selfprivacy-nixos-config/sp-modules/gitea/module.nix

149 lines
4 KiB
Nix
Raw Normal View History

{ config, lib, pkgs, ... }:
2023-12-04 11:59:22 +00:00
let
sp = config.selfprivacy;
stateDir =
if sp.useBinds
2024-02-15 09:56:12 +00:00
then "/volumes/${cfg.location}/gitea"
else "/var/lib/gitea";
2024-02-15 09:56:12 +00:00
cfg = sp.modules.gitea;
2023-12-04 11:59:22 +00:00
in
{
options.selfprivacy.modules.gitea = {
enable = lib.mkOption {
default = false;
2023-12-28 08:54:59 +00:00
type = lib.types.bool;
2023-12-04 11:59:22 +00:00
};
location = lib.mkOption {
2023-12-28 08:54:59 +00:00
type = lib.types.str;
2023-12-04 11:59:22 +00:00
};
2024-02-15 09:56:12 +00:00
subdomain = lib.mkOption {
default = "git";
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
};
appName = lib.mkOption {
default = "SelfPrivacy git Service";
type = lib.types.str;
};
enableLfs = lib.mkOption {
default = true;
type = lib.types.bool;
};
forcePrivate = lib.mkOption {
default = false;
type = lib.types.bool;
description = "Force all new repositories to be private";
};
disableRegistration = lib.mkOption {
default = false;
type = lib.types.bool;
description = "Disable registration of new users";
};
requireSigninView = lib.mkOption {
default = false;
type = lib.types.bool;
description = "Require signin to view any page";
};
2023-12-04 11:59:22 +00:00
};
2024-02-15 09:56:12 +00:00
config = lib.mkIf cfg.enable {
2023-12-19 12:20:28 +00:00
fileSystems = lib.mkIf sp.useBinds {
"/var/lib/gitea" = {
2024-02-15 09:56:12 +00:00
device = "/volumes/${cfg.location}/gitea";
2023-12-19 12:20:28 +00:00
options = [ "bind" ];
};
};
2024-06-30 18:15:30 +00:00
services.gitea.enable = false;
services.forgejo = {
enable = true;
package = pkgs.forgejo;
inherit stateDir;
user = "gitea";
2024-06-30 18:15:30 +00:00
group = "gitea";
database = {
type = "sqlite3";
host = "127.0.0.1";
name = "gitea";
2023-12-04 11:59:22 +00:00
user = "gitea";
path = "${stateDir}/data/gitea.db";
createDatabase = true;
};
# ssh = {
# enable = true;
# clonePort = 22;
# };
lfs = {
enable = cfg.enableLfs;
contentDir = "${stateDir}/lfs";
};
repositoryRoot = "${stateDir}/repositories";
# cookieSecure = true;
settings = {
DEFAULT = {
APP_NAME = "${cfg.appName}";
};
server = {
2024-02-15 09:56:12 +00:00
DOMAIN = "${cfg.subdomain}.${sp.domain}";
ROOT_URL = "https://${cfg.subdomain}.${sp.domain}/";
HTTP_ADDR = "0.0.0.0";
HTTP_PORT = 3000;
};
mailer = {
ENABLED = false;
};
ui = {
2024-06-30 18:15:30 +00:00
DEFAULT_THEME = "forgejo-auto";
SHOW_USER_EMAIL = false;
2023-12-04 11:59:22 +00:00
};
picture = {
DISABLE_GRAVATAR = true;
2023-12-04 11:59:22 +00:00
};
admin = {
ENABLE_KANBAN_BOARD = true;
};
repository = {
FORCE_PRIVATE = cfg.forcePrivate;
};
session = {
COOKIE_SECURE = true;
};
log = {
ROOT_PATH = "${stateDir}/log";
LEVEL = "Warn";
};
service = {
DISABLE_REGISTRATION = cfg.disableRegistration;
REQUIRE_SIGNIN_VIEW = cfg.requireSigninView;
};
};
};
2024-06-30 18:15:30 +00:00
users.users.gitea = {
home = "${stateDir}";
useDefaultShell = true;
group = "gitea";
isSystemUser = true;
};
users.groups.gitea = { };
2024-02-15 09:56:12 +00:00
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
2023-12-22 15:57:48 +00:00
useACMEHost = sp.domain;
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
locations = {
"/" = {
proxyPass = "http://127.0.0.1:3000";
2023-12-04 11:59:22 +00:00
};
};
};
2024-06-30 18:15:30 +00:00
systemd.services.forgejo.unitConfig.RequiresMountsFor =
2024-02-15 09:56:12 +00:00
lib.mkIf sp.useBinds "/volumes/${cfg.location}/gitea";
2023-12-04 11:59:22 +00:00
};
}