
Set up konjassiem-02 (Git)

master
Sven Slootweg vor 3 Jahren
Ursprung 1d3745e32e
Commit 97981c9224

@ -290,5 +290,129 @@ in {
./hardware-configurations/machine-konjassiem-02.nix
(tincConfiguration { hostname = "machine-konjassiem-02.cryto.net"; nodes = nodes; })
];
services.postgresql = {
enable = true;
ensureDatabases = [ "gitea" ];
ensureUsers = [{
name = "git";
ensurePermissions = {
"DATABASE gitea" = "ALL PRIVILEGES";
};
}];
};
users.users.git = {
description = "Gitea Service";
home = "/var/lib/gitea";
useDefaultShell = true;
group = "git";
isSystemUser = true;
};
users.groups.git = {};
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
virtualHosts = {
"404.cryto.net" = {
default = true;
extraConfig = ''
return 404;
'';
};
"git.cryto.net" = lib.mkMerge [
(nginxPresets.letsEncrypt)
(nginxPresets.reverseProxy "http://127.0.0.1:3000/")
];
};
};
# NOTE: Workaround that removes `setuid` from the disallowed syscall list, because otherwise sendmail/opensmtpd breaks
systemd.services.gitea.serviceConfig.SystemCallFilter = lib.mkForce "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @swap";
services.gitea = {
enable = true;
user = "git";
appName = "Cryto Git";
repositoryRoot = "/var/lib/repositories";
domain = "git.cryto.net";
httpAddress = "localhost";
httpPort = 3000;
rootUrl = "https://git.cryto.net/";
database = {
createDatabase = false;
type = "postgres";
socket = "/run/postgresql";
user = "git";
};
extraConfig = ''
[database]
LOG_SQL = false
[service]
ENABLE_CAPTCHA = true
REGISTER_EMAIL_CONFIRM = true
ENABLE_NOTIFY_MAIL = true
ENABLE_USER_HEATMAP = false
[security]
PASSWORD_COMPLEXITY = off
[session]
PROVIDER = file
[mailer]
ENABLED = true
MAILER_TYPE = sendmail
FROM = "Cryto Git" <noreply@git.cryto.net>
SENDMAIL_PATH = ${pkgs.system-sendmail}/bin/sendmail
'';
# FIXME: Use this instead of extraConfig in 20.09
# settings = {
# database = {
# LOG_SQL = false;
# };
# service = {
# ENABLE_CAPTCHA = true;
# REGISTER_EMAIL_CONFIRM = true;
# ENABLE_NOTIFY_MAIL = true;
# ENABLE_USER_HEATMAP = false;
# };
# security = {
# PASSWORD_COMPLEXITY = "off";
# };
# session = {
# PROVIDER = "file";
# };
# mailer = {
# ENABLED = true;
# MAILER_TYPE = "sendmail";
# FROM = "\"Cryto Git\" <noreply@git.cryto.net>";
# SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail";
# };
# };
};
# FIXME: DKIM/DMARC
services.opensmtpd = {
enable = true;
serverConfiguration = ''
listen on lo
action "outbound" relay
match from local for any action "outbound"
'';
};
};
}
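Review bot: The `SystemCallFilter` override uses `lib.mkForce` with a hand-copied denylist, so it replaces the gitea module's filter wholesale rather than only dropping the setuid group the NOTE mentions. Any group the module adds to its filter in a later NixOS release will silently not apply to this service. The relaxation also covers the whole gitea process, not just the sendmail child it is meant for. I would extend the comment to record that, e.g. `# Copy of the module's SystemCallFilter minus @setuid (pinned with mkForce): re-diff against the gitea module on every NixOS upgrade`, and drop the override once mail can be handed off without a setuid helper (for instance plain SMTP to the opensmtpd listener on lo). The enclosing attribute set starts outside this hunk.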
