fruitbasket/modules/forgejo/default.nix

130 lines
3.6 KiB
Nix
Raw Permalink Normal View History

2023-06-22 00:05:52 +02:00
{ config, lib, pkgs, ... }:
let
domain = "git.${config.networking.domain}";
2023-12-14 15:42:10 +01:00
gitUser = "git";
2023-06-22 00:05:52 +02:00
in
{
# imports = [
# ./actions.nix
# ];
2023-06-22 00:05:52 +02:00
sops.secrets.gitea_ldap_search = {
key = "portunus/search-password";
2023-12-14 15:42:10 +01:00
owner = config.services.forgejo.user;
2023-06-22 00:05:52 +02:00
};
2023-12-14 15:42:10 +01:00
users.users.${gitUser} = {
2023-06-22 00:05:52 +02:00
isSystemUser = true;
2024-01-10 15:23:56 +01:00
home = config.services.forgejo.stateDir;
2023-12-14 15:42:10 +01:00
group = gitUser;
2023-06-22 00:05:52 +02:00
useDefaultShell = true;
};
2023-12-14 15:42:10 +01:00
users.groups.${gitUser} = { };
2023-06-22 00:05:52 +02:00
2023-12-14 15:42:10 +01:00
services.forgejo = {
2023-06-22 00:05:52 +02:00
enable = true;
2024-06-21 14:46:36 +02:00
# package = pkgs.forgejo.overrideAttrs (_old: {
# # patches = [
# # # migration fix
# # (pkgs.fetchpatch {
# # url = "https://codeberg.org/forgejo/forgejo/commit/ae463c7c559e02975ce5e758d8780def978eebee.patch";
# # hash = "sha256-cOXPvkLS0n+ynSBTrmEtumZ2PYBeCZmxPpFktqkw6Fo=";
# # })
# # ];
# });
2023-12-14 15:42:10 +01:00
user = gitUser;
group = gitUser;
2023-06-22 00:05:52 +02:00
lfs.enable = true;
database = {
type = "postgres";
2023-12-14 15:42:10 +01:00
name = "git"; # legacy
2023-06-22 00:05:52 +02:00
createDatabase = true;
2023-12-14 15:42:10 +01:00
user = gitUser;
2023-06-22 00:05:52 +02:00
};
# TODO: enable periodic dumps of the DB and repos, maybe use this for backups?
# dump = { };
settings = {
2023-12-14 15:42:10 +01:00
DEFAULT = {
APP_NAME = "iFSR Git";
};
2023-06-22 00:05:52 +02:00
server = {
PROTOCOL = "http+unix";
DOMAIN = domain;
SSH_DOMAIN = config.networking.domain;
2023-06-22 00:05:52 +02:00
ROOT_URL = "https://${domain}";
OFFLINE_MODE = true; # disable use of CDNs
};
log.LEVEL = "Warn";
2023-06-22 00:05:52 +02:00
database.LOG_SQL = false;
service = {
DISABLE_REGISTRATION = true;
ENABLE_NOTIFY_MAIL = true;
NO_REPLY_ADDRESS = "noreply.${config.networking.domain}";
2023-06-22 00:05:52 +02:00
};
"service.explore".DISABLE_USERS_PAGE = true;
openid = {
ENABLE_OPENID_SIGNIN = false;
ENABLE_OPENID_SIGNUP = false;
};
mailer = {
ENABLED = true;
FROM = "\"iFSR Git\" <git@${config.networking.domain}>";
2023-06-22 00:05:52 +02:00
SMTP_ADDR = "localhost";
SMTP_PORT = 25;
};
session = {
COOKIE_SECURE = true;
PROVIDER = "db";
};
actions.ENABLED = true;
2023-06-22 00:05:52 +02:00
};
};
2023-12-26 17:56:32 +01:00
systemd.services.forgejo.preStart =
2023-06-22 00:05:52 +02:00
let
2023-12-14 15:42:10 +01:00
exe = lib.getExe config.services.forgejo.package;
2024-07-05 14:18:30 +02:00
basedn = "ou=users,dc=ifsr,dc=de";
2023-06-22 00:05:52 +02:00
ldapConfigArgs = ''
--name LDAP \
--active \
--security-protocol unencrypted \
2024-07-05 14:18:30 +02:00
--host 'auth.ifsr.de' \
2023-06-22 00:05:52 +02:00
--port 389 \
--user-search-base '${basedn}' \
--user-filter '(&(objectClass=posixAccount)(uid=%s))' \
2024-07-05 14:18:30 +02:00
--admin-filter '(isMemberOf=cn=admins,ou=groups,dc=ifsr,dc=de)' \
2023-06-22 00:05:52 +02:00
--username-attribute uid \
--firstname-attribute givenName \
--surname-attribute sn \
--email-attribute mail \
--public-ssh-key-attribute sshPublicKey \
--bind-dn 'uid=search,${basedn}' \
--bind-password "`cat ${config.sops.secrets.gitea_ldap_search.path}`" \
--synchronize-users
'';
in
lib.mkAfter /* sh */ ''
# Check if LDAP is already configured
ldap_line=$(${exe} admin auth list | grep "LDAP" | head -n 1)
if [[ -n "$ldap_line" ]]; then
# update ldap config
id=$(echo "$ldap_line" | ${pkgs.gawk}/bin/awk '{print $1}')
${exe} admin auth update-ldap --id $id ${ldapConfigArgs}
else
# initially configure ldap
${exe} admin auth add-ldap ${ldapConfigArgs}
fi
'';
services.nginx.virtualHosts.${domain} = {
locations."/" = {
2023-12-14 15:42:10 +01:00
proxyPass = "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/";
2023-06-22 00:05:52 +02:00
proxyWebsockets = true;
};
locations."/api/v1/users/search".return = "403";
};
}