nixos/gitea: Add option to supply the metrics token via file

2023-10-07 01:21:21 +02:00 · 2023-10-07 01:21:21 +02:00 · b59e5a34e7
commit b59e5a34e7
parent 4d675aec00
2 changed files with 23 additions and 0 deletions
--- a/nixos/modules/services/misc/gitea.nix
+++ b/nixos/modules/services/misc/gitea.nix
@ -246,6 +246,13 @@ in
        description = lib.mdDoc "Path to a file containing the SMTP password.";
      };

+      metricsTokenFile = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        example = "/var/lib/secrets/gitea/metrics_token";
+        description = lib.mdDoc "Path to a file containing the metrics authentication token.";
+      };
+
      settings = mkOption {
        default = {};
        description = lib.mdDoc ''
@ -433,6 +440,10 @@ in
        PASSWD = "#mailerpass#";
      };

+      metrics = mkIf (cfg.metricsTokenFile != null) {
+        TOKEN = "#metricstoken#";
+      };
+
      oauth2 = {
        JWT_SECRET = "#oauth2jwtsecret#";
      };
@ -559,6 +570,10 @@ in
            ${lib.optionalString (cfg.mailerPasswordFile != null) ''
              ${replaceSecretBin} '#mailerpass#' '${cfg.mailerPasswordFile}' '${runConfig}'
            ''}
+
+            ${lib.optionalString (cfg.metricsTokenFile != null) ''
+              ${replaceSecretBin} '#metricstoken#' '${cfg.metricsTokenFile}' '${runConfig}'
+            ''}
            chmod u-w '${runConfig}'
          }
          (umask 027; gitea_setup)
--- a/nixos/tests/gitea.nix
+++ b/nixos/tests/gitea.nix
@ -35,9 +35,11 @@ let
          enable = true;
          database = { inherit type; };
          package = giteaPackage;
+          metricsTokenFile = (pkgs.writeText "metrics_secret" "fakesecret").outPath;
          settings.service.DISABLE_REGISTRATION = true;
          settings."repository.signing".SIGNING_KEY = signingPrivateKeyId;
          settings.actions.ENABLED = true;
+          settings.metrics.ENABLED = true;
        };
        environment.systemPackages = [ giteaPackage pkgs.gnupg pkgs.jq ];
        services.openssh.enable = true;
@ -143,6 +145,12 @@ let
          + '-H "Accept: application/json" | jq length)" = "1"'
      )

+      with subtest("Testing metrics endpoint"):
+          server.succeed('curl '
+                         + '-H "Authorization: Bearer fakesecret" '
+                         + 'http://localhost:3000/metrics '
+                         + '| grep gitea_accesses')
+
      with subtest("Testing runner registration"):
          server.succeed(
              "su -l gitea -c 'GITEA_WORK_DIR=/var/lib/gitea gitea actions generate-runner-token' | sed 's/^/TOKEN=/' | tee /var/lib/gitea/runner_token"