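{
  config,
  lib,
  pkgs,
  myData,
  ...
}:
# Gitea module: external traffic enters through caddy, passes the anubis bot
# challenge over a unix socket, and reaches gitea on loopback only.  Every
# listener defined here is bound to 127.0.0.1 or a unix socket; caddy is the
# sole internet-facing component.
{
  options.mj.services.gitea = {
    # mkEnableOption prefixes "Whether to enable ", so the argument is the
    # bare service name (the old "Enable gitea" produced a doubled description).
    enable = lib.mkEnableOption "gitea";
  };

  config = lib.mkIf config.mj.services.gitea.enable {
    users = {
      users = {
        git = {
          description = "Gitea Service";
          home = "/var/lib/gitea";
          shell = "/bin/sh";
          group = "gitea";
          isSystemUser = true;
          uid = myData.uidgid.gitea;
        };
        # caddy reverse-proxies to the anubis unix socket (see the caddy block
        # below); group membership is presumably what grants it access to that
        # socket -- TODO confirm against the anubis module's socket mode.
        caddy.extraGroups = [ config.users.groups.anubis.name ];
      };

      groups.gitea.gid = myData.uidgid.gitea;
    };

    services = {
      anubis = {
        instances.gitea.settings = {
          # Upstream is gitea on loopback; anubis sits in front of it.
          TARGET = "http://127.0.0.1:${toString myData.ports.gitea}";
          # TODO https://github.com/prometheus/prometheus/pull/18091
          # Metrics are loopback-only and are not routed through caddy.
          METRICS_BIND = "127.0.0.1:${toString myData.ports.exporters.anubis}";
          METRICS_BIND_NETWORK = "tcp";
        };
      };
      gitea = {
        enable = true;
        user = "git";
        database.user = "git";
        settings = {
          admin.DISABLE_REGULAR_ORG_CREATION = true;
          api.ENABLE_SWAGGER = false;
          mirror.ENABLED = false;
          other.SHOW_FOOTER_VERSION = false;
          packages.ENABLED = true;
          repo-archive.ENABLED = false;
          repository = {
            DEFAULT_REPO_UNITS = "repo.code,repo.releases";
            # Migrations pull remote URLs from the server; keep them off.
            DISABLE_MIGRATIONS = true;
            DISABLE_STARS = true;
            ENABLE_PUSH_CREATE_USER = true;
          };
          security.LOGIN_REMEMBER_DAYS = 30;
          server = {
            STATIC_URL_PREFIX = "/static";
            ENABLE_GZIP = true;
            LANDING_PAGE = "/motiejus";
            ROOT_URL = "https://git.jakstys.lt";
            # Loopback only: gitea is never reachable except via caddy/anubis.
            HTTP_ADDR = "127.0.0.1";
            HTTP_PORT = myData.ports.gitea;
            DOMAIN = "git.jakstys.lt";
          };
          service = {
            # Closed instance: no self-registration.
            DISABLE_REGISTRATION = true;
            ENABLE_TIMETRACKING = false;
            ENABLE_USER_HEATMAP = false;
            SHOW_MILESTONES_DASHBOARD_PAGE = false;
            # NOTE(review): COOKIE_SECURE is set here and under [session]; the
            # [session] one is the documented key -- confirm [service] reads it,
            # otherwise this line is dead config.
            COOKIE_SECURE = true;
          };
          session.COOKIE_SECURE = true;
          log.LEVEL = "Error";
          mailer = {
            ENABLED = true;
            FROM = "<noreply@jakstys.lt>";
            PROTOCOL = "smtp";
            SMTP_ADDR = "localhost";
            SMTP_PORT = 25;
          };
          "service.explore".DISABLE_USERS_PAGE = true;
        };
      };

      # Lets git clients negotiate protocol v2 over ssh.
      openssh.extraConfig = ''
        AcceptEnv GIT_PROTOCOL
      '';

      # Routing: static assets are served precompressed straight from the
      # gitea package; the health check and requests whose User-Agent matches
      # the @direct_gitea regex skip anubis and hit gitea directly; everything
      # else goes through the anubis challenge socket.  The regex is
      # unanchored and case-insensitive, so the bypass is a convenience for
      # known clients, not an access control -- any client can present such
      # a User-Agent.  Script CSP keeps 'unsafe-eval'/'unsafe-inline' because
      # gitea's frontend needs them (see the linked issue).
      caddy = {
        virtualHosts."git.jakstys.lt".extraConfig = ''
          header {
            Strict-Transport-Security "max-age=15768000"

            # https://github.com/go-gitea/gitea/issues/305#issuecomment-1049290764
            Content-Security-Policy "frame-ancestors 'none'; default-src 'none'; connect-src 'self'; font-src 'self' data:; form-action 'self'; img-src 'self' https://ga-beacon.appspot.com https://raw.githubusercontent.com https://secure.gravatar.com https://sourcethemes.com; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self';"
            X-Content-Type-Options "nosniff"
            X-Frame-Options "DENY"
            Alt-Svc "h3=\":443\"; ma=86400"
          }

          route {
            handle /static/assets/* {
              uri strip_prefix /static
              file_server * {
                root ${pkgs.compressDrvWeb pkgs.gitea.data { }}/public
                precompressed zstd br gzip
              }
            }

            @direct_gitea <<CEL
              path('/api/healthz') ||
              header_regexp('User-Agent', '(?i)(curl|wget|git|elinks|uptimerobot)')
              CEL

            handle @direct_gitea {
              reverse_proxy http://127.0.0.1:${toString myData.ports.gitea}
            }

            handle {
              reverse_proxy unix/${config.services.anubis.instances.gitea.settings.BIND} {
                header_up X-Real-IP {remote_host}
              }
            }
          }
        '';
      };
    };
  };
}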