tlaternet-server/configuration/services/gitea.nix
Tristan Daniël Maat d63edbecc7
postgres: Set auth method to "reject"
This will reject connections from anywhere except 127.0.0.1, i.e., the
pod's network namespace.

This makes password authentication properly obsolete, instead of merely
hiding the password (which was never actually used to authenticate anyway),
but it required a change upstream:
https://github.com/docker-library/postgres/pull/859
2021-06-11 01:48:54 +01:00


{ config, ... }:
let
  # Values that appear in more than one place below are bound once here so the
  # hostname, the published SSH port and the port advertised to gitea, and the
  # database name/user cannot drift apart.
  domain = "gitea.tlater.net";
  sshPort = "2221";
  dbName = "gitea";
  dbUser = "gitea";
  giteaUser = config.users.extraUsers.gitea;
  giteaGroup = config.users.extraGroups.gitea;
in
{
  # Dedicated system account the gitea container runs as (see USER_UID /
  # USER_GID below); uid and gid are taken from the central ids table.
  users.extraUsers.gitea = {
    uid = config.ids.uids.git;
    isSystemUser = true;
    description = "Gitea Service";
    group = giteaGroup.name;
  };
  users.extraGroups.gitea = { gid = config.ids.gids.git; };

  virtualisation.pods.gitea = {
    hostname = domain;
    # Only the web UI (3000) and the SSH endpoint (2221) leave the pod.  5432 is
    # deliberately absent: with POSTGRES_HOST_AUTH_METHOD = "reject" below, the
    # pod's network namespace is the database's only access control, so this
    # list must never grow a 5432 entry.
    publish = [ "3000:3000" "${sshPort}:${sshPort}" ];
    network = "slirp4netns";

    containers = {
      gitea = {
        # Floating tag: each pull may resolve to a different image, so upgrades
        # happen implicitly and are not reviewable.  Pinning to a digest
        # ("gitea/gitea@sha256:<digest>" -- placeholder) makes them explicit.
        image = "gitea/gitea:latest";
        volumes = [ "gitea:/data:Z" "/etc/localtime:/etc/localtime:ro" ];
        dependsOn = [ "postgres" ];
        environment = {
          DB_TYPE = "postgres";
          # Presumably resolves to the pod itself, so the connection arrives at
          # postgres over loopback -- verify, since that is the only origin the
          # "reject" auth method still admits.
          DB_HOST = "gitea-postgres:5432";
          DB_NAME = dbName;
          DB_USER = dbUser;
          USER_UID = toString giteaUser.uid;
          USER_GID = toString giteaGroup.gid;
          RUN_MODE = "prod";
          DOMAIN = domain;
          SSH_PORT = sshPort;
        };
      };

      postgres = {
        # Same floating-tag caveat as the gitea image above.
        image = "postgres:alpine";
        environment = {
          POSTGRES_DB = dbName;
          POSTGRES_USER = dbUser;
          # Per the commit message this rejects host connections from anything
          # but 127.0.0.1, i.e. from outside the pod's network namespace.  No
          # password is configured anywhere in this file (no POSTGRES_PASSWORD,
          # no DB_PASSWD), so anything that can reach loopback inside the pod
          # gets a session as this user -- the namespace boundary is the whole
          # access-control story.
          POSTGRES_HOST_AUTH_METHOD = "reject";
        };
        volumes = [ "gitea-db-data:/var/lib/postgresql/data" ];
      };
    };
  };
}