Set up konjassiem-02 (Git)

4 years ago · 97981c9224
parent 1d3745e32e
commit 97981c9224
1 changed files with 124 additions and 0 deletions
--- a/configuration/default.nix
+++ b/configuration/default.nix
@ -290,5 +290,129 @@ in {
 			./hardware-configurations/machine-konjassiem-02.nix
 			(tincConfiguration { hostname = "machine-konjassiem-02.cryto.net"; nodes = nodes; })
 		];
 		services.postgresql = {
 			enable = true;
 			ensureDatabases = [ "gitea" ];
 			ensureUsers = [{
 				name = "git";
 				ensurePermissions = {
 					"DATABASE gitea" = "ALL PRIVILEGES";
 				};
 			}];
 		};
 		users.users.git = {
 			description = "Gitea Service";
 			home = "/var/lib/gitea";
 			useDefaultShell = true;
 			group = "git";
 			isSystemUser = true;
 		};
 		users.groups.git = {};
 		networking.firewall.allowedTCPPorts = [ 80 443 ];
 		services.nginx = {
 			enable = true;
 			virtualHosts = {
 				"404.cryto.net" = {
 					default = true;
 					extraConfig = ''
 						return 404;
 					'';
 				};
 				"git.cryto.net" = lib.mkMerge [
 					(nginxPresets.letsEncrypt)
 					(nginxPresets.reverseProxy "http://127.0.0.1:3000/")
 				];
 			};
 		};
 		# NOTE: Workaround that removes `setuid` from the disallowed syscall list, because otherwise sendmail/opensmtpd breaks
 		systemd.services.gitea.serviceConfig.SystemCallFilter = lib.mkForce "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @swap";
 		services.gitea = {
 			enable = true;
 			user = "git";
 			appName = "Cryto Git";
 			repositoryRoot = "/var/lib/repositories";
 			domain = "git.cryto.net";
 			httpAddress = "localhost";
 			httpPort = 3000;
 			rootUrl = "https://git.cryto.net/";
 			database = {
 				createDatabase = false;
 				type = "postgres";
 				socket = "/run/postgresql";
 				user = "git";
 			};
 			extraConfig = ''
 				[database]
 				LOG_SQL = false
 				[service]
 				ENABLE_CAPTCHA = true
 				REGISTER_EMAIL_CONFIRM = true
 				ENABLE_NOTIFY_MAIL = true
 				ENABLE_USER_HEATMAP = false
 				[security]
 				PASSWORD_COMPLEXITY = off
 				[session]
 				PROVIDER = file
 				[mailer]
 				ENABLED = true
 				MAILER_TYPE = sendmail
 				FROM = "Cryto Git" <noreply@git.cryto.net>
 				SENDMAIL_PATH = ${pkgs.system-sendmail}/bin/sendmail
 			'';
 			# FIXME: Use this instead of extraConfig in 20.09
 			# settings = {
 			# 	database = {
 			# 		LOG_SQL = false;
 			# 	};
 			# 	service = {
 			# 		ENABLE_CAPTCHA = true;
 			# 		REGISTER_EMAIL_CONFIRM = true;
 			# 		ENABLE_NOTIFY_MAIL = true;
 			# 		ENABLE_USER_HEATMAP = false;
 			# 	};
 			# 	security = {
 			# 		PASSWORD_COMPLEXITY = "off";
 			# 	};
 			# 	session = {
 			# 		PROVIDER = "file";
 			# 	};
 			# 	mailer = {
 			# 		ENABLED = true;
 			# 		MAILER_TYPE = "sendmail";
 			# 		FROM = "\"Cryto Git\" <noreply@git.cryto.net>";
 			# 		SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail";
 			# 	};
 			# };
 		};
 		# FIXME: DKIM/DMARC
 		services.opensmtpd = {
 			enable = true;
 			serverConfiguration = ''
 				listen on lo
 				action "outbound" relay
 				match from local for any action "outbound"
 			'';
 		};
 	};
 }