
Set up konjassiem-02 (Git)

master
Sven Slootweg 2 months ago
parent
commit
97981c9224
1 changed files with 124 additions and 0 deletions
  1. +124
    -0
      configuration/default.nix

+ 124
- 0
configuration/default.nix View File

@@ -290,5 +290,129 @@ in {
./hardware-configurations/machine-konjassiem-02.nix
(tincConfiguration { hostname = "machine-konjassiem-02.cryto.net"; nodes = nodes; })
];

services.postgresql = {
enable = true;
ensureDatabases = [ "gitea" ];
ensureUsers = [{
name = "git";
ensurePermissions = {
"DATABASE gitea" = "ALL PRIVILEGES";
};
}];
};

users.users.git = {
description = "Gitea Service";
home = "/var/lib/gitea";
useDefaultShell = true;
group = "git";
isSystemUser = true;
};

users.groups.git = {};

networking.firewall.allowedTCPPorts = [ 80 443 ];

services.nginx = {
enable = true;
virtualHosts = {
"404.cryto.net" = {
default = true;
extraConfig = ''
return 404;
'';
};
"git.cryto.net" = lib.mkMerge [
(nginxPresets.letsEncrypt)
(nginxPresets.reverseProxy "http://127.0.0.1:3000/")
];
};
};

# NOTE: Workaround that removes `setuid` from the disallowed syscall list, because otherwise sendmail/opensmtpd breaks
systemd.services.gitea.serviceConfig.SystemCallFilter = lib.mkForce "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @swap";

services.gitea = {
enable = true;
user = "git";
appName = "Cryto Git";
repositoryRoot = "/var/lib/repositories";

domain = "git.cryto.net";
httpAddress = "localhost";
httpPort = 3000;
rootUrl = "https://git.cryto.net/";
database = {
createDatabase = false;
type = "postgres";
socket = "/run/postgresql";
user = "git";
};

extraConfig = ''
[database]
LOG_SQL = false

[service]
ENABLE_CAPTCHA = true
REGISTER_EMAIL_CONFIRM = true
ENABLE_NOTIFY_MAIL = true
ENABLE_USER_HEATMAP = false

[security]
PASSWORD_COMPLEXITY = off

[session]
PROVIDER = file

[mailer]
ENABLED = true
MAILER_TYPE = sendmail
FROM = "Cryto Git" <noreply@git.cryto.net>
SENDMAIL_PATH = ${pkgs.system-sendmail}/bin/sendmail
'';

# FIXME: Use this instead of extraConfig in 20.09
# settings = {
# database = {
# LOG_SQL = false;
# };

# service = {
# ENABLE_CAPTCHA = true;
# REGISTER_EMAIL_CONFIRM = true;
# ENABLE_NOTIFY_MAIL = true;
# ENABLE_USER_HEATMAP = false;
# };

# security = {
# PASSWORD_COMPLEXITY = "off";
# };

# session = {
# PROVIDER = "file";
# };

# mailer = {
# ENABLED = true;
# MAILER_TYPE = "sendmail";
# FROM = "\"Cryto Git\" <noreply@git.cryto.net>";
# SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail";
# };
# };
};

# FIXME: DKIM/DMARC
services.opensmtpd = {
enable = true;
serverConfiguration = ''
listen on lo

action "outbound" relay
match from local for any action "outbound"
'';
};
};
}
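Review bot: `PASSWORD_COMPLEXITY = off` in the `[security]` section of `extraConfig` (mirrored in the commented-out `settings` block) disables Gitea's complexity check entirely, and nothing in the hunk sets `DISABLE_REGISTRATION`, so if registration is left at Gitea's default (open), self-registered accounts can pick trivial passwords; consider pairing it with an explicit `MIN_PASSWORD_LENGTH = <N>` and a one-line comment stating why complexity is turned off. The `lib.mkForce` on `systemd.services.gitea.serviceConfig.SystemCallFilter` replaces the module's whole filter instead of removing the one entry, so any hardening the upstream module adds later is silently discarded; the NOTE above it should name the entry that was dropped and say the remaining list was copied from the module's default so it can be re-synced on upgrade. The enclosing attribute set (`in {` … `}`) begins outside the hunk.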
