1 changed files with 124 additions and 0 deletions
Split View
Diff Options
-
+124 -0configuration/default.nix
+ 124
- 0
configuration/default.nix
View File
| @@ -290,5 +290,129 @@ in { | |||
| ./hardware-configurations/machine-konjassiem-02.nix | |||
| (tincConfiguration { hostname = "machine-konjassiem-02.cryto.net"; nodes = nodes; }) | |||
| ]; | |||
| services.postgresql = { | |||
| enable = true; | |||
| ensureDatabases = [ "gitea" ]; | |||
| ensureUsers = [{ | |||
| name = "git"; | |||
| ensurePermissions = { | |||
| "DATABASE gitea" = "ALL PRIVILEGES"; | |||
| }; | |||
| }]; | |||
| }; | |||
| users.users.git = { | |||
| description = "Gitea Service"; | |||
| home = "/var/lib/gitea"; | |||
| useDefaultShell = true; | |||
| group = "git"; | |||
| isSystemUser = true; | |||
| }; | |||
| users.groups.git = {}; | |||
| networking.firewall.allowedTCPPorts = [ 80 443 ]; | |||
| services.nginx = { | |||
| enable = true; | |||
| virtualHosts = { | |||
| "404.cryto.net" = { | |||
| default = true; | |||
| extraConfig = '' | |||
| return 404; | |||
| ''; | |||
| }; | |||
| "git.cryto.net" = lib.mkMerge [ | |||
| (nginxPresets.letsEncrypt) | |||
| (nginxPresets.reverseProxy "http://127.0.0.1:3000/") | |||
| ]; | |||
| }; | |||
| }; | |||
| # NOTE: Workaround that removes `setuid` from the disallowed syscall list, because otherwise sendmail/opensmtpd breaks | |||
| systemd.services.gitea.serviceConfig.SystemCallFilter = lib.mkForce "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @swap"; | |||
| services.gitea = { | |||
| enable = true; | |||
| user = "git"; | |||
| appName = "Cryto Git"; | |||
| repositoryRoot = "/var/lib/repositories"; | |||
| domain = "git.cryto.net"; | |||
| httpAddress = "localhost"; | |||
| httpPort = 3000; | |||
| rootUrl = "https://git.cryto.net/"; | |||
| database = { | |||
| createDatabase = false; | |||
| type = "postgres"; | |||
| socket = "/run/postgresql"; | |||
| user = "git"; | |||
| }; | |||
| extraConfig = '' | |||
| [database] | |||
| LOG_SQL = false | |||
| [service] | |||
| ENABLE_CAPTCHA = true | |||
| REGISTER_EMAIL_CONFIRM = true | |||
| ENABLE_NOTIFY_MAIL = true | |||
| ENABLE_USER_HEATMAP = false | |||
| [security] | |||
| PASSWORD_COMPLEXITY = off | |||
| [session] | |||
| PROVIDER = file | |||
| [mailer] | |||
| ENABLED = true | |||
| MAILER_TYPE = sendmail | |||
| FROM = "Cryto Git" <noreply@git.cryto.net> | |||
| SENDMAIL_PATH = ${pkgs.system-sendmail}/bin/sendmail | |||
| ''; | |||
| # FIXME: Use this instead of extraConfig in 20.09 | |||
| # settings = { | |||
| # database = { | |||
| # LOG_SQL = false; | |||
| # }; | |||
| # service = { | |||
| # ENABLE_CAPTCHA = true; | |||
| # REGISTER_EMAIL_CONFIRM = true; | |||
| # ENABLE_NOTIFY_MAIL = true; | |||
| # ENABLE_USER_HEATMAP = false; | |||
| # }; | |||
| # security = { | |||
| # PASSWORD_COMPLEXITY = "off"; | |||
| # }; | |||
| # session = { | |||
| # PROVIDER = "file"; | |||
| # }; | |||
| # mailer = { | |||
| # ENABLED = true; | |||
| # MAILER_TYPE = "sendmail"; | |||
| # FROM = "\"Cryto Git\" <noreply@git.cryto.net>"; | |||
| # SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail"; | |||
| # }; | |||
| # }; | |||
| }; | |||
| # FIXME: DKIM/DMARC | |||
| services.opensmtpd = { | |||
| enable = true; | |||
| serverConfiguration = '' | |||
| listen on lo | |||
| action "outbound" relay | |||
| match from local for any action "outbound" | |||
| ''; | |||
| }; | |||
| }; | |||
| } | |||