forked from pub-solar/os
121 lines
3.4 KiB
Nix
121 lines
3.4 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
self,
|
|
...
|
|
}: let
|
|
hostAddress = "10.10.42.1";
|
|
serviceAddress = "10.10.42.3";
|
|
|
|
hostname = "git.momo.koeln";
|
|
|
|
dbUserName = "gitea";
|
|
|
|
hostStateDir = "/mnt/internal/gitea";
|
|
containerStateDir = "/var/lib/gitea";
|
|
in {
|
|
age.secrets.gitea-database-password = {
|
|
file = "${self}/secrets/gitea-database-password.age";
|
|
mode = "600";
|
|
owner = "gitea";
|
|
};
|
|
|
|
age.secrets.gitea-mailer-password = {
|
|
file = "${self}/secrets/gitea-mailer-password.age";
|
|
mode = "600";
|
|
owner = "gitea";
|
|
};
|
|
|
|
services.caddy.virtualHosts.${hostname} = {
|
|
logFormat = lib.mkForce ''
|
|
output discard
|
|
'';
|
|
extraConfig = ''
|
|
redir /user/login /user/oauth2/${config.containers.keycloak.config.services.keycloak.settings.hostname} temporary
|
|
reverse_proxy ${serviceAddress}:8080
|
|
'';
|
|
};
|
|
|
|
containers."gitea" = {
|
|
privateNetwork = true;
|
|
hostAddress = hostAddress;
|
|
localAddress = serviceAddress;
|
|
|
|
bindMounts."${containerStateDir}" = {
|
|
hostPath = hostStateDir;
|
|
isReadOnly = false;
|
|
};
|
|
|
|
bindMounts."${config.age.secrets.gitea-database-password.path}" = {
|
|
hostPath = config.age.secrets.gitea-database-password.path;
|
|
isReadOnly = true;
|
|
};
|
|
|
|
bindMounts."${config.age.secrets.gitea-mailer-password.path}" = {
|
|
hostPath = config.age.secrets.gitea-mailer-password.path;
|
|
isReadOnly = true;
|
|
};
|
|
|
|
config = {
|
|
config,
|
|
pkgs,
|
|
...
|
|
}: {
|
|
# gitea
|
|
services.gitea = {
|
|
enable = true;
|
|
appName = "pub.solar git server";
|
|
database = {
|
|
type = "postgres";
|
|
passwordFile = config.age.secrets.gitea-database-password.path;
|
|
};
|
|
domain = domain;
|
|
httpAddress = "0.0.0.0";
|
|
httpPort = 3000;
|
|
lfs.enable = true;
|
|
mailerPasswordFile = config.pub-solar.infra-node.mailing.passwordFile;
|
|
rootUrl = "https://git.pub.solar";
|
|
settings = {
|
|
mailer = mkIf config.pub-solar.infra-node.mailing.enabled {
|
|
ENABLED = true;
|
|
MAILER_TYPE = config.pub-solar.infra-node.mailing.type;
|
|
HOST = config.pub-solar.infra-node.mailing.host;
|
|
FROM = config.pub-solar.infra-node.mailing.from;
|
|
USER = config.pub-solar.infra-node.mailing.user;
|
|
};
|
|
# currently broken, gpg core dumps
|
|
#"repository.signing" = {
|
|
# SIGNING_KEY = "default";
|
|
# MERGES = "always";
|
|
#};
|
|
openid = {
|
|
ENABLE_OPENID_SIGNIN = true;
|
|
ENABLE_OPENID_SIGNUP = true;
|
|
};
|
|
# uncomment after initial deployment, first user is admin user
|
|
# required to setup SSO (oauth openid-connect, keycloak auth provider)
|
|
service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
|
|
session.COOKIE_SECURE = lib.mkForce true;
|
|
};
|
|
};
|
|
|
|
# Required for gitea server side gpg signatures
|
|
# configured / setup manually in
|
|
# /var/lib/gitea/data/home/.gitconfig and
|
|
# /var/lib/gitea/data/home/.gnupg/
|
|
programs.gnupg.agent = {
|
|
enable = true;
|
|
pinentryFlavor = "curses";
|
|
};
|
|
# Required to make gpg work without a graphical environment?
|
|
# otherwise generating a new gpg key fails with this error:
|
|
# gpg: agent_genkey failed: No pinentry
|
|
# see: https://github.com/NixOS/nixpkgs/issues/97861#issuecomment-827951675
|
|
environment.variables = {
|
|
GPG_TTY = "$(tty)";
|
|
};
|
|
};
|
|
};
|
|
}
|