Tristan Daniël Maat
d63edbecc7
This rejects connections from anywhere except 127.0.0.1, i.e. from within the pod's network namespace. It makes password authentication properly obsolete, rather than merely hiding the password (which was never actually used to authenticate anyway), but it required a change upstream: https://github.com/docker-library/postgres/pull/859
{ config, ... }:

let
  domain = "gitea.tlater.net";
  httpPort = 3000;
  sshPort = 2221;

  # Host account/group the gitea container runs as.  The ids come from the
  # static NixOS id table so they are stable across rebuilds and match the
  # ownership of files written into the `gitea` data volume.
  giteaUser = config.users.extraUsers.gitea;
  giteaGroup = config.users.extraGroups.gitea;

  # "<port>:<port>" with no host address binds the host side on every host
  # interface, not just loopback.
  publishSame = port: "${toString port}:${toString port}";
in
{
  users.extraUsers.gitea = {
    uid = config.ids.uids.git;
    isSystemUser = true;
    description = "Gitea Service";
    group = giteaGroup.name;
  };
  users.extraGroups.gitea.gid = config.ids.gids.git;

  # One pod with two containers sharing a network namespace, so the
  # gitea -> postgres connection never leaves the pod.
  virtualisation.pods.gitea = {
    hostname = domain;
    # 3000 is gitea's plain-HTTP listener and is reachable on every host
    # interface here.  NOTE(review): if a reverse proxy on this host fronts
    # gitea, "127.0.0.1:3000:3000" would keep the unencrypted port private;
    # the SSH port has to stay public for git-over-ssh.
    publish = [ (publishSame httpPort) (publishSame sshPort) ];
    network = "slirp4netns";

    containers = {
      gitea = {
        # NOTE(review): a floating tag is re-resolved on every pull, so the
        # version that actually runs is not fixed by this file; pinning a
        # version tag or an image digest makes upgrades deliberate and
        # reviewable.
        image = "gitea/gitea:latest";
        volumes = [
          "gitea:/data:Z"
          # Host timezone, mounted read-only.
          "/etc/localtime:/etc/localtime:ro"
        ];
        dependsOn = [ "postgres" ];

        environment = {
          DB_TYPE = "postgres";
          # Deliberately no DB_PASSWD: postgres only admits connections from
          # inside the pod (see POSTGRES_HOST_AUTH_METHOD below), so no
          # password is used at all.  NOTE(review): this relies on the
          # connection to `gitea-postgres` arriving from 127.0.0.1; if the
          # name resolved to the pod's non-loopback address, postgres would
          # reject it -- confirm against the pod's name resolution.
          DB_HOST = "gitea-postgres:5432";
          DB_NAME = "gitea";
          DB_USER = "gitea";

          # Run as the host's gitea uid/gid so volume ownership lines up.
          USER_UID = toString giteaUser.uid;
          USER_GID = toString giteaGroup.gid;

          RUN_MODE = "prod";
          DOMAIN = domain;
          # Port advertised for SSH clone URLs; kept equal to the published
          # host port above.
          SSH_PORT = toString sshPort;
        };
      };

      postgres = {
        # NOTE(review): `:alpine` floats across PostgreSQL major versions, and
        # a surprise major bump will not start on the existing data
        # directory; pin a versioned tag (a specific major) or a digest.
        image = "postgres:alpine";
        environment = {
          POSTGRES_DB = "gitea";
          POSTGRES_USER = "gitea";
          # Reject every non-loopback connection rather than authenticating
          # it.  Loopback keeps the image's default rule, which as far as I
          # recall is `trust` (no password), so anything sharing this pod's
          # network namespace can log in as any role -- here that is only
          # the gitea container.  NOTE(review): the image writes this
          # pg_hba rule when it initialises an empty data directory; an
          # existing `gitea-db-data` volume keeps whatever rules it already
          # had -- verify on a pre-existing volume.
          POSTGRES_HOST_AUTH_METHOD = "reject";
        };
        # NOTE(review): unlike the gitea volume this one carries no `:Z`
        # (SELinux relabel) option; only relevant on SELinux-enforcing hosts.
        volumes = [ "gitea-db-data:/var/lib/postgresql/data" ];
      };
    };
  };
}