# NixOS module for the Gitea instance: the service itself, its nginx
# reverse proxy (TLS + metrics guard), a fail2ban filter for failed
# logins, and a database/repository backup job.
{
  pkgs,
  config,
  lib,
  ...
}: let
  # Public hostname; the nginx vhost below is keyed on the same value.
  domain = "gitea.${config.services.nginx.domain}";
in {
  services.gitea = {
    enable = true;
    database.type = "postgres";
    appName = "Gitea: Git with a cup of tea";
    settings = {
      server = {
        DOMAIN = domain;
        # Bind to loopback only; all external traffic goes through nginx.
        HTTP_ADDR = "127.0.0.1";
        ROOT_URL = "https://${domain}/";
        # NOTE(review): this is the port advertised in clone URLs; whatever
        # actually listens on 2222 is not configured in this file — confirm.
        SSH_PORT = 2222;
      };
      metrics = {
        ENABLED = true;
        # Placeholder only. The ExecStartPre step below substitutes the real
        # token into the runtime app.ini, so the secret value is not part of
        # the evaluated configuration.
        TOKEN = "#metricstoken#";
      };
      # No self-service sign-up; accounts are created by an admin.
      service.DISABLE_REGISTRATION = true;
      # Session cookie is only sent over HTTPS (nginx forces TLS below).
      session.COOKIE_SECURE = true;
    };
  };

  # Replace the metrics-token placeholder in the generated app.ini with the
  # sops-managed secret before gitea starts.
  systemd.services.gitea.serviceConfig.ExecStartPre = let
    replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
    secretPath = config.sops.secrets."gitea/metrics-token".path;
    runConfig = "${config.services.gitea.customDir}/conf/app.ini";
  in [
    # The leading "+" makes systemd run this step with full privileges
    # (systemd.service(5)), so the secret file need not be readable by the
    # gitea user.
    # NOTE(review): assumes this runs after the module's own app.ini
    # generation — confirm the ExecStartPre ordering on the target release.
    "+${replaceSecretBin} '#metricstoken#' '${secretPath}' '${runConfig}'"
  ];

  # Set up SSL
  services.nginx.virtualHosts."${domain}" = let
    # Reuse the gitea bind address/port so the proxy target cannot drift.
    httpAddress = config.services.gitea.settings.server.HTTP_ADDR;
    httpPort = config.services.gitea.settings.server.HTTP_PORT;
  in {
    forceSSL = true;
    enableACME = true;
    # HSTS for 180 days (15552000 s), covering subdomains.
    # NOTE(review): assumes a `log_format upstream_time` is declared in the
    # global nginx config — confirm, otherwise nginx refuses to start.
    extraConfig = ''
      add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
      access_log /var/log/nginx/${domain}/access.log upstream_time;
    '';
    locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";
    # The Prometheus endpoint is reachable from loopback only; the token in
    # app.ini is a second layer, not the primary access control.
    locations."/metrics" = {
      extraConfig = ''
        access_log off;
        allow 127.0.0.1;
        ${lib.optionalString config.networking.enableIPv6 "allow ::1;"}
        deny all;
      '';
    };
  };

  # Block repeated failed login attempts
  #
  # TODO(tlater): Update to the new regex, since apparently this one
  # is deprecated (but the new one doesn't work on the current version
  # of gitea yet): https://docs.gitea.io/en-us/fail2ban-setup/
  environment.etc = {
    # journalmatch scopes the filter to gitea.service's journal entries.
    "fail2ban/filter.d/gitea.conf".text = ''
      [Definition]
      failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
      journalmatch = _SYSTEMD_UNIT=gitea.service + _COMM=gitea + SYSLOG_IDENTIFIER=gitea
    '';
  };

  # NOTE(review): the jail sets only `enabled`; filter name and backend are
  # inherited from fail2ban defaults — confirm the backend is systemd so the
  # journalmatch above is applied.
  services.fail2ban.jails = {
    gitea = ''
      enabled = true
    '';
  };

  # NOTE(review): `services.backups` is not a stock NixOS option; the fields
  # below follow the project's own backup module — verify against it.
  services.backups.gitea = {
    user = "gitea";
    paths = [
      "/var/lib/gitea/gitea-db.sql"
      "/var/lib/gitea/repositories/"
      "/var/lib/gitea/data/"
      "/var/lib/gitea/custom/"
      # Conf is backed up via nix
    ];
    # Dump the database to a file inside the backed-up tree first.
    # NOTE(review): the dump's mode follows the gitea user's umask — confirm
    # it is not readable by other local users while it exists.
    preparation = {
      packages = [config.services.postgresql.package];
      text = "pg_dump ${config.services.gitea.database.name} --file=/var/lib/gitea/gitea-db.sql";
    };
    # Remove the dump afterwards; `rm` without -f fails if preparation
    # never produced the file.
    cleanup = {
      packages = [pkgs.coreutils];
      text = "rm /var/lib/gitea/gitea-db.sql";
    };
    # Stop gitea during the backup for a consistent snapshot.
    pauseServices = ["gitea.service"];
  };
}