fruitbasket/modules/gitea.nix


# NixOS module: Forgejo (Git hosting) for this host, served at
# git.<networking.domain>.  Accounts come from the Portunus LDAP directory
# (registered/synchronised in the service's preStart hook); nginx terminates
# TLS and proxies to Forgejo over a unix socket.
{ config, lib, pkgs, ... }:
let
  domain = "git.${config.networking.domain}";
  # Dedicated system user/group that owns the Forgejo state directory.
  gitUser = "git";
in
{
  # Password of the LDAP search-bind account, delivered by sops and owned by
  # the Forgejo service user so the preStart hook below can `cat` it when
  # registering the LDAP auth source.
  sops.secrets.gitea_ldap_search = {
    key = "portunus/search-password";
    owner = config.services.forgejo.user;
  };

  users.users.${gitUser} = {
    isSystemUser = true;
    home = config.services.forgejo.stateDir;
    group = gitUser;
    useDefaultShell = true;
  };
  users.groups.${gitUser} = { };

  services.forgejo = {
    enable = true;
    # package = pkgs.forgejo; # community fork
    user = gitUser;
    group = gitUser;
    lfs.enable = true;
    # Local PostgreSQL; database and role are created by the NixOS module.
    database = {
      type = "postgres";
      name = "git"; # legacy
      createDatabase = true;
      user = gitUser;
    };
    # TODO: enable periodic dumps of the DB and repos, maybe use this for backups?
    # dump = { };
    settings = {
      DEFAULT = {
        APP_NAME = "iFSR Git";
      };
      server = {
        # Forgejo listens on a unix socket only; nginx (further down) is the
        # sole network entry point and the public URL is always https.
        PROTOCOL = "http+unix";
        DOMAIN = domain;
        SSH_DOMAIN = config.networking.domain;
        ROOT_URL = "https://${domain}";
        OFFLINE_MODE = true; # disable use of CDNs
      };
      log.LEVEL = "Warn";
      database.LOG_SQL = false;
      service = {
        # No self-registration: accounts exist only through the LDAP sync
        # configured in preStart.
        DISABLE_REGISTRATION = true;
        ENABLE_NOTIFY_MAIL = true;
        NO_REPLY_ADDRESS = "noreply.${config.networking.domain}";
      };
      # Hide the public user listing; the matching REST endpoint is blocked
      # at the nginx layer below (user-enumeration hardening).
      "service.explore".DISABLE_USERS_PAGE = true;
      openid = {
        ENABLE_OPENID_SIGNIN = false;
        ENABLE_OPENID_SIGNUP = false;
      };
      mailer = {
        ENABLED = true;
        FROM = "\"iFSR Git\" <git@${config.networking.domain}>";
        # Hands mail to an MTA on localhost:25 — presumably the host's own
        # relay; verify one is configured on this machine.
        SMTP_ADDR = "localhost";
        SMTP_PORT = 25;
      };
      session = {
        COOKIE_SECURE = true; # session cookie is only sent over https
        PROVIDER = "db";
      };
    };
  };

  # Register (or refresh) the Portunus LDAP authentication source on every
  # service start, so the LDAP settings are owned by this file rather than
  # by whatever was last saved in the web UI.
  systemd.services.forgejo.preStart =
    let
      exe = lib.getExe config.services.forgejo.package;
      portunus = config.services.portunus;
      basedn = "ou=users,${portunus.ldap.suffix}";
      # Arguments shared by `admin auth add-ldap` and `admin auth update-ldap`.
      # NOTE(review): the bind uses `--security-protocol unencrypted` on port
      # 389, so the search password crosses the wire in the clear — fine only
      # if portunus.domain resolves to this host or a trusted link; confirm.
      # NOTE(review): the backticks expand the secret into the command line,
      # so it is visible in /proc/<pid>/cmdline to local users while the admin
      # command runs; the script text itself only embeds the secret's path.
      # Members of cn=admins become Forgejo administrators via --admin-filter.
      ldapConfigArgs = ''
        --name LDAP \
        --active \
        --security-protocol unencrypted \
        --host '${portunus.domain}' \
        --port 389 \
        --user-search-base '${basedn}' \
        --user-filter '(&(objectClass=posixAccount)(uid=%s))' \
        --admin-filter '(isMemberOf=cn=admins,ou=groups,${portunus.ldap.suffix})' \
        --username-attribute uid \
        --firstname-attribute givenName \
        --surname-attribute sn \
        --email-attribute mail \
        --public-ssh-key-attribute sshPublicKey \
        --bind-dn 'uid=search,${basedn}' \
        --bind-password "`cat ${config.sops.secrets.gitea_ldap_search.path}`" \
        --synchronize-users
      '';
    in
    # Detection assumes `admin auth list` prints one row per auth source with
    # the numeric ID in the first column; any row containing "LDAP" (name or
    # type) is taken as ours and only the first match is updated.  `$id` is
    # expanded unquoted, which relies on awk returning a single word.
    lib.mkAfter /* sh */ ''
      # Check if LDAP is already configured
      ldap_line=$(${exe} admin auth list | grep "LDAP" | head -n 1)
      if [[ -n "$ldap_line" ]]; then
      # update ldap config
      id=$(echo "$ldap_line" | ${pkgs.gawk}/bin/awk '{print $1}')
      ${exe} admin auth update-ldap --id $id ${ldapConfigArgs}
      else
      # initially configure ldap
      ${exe} admin auth add-ldap ${ldapConfigArgs}
      fi
    '';

  # TLS termination for the git vhost (ACME certificate, http->https
  # redirect); requests are proxied to Forgejo's unix socket, whose path is
  # what server.HTTP_ADDR holds under PROTOCOL = "http+unix".
  services.nginx.virtualHosts.${domain} = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/";
      proxyWebsockets = true;
    };
    # Block the user-search API at the proxy; pairs with DISABLE_USERS_PAGE
    # above so user names cannot be enumerated through the REST API.
    locations."/api/v1/users/search".return = "403";
  };
}