about summary refs log tree commit diff
path: root/nix/hosts/corrino/www/git/git.nix
diff options
context:
space:
mode:
authorEmile <git@emile.space>2024-08-02 23:50:58 +0200
committerEmile <git@emile.space>2024-08-02 23:50:58 +0200
commitb146868f577161f80875ccc9cf5affe12230b9db (patch)
tree1f5605dc418102636cbcb333205c608a7600a073 /nix/hosts/corrino/www/git/git.nix
parent84c5cbd22a2475ab21afb2e4a8b97a6645352ab9 (diff)
git
Diffstat (limited to 'nix/hosts/corrino/www/git/git.nix')
-rw-r--r--nix/hosts/corrino/www/git/git.nix102
1 files changed, 102 insertions, 0 deletions
diff --git a/nix/hosts/corrino/www/git/git.nix b/nix/hosts/corrino/www/git/git.nix
new file mode 100644
index 0000000..d815f9c
--- /dev/null
+++ b/nix/hosts/corrino/www/git/git.nix
@@ -0,0 +1,102 @@
+{ lib, pkgs, config, ... }:
+
+let
+  cfg = config.services.gitea;
+in {
+  services.nginx.virtualHosts."git.emile.space" = {
+    forceSSL = true;
+    enableACME = true;
+
+    # TODO(emile): figure out why this doesn't work when enabled, has to do with authelia
+    # extraConfig = authelia-location;
+
+    locations = {
+      "/" = {
+        # proxyPass = "http://127.0.0.1:3000";
+        proxyPass = "http://127.0.0.1:${toString config.services.gitea.settings.server.HTTP_PORT}";
+
+        # TODO(emile): figure out why this doesn't work when enabled, has to do with authelia
+        # extraConfig = authelia-authrequest;
+      };
+    };
+  };
+
+	# auth via authelia
+	services.authelia.instances.main.settings.identity_providers.oidc.clients = [
+  	{
+  		id = "git";
+
+  		# ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
+  		secret = "$pbkdf2-sha512$310000$4bi9wRkfcqnjbdmgt7rU.g$pQ2mC6GW4.BQwanGKKFhFyIx6Y.WY80xd/YpmlYOPnlnGBWpp0dSOTv6a/2yqSA5D.EuRkGCyeexSE5FdCK2TA";
+  		public = false;
+  		authorization_policy = "two_factor";
+  		redirect_uris = [
+  			"https://git.emile.space/user/oauth2/authelia/callback"
+  		];
+  		scopes = [
+  			"openid"
+  			"email"
+  			"profile"
+  		];
+  	}
+  ];
+
+  services.gitea = rec {
+    enable = true;
+
+    appName = "git.emile.space";
+
+    # unstable in order to use the 1.20... version
+    #package = pkgs.forgejo;
+    package = pkgs.unstable.forgejo;
+
+    stateDir = "/var/lib/gitea";
+    repositoryRoot = "${stateDir}/repositories";
+
+    settings = {
+      service.DISABLE_REGISTRATION = true;
+
+      DEFAULT = {
+        WORK_PATH = "/var/lib/gitea";
+      };
+
+      server = {
+        DOMAIN = pkgs.lib.mkForce "git.emile.space";
+        ROOT_URL = pkgs.lib.mkForce "https://git.emile.space";
+        HTTP_PORT = config.emile.ports.git;
+
+        #START_SSH_SERVER = true;
+        BUILTIN_SSH_SERVER_USER = "git";
+        SSH_USER = "gitea";
+        SSH_DOMAIN = "git.emile.space";
+
+        REPO_INDEXER_ENABLED = true;
+      };
+
+      indexer = {
+        REPO_INDEXER_ENABLED = true;
+        ISSUE_INDEXER_PATH = "${stateDir}/indexers/issues.bleve";
+        REPO_INDEXER_PATH = "${stateDir}/indexers/repos.bleve";
+        MAX_FILE_SIZE = 1048576;
+        REPO_INDEXER_INCLUDE = "";
+        REPO_INDEXER_EXCLUDE = "resources/bin/**";
+      };
+
+      #federation = {
+      #  enable = true;
+      #  share_user_statistics = true;
+      #  max_size = 4;
+      #};
+    };
+  };
+
+  users.users.git = {
+    isSystemUser = true;
+    useDefaultShell = true;
+    group = "git";
+    extraGroups = [ "gitea" ];
+    home = cfg.stateDir;
+    uid = 127;
+  };
+  users.groups.git = { };
+}