tlaternet-server/configuration/services/gitea.nix

{config, ...}: let
  domain = "gitea.${config.services.nginx.domain}";
in {
  services.gitea = {
    inherit domain;
    enable = true;

    httpAddress = "127.0.0.1";
    database.type = "postgres";

    rootUrl = "https://${domain}/";

    appName = "Gitea: Git with a cup of tea";

    settings = {
      server.SSH_PORT = 2222;
      service.DISABLE_REGISTRATION = true;
      session.COOKIE_SECURE = true;
    };
  };

  # Set up SSL
  services.nginx.virtualHosts."${domain}" = let
    inherit (config.services.gitea) httpAddress httpPort;
  in {
    forceSSL = true;
    enableACME = true;
    extraConfig = ''
      add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
    '';

    locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";
  };

  # Block repeated failed login attempts
  #
  # TODO(tlater): Update to the new regex, since apparently this one
  # is deprecated (but the new one doesn't work on the current version
  # of gitea yet): https://docs.gitea.io/en-us/fail2ban-setup/
  environment.etc = {
    "fail2ban/filter.d/gitea.conf".text = ''
      [Definition]
      failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
      journalmatch = _SYSTEMD_UNIT=gitea.service + _COMM=gitea + SYSLOG_IDENTIFIER=gitea
    '';
  };

  services.fail2ban.jails = {
    gitea = ''
      enabled = true
    '';
  };
}
gitea: Use a hardened systemd unit instead of a container 2022-10-12 19:43:24 +01:00			`{config, ...}: let`
			`domain = "gitea.${config.services.nginx.domain}";`
			`in {`
			`services.gitea = {`
			`inherit domain;`
			`enable = true;`
Add gitea service 2021-04-12 01:41:31 +01:00
gitea: Use a hardened systemd unit instead of a container 2022-10-12 19:43:24 +01:00			`httpAddress = "127.0.0.1";`
			`database.type = "postgres";`
Add gitea service 2021-04-12 01:41:31 +01:00
gitea: Use a hardened systemd unit instead of a container 2022-10-12 19:43:24 +01:00			`rootUrl = "https://${domain}/";`
Add gitea service 2021-04-12 01:41:31 +01:00
gitea: Use a hardened systemd unit instead of a container 2022-10-12 19:43:24 +01:00			`appName = "Gitea: Git with a cup of tea";`
gitea: Update configuration for 22.11 2023-01-11 01:59:54 +00:00
			`settings = {`
			`server.SSH_PORT = 2222;`
			`service.DISABLE_REGISTRATION = true;`
			`session.COOKIE_SECURE = true;`
			`};`
gitea: Use a hardened systemd unit instead of a container 2022-10-12 19:43:24 +01:00			`};`
gitea: Use a defined service UID The default of 1000 mapped to my admin user, which was both a bit concerning and a bit of an annoyance. 2021-04-28 23:02:27 +01:00
gitea: Use a hardened systemd unit instead of a container 2022-10-12 19:43:24 +01:00			`# Set up SSL`
			`services.nginx.virtualHosts."${domain}" = let`
			`inherit (config.services.gitea) httpAddress httpPort;`
			`in {`
			`forceSSL = true;`
			`enableACME = true;`
			`extraConfig = ''`
			`add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;`
			`'';`
Add gitea service 2021-04-12 01:41:31 +01:00
gitea: Use a hardened systemd unit instead of a container 2022-10-12 19:43:24 +01:00			`locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";`
Add gitea service 2021-04-12 01:41:31 +01:00			`};`
treewide: Add fail2ban 2022-10-14 01:11:15 +01:00
			`# Block repeated failed login attempts`
			`#`
			`# TODO(tlater): Update to the new regex, since apparently this one`
			`# is deprecated (but the new one doesn't work on the current version`
			`# of gitea yet): https://docs.gitea.io/en-us/fail2ban-setup/`
			`environment.etc = {`
			`"fail2ban/filter.d/gitea.conf".text = ''`
			`[Definition]`
			`failregex = .(Failed authentication attempt\|invalid credentials\|Attempted access of unknown user). from <HOST>`
			`journalmatch = _SYSTEMD_UNIT=gitea.service + _COMM=gitea + SYSLOG_IDENTIFIER=gitea`
			`'';`
			`};`

			`services.fail2ban.jails = {`
			`gitea = ''`
			`enabled = true`
			`'';`
			`};`
Add gitea service 2021-04-12 01:41:31 +01:00			`}`