tlaternet-server/configuration/services/gitea.nix

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

101 lines
2.6 KiB
Nix
Raw Normal View History

{ pkgs
, config
, lib
, ...
}:
let
domain = "gitea.${config.services.nginx.domain}";
in
{
2023-12-29 15:11:16 +00:00
services.forgejo = {
enable = true;
database.type = "postgres";
2021-04-12 01:41:31 +01:00
2023-01-11 01:59:54 +00:00
settings = {
2023-07-28 10:23:56 +01:00
server = {
DOMAIN = domain;
HTTP_ADDR = "127.0.0.1";
ROOT_URL = "https://${domain}/";
SSH_PORT = 2222;
};
metrics = {
ENABLED = true;
TOKEN = "#metricstoken#";
};
2023-01-11 01:59:54 +00:00
service.DISABLE_REGISTRATION = true;
session.COOKIE_SECURE = true;
};
};
2023-12-29 15:11:16 +00:00
systemd.services.forgejo.serviceConfig.ExecStartPre =
let
replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
2023-12-29 15:11:16 +00:00
secretPath = config.sops.secrets."forgejo/metrics-token".path;
runConfig = "${config.services.forgejo.customDir}/conf/app.ini";
in
[
"+${replaceSecretBin} '#metricstoken#' '${secretPath}' '${runConfig}'"
];
# Set up SSL
services.nginx.virtualHosts."${domain}" =
let
2023-12-29 15:11:16 +00:00
httpAddress = config.services.forgejo.settings.server.HTTP_ADDR;
httpPort = config.services.forgejo.settings.server.HTTP_PORT;
in
{
forceSSL = true;
2024-04-16 00:08:13 +01:00
useACMEHost = "tlater.net";
2024-04-13 03:34:53 +01:00
enableHSTS = true;
2021-04-12 01:41:31 +01:00
locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";
locations."/metrics" = {
extraConfig = ''
access_log off;
allow 127.0.0.1;
${lib.optionalString config.networking.enableIPv6 "allow ::1;"}
deny all;
'';
};
};
2022-10-14 01:11:15 +01:00
# Block repeated failed login attempts
#
2023-12-29 15:11:16 +00:00
# TODO(tlater): Update this - we switched to forgejo, who knows what
# the new matches are.
# environment.etc = {
# "fail2ban/filter.d/gitea.conf".text = ''
# [Definition]
# failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
# journalmatch = _SYSTEMD_UNIT=forgejo.service + _COMM=forgejo + SYSLOG_IDENTIFIER=forgejo
# '';
# };
2022-10-14 01:11:15 +01:00
2023-12-29 15:11:16 +00:00
# services.fail2ban.jails = {
# gitea = ''
# enabled = true
# '';
# };
2024-03-02 01:27:24 +00:00
services.backups.forgejo = {
user = "forgejo";
paths = [
"/var/lib/forgejo/forgejo-db.sql"
"/var/lib/forgejo/repositories/"
"/var/lib/forgejo/data/"
"/var/lib/forgejo/custom/"
# Conf is backed up via nix
];
preparation = {
packages = [ config.services.postgresql.package ];
text = "pg_dump ${config.services.forgejo.database.name} --file=/var/lib/forgejo/forgejo-db.sql";
};
cleanup = {
packages = [ pkgs.coreutils ];
text = "rm /var/lib/forgejo/forgejo-db.sql";
};
pauseServices = [ "forgejo.service" ];
};
2021-04-12 01:41:31 +01:00
}