg: agent_genkey failed: No pinentry
# see: https://github.com/NixOS/nixpkgs/issues/97861#issuecomment-827951675
environment.variables = {
GPG_TTY = "$(tty)";
};
};
};
}