{ config, pkgs, lib, ... }: let inherit (config.nmasur.settings) hostnames username; cfg = config.nmasur.presets.services.gitea; giteaPath = "/var/lib/gitea"; # Default service directory in { options.nmasur.presets.services.gitea.enable = lib.mkEnableOption "Gitea git server"; config = lib.mkIf cfg.enable { services.gitea = { enable = true; database.type = "sqlite3"; settings = { actions.ENABLED = true; metrics.ENABLED = true; repository = { # Pushing to a repo that doesn't exist automatically creates one as # private. DEFAULT_PUSH_CREATE_PRIVATE = true; # Allow git over HTTP. DISABLE_HTTP_GIT = false; # Allow requests hitting the specified hostname. ACCESS_CONTROL_ALLOW_ORIGIN = hostnames.git; # Automatically create viable users/orgs on push. ENABLE_PUSH_CREATE_USER = true; ENABLE_PUSH_CREATE_ORG = true; # Default when creating new repos. DEFAULT_BRANCH = "main"; }; server = { HTTP_PORT = 3001; HTTP_ADDRESS = "127.0.0.1"; ROOT_URL = "https://${hostnames.git}/"; SSH_PORT = 22; START_SSH_SERVER = false; # Use sshd instead DISABLE_SSH = false; }; # Don't allow public users to register accounts. service.DISABLE_REGISTRATION = true; # Force using HTTPS for all session access. session.COOKIE_SECURE = true; # Hide users' emails. ui.SHOW_USER_EMAIL = false; }; extraConfig = null; }; users.users.${username}.extraGroups = [ "gitea" ]; nmasur.presets.services.caddy.routes = [ # Prevent public access to Prometheus metrics. { match = [ { host = [ hostnames.git ]; path = [ "/metrics*" ]; } ]; handle = [ { handler = "static_response"; status_code = "403"; } ]; } # Allow access to primary server. { match = [ { host = [ hostnames.git ]; } ]; handle = [ { handler = "reverse_proxy"; upstreams = [ { dial = "localhost:${builtins.toString config.services.gitea.settings.server.HTTP_PORT}"; } ]; } ]; } ]; # Configure Cloudflare DNS to point to this machine services.cloudflare-dyndns.domains = [ hostnames.git ]; # Scrape the metrics endpoint for Prometheus. nmasur.presets.services.prometheus-exporters.scrapeTargets = [ "127.0.0.1:${builtins.toString config.services.gitea.settings.server.HTTP_PORT}" ]; ## Backup config # Open to groups, allowing for backups systemd.services.gitea.serviceConfig.StateDirectoryMode = lib.mkForce "0770"; systemd.tmpfiles.rules = [ "f ${giteaPath}/data/gitea.db 0660 gitea gitea" ]; # Allow litestream and gitea to share a sqlite database users.users.litestream.extraGroups = [ "gitea" ]; users.users.gitea.extraGroups = [ "litestream" ]; # Backup sqlite database with litestream services.litestream = { settings = { dbs = [ { path = "${giteaPath}/data/gitea.db"; replicas = [ { url = "s3://${config.nmasur.presets.services.litestream.s3.bucket}.${config.nmasur.presets.services.litestream.s3.endpoint}/gitea"; } ]; } ]; }; }; # Don't start litestream unless gitea is up systemd.services.litestream = { after = [ "gitea.service" ]; requires = [ "gitea.service" ]; }; # Run a repository file backup on a schedule systemd.timers.gitea-backup = lib.mkIf (config.nmasur.presets.services.litestream.s3.endpoint != null) { timerConfig = { OnCalendar = "*-*-* 00:00:00"; # Once per day Unit = "gitea-backup.service"; }; wantedBy = [ "timers.target" ]; }; # Backup Gitea repos to object storage systemd.services.gitea-backup = lib.mkIf config.nmasur.presets.services.litestream.enable { description = "Backup Gitea data"; environment.AWS_ACCESS_KEY_ID = config.nmasur.presets.services.litestream.s3.accessKeyId; serviceConfig = { Type = "oneshot"; User = "gitea"; Group = "backup"; EnvironmentFile = config.secrets.litestream-backup.dest; }; script = '' ${pkgs.awscli2}/bin/aws s3 sync --exclude */gitea.db* \ ${giteaPath}/ \ s3://${config.nmasur.presets.services.litestream.s3.bucket}/gitea-data/ \ --endpoint-url=https://${config.nmasur.presets.services.litestream.s3.endpoint} ''; }; }; }