|
|
@@ -290,5 +290,129 @@ in { |
|
|
|
./hardware-configurations/machine-konjassiem-02.nix |
|
|
|
(tincConfiguration { hostname = "machine-konjassiem-02.cryto.net"; nodes = nodes; }) |
|
|
|
]; |
|
|
|
|
|
|
|
services.postgresql = { |
|
|
|
enable = true; |
|
|
|
ensureDatabases = [ "gitea" ]; |
|
|
|
ensureUsers = [{ |
|
|
|
name = "git"; |
|
|
|
ensurePermissions = { |
|
|
|
"DATABASE gitea" = "ALL PRIVILEGES"; |
|
|
|
}; |
|
|
|
}]; |
|
|
|
}; |
|
|
|
|
|
|
|
users.users.git = { |
|
|
|
description = "Gitea Service"; |
|
|
|
home = "/var/lib/gitea"; |
|
|
|
useDefaultShell = true; |
|
|
|
group = "git"; |
|
|
|
isSystemUser = true; |
|
|
|
}; |
|
|
|
|
|
|
|
users.groups.git = {}; |
|
|
|
|
|
|
|
networking.firewall.allowedTCPPorts = [ 80 443 ]; |
|
|
|
|
|
|
|
services.nginx = { |
|
|
|
enable = true; |
|
|
|
virtualHosts = { |
|
|
|
"404.cryto.net" = { |
|
|
|
default = true; |
|
|
|
extraConfig = '' |
|
|
|
return 404; |
|
|
|
''; |
|
|
|
}; |
|
|
|
"git.cryto.net" = lib.mkMerge [ |
|
|
|
(nginxPresets.letsEncrypt) |
|
|
|
(nginxPresets.reverseProxy "http://127.0.0.1:3000/") |
|
|
|
]; |
|
|
|
}; |
|
|
|
}; |
|
|
|
|
|
|
|
# NOTE: Workaround that removes `setuid` from the disallowed syscall list, because otherwise sendmail/opensmtpd breaks |
|
|
|
systemd.services.gitea.serviceConfig.SystemCallFilter = lib.mkForce "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @swap"; |
|
|
|
|
|
|
|
services.gitea = { |
|
|
|
enable = true; |
|
|
|
user = "git"; |
|
|
|
appName = "Cryto Git"; |
|
|
|
repositoryRoot = "/var/lib/repositories"; |
|
|
|
|
|
|
|
domain = "git.cryto.net"; |
|
|
|
httpAddress = "localhost"; |
|
|
|
httpPort = 3000; |
|
|
|
rootUrl = "https://git.cryto.net/"; |
|
|
|
|
|
|
|
database = { |
|
|
|
createDatabase = false; |
|
|
|
type = "postgres"; |
|
|
|
socket = "/run/postgresql"; |
|
|
|
user = "git"; |
|
|
|
}; |
|
|
|
|
|
|
|
extraConfig = '' |
|
|
|
[database] |
|
|
|
LOG_SQL = false |
|
|
|
|
|
|
|
[service] |
|
|
|
ENABLE_CAPTCHA = true |
|
|
|
REGISTER_EMAIL_CONFIRM = true |
|
|
|
ENABLE_NOTIFY_MAIL = true |
|
|
|
ENABLE_USER_HEATMAP = false |
|
|
|
|
|
|
|
[security] |
|
|
|
PASSWORD_COMPLEXITY = off |
|
|
|
|
|
|
|
[session] |
|
|
|
PROVIDER = file |
|
|
|
|
|
|
|
[mailer] |
|
|
|
ENABLED = true |
|
|
|
MAILER_TYPE = sendmail |
|
|
|
FROM = "Cryto Git" <noreply@git.cryto.net> |
|
|
|
SENDMAIL_PATH = ${pkgs.system-sendmail}/bin/sendmail |
|
|
|
''; |
|
|
|
|
|
|
|
# FIXME: Use this instead of extraConfig in 20.09 |
|
|
|
# settings = { |
|
|
|
# database = { |
|
|
|
# LOG_SQL = false; |
|
|
|
# }; |
|
|
|
|
|
|
|
# service = { |
|
|
|
# ENABLE_CAPTCHA = true; |
|
|
|
# REGISTER_EMAIL_CONFIRM = true; |
|
|
|
# ENABLE_NOTIFY_MAIL = true; |
|
|
|
# ENABLE_USER_HEATMAP = false; |
|
|
|
# }; |
|
|
|
|
|
|
|
# security = { |
|
|
|
# PASSWORD_COMPLEXITY = "off"; |
|
|
|
# }; |
|
|
|
|
|
|
|
# session = { |
|
|
|
# PROVIDER = "file"; |
|
|
|
# }; |
|
|
|
|
|
|
|
# mailer = { |
|
|
|
# ENABLED = true; |
|
|
|
# MAILER_TYPE = "sendmail"; |
|
|
|
# FROM = "\"Cryto Git\" <noreply@git.cryto.net>"; |
|
|
|
# SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail"; |
|
|
|
# }; |
|
|
|
# }; |
|
|
|
}; |
|
|
|
|
|
|
|
# FIXME: DKIM/DMARC |
|
|
|
services.opensmtpd = { |
|
|
|
enable = true; |
|
|
|
serverConfiguration = '' |
|
|
|
listen on lo |
|
|
|
|
|
|
|
action "outbound" relay |
|
|
|
match from local for any action "outbound" |
|
|
|
''; |
|
|
|
}; |
|
|
|
}; |
|
|
|
} |
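Review bot: `PASSWORD_COMPLEXITY = off` in the `[security]` block of `extraConfig` drops Gitea's character-class rules while nothing in the hunk disables self-registration (the `[service]` captcha and email confirmation gate sign-up, not password quality), so the built-in default minimum length is the only strength check left; pairing it with an explicit floor, e.g. `MIN_PASSWORD_LENGTH = 12` under `[security]`, keeps the relaxed rules but rules out trivially short passwords. Separately, the `lib.mkForce` on `systemd.services.gitea.serviceConfig.SystemCallFilter` replaces the whole filter string, so any syscall groups the NixOS gitea module adds to its default in a later release would presumably be dropped rather than merged; a comment recording where the string came from, e.g. `# copied from the NixOS gitea module default with @setuid removed; re-diff against the module on upgrade`, would make that drift visible next to the existing NOTE. The enclosing attribute set begins before the hunk.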