2024-04-20 13:42:06 +00:00
|
|
|
{
|
|
|
|
config,
|
|
|
|
pkgs,
|
|
|
|
lib,
|
|
|
|
...
|
|
|
|
}:
|
|
|
|
|
|
|
|
let
|
|
|
|
giteaPath = "/var/lib/gitea"; # Default service directory
|
|
|
|
in
|
|
|
|
{
|
2022-10-16 20:34:28 +00:00
|
|
|
|
2023-07-04 22:20:43 +00:00
|
|
|
config = lib.mkIf config.services.gitea.enable {
|
2022-10-16 20:34:28 +00:00
|
|
|
services.gitea = {
|
|
|
|
database.type = "sqlite3";
|
|
|
|
settings = {
|
2023-07-10 22:00:48 +00:00
|
|
|
actions.ENABLED = true;
|
2023-07-29 19:33:13 +00:00
|
|
|
metrics.ENABLED = true;
|
2022-10-16 20:34:28 +00:00
|
|
|
repository = {
|
2024-01-10 04:11:11 +00:00
|
|
|
# Pushing to a repo that doesn't exist automatically creates one as
|
|
|
|
# private.
|
2022-10-16 20:34:28 +00:00
|
|
|
DEFAULT_PUSH_CREATE_PRIVATE = true;
|
2024-01-10 04:11:11 +00:00
|
|
|
|
|
|
|
# Allow git over HTTP.
|
2022-10-16 20:34:28 +00:00
|
|
|
DISABLE_HTTP_GIT = false;
|
2024-01-10 04:11:11 +00:00
|
|
|
|
|
|
|
# Allow requests hitting the specified hostname.
|
2023-07-07 16:16:07 +00:00
|
|
|
ACCESS_CONTROL_ALLOW_ORIGIN = config.hostnames.git;
|
2024-01-10 04:11:11 +00:00
|
|
|
|
|
|
|
# Automatically create viable users/orgs on push.
|
2022-10-16 20:34:28 +00:00
|
|
|
ENABLE_PUSH_CREATE_USER = true;
|
|
|
|
ENABLE_PUSH_CREATE_ORG = true;
|
2024-01-10 04:11:11 +00:00
|
|
|
|
|
|
|
# Default when creating new repos.
|
2022-10-16 20:34:28 +00:00
|
|
|
DEFAULT_BRANCH = "main";
|
|
|
|
};
|
|
|
|
server = {
|
2023-04-30 21:51:35 +00:00
|
|
|
HTTP_PORT = 3001;
|
|
|
|
HTTP_ADDRESS = "127.0.0.1";
|
2023-07-07 16:16:07 +00:00
|
|
|
ROOT_URL = "https://${config.hostnames.git}/";
|
2022-10-16 20:34:28 +00:00
|
|
|
SSH_PORT = 22;
|
|
|
|
START_SSH_SERVER = false; # Use sshd instead
|
|
|
|
DISABLE_SSH = false;
|
|
|
|
};
|
2024-01-10 04:11:11 +00:00
|
|
|
|
|
|
|
# Don't allow public users to register accounts.
|
2022-10-16 20:34:28 +00:00
|
|
|
service.DISABLE_REGISTRATION = true;
|
2024-01-10 04:11:11 +00:00
|
|
|
|
|
|
|
# Force using HTTPS for all session access.
|
2022-10-16 20:34:28 +00:00
|
|
|
session.COOKIE_SECURE = true;
|
2024-01-10 04:11:11 +00:00
|
|
|
|
|
|
|
# Hide users' emails.
|
2022-10-16 20:34:28 +00:00
|
|
|
ui.SHOW_USER_EMAIL = false;
|
|
|
|
};
|
|
|
|
extraConfig = null;
|
|
|
|
};
|
|
|
|
|
2023-07-05 00:01:11 +00:00
|
|
|
users.users.${config.user}.extraGroups = [ "gitea" ];
|
2022-10-16 20:34:28 +00:00
|
|
|
|
2023-07-29 19:33:13 +00:00
|
|
|
caddy.routes = [
|
2024-01-10 04:11:11 +00:00
|
|
|
# Prevent public access to Prometheus metrics.
|
2023-07-29 19:33:13 +00:00
|
|
|
{
|
2024-04-20 13:42:06 +00:00
|
|
|
match = [
|
|
|
|
{
|
|
|
|
host = [ config.hostnames.git ];
|
|
|
|
path = [ "/metrics*" ];
|
|
|
|
}
|
|
|
|
];
|
|
|
|
handle = [
|
|
|
|
{
|
|
|
|
handler = "static_response";
|
|
|
|
status_code = "403";
|
|
|
|
}
|
|
|
|
];
|
2023-07-29 19:33:13 +00:00
|
|
|
}
|
2024-01-10 04:11:11 +00:00
|
|
|
# Allow access to primary server.
|
2023-07-29 19:33:13 +00:00
|
|
|
{
|
2024-04-20 13:42:06 +00:00
|
|
|
match = [ { host = [ config.hostnames.git ]; } ];
|
|
|
|
handle = [
|
|
|
|
{
|
|
|
|
handler = "reverse_proxy";
|
|
|
|
upstreams = [
|
|
|
|
{ dial = "localhost:${builtins.toString config.services.gitea.settings.server.HTTP_PORT}"; }
|
|
|
|
];
|
|
|
|
}
|
|
|
|
];
|
2023-07-29 19:33:13 +00:00
|
|
|
}
|
|
|
|
];
|
|
|
|
|
2024-03-30 15:41:18 +00:00
|
|
|
# Configure Cloudflare DNS to point to this machine
|
|
|
|
services.cloudflare-dyndns.domains = [ config.hostnames.git ];
|
|
|
|
|
2024-01-10 04:11:11 +00:00
|
|
|
# Scrape the metrics endpoint for Prometheus.
|
2023-07-29 19:33:13 +00:00
|
|
|
prometheus.scrapeTargets = [
|
2024-04-20 13:42:06 +00:00
|
|
|
"127.0.0.1:${builtins.toString config.services.gitea.settings.server.HTTP_PORT}"
|
2023-07-29 19:33:13 +00:00
|
|
|
];
|
2022-10-16 20:34:28 +00:00
|
|
|
|
|
|
|
## Backup config
|
|
|
|
|
|
|
|
# Open to groups, allowing for backups
|
2024-04-20 13:42:06 +00:00
|
|
|
systemd.services.gitea.serviceConfig.StateDirectoryMode = lib.mkForce "0770";
|
|
|
|
systemd.tmpfiles.rules = [ "f ${giteaPath}/data/gitea.db 0660 gitea gitea" ];
|
2022-10-16 20:34:28 +00:00
|
|
|
|
|
|
|
# Allow litestream and gitea to share a sqlite database
|
|
|
|
users.users.litestream.extraGroups = [ "gitea" ];
|
|
|
|
users.users.gitea.extraGroups = [ "litestream" ];
|
|
|
|
|
|
|
|
# Backup sqlite database with litestream
|
|
|
|
services.litestream = {
|
|
|
|
settings = {
|
2024-04-20 13:42:06 +00:00
|
|
|
dbs = [
|
|
|
|
{
|
|
|
|
path = "${giteaPath}/data/gitea.db";
|
|
|
|
replicas = [ { url = "s3://${config.backup.s3.bucket}.${config.backup.s3.endpoint}/gitea"; } ];
|
|
|
|
}
|
|
|
|
];
|
2022-10-16 20:34:28 +00:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
# Don't start litestream unless gitea is up
|
|
|
|
systemd.services.litestream = {
|
|
|
|
after = [ "gitea.service" ];
|
|
|
|
requires = [ "gitea.service" ];
|
|
|
|
};
|
|
|
|
|
2023-07-05 00:01:11 +00:00
|
|
|
# Run a repository file backup on a schedule
|
|
|
|
systemd.timers.gitea-backup = lib.mkIf (config.backup.s3.endpoint != null) {
|
|
|
|
timerConfig = {
|
|
|
|
OnCalendar = "*-*-* 00:00:00"; # Once per day
|
|
|
|
Unit = "gitea-backup.service";
|
|
|
|
};
|
|
|
|
wantedBy = [ "timers.target" ];
|
|
|
|
};
|
|
|
|
|
|
|
|
# Backup Gitea repos to object storage
|
2024-04-20 13:42:06 +00:00
|
|
|
systemd.services.gitea-backup = lib.mkIf (config.backup.s3.endpoint != null) {
|
|
|
|
description = "Backup Gitea data";
|
|
|
|
environment.AWS_ACCESS_KEY_ID = config.backup.s3.accessKeyId;
|
|
|
|
serviceConfig = {
|
|
|
|
Type = "oneshot";
|
|
|
|
User = "gitea";
|
|
|
|
Group = "backup";
|
|
|
|
EnvironmentFile = config.secrets.backup.dest;
|
2023-07-05 00:01:11 +00:00
|
|
|
};
|
2024-04-20 13:42:06 +00:00
|
|
|
script = ''
|
|
|
|
${pkgs.awscli2}/bin/aws s3 sync --exclude */gitea.db* \
|
|
|
|
${giteaPath}/ \
|
|
|
|
s3://${config.backup.s3.bucket}/gitea-data/ \
|
|
|
|
--endpoint-url=https://${config.backup.s3.endpoint}
|
|
|
|
'';
|
|
|
|
};
|
2022-10-16 20:34:28 +00:00
|
|
|
};
|
|
|
|
}
|