56 lines
1.5 KiB
Nix
56 lines
1.5 KiB
Nix
{config, ...}: let
|
|
domain = "gitea.${config.services.nginx.domain}";
|
|
in {
|
|
services.gitea = {
|
|
enable = true;
|
|
database.type = "postgres";
|
|
|
|
appName = "Gitea: Git with a cup of tea";
|
|
|
|
settings = {
|
|
server = {
|
|
DOMAIN = domain;
|
|
HTTP_ADDR = "127.0.0.1";
|
|
ROOT_URL = "https://${domain}/";
|
|
SSH_PORT = 2222;
|
|
};
|
|
|
|
service.DISABLE_REGISTRATION = true;
|
|
session.COOKIE_SECURE = true;
|
|
};
|
|
};
|
|
|
|
# Set up SSL
|
|
services.nginx.virtualHosts."${domain}" = let
|
|
httpAddress = config.services.gitea.settings.server.HTTP_ADDR;
|
|
httpPort = config.services.gitea.settings.server.HTTP_PORT;
|
|
in {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
extraConfig = ''
|
|
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
|
|
'';
|
|
|
|
locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";
|
|
};
|
|
|
|
# Block repeated failed login attempts
|
|
#
|
|
# TODO(tlater): Update to the new regex, since apparently this one
|
|
# is deprecated (but the new one doesn't work on the current version
|
|
# of gitea yet): https://docs.gitea.io/en-us/fail2ban-setup/
|
|
environment.etc = {
|
|
"fail2ban/filter.d/gitea.conf".text = ''
|
|
[Definition]
|
|
failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
|
|
journalmatch = _SYSTEMD_UNIT=gitea.service + _COMM=gitea + SYSLOG_IDENTIFIER=gitea
|
|
'';
|
|
};
|
|
|
|
services.fail2ban.jails = {
|
|
gitea = ''
|
|
enabled = true
|
|
'';
|
|
};
|
|
}
|