Natsu Kagami
c36f5f66b1
Move most things to Cloudflare R2, whilst gotosocial goes to local. Reviewed-on: #5 Co-authored-by: Natsu Kagami <nki@nkagami.me> Co-committed-by: Natsu Kagami <nki@nkagami.me>
240 lines
7.1 KiB
Nix
240 lines
7.1 KiB
Nix
{ pkgs, config, lib, ... }:
|
|
with lib;
|
|
let
|
|
user = "gitea";
|
|
host = "git.dtth.ch";
|
|
port = 61116;
|
|
|
|
secrets = config.sops.secrets;
|
|
|
|
signingKey = "0x3681E15E5C14A241";
|
|
|
|
catppuccinThemes = pkgs.fetchurl {
|
|
url = "https://github.com/catppuccin/gitea/releases/download/v0.4.1/catppuccin-gitea.tar.gz";
|
|
hash = "sha256-/P4fLvswitlfeaKaUykrEKvjbNpw5Q/nzGQ/GZaLyUI=";
|
|
};
|
|
staticDir = pkgs.runCommandLocal "forgejo-static" { } ''
|
|
mkdir -p $out
|
|
tmp=$(mktemp -d)
|
|
cp -r ${config.services.forgejo.package.data}/* $tmp
|
|
chmod -R +w $tmp
|
|
|
|
# Copy icons
|
|
install -m 0644 ${./gitea/img}/* $tmp/public/assets/img
|
|
|
|
# Copy the themes
|
|
env PATH=${pkgs.gzip}/bin:${pkgs.gnutar}/bin:$PATH \
|
|
tar -xvf ${catppuccinThemes} -C $tmp/public/assets/css
|
|
|
|
cp -r $tmp/* $out
|
|
'';
|
|
|
|
default-themes = "forgejo-auto, forgejo-light, forgejo-dark, gitea-auto, gitea-light, gitea-dark, forgejo-auto-deuteranopia-protanopia, forgejo-light-deuteranopia-protanopia, forgejo-dark-deuteranopia-protanopia, forgejo-auto-tritanopia, forgejo-light-tritanopia, forgejo-dark-tritanopia";
|
|
themes = strings.concatStringsSep ", " [
|
|
"catppuccin-macchiato-green"
|
|
"catppuccin-mocha-teal"
|
|
"catppuccin-macchiato-sky"
|
|
"catppuccin-mocha-sky"
|
|
"catppuccin-mocha-yellow"
|
|
"catppuccin-mocha-lavender"
|
|
"catppuccin-macchiato-rosewater"
|
|
"catppuccin-macchiato-lavender"
|
|
"catppuccin-macchiato-pink"
|
|
"catppuccin-frappe-lavender"
|
|
"catppuccin-macchiato-yellow"
|
|
"catppuccin-frappe-yellow"
|
|
"catppuccin-latte-red"
|
|
"catppuccin-frappe-flamingo"
|
|
"catppuccin-mocha-blue"
|
|
"catppuccin-macchiato-peach"
|
|
"catppuccin-macchiato-flamingo"
|
|
"catppuccin-mocha-pink"
|
|
"catppuccin-macchiato-mauve"
|
|
"catppuccin-mocha-rosewater"
|
|
"catppuccin-latte-rosewater"
|
|
"catppuccin-mocha-red"
|
|
"catppuccin-macchiato-sapphire"
|
|
"catppuccin-latte-teal"
|
|
"catppuccin-latte-flamingo"
|
|
"catppuccin-macchiato-blue"
|
|
"catppuccin-latte-blue"
|
|
"catppuccin-latte-peach"
|
|
"catppuccin-frappe-mauve"
|
|
"catppuccin-frappe-green"
|
|
"catppuccin-frappe-teal"
|
|
"catppuccin-latte-mauve"
|
|
"catppuccin-macchiato-teal"
|
|
"catppuccin-frappe-red"
|
|
"catppuccin-latte-yellow"
|
|
"catppuccin-latte-lavender"
|
|
"catppuccin-mocha-flamingo"
|
|
"catppuccin-frappe-sapphire"
|
|
"catppuccin-frappe-blue"
|
|
"catppuccin-mocha-green"
|
|
"catppuccin-frappe-maroon"
|
|
"catppuccin-latte-green"
|
|
"catppuccin-frappe-rosewater"
|
|
"catppuccin-latte-sapphire"
|
|
"catppuccin-frappe-sky"
|
|
"catppuccin-mocha-sapphire"
|
|
"catppuccin-mocha-maroon"
|
|
"catppuccin-macchiato-red"
|
|
"catppuccin-latte-pink"
|
|
"catppuccin-frappe-peach"
|
|
"catppuccin-frappe-pink"
|
|
"catppuccin-mocha-mauve"
|
|
"catppuccin-macchiato-maroon"
|
|
"catppuccin-mocha-peach"
|
|
"catppuccin-latte-sky"
|
|
"catppuccin-latte-maroon"
|
|
];
|
|
in
|
|
{
|
|
users.users.${user} = {
|
|
home = config.services.forgejo.stateDir;
|
|
useDefaultShell = true;
|
|
isSystemUser = true;
|
|
group = user;
|
|
};
|
|
users.groups.${user} = { };
|
|
sops.secrets."gitea/signing-key".owner = user;
|
|
sops.secrets."gitea/minio-secret-key".owner = user;
|
|
sops.secrets."gitea/mailer-password".owner = user;
|
|
# database
|
|
cloud.postgresql.databases = [ user ];
|
|
# traefik
|
|
cloud.traefik.hosts.gitea = {
|
|
inherit port host;
|
|
noCloudflare = true;
|
|
};
|
|
|
|
systemd.services.forgejo.requires = [ "postgresql.service" ];
|
|
|
|
services.forgejo = {
|
|
enable = true;
|
|
|
|
inherit user;
|
|
|
|
settings = {
|
|
server = {
|
|
DOMAIN = host;
|
|
ROOT_URL = "https://${host}/";
|
|
HTTP_ADDRESS = "127.0.0.1";
|
|
HTTP_PORT = port;
|
|
STATIC_ROOT_PATH = staticDir;
|
|
};
|
|
repository = {
|
|
DEFAULT_PRIVATE = "private";
|
|
PREFERRED_LICENSES = strings.concatStringsSep "," [ "AGPL-3.0-or-later" "GPL-3.0-or-later" "Apache-2.0" ];
|
|
# DISABLE_HTTP_GIT = true;
|
|
DEFAULT_BRANCH = "master";
|
|
ENABLE_PUSH_CREATE_USER = true;
|
|
};
|
|
"repository.pull-request" = {
|
|
DEFAULT_MERGE_STYLE = "squash";
|
|
};
|
|
"repository.signing" = {
|
|
SIGNING_KEY = signingKey;
|
|
SIGNING_NAME = "DTTHgit";
|
|
SIGNING_EMAIL = "dtth-gitea@nkagami.me";
|
|
};
|
|
ui.THEMES = default-themes + "," + themes;
|
|
"ui.meta" = {
|
|
AUTHOR = "DTTHgit - Gitea instance for GTTH";
|
|
DESCRIPTION = "DTTHGit is a custom Gitea instance hosted for DTTH members only.";
|
|
KEYWORDS = "git,gitea,dtth";
|
|
};
|
|
service = {
|
|
DISABLE_REGISTRATION = true;
|
|
ENABLE_NOTIFY_MAIL = true;
|
|
ENABLE_BASIC_AUTHENTICATION = false;
|
|
REGISTER_EMAIL_CONFIRM = true;
|
|
};
|
|
"service.explore" = {
|
|
REQUIRE_SIGNIN_VIEW = true;
|
|
};
|
|
session = {
|
|
COOKIE_SECURE = true;
|
|
};
|
|
|
|
oauth2_client = {
|
|
REGISTER_EMAIL_CONFIRM = false;
|
|
ENABLE_AUTO_REGISTRATION = true;
|
|
};
|
|
|
|
mailer = {
|
|
ENABLED = true;
|
|
PROTOCOL = "smtps";
|
|
SMTP_ADDR = "mx1.nkagami.me";
|
|
SMTP_PORT = 465;
|
|
USER = "dtth-gitea@nkagami.me";
|
|
FROM = "DTTHGit <dtth-gitea@nkagami.me>";
|
|
};
|
|
|
|
git = {
|
|
PATH = "${pkgs.git}/bin/git";
|
|
};
|
|
|
|
storage = {
|
|
STORAGE_TYPE = "minio";
|
|
MINIO_USE_SSL = "true";
|
|
MINIO_ENDPOINT = "60c0807121eb35ef52cdcd4a33735fa6.r2.cloudflarestorage.com";
|
|
MINIO_ACCESS_KEY_ID = "704c29ade7a8b438b77ab520da2799ca";
|
|
MINIO_SECRET_ACCESS_KEY = "#miniosecretkey#";
|
|
MINIO_BUCKET = "dtth-gitea";
|
|
MINIO_LOCATION = "auto";
|
|
MINIO_CHECKSUM_ALGORITHM = "md5"; # R2 moment
|
|
};
|
|
|
|
federation.ENABLED = true;
|
|
DEFAULT.APP_NAME = "DTTHGit";
|
|
};
|
|
|
|
stateDir = "/mnt/data/gitea";
|
|
|
|
mailerPasswordFile = secrets."gitea/mailer-password".path;
|
|
|
|
database = {
|
|
inherit user;
|
|
createDatabase = false;
|
|
type = "postgres";
|
|
socket = "/var/run/postgresql";
|
|
name = user;
|
|
};
|
|
|
|
# LFS
|
|
lfs.enable = true;
|
|
|
|
# Backup
|
|
# dump.enable = true;
|
|
};
|
|
|
|
# Set up gpg signing key
|
|
systemd.services.forgejo = {
|
|
path = with pkgs; [ gnupg ];
|
|
environment.GNUPGHOME = "${config.services.gitea.stateDir}/.gnupg";
|
|
# https://github.com/NixOS/nixpkgs/commit/93c1d370db28ad4573fb9890c90164ba55391ce7
|
|
serviceConfig.SystemCallFilter = mkForce "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
|
|
preStart =
|
|
let
|
|
configFile = "${config.services.forgejo.customDir}/conf/app.ini";
|
|
in
|
|
''
|
|
# Update minio secret key
|
|
chmod u+w ${configFile} && \
|
|
${lib.getExe pkgs.replace-secret} '#miniosecretkey#' '${config.sops.secrets."gitea/minio-secret-key".path}' '${configFile}' && \
|
|
chmod u-w ${configFile}
|
|
# Import the signing subkey
|
|
if cat ${config.services.forgejo.stateDir}/.gnupg/gpg.conf | grep -q ${signingKey}; then
|
|
echo "Keys already imported"
|
|
# imported
|
|
else
|
|
echo "Import your keys!"
|
|
${pkgs.gnupg}/bin/gpg --quiet --import ${secrets."gitea/signing-key".path}
|
|
echo "trusted-key ${signingKey}" >> ${config.services.forgejo.stateDir}/.gnupg/gpg.conf
|
|
exit 1
|
|
fi
|
|
'';
|
|
};
|
|
}
|