From b146868f577161f80875ccc9cf5affe12230b9db Mon Sep 17 00:00:00 2001
From: Emile
Date: Fri, 2 Aug 2024 23:50:58 +0200
Subject: git
---
 nix/hosts/corrino/www/git/git.nix | 102 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 102 insertions(+)
 create mode 100644 nix/hosts/corrino/www/git/git.nix
(limited to 'nix/hosts/corrino/www/git/git.nix')
diff --git a/nix/hosts/corrino/www/git/git.nix b/nix/hosts/corrino/www/git/git.nix
new file mode 100644
index 0000000..d815f9c
--- /dev/null
+++ b/nix/hosts/corrino/www/git/git.nix
@@ -0,0 +1,102 @@
+{ lib, pkgs, config, ... }:
+
+let
+ cfg = config.services.gitea;
+in {
+ services.nginx.virtualHosts."git.emile.space" = {
+ forceSSL = true;
+ enableACME = true;
+
+ # TODO(emile): figure out why this doesn't work when enabled, has to do with authelia
+ # extraConfig = authelia-location;
+
+ locations = {
+ "/" = {
+ # proxyPass = "http://127.0.0.1:3000";
+ proxyPass = "http://127.0.0.1:${toString config.services.gitea.settings.server.HTTP_PORT}";
+
+ # TODO(emile): figure out why this doesn't work when enabled, has to do with authelia
+ # extraConfig = authelia-authrequest;
+ };
+ };
+ };
+
+ # auth via authelia
+ services.authelia.instances.main.settings.identity_providers.oidc.clients = [
+ {
+ id = "git";
+
+ # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
+ secret = "$pbkdf2-sha512$310000$4bi9wRkfcqnjbdmgt7rU.g$pQ2mC6GW4.BQwanGKKFhFyIx6Y.WY80xd/YpmlYOPnlnGBWpp0dSOTv6a/2yqSA5D.EuRkGCyeexSE5FdCK2TA";
+ public = false;
+ authorization_policy = "two_factor";
+ redirect_uris = [
+ "https://git.emile.space/user/oauth2/authelia/callback"
+ ];
+ scopes = [
+ "openid"
+ "email"
+ "profile"
+ ];
+ }
+ ];
+
+ services.gitea = rec {
+ enable = true;
+
+ appName = "git.emile.space";
+
+ # unstable in order to use the 1.20... version
+ #package = pkgs.forgejo;
+ package = pkgs.unstable.forgejo;
+
+ stateDir = "/var/lib/gitea";
+ repositoryRoot = "${stateDir}/repositories";
+
+ settings = {
+ service.DISABLE_REGISTRATION = true;
+
+ DEFAULT = {
+ WORK_PATH = "/var/lib/gitea";
+ };
+
+ server = {
+ DOMAIN = pkgs.lib.mkForce "git.emile.space";
+ ROOT_URL = pkgs.lib.mkForce "https://git.emile.space";
+ HTTP_PORT = config.emile.ports.git;
+
+ #START_SSH_SERVER = true;
+ BUILTIN_SSH_SERVER_USER = "git";
+ SSH_USER = "gitea";
+ SSH_DOMAIN = "git.emile.space";
+
+ REPO_INDEXER_ENABLED = true;
+ };
+
+ indexer = {
+ REPO_INDEXER_ENABLED = true;
+ ISSUE_INDEXER_PATH = "${stateDir}/indexers/issues.bleve";
+ REPO_INDEXER_PATH = "${stateDir}/indexers/repos.bleve";
+ MAX_FILE_SIZE = 1048576;
+ REPO_INDEXER_INCLUDE = "";
+ REPO_INDEXER_EXCLUDE = "resources/bin/**";
+ };
+
+ #federation = {
+ # enable = true;
+ # share_user_statistics = true;
+ # max_size = 4;
+ #};
+ };
+ };
+
+ users.users.git = {
+ isSystemUser = true;
+ useDefaultShell = true;
+ group = "git";
+ extraGroups = [ "gitea" ];
+ home = cfg.stateDir;
+ uid = 127;
+ };
+ users.groups.git = { };
+}
-- 
cgit 1.4.1
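Review bot: nginx reaches Forgejo on 127.0.0.1 (the `proxyPass` line), but the `server` settings set only `HTTP_PORT` and never `HTTP_ADDR`, and unless something outside this file overrides it the NixOS gitea module's default bind address is, as far as I recall, `0.0.0.0`, so the instance would also be reachable directly on `config.emile.ports.git` from every interface, bypassing TLS and the Authelia forward-auth that the two TODO comments show is currently disabled. Adding `HTTP_ADDR = "127.0.0.1";` next to `HTTP_PORT` closes that, or the port has to be explicitly blocked in the host firewall. Separately, `REPO_INDEXER_ENABLED = true` is set under both `server` and `indexer`; the `server` copy looks like a no-op (the key belongs to the `[indexer]` section) and can be dropped to avoid suggesting it does something. Finally, `SSH_USER = "gitea"` together with `BUILTIN_SSH_SERVER_USER = "git"`, a commented-out `START_SSH_SERVER`, and a separate `git` system user with `useDefaultShell = true` and a fixed `uid = 127` reads as inconsistent; a comment above `users.users.git` stating which user is expected to answer git+ssh and why the `git` user needs a login shell, e.g. `# system sshd serves git+ssh as "gitea"; "git" exists only for … — confirm`, would make the intent checkable.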