From 97981c922498b12fc6b6bcee6e9671ce0600d526 Mon Sep 17 00:00:00 2001
From: Sven Slootweg
Date: Sun, 15 Nov 2020 16:15:53 +0100
Subject: [PATCH] Set up konjassiem-02 (Git)
---
configuration/default.nix | 124 ++++++++++++++++++++++++++++++++++++++
1 file changed, 124 insertions(+)
diff --git a/configuration/default.nix b/configuration/default.nix
index 52e3c85..30216d7 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -290,5 +290,129 @@ in {
 ./hardware-configurations/machine-konjassiem-02.nix
 (tincConfiguration { hostname = "machine-konjassiem-02.cryto.net"; nodes = nodes; })
 ];
+
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "gitea" ];
+ ensureUsers = [{
+ name = "git";
+ ensurePermissions = {
+ "DATABASE gitea" = "ALL PRIVILEGES";
+ };
+ }];
+ };
+
+ users.users.git = {
+ description = "Gitea Service";
+ home = "/var/lib/gitea";
+ useDefaultShell = true;
+ group = "git";
+ isSystemUser = true;
+ };
+
+ users.groups.git = {};
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "404.cryto.net" = {
+ default = true;
+ extraConfig = ''
+ return 404;
+ '';
+ };
+ "git.cryto.net" = lib.mkMerge [
+ (nginxPresets.letsEncrypt)
+ (nginxPresets.reverseProxy "http://127.0.0.1:3000/")
+ ];
+ };
+ };
+
+ # NOTE: Workaround that removes `setuid` from the disallowed syscall list, because otherwise sendmail/opensmtpd breaks
+ systemd.services.gitea.serviceConfig.SystemCallFilter = lib.mkForce "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @swap";
+
+ services.gitea = {
+ enable = true;
+ user = "git";
+ appName = "Cryto Git";
+ repositoryRoot = "/var/lib/repositories";
+
+ domain = "git.cryto.net";
+ httpAddress = "localhost";
+ httpPort = 3000;
+ rootUrl = "https://git.cryto.net/";
+
+ database = {
+ createDatabase = false;
+ type = "postgres";
+ socket = "/run/postgresql";
+ user = "git";
+ };
+
+ extraConfig = ''
+ [database]
+ LOG_SQL = false
+
+ [service]
+ ENABLE_CAPTCHA = true
+ REGISTER_EMAIL_CONFIRM = true
+ ENABLE_NOTIFY_MAIL = true
+ ENABLE_USER_HEATMAP = false
+
+ [security]
+ PASSWORD_COMPLEXITY = off
+
+ [session]
+ PROVIDER = file
+
+ [mailer]
+ ENABLED = true
+ MAILER_TYPE = sendmail
+ FROM = "Cryto Git"
+ SENDMAIL_PATH = ${pkgs.system-sendmail}/bin/sendmail
+ '';
+
+ # FIXME: Use this instead of extraConfig in 20.09
+ # settings = {
+ # database = {
+ # LOG_SQL = false;
+ # };
+
+ # service = {
+ # ENABLE_CAPTCHA = true;
+ # REGISTER_EMAIL_CONFIRM = true;
+ # ENABLE_NOTIFY_MAIL = true;
+ # ENABLE_USER_HEATMAP = false;
+ # };
+
+ # security = {
+ # PASSWORD_COMPLEXITY = "off";
+ # };
+
+ # session = {
+ # PROVIDER = "file";
+ # };
+
+ # mailer = {
+ # ENABLED = true;
+ # MAILER_TYPE = "sendmail";
+ # FROM = "\"Cryto Git\" ";
+ # SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail";
+ # };
+ # };
+ };
+
+ # FIXME: DKIM/DMARC
+ services.opensmtpd = {
+ enable = true;
+ serverConfiguration = ''
+ listen on lo
+
+ action "outbound" relay
+ match from local for any action "outbound"
+ '';
+ };
 };
 }
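Review bot: The `lib.mkForce` on `systemd.services.gitea.serviceConfig.SystemCallFilter` loosens the seccomp filter for the whole Gitea process just so it can exec a setuid sendmail, and because it replaces the entire list rather than removing one entry, any filter groups the NixOS module adds in a later release are silently dropped too. The opensmtpd block already listens on `lo` and relays anything matched by `match from local`, so Gitea can deliver over loopback SMTP and the override can go: replace the two sendmail lines in `[mailer]` with `MAILER_TYPE = smtp` and `HOST = 127.0.0.1:25` (exact key names depend on the Gitea version in use; confirm the smtp mailer does not require TLS for a loopback peer). If the sendmail path is kept, the NOTE comment should record which entries were removed relative to the module's default list so the next upgrade can re-check it, e.g. `# NOTE: copy of the module default minus @setuid/@privileged — re-diff against the upstream module on upgrade`. Separately, `PASSWORD_COMPLEXITY = off` on an instance that appears to allow self-registration (captcha and e-mail confirmation are configured, registration is not disabled) leaves only Gitea's default minimum length in force; consider an explicit `MIN_PASSWORD_LENGTH` next to it.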