tlaternet-server/configuration/services/gitea.nix

99 lines
2.7 KiB
Nix
Raw Normal View History

{
pkgs,
config,
lib,
...
}: let
domain = "gitea.${config.services.nginx.domain}";
in {
2023-12-29 15:11:16 +00:00
services.forgejo = {
enable = true;
database.type = "postgres";
2021-04-12 01:41:31 +01:00
2023-01-11 01:59:54 +00:00
settings = {
2023-07-28 10:23:56 +01:00
server = {
DOMAIN = domain;
HTTP_ADDR = "127.0.0.1";
ROOT_URL = "https://${domain}/";
SSH_PORT = 2222;
};
metrics = {
ENABLED = true;
TOKEN = "#metricstoken#";
};
2023-01-11 01:59:54 +00:00
service.DISABLE_REGISTRATION = true;
session.COOKIE_SECURE = true;
};
};
2023-12-29 15:11:16 +00:00
systemd.services.forgejo.serviceConfig.ExecStartPre = let
replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
2023-12-29 15:11:16 +00:00
secretPath = config.sops.secrets."forgejo/metrics-token".path;
runConfig = "${config.services.forgejo.customDir}/conf/app.ini";
in [
"+${replaceSecretBin} '#metricstoken#' '${secretPath}' '${runConfig}'"
];
# Set up SSL
services.nginx.virtualHosts."${domain}" = let
2023-12-29 15:11:16 +00:00
httpAddress = config.services.forgejo.settings.server.HTTP_ADDR;
httpPort = config.services.forgejo.settings.server.HTTP_PORT;
in {
forceSSL = true;
enableACME = true;
extraConfig = ''
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
access_log /var/log/nginx/${domain}/access.log upstream_time;
'';
2021-04-12 01:41:31 +01:00
locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";
locations."/metrics" = {
extraConfig = ''
access_log off;
allow 127.0.0.1;
${lib.optionalString config.networking.enableIPv6 "allow ::1;"}
deny all;
'';
};
2021-04-12 01:41:31 +01:00
};
2022-10-14 01:11:15 +01:00
# Block repeated failed login attempts
#
2023-12-29 15:11:16 +00:00
# TODO(tlater): Update this - we switched to forgejo, who knows what
# the new matches are.
# environment.etc = {
# "fail2ban/filter.d/gitea.conf".text = ''
# [Definition]
# failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
# journalmatch = _SYSTEMD_UNIT=forgejo.service + _COMM=forgejo + SYSLOG_IDENTIFIER=forgejo
# '';
# };
2022-10-14 01:11:15 +01:00
2023-12-29 15:11:16 +00:00
# services.fail2ban.jails = {
# gitea = ''
# enabled = true
# '';
# };
2024-03-02 01:27:24 +00:00
services.backups.forgejo = {
user = "forgejo";
paths = [
"/var/lib/forgejo/forgejo-db.sql"
"/var/lib/forgejo/repositories/"
"/var/lib/forgejo/data/"
"/var/lib/forgejo/custom/"
# Conf is backed up via nix
];
preparation = {
packages = [config.services.postgresql.package];
text = "pg_dump ${config.services.forgejo.database.name} --file=/var/lib/forgejo/forgejo-db.sql";
};
cleanup = {
packages = [pkgs.coreutils];
text = "rm /var/lib/forgejo/forgejo-db.sql";
};
pauseServices = ["forgejo.service"];
};
2021-04-12 01:41:31 +01:00
}