# Gitea forge for this host.
#
# Exposure surface, as configured here:
#   - HTTP is served only on a unix socket and reverse-proxied by nginx,
#     which terminates TLS (ACME certificate, plain HTTP redirected).
#   - SSH clones go through Gitea's builtin SSH server on its own TCP port,
#     the only port this module opens in the firewall.
#   - The SMTP password is decrypted by sops-nix at activation time and
#     handed to Gitea as a file, so it never enters the Nix store.
{ config, lib, pkgs, ... }:

let
  giteaCfg = config.services.gitea;
  mailSecret = config.sops.secrets.gitea-mail;
  vhost = "git.sbruder.de";
in
{
  # Decrypted secret readable by the Gitea service user only.
  sops.secrets.gitea-mail = {
    owner = giteaCfg.user;
    sopsFile = ../secrets.yaml;
  };

  # NOTE(review): the secret above is already owned by the Gitea user; the
  # extra "keys" group membership is presumably for sops-nix's key/secret
  # directory permissions — confirm it is still needed.
  systemd.services.gitea.serviceConfig.SupplementaryGroups = [ "keys" ];

  services.gitea = {
    enable = true;
    appName = "sbrudergit";
    rootUrl = "https://${vhost}/";
    # Session cookies are marked Secure; TLS is terminated by nginx below.
    cookieSecure = true;
    log.level = "Warn";

    lfs.enable = true;
    lfs.contentDir = "/data/gitea/lfs/";

    # No TCP HTTP listener; nginx proxies to the socket.
    enableUnixSocket = true;
    ssh.clonePort = 2022;
    database.type = "postgres";

    # Path to the decrypted SMTP password (sops-nix), not the password itself.
    mailerPasswordFile = mailSecret.path;

    settings = {
      mailer = {
        ENABLED = true;
        # NOTE(review): newer Gitea releases deprecate HOST in favour of
        # SMTP_ADDR/SMTP_PORT — verify against the deployed Gitea version.
        HOST = "vueko.sbruder.de:587";
        FROM = "gitea@sbruder.de";
        USER = "gitea@sbruder.de";
      };

      avatar.DISABLE_GRAVATAR = true;

      server = {
        # privacy: no per-request router log, no third-party assets
        DISABLE_ROUTER_LOG = true;
        OFFLINE_MODE = true;
        # builtin SSH server (no sshd integration); host key paths are
        # presumably relative to Gitea's data directory — confirm.
        BUILTIN_SSH_SERVER_USER = "git";
        START_SSH_SERVER = true;
        SSH_SERVER_HOST_KEYS = "ssh/gitea.ed25519,ssh/gitea.rsa";
      };

      service = {
        # New accounts hide their e-mail address by default and must
        # confirm it before the account becomes usable.
        DEFAULT_KEEP_EMAIL_PRIVATE = true;
        ENABLE_NOTIFY_MAIL = true;
        NO_REPLY_ADDRESS = "users.git.sbruder.de";
        REGISTER_EMAIL_CONFIRM = true;
      };

      session.PROVIDER = "file";
    };
  };

  # Only the SSH clone port is opened; it follows the option above so an
  # override elsewhere keeps the firewall in sync.
  networking.firewall.allowedTCPPorts = [ giteaCfg.ssh.clonePort ];

  services.nginx.virtualHosts."${vhost}" = {
    enableACME = true;
    forceSSL = true;
    locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock";
  };
}