dotfiles/modules/nixos/services/gitea.nix

154 lines
4.3 KiB
Nix
Raw Permalink Normal View History

2024-04-20 13:42:06 +00:00
{
config,
pkgs,
lib,
...
}:
let
giteaPath = "/var/lib/gitea"; # Default service directory
in
{
2022-10-16 20:34:28 +00:00
config = lib.mkIf config.services.gitea.enable {
2022-10-16 20:34:28 +00:00
services.gitea = {
database.type = "sqlite3";
settings = {
2023-07-10 22:00:48 +00:00
actions.ENABLED = true;
2023-07-29 19:33:13 +00:00
metrics.ENABLED = true;
2022-10-16 20:34:28 +00:00
repository = {
2024-01-10 04:11:11 +00:00
# Pushing to a repo that doesn't exist automatically creates one as
# private.
2022-10-16 20:34:28 +00:00
DEFAULT_PUSH_CREATE_PRIVATE = true;
2024-01-10 04:11:11 +00:00
# Allow git over HTTP.
2022-10-16 20:34:28 +00:00
DISABLE_HTTP_GIT = false;
2024-01-10 04:11:11 +00:00
# Allow requests hitting the specified hostname.
2023-07-07 16:16:07 +00:00
ACCESS_CONTROL_ALLOW_ORIGIN = config.hostnames.git;
2024-01-10 04:11:11 +00:00
# Automatically create viable users/orgs on push.
2022-10-16 20:34:28 +00:00
ENABLE_PUSH_CREATE_USER = true;
ENABLE_PUSH_CREATE_ORG = true;
2024-01-10 04:11:11 +00:00
# Default when creating new repos.
2022-10-16 20:34:28 +00:00
DEFAULT_BRANCH = "main";
};
server = {
2023-04-30 21:51:35 +00:00
HTTP_PORT = 3001;
HTTP_ADDRESS = "127.0.0.1";
2023-07-07 16:16:07 +00:00
ROOT_URL = "https://${config.hostnames.git}/";
2022-10-16 20:34:28 +00:00
SSH_PORT = 22;
START_SSH_SERVER = false; # Use sshd instead
DISABLE_SSH = false;
};
2024-01-10 04:11:11 +00:00
# Don't allow public users to register accounts.
2022-10-16 20:34:28 +00:00
service.DISABLE_REGISTRATION = true;
2024-01-10 04:11:11 +00:00
# Force using HTTPS for all session access.
2022-10-16 20:34:28 +00:00
session.COOKIE_SECURE = true;
2024-01-10 04:11:11 +00:00
# Hide users' emails.
2022-10-16 20:34:28 +00:00
ui.SHOW_USER_EMAIL = false;
};
extraConfig = null;
};
2023-07-05 00:01:11 +00:00
users.users.${config.user}.extraGroups = [ "gitea" ];
2022-10-16 20:34:28 +00:00
2023-07-29 19:33:13 +00:00
caddy.routes = [
2024-01-10 04:11:11 +00:00
# Prevent public access to Prometheus metrics.
2023-07-29 19:33:13 +00:00
{
2024-04-20 13:42:06 +00:00
match = [
{
host = [ config.hostnames.git ];
path = [ "/metrics*" ];
}
];
handle = [
{
handler = "static_response";
status_code = "403";
}
];
2023-07-29 19:33:13 +00:00
}
2024-01-10 04:11:11 +00:00
# Allow access to primary server.
2023-07-29 19:33:13 +00:00
{
2024-04-20 13:42:06 +00:00
match = [ { host = [ config.hostnames.git ]; } ];
handle = [
{
handler = "reverse_proxy";
upstreams = [
{ dial = "localhost:${builtins.toString config.services.gitea.settings.server.HTTP_PORT}"; }
];
}
];
2023-07-29 19:33:13 +00:00
}
];
# Configure Cloudflare DNS to point to this machine
services.cloudflare-dyndns.domains = [ config.hostnames.git ];
2024-01-10 04:11:11 +00:00
# Scrape the metrics endpoint for Prometheus.
2023-07-29 19:33:13 +00:00
prometheus.scrapeTargets = [
2024-04-20 13:42:06 +00:00
"127.0.0.1:${builtins.toString config.services.gitea.settings.server.HTTP_PORT}"
2023-07-29 19:33:13 +00:00
];
2022-10-16 20:34:28 +00:00
## Backup config
# Open to groups, allowing for backups
2024-04-20 13:42:06 +00:00
systemd.services.gitea.serviceConfig.StateDirectoryMode = lib.mkForce "0770";
systemd.tmpfiles.rules = [ "f ${giteaPath}/data/gitea.db 0660 gitea gitea" ];
2022-10-16 20:34:28 +00:00
# Allow litestream and gitea to share a sqlite database
users.users.litestream.extraGroups = [ "gitea" ];
users.users.gitea.extraGroups = [ "litestream" ];
# Backup sqlite database with litestream
services.litestream = {
settings = {
2024-04-20 13:42:06 +00:00
dbs = [
{
path = "${giteaPath}/data/gitea.db";
replicas = [ { url = "s3://${config.backup.s3.bucket}.${config.backup.s3.endpoint}/gitea"; } ];
}
];
2022-10-16 20:34:28 +00:00
};
};
# Don't start litestream unless gitea is up
systemd.services.litestream = {
after = [ "gitea.service" ];
requires = [ "gitea.service" ];
};
2023-07-05 00:01:11 +00:00
# Run a repository file backup on a schedule
systemd.timers.gitea-backup = lib.mkIf (config.backup.s3.endpoint != null) {
timerConfig = {
OnCalendar = "*-*-* 00:00:00"; # Once per day
Unit = "gitea-backup.service";
};
wantedBy = [ "timers.target" ];
};
# Backup Gitea repos to object storage
2024-04-20 13:42:06 +00:00
systemd.services.gitea-backup = lib.mkIf (config.backup.s3.endpoint != null) {
description = "Backup Gitea data";
environment.AWS_ACCESS_KEY_ID = config.backup.s3.accessKeyId;
serviceConfig = {
Type = "oneshot";
User = "gitea";
Group = "backup";
EnvironmentFile = config.secrets.backup.dest;
2023-07-05 00:01:11 +00:00
};
2024-04-20 13:42:06 +00:00
script = ''
${pkgs.awscli2}/bin/aws s3 sync --exclude */gitea.db* \
${giteaPath}/ \
s3://${config.backup.s3.bucket}/gitea-data/ \
--endpoint-url=https://${config.backup.s3.endpoint}
'';
};
2022-10-16 20:34:28 +00:00
};
}