dotfiles/modules/nixos/services/gitea.nix

{
  config,
  pkgs,
  lib,
  ...
}:

let
  giteaPath = "/var/lib/gitea"; # Default service directory
in
{

  config = lib.mkIf config.services.gitea.enable {
    services.gitea = {
      database.type = "sqlite3";
      settings = {
        actions.ENABLED = true;
        metrics.ENABLED = true;
        repository = {
          # Pushing to a repo that doesn't exist automatically creates one as
          # private.
          DEFAULT_PUSH_CREATE_PRIVATE = true;

          # Allow git over HTTP.
          DISABLE_HTTP_GIT = false;

          # Allow requests hitting the specified hostname.
          ACCESS_CONTROL_ALLOW_ORIGIN = config.hostnames.git;

          # Automatically create viable users/orgs on push.
          ENABLE_PUSH_CREATE_USER = true;
          ENABLE_PUSH_CREATE_ORG = true;

          # Default when creating new repos.
          DEFAULT_BRANCH = "main";
        };
        server = {
          HTTP_PORT = 3001;
          HTTP_ADDRESS = "127.0.0.1";
          ROOT_URL = "https://${config.hostnames.git}/";
          SSH_PORT = 22;
          START_SSH_SERVER = false; # Use sshd instead
          DISABLE_SSH = false;
        };

        # Don't allow public users to register accounts.
        service.DISABLE_REGISTRATION = true;

        # Force using HTTPS for all session access.
        session.COOKIE_SECURE = true;

        # Hide users' emails.
        ui.SHOW_USER_EMAIL = false;
      };
      extraConfig = null;
    };

    users.users.${config.user}.extraGroups = [ "gitea" ];

    caddy.routes = [
      # Prevent public access to Prometheus metrics.
      {
        match = [
          {
            host = [ config.hostnames.git ];
            path = [ "/metrics*" ];
          }
        ];
        handle = [
          {
            handler = "static_response";
            status_code = "403";
          }
        ];
      }
      # Allow access to primary server.
      {
        match = [ { host = [ config.hostnames.git ]; } ];
        handle = [
          {
            handler = "reverse_proxy";
            upstreams = [
              { dial = "localhost:${builtins.toString config.services.gitea.settings.server.HTTP_PORT}"; }
            ];
          }
        ];
      }
    ];

    # Configure Cloudflare DNS to point to this machine
    services.cloudflare-dyndns.domains = [ config.hostnames.git ];

    # Scrape the metrics endpoint for Prometheus.
    prometheus.scrapeTargets = [
      "127.0.0.1:${builtins.toString config.services.gitea.settings.server.HTTP_PORT}"
    ];

    ## Backup config

    # Open to groups, allowing for backups
    systemd.services.gitea.serviceConfig.StateDirectoryMode = lib.mkForce "0770";
    systemd.tmpfiles.rules = [ "f ${giteaPath}/data/gitea.db 0660 gitea gitea" ];

    # Allow litestream and gitea to share a sqlite database
    users.users.litestream.extraGroups = [ "gitea" ];
    users.users.gitea.extraGroups = [ "litestream" ];

    # Backup sqlite database with litestream
    services.litestream = {
      settings = {
        dbs = [
          {
            path = "${giteaPath}/data/gitea.db";
            replicas = [ { url = "s3://${config.backup.s3.bucket}.${config.backup.s3.endpoint}/gitea"; } ];
          }
        ];
      };
    };

    # Don't start litestream unless gitea is up
    systemd.services.litestream = {
      after = [ "gitea.service" ];
      requires = [ "gitea.service" ];
    };

    # Run a repository file backup on a schedule
    systemd.timers.gitea-backup = lib.mkIf (config.backup.s3.endpoint != null) {
      timerConfig = {
        OnCalendar = "*-*-* 00:00:00"; # Once per day
        Unit = "gitea-backup.service";
      };
      wantedBy = [ "timers.target" ];
    };

    # Backup Gitea repos to object storage
    systemd.services.gitea-backup = lib.mkIf (config.backup.s3.endpoint != null) {
      description = "Backup Gitea data";
      environment.AWS_ACCESS_KEY_ID = config.backup.s3.accessKeyId;
      serviceConfig = {
        Type = "oneshot";
        User = "gitea";
        Group = "backup";
        EnvironmentFile = config.secrets.backup.dest;
      };
      script = ''
        ${pkgs.awscli2}/bin/aws s3 sync --exclude */gitea.db* \
            ${giteaPath}/ \
            s3://${config.backup.s3.bucket}/gitea-data/ \
            --endpoint-url=https://${config.backup.s3.endpoint}
      '';
    };
  };
}
move all files to new nixfmt rfc 2024-04-20 13:42:06 +00:00			`{`
			`config,`
			`pkgs,`
			`lib,`
			`...`
			`}:`

			`let`
			`giteaPath = "/var/lib/gitea"; # Default service directory`
			`in`
			`{`
add gitea service 2022-10-16 20:34:28 +00:00
remote prometheus and reconfig server modules 2023-07-04 22:20:43 +00:00			`config = lib.mkIf config.services.gitea.enable {`
add gitea service 2022-10-16 20:34:28 +00:00			`services.gitea = {`
			`database.type = "sqlite3";`
			`settings = {`
enable gitea actions and runner 2023-07-10 22:00:48 +00:00			`actions.ENABLED = true;`
enable gitea metrics 2023-07-29 19:33:13 +00:00			`metrics.ENABLED = true;`
add gitea service 2022-10-16 20:34:28 +00:00			`repository = {`
add more services documentation 2024-01-10 04:11:11 +00:00			`# Pushing to a repo that doesn't exist automatically creates one as`
			`# private.`
add gitea service 2022-10-16 20:34:28 +00:00			`DEFAULT_PUSH_CREATE_PRIVATE = true;`
add more services documentation 2024-01-10 04:11:11 +00:00
			`# Allow git over HTTP.`
add gitea service 2022-10-16 20:34:28 +00:00			`DISABLE_HTTP_GIT = false;`
add more services documentation 2024-01-10 04:11:11 +00:00
			`# Allow requests hitting the specified hostname.`
create universal options for hostnames 2023-07-07 16:16:07 +00:00			`ACCESS_CONTROL_ALLOW_ORIGIN = config.hostnames.git;`
add more services documentation 2024-01-10 04:11:11 +00:00
			`# Automatically create viable users/orgs on push.`
add gitea service 2022-10-16 20:34:28 +00:00			`ENABLE_PUSH_CREATE_USER = true;`
			`ENABLE_PUSH_CREATE_ORG = true;`
add more services documentation 2024-01-10 04:11:11 +00:00
			`# Default when creating new repos.`
add gitea service 2022-10-16 20:34:28 +00:00			`DEFAULT_BRANCH = "main";`
			`};`
			`server = {`
update flame, cleanup host config file 2023-04-30 21:51:35 +00:00			`HTTP_PORT = 3001;`
			`HTTP_ADDRESS = "127.0.0.1";`
create universal options for hostnames 2023-07-07 16:16:07 +00:00			`ROOT_URL = "https://${config.hostnames.git}/";`
add gitea service 2022-10-16 20:34:28 +00:00			`SSH_PORT = 22;`
			`START_SSH_SERVER = false; # Use sshd instead`
			`DISABLE_SSH = false;`
			`};`
add more services documentation 2024-01-10 04:11:11 +00:00
			`# Don't allow public users to register accounts.`
add gitea service 2022-10-16 20:34:28 +00:00			`service.DISABLE_REGISTRATION = true;`
add more services documentation 2024-01-10 04:11:11 +00:00
			`# Force using HTTPS for all session access.`
add gitea service 2022-10-16 20:34:28 +00:00			`session.COOKIE_SECURE = true;`
add more services documentation 2024-01-10 04:11:11 +00:00
			`# Hide users' emails.`
add gitea service 2022-10-16 20:34:28 +00:00			`ui.SHOW_USER_EMAIL = false;`
			`};`
			`extraConfig = null;`
			`};`

have gitea actually backup full repos 2023-07-05 00:01:11 +00:00			`users.users.${config.user}.extraGroups = [ "gitea" ];`
add gitea service 2022-10-16 20:34:28 +00:00
enable gitea metrics 2023-07-29 19:33:13 +00:00			`caddy.routes = [`
add more services documentation 2024-01-10 04:11:11 +00:00			`# Prevent public access to Prometheus metrics.`
enable gitea metrics 2023-07-29 19:33:13 +00:00			`{`
move all files to new nixfmt rfc 2024-04-20 13:42:06 +00:00			`match = [`
			`{`
			`host = [ config.hostnames.git ];`
			`path = [ "/metrics*" ];`
			`}`
			`];`
			`handle = [`
			`{`
			`handler = "static_response";`
			`status_code = "403";`
			`}`
			`];`
enable gitea metrics 2023-07-29 19:33:13 +00:00			`}`
add more services documentation 2024-01-10 04:11:11 +00:00			`# Allow access to primary server.`
enable gitea metrics 2023-07-29 19:33:13 +00:00			`{`
move all files to new nixfmt rfc 2024-04-20 13:42:06 +00:00			`match = [ { host = [ config.hostnames.git ]; } ];`
			`handle = [`
			`{`
			`handler = "reverse_proxy";`
			`upstreams = [`
			`{ dial = "localhost:${builtins.toString config.services.gitea.settings.server.HTTP_PORT}"; }`
			`];`
			`}`
			`];`
enable gitea metrics 2023-07-29 19:33:13 +00:00			`}`
			`];`

add cloudflare-dyndns domains for flame 2024-03-30 15:41:18 +00:00			`# Configure Cloudflare DNS to point to this machine`
			`services.cloudflare-dyndns.domains = [ config.hostnames.git ];`

add more services documentation 2024-01-10 04:11:11 +00:00			`# Scrape the metrics endpoint for Prometheus.`
enable gitea metrics 2023-07-29 19:33:13 +00:00			`prometheus.scrapeTargets = [`
move all files to new nixfmt rfc 2024-04-20 13:42:06 +00:00			`"127.0.0.1:${builtins.toString config.services.gitea.settings.server.HTTP_PORT}"`
enable gitea metrics 2023-07-29 19:33:13 +00:00			`];`
add gitea service 2022-10-16 20:34:28 +00:00
			`## Backup config`

			`# Open to groups, allowing for backups`
move all files to new nixfmt rfc 2024-04-20 13:42:06 +00:00			`systemd.services.gitea.serviceConfig.StateDirectoryMode = lib.mkForce "0770";`
			`systemd.tmpfiles.rules = [ "f ${giteaPath}/data/gitea.db 0660 gitea gitea" ];`
add gitea service 2022-10-16 20:34:28 +00:00
			`# Allow litestream and gitea to share a sqlite database`
			`users.users.litestream.extraGroups = [ "gitea" ];`
			`users.users.gitea.extraGroups = [ "litestream" ];`

			`# Backup sqlite database with litestream`
			`services.litestream = {`
			`settings = {`
move all files to new nixfmt rfc 2024-04-20 13:42:06 +00:00			`dbs = [`
			`{`
			`path = "${giteaPath}/data/gitea.db";`
			`replicas = [ { url = "s3://${config.backup.s3.bucket}.${config.backup.s3.endpoint}/gitea"; } ];`
			`}`
			`];`
add gitea service 2022-10-16 20:34:28 +00:00			`};`
			`};`

			`# Don't start litestream unless gitea is up`
			`systemd.services.litestream = {`
			`after = [ "gitea.service" ];`
			`requires = [ "gitea.service" ];`
			`};`

have gitea actually backup full repos 2023-07-05 00:01:11 +00:00			`# Run a repository file backup on a schedule`
			`systemd.timers.gitea-backup = lib.mkIf (config.backup.s3.endpoint != null) {`
			`timerConfig = {`
			`OnCalendar = "--* 00:00:00"; # Once per day`
			`Unit = "gitea-backup.service";`
			`};`
			`wantedBy = [ "timers.target" ];`
			`};`

			`# Backup Gitea repos to object storage`
move all files to new nixfmt rfc 2024-04-20 13:42:06 +00:00			`systemd.services.gitea-backup = lib.mkIf (config.backup.s3.endpoint != null) {`
			`description = "Backup Gitea data";`
			`environment.AWS_ACCESS_KEY_ID = config.backup.s3.accessKeyId;`
			`serviceConfig = {`
			`Type = "oneshot";`
			`User = "gitea";`
			`Group = "backup";`
			`EnvironmentFile = config.secrets.backup.dest;`
have gitea actually backup full repos 2023-07-05 00:01:11 +00:00			`};`
move all files to new nixfmt rfc 2024-04-20 13:42:06 +00:00			`script = ''`
			`${pkgs.awscli2}/bin/aws s3 sync --exclude /gitea.db \`
			`${giteaPath}/ \`
			`s3://${config.backup.s3.bucket}/gitea-data/ \`
			`--endpoint-url=https://${config.backup.s3.endpoint}`
			`'';`
			`};`
add gitea service 2022-10-16 20:34:28 +00:00			`};`
			`}`