11255ef03c
Also updates my information and contact info. I no longer use The Hedgehog as my github username or online presence username, so this fixes that. It also matches my github username, so it should be easier for others to mention me if needed.
726 lines
26 KiB
Nix
726 lines
26 KiB
Nix
{ config, lib, options, pkgs, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
cfg = config.services.gitea;
|
|
opt = options.services.gitea;
|
|
exe = lib.getExe cfg.package;
|
|
pg = config.services.postgresql;
|
|
useMysql = cfg.database.type == "mysql";
|
|
usePostgresql = cfg.database.type == "postgres";
|
|
useSqlite = cfg.database.type == "sqlite3";
|
|
format = pkgs.formats.ini { };
|
|
configFile = pkgs.writeText "app.ini" ''
|
|
APP_NAME = ${cfg.appName}
|
|
RUN_USER = ${cfg.user}
|
|
RUN_MODE = prod
|
|
WORK_PATH = ${cfg.stateDir}
|
|
|
|
${generators.toINI {} cfg.settings}
|
|
|
|
${optionalString (cfg.extraConfig != null) cfg.extraConfig}
|
|
'';
|
|
in
|
|
|
|
{
|
|
imports = [
|
|
(mkRenamedOptionModule [ "services" "gitea" "cookieSecure" ] [ "services" "gitea" "settings" "session" "COOKIE_SECURE" ])
|
|
(mkRenamedOptionModule [ "services" "gitea" "disableRegistration" ] [ "services" "gitea" "settings" "service" "DISABLE_REGISTRATION" ])
|
|
(mkRenamedOptionModule [ "services" "gitea" "domain" ] [ "services" "gitea" "settings" "server" "DOMAIN" ])
|
|
(mkRenamedOptionModule [ "services" "gitea" "httpAddress" ] [ "services" "gitea" "settings" "server" "HTTP_ADDR" ])
|
|
(mkRenamedOptionModule [ "services" "gitea" "httpPort" ] [ "services" "gitea" "settings" "server" "HTTP_PORT" ])
|
|
(mkRenamedOptionModule [ "services" "gitea" "log" "level" ] [ "services" "gitea" "settings" "log" "LEVEL" ])
|
|
(mkRenamedOptionModule [ "services" "gitea" "log" "rootPath" ] [ "services" "gitea" "settings" "log" "ROOT_PATH" ])
|
|
(mkRenamedOptionModule [ "services" "gitea" "rootUrl" ] [ "services" "gitea" "settings" "server" "ROOT_URL" ])
|
|
(mkRenamedOptionModule [ "services" "gitea" "ssh" "clonePort" ] [ "services" "gitea" "settings" "server" "SSH_PORT" ])
|
|
(mkRenamedOptionModule [ "services" "gitea" "staticRootPath" ] [ "services" "gitea" "settings" "server" "STATIC_ROOT_PATH" ])
|
|
|
|
(mkChangedOptionModule [ "services" "gitea" "enableUnixSocket" ] [ "services" "gitea" "settings" "server" "PROTOCOL" ] (
|
|
config: if config.services.gitea.enableUnixSocket then "http+unix" else "http"
|
|
))
|
|
|
|
(mkRemovedOptionModule [ "services" "gitea" "ssh" "enable" ] "services.gitea.ssh.enable has been migrated into freeform setting services.gitea.settings.server.DISABLE_SSH. Keep in mind that the setting is inverted")
|
|
];
|
|
|
|
options = {
|
|
services.gitea = {
|
|
enable = mkOption {
|
|
default = false;
|
|
type = types.bool;
|
|
description = "Enable Gitea Service.";
|
|
};
|
|
|
|
package = mkPackageOption pkgs "gitea" { };
|
|
|
|
useWizard = mkOption {
|
|
default = false;
|
|
type = types.bool;
|
|
description = "Do not generate a configuration and use gitea' installation wizard instead. The first registered user will be administrator.";
|
|
};
|
|
|
|
stateDir = mkOption {
|
|
default = "/var/lib/gitea";
|
|
type = types.str;
|
|
description = "Gitea data directory.";
|
|
};
|
|
|
|
customDir = mkOption {
|
|
default = "${cfg.stateDir}/custom";
|
|
defaultText = literalExpression ''"''${config.${opt.stateDir}}/custom"'';
|
|
type = types.str;
|
|
description = "Gitea custom directory. Used for config, custom templates and other options.";
|
|
};
|
|
|
|
user = mkOption {
|
|
type = types.str;
|
|
default = "gitea";
|
|
description = "User account under which gitea runs.";
|
|
};
|
|
|
|
group = mkOption {
|
|
type = types.str;
|
|
default = "gitea";
|
|
description = "Group under which gitea runs.";
|
|
};
|
|
|
|
database = {
|
|
type = mkOption {
|
|
type = types.enum [ "sqlite3" "mysql" "postgres" ];
|
|
example = "mysql";
|
|
default = "sqlite3";
|
|
description = "Database engine to use.";
|
|
};
|
|
|
|
host = mkOption {
|
|
type = types.str;
|
|
default = "127.0.0.1";
|
|
description = "Database host address.";
|
|
};
|
|
|
|
port = mkOption {
|
|
type = types.port;
|
|
default = if usePostgresql then pg.settings.port else 3306;
|
|
defaultText = literalExpression ''
|
|
if config.${opt.database.type} != "postgresql"
|
|
then 3306
|
|
else 5432
|
|
'';
|
|
description = "Database host port.";
|
|
};
|
|
|
|
name = mkOption {
|
|
type = types.str;
|
|
default = "gitea";
|
|
description = "Database name.";
|
|
};
|
|
|
|
user = mkOption {
|
|
type = types.str;
|
|
default = "gitea";
|
|
description = "Database user.";
|
|
};
|
|
|
|
password = mkOption {
|
|
type = types.str;
|
|
default = "";
|
|
description = ''
|
|
The password corresponding to {option}`database.user`.
|
|
Warning: this is stored in cleartext in the Nix store!
|
|
Use {option}`database.passwordFile` instead.
|
|
'';
|
|
};
|
|
|
|
passwordFile = mkOption {
|
|
type = types.nullOr types.path;
|
|
default = null;
|
|
example = "/run/keys/gitea-dbpassword";
|
|
description = ''
|
|
A file containing the password corresponding to
|
|
{option}`database.user`.
|
|
'';
|
|
};
|
|
|
|
socket = mkOption {
|
|
type = types.nullOr types.path;
|
|
default = if (cfg.database.createDatabase && usePostgresql) then "/run/postgresql" else if (cfg.database.createDatabase && useMysql) then "/run/mysqld/mysqld.sock" else null;
|
|
defaultText = literalExpression "null";
|
|
example = "/run/mysqld/mysqld.sock";
|
|
description = "Path to the unix socket file to use for authentication.";
|
|
};
|
|
|
|
path = mkOption {
|
|
type = types.str;
|
|
default = "${cfg.stateDir}/data/gitea.db";
|
|
defaultText = literalExpression ''"''${config.${opt.stateDir}}/data/gitea.db"'';
|
|
description = "Path to the sqlite3 database file.";
|
|
};
|
|
|
|
createDatabase = mkOption {
|
|
type = types.bool;
|
|
default = true;
|
|
description = "Whether to create a local database automatically.";
|
|
};
|
|
};
|
|
|
|
dump = {
|
|
enable = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = ''
|
|
Enable a timer that runs gitea dump to generate backup-files of the
|
|
current gitea database and repositories.
|
|
'';
|
|
};
|
|
|
|
interval = mkOption {
|
|
type = types.str;
|
|
default = "04:31";
|
|
example = "hourly";
|
|
description = ''
|
|
Run a gitea dump at this interval. Runs by default at 04:31 every day.
|
|
|
|
The format is described in
|
|
{manpage}`systemd.time(7)`.
|
|
'';
|
|
};
|
|
|
|
backupDir = mkOption {
|
|
type = types.str;
|
|
default = "${cfg.stateDir}/dump";
|
|
defaultText = literalExpression ''"''${config.${opt.stateDir}}/dump"'';
|
|
description = "Path to the dump files.";
|
|
};
|
|
|
|
type = mkOption {
|
|
type = types.enum [ "zip" "rar" "tar" "sz" "tar.gz" "tar.xz" "tar.bz2" "tar.br" "tar.lz4" "tar.zst" ];
|
|
default = "zip";
|
|
description = "Archive format used to store the dump file.";
|
|
};
|
|
|
|
file = mkOption {
|
|
type = types.nullOr types.str;
|
|
default = null;
|
|
description = "Filename to be used for the dump. If `null` a default name is chosen by gitea.";
|
|
example = "gitea-dump";
|
|
};
|
|
};
|
|
|
|
lfs = {
|
|
enable = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = "Enables git-lfs support.";
|
|
};
|
|
|
|
contentDir = mkOption {
|
|
type = types.str;
|
|
default = "${cfg.stateDir}/data/lfs";
|
|
defaultText = literalExpression ''"''${config.${opt.stateDir}}/data/lfs"'';
|
|
description = "Where to store LFS files.";
|
|
};
|
|
};
|
|
|
|
appName = mkOption {
|
|
type = types.str;
|
|
default = "gitea: Gitea Service";
|
|
description = "Application name.";
|
|
};
|
|
|
|
repositoryRoot = mkOption {
|
|
type = types.str;
|
|
default = "${cfg.stateDir}/repositories";
|
|
defaultText = literalExpression ''"''${config.${opt.stateDir}}/repositories"'';
|
|
description = "Path to the git repositories.";
|
|
};
|
|
|
|
camoHmacKeyFile = mkOption {
|
|
type = types.nullOr types.str;
|
|
default = null;
|
|
example = "/var/lib/secrets/gitea/camoHmacKey";
|
|
description = "Path to a file containing the camo HMAC key.";
|
|
};
|
|
|
|
mailerPasswordFile = mkOption {
|
|
type = types.nullOr types.str;
|
|
default = null;
|
|
example = "/var/lib/secrets/gitea/mailpw";
|
|
description = "Path to a file containing the SMTP password.";
|
|
};
|
|
|
|
metricsTokenFile = mkOption {
|
|
type = types.nullOr types.str;
|
|
default = null;
|
|
example = "/var/lib/secrets/gitea/metrics_token";
|
|
description = "Path to a file containing the metrics authentication token.";
|
|
};
|
|
|
|
settings = mkOption {
|
|
default = {};
|
|
description = ''
|
|
Gitea configuration. Refer to <https://docs.gitea.io/en-us/config-cheat-sheet/>
|
|
for details on supported values.
|
|
'';
|
|
example = literalExpression ''
|
|
{
|
|
"cron.sync_external_users" = {
|
|
RUN_AT_START = true;
|
|
SCHEDULE = "@every 24h";
|
|
UPDATE_EXISTING = true;
|
|
};
|
|
mailer = {
|
|
ENABLED = true;
|
|
MAILER_TYPE = "sendmail";
|
|
FROM = "do-not-reply@example.org";
|
|
SENDMAIL_PATH = "''${pkgs.system-sendmail}/bin/sendmail";
|
|
};
|
|
other = {
|
|
SHOW_FOOTER_VERSION = false;
|
|
};
|
|
}
|
|
'';
|
|
type = types.submodule {
|
|
freeformType = format.type;
|
|
options = {
|
|
log = {
|
|
ROOT_PATH = mkOption {
|
|
default = "${cfg.stateDir}/log";
|
|
defaultText = literalExpression ''"''${config.${opt.stateDir}}/log"'';
|
|
type = types.str;
|
|
description = "Root path for log files.";
|
|
};
|
|
LEVEL = mkOption {
|
|
default = "Info";
|
|
type = types.enum [ "Trace" "Debug" "Info" "Warn" "Error" "Critical" ];
|
|
description = "General log level.";
|
|
};
|
|
};
|
|
|
|
server = {
|
|
PROTOCOL = mkOption {
|
|
type = types.enum [ "http" "https" "fcgi" "http+unix" "fcgi+unix" ];
|
|
default = "http";
|
|
description = ''Listen protocol. `+unix` means "over unix", not "in addition to."'';
|
|
};
|
|
|
|
HTTP_ADDR = mkOption {
|
|
type = types.either types.str types.path;
|
|
default = if lib.hasSuffix "+unix" cfg.settings.server.PROTOCOL then "/run/gitea/gitea.sock" else "0.0.0.0";
|
|
defaultText = literalExpression ''if lib.hasSuffix "+unix" cfg.settings.server.PROTOCOL then "/run/gitea/gitea.sock" else "0.0.0.0"'';
|
|
description = "Listen address. Must be a path when using a unix socket.";
|
|
};
|
|
|
|
HTTP_PORT = mkOption {
|
|
type = types.port;
|
|
default = 3000;
|
|
description = "Listen port. Ignored when using a unix socket.";
|
|
};
|
|
|
|
DOMAIN = mkOption {
|
|
type = types.str;
|
|
default = "localhost";
|
|
description = "Domain name of your server.";
|
|
};
|
|
|
|
ROOT_URL = mkOption {
|
|
type = types.str;
|
|
default = "http://${cfg.settings.server.DOMAIN}:${toString cfg.settings.server.HTTP_PORT}/";
|
|
defaultText = literalExpression ''"http://''${config.services.gitea.settings.server.DOMAIN}:''${toString config.services.gitea.settings.server.HTTP_PORT}/"'';
|
|
description = "Full public URL of gitea server.";
|
|
};
|
|
|
|
STATIC_ROOT_PATH = mkOption {
|
|
type = types.either types.str types.path;
|
|
default = cfg.package.data;
|
|
defaultText = literalExpression "config.${opt.package}.data";
|
|
example = "/var/lib/gitea/data";
|
|
description = "Upper level of template and static files path.";
|
|
};
|
|
|
|
DISABLE_SSH = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = "Disable external SSH feature.";
|
|
};
|
|
|
|
SSH_PORT = mkOption {
|
|
type = types.port;
|
|
default = 22;
|
|
example = 2222;
|
|
description = ''
|
|
SSH port displayed in clone URL.
|
|
The option is required to configure a service when the external visible port
|
|
differs from the local listening port i.e. if port forwarding is used.
|
|
'';
|
|
};
|
|
};
|
|
|
|
service = {
|
|
DISABLE_REGISTRATION = mkEnableOption "the registration lock" // {
|
|
description = ''
|
|
By default any user can create an account on this `gitea` instance.
|
|
This can be disabled by using this option.
|
|
|
|
*Note:* please keep in mind that this should be added after the initial
|
|
deploy unless [](#opt-services.gitea.useWizard)
|
|
is `true` as the first registered user will be the administrator if
|
|
no install wizard is used.
|
|
'';
|
|
};
|
|
};
|
|
|
|
session = {
|
|
COOKIE_SECURE = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = ''
|
|
Marks session cookies as "secure" as a hint for browsers to only send
|
|
them via HTTPS. This option is recommend, if gitea is being served over HTTPS.
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
extraConfig = mkOption {
|
|
type = with types; nullOr str;
|
|
default = null;
|
|
description = "Configuration lines appended to the generated gitea configuration file.";
|
|
};
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
assertions = [
|
|
{ assertion = cfg.database.createDatabase -> useSqlite || cfg.database.user == cfg.user;
|
|
message = "services.gitea.database.user must match services.gitea.user if the database is to be automatically provisioned";
|
|
}
|
|
{ assertion = cfg.database.createDatabase && usePostgresql -> cfg.database.user == cfg.database.name;
|
|
message = ''
|
|
When creating a database via NixOS, the db user and db name must be equal!
|
|
If you already have an existing DB+user and this assertion is new, you can safely set
|
|
`services.gitea.createDatabase` to `false` because removal of `ensureUsers`
|
|
and `ensureDatabases` doesn't have any effect.
|
|
'';
|
|
}
|
|
];
|
|
|
|
services.gitea.settings = {
|
|
"cron.update_checker".ENABLED = lib.mkDefault false;
|
|
|
|
database = mkMerge [
|
|
{
|
|
DB_TYPE = cfg.database.type;
|
|
}
|
|
(mkIf (useMysql || usePostgresql) {
|
|
HOST = if cfg.database.socket != null then cfg.database.socket else cfg.database.host + ":" + toString cfg.database.port;
|
|
NAME = cfg.database.name;
|
|
USER = cfg.database.user;
|
|
PASSWD = "#dbpass#";
|
|
})
|
|
(mkIf useSqlite {
|
|
PATH = cfg.database.path;
|
|
})
|
|
(mkIf usePostgresql {
|
|
SSL_MODE = "disable";
|
|
})
|
|
];
|
|
|
|
repository = {
|
|
ROOT = cfg.repositoryRoot;
|
|
};
|
|
|
|
server = mkIf cfg.lfs.enable {
|
|
LFS_START_SERVER = true;
|
|
LFS_JWT_SECRET = "#lfsjwtsecret#";
|
|
};
|
|
|
|
camo = mkIf (cfg.camoHmacKeyFile != null) {
|
|
HMAC_KEY = "#hmackey#";
|
|
};
|
|
|
|
session = {
|
|
COOKIE_NAME = lib.mkDefault "session";
|
|
};
|
|
|
|
security = {
|
|
SECRET_KEY = "#secretkey#";
|
|
INTERNAL_TOKEN = "#internaltoken#";
|
|
INSTALL_LOCK = true;
|
|
};
|
|
|
|
mailer = mkIf (cfg.mailerPasswordFile != null) {
|
|
PASSWD = "#mailerpass#";
|
|
};
|
|
|
|
metrics = mkIf (cfg.metricsTokenFile != null) {
|
|
TOKEN = "#metricstoken#";
|
|
};
|
|
|
|
oauth2 = {
|
|
JWT_SECRET = "#oauth2jwtsecret#";
|
|
};
|
|
|
|
lfs = mkIf cfg.lfs.enable {
|
|
PATH = cfg.lfs.contentDir;
|
|
};
|
|
|
|
packages.CHUNKED_UPLOAD_PATH = "${cfg.stateDir}/tmp/package-upload";
|
|
};
|
|
|
|
services.postgresql = optionalAttrs (usePostgresql && cfg.database.createDatabase) {
|
|
enable = mkDefault true;
|
|
|
|
ensureDatabases = [ cfg.database.name ];
|
|
ensureUsers = [
|
|
{ name = cfg.database.user;
|
|
ensureDBOwnership = true;
|
|
}
|
|
];
|
|
};
|
|
|
|
services.mysql = optionalAttrs (useMysql && cfg.database.createDatabase) {
|
|
enable = mkDefault true;
|
|
package = mkDefault pkgs.mariadb;
|
|
|
|
ensureDatabases = [ cfg.database.name ];
|
|
ensureUsers = [
|
|
{ name = cfg.database.user;
|
|
ensurePermissions = { "${cfg.database.name}.*" = "ALL PRIVILEGES"; };
|
|
}
|
|
];
|
|
};
|
|
|
|
systemd.tmpfiles.rules = [
|
|
"d '${cfg.dump.backupDir}' 0750 ${cfg.user} ${cfg.group} - -"
|
|
"z '${cfg.dump.backupDir}' 0750 ${cfg.user} ${cfg.group} - -"
|
|
"d '${cfg.repositoryRoot}' 0750 ${cfg.user} ${cfg.group} - -"
|
|
"z '${cfg.repositoryRoot}' 0750 ${cfg.user} ${cfg.group} - -"
|
|
"d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -"
|
|
"d '${cfg.stateDir}/conf' 0750 ${cfg.user} ${cfg.group} - -"
|
|
"d '${cfg.customDir}' 0750 ${cfg.user} ${cfg.group} - -"
|
|
"d '${cfg.customDir}/conf' 0750 ${cfg.user} ${cfg.group} - -"
|
|
"d '${cfg.stateDir}/data' 0750 ${cfg.user} ${cfg.group} - -"
|
|
"d '${cfg.stateDir}/log' 0750 ${cfg.user} ${cfg.group} - -"
|
|
"z '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -"
|
|
"z '${cfg.stateDir}/.ssh' 0700 ${cfg.user} ${cfg.group} - -"
|
|
"z '${cfg.stateDir}/conf' 0750 ${cfg.user} ${cfg.group} - -"
|
|
"z '${cfg.customDir}' 0750 ${cfg.user} ${cfg.group} - -"
|
|
"z '${cfg.customDir}/conf' 0750 ${cfg.user} ${cfg.group} - -"
|
|
"z '${cfg.stateDir}/data' 0750 ${cfg.user} ${cfg.group} - -"
|
|
"z '${cfg.stateDir}/log' 0750 ${cfg.user} ${cfg.group} - -"
|
|
|
|
# If we have a folder or symlink with gitea locales, remove it
|
|
# And symlink the current gitea locales in place
|
|
"L+ '${cfg.stateDir}/conf/locale' - - - - ${cfg.package.out}/locale"
|
|
|
|
] ++ lib.optionals cfg.lfs.enable [
|
|
"d '${cfg.lfs.contentDir}' 0750 ${cfg.user} ${cfg.group} - -"
|
|
"z '${cfg.lfs.contentDir}' 0750 ${cfg.user} ${cfg.group} - -"
|
|
];
|
|
|
|
systemd.services.gitea = {
|
|
description = "gitea";
|
|
after = [ "network.target" ] ++ optional usePostgresql "postgresql.service" ++ optional useMysql "mysql.service";
|
|
requires = optional (cfg.database.createDatabase && usePostgresql) "postgresql.service" ++ optional (cfg.database.createDatabase && useMysql) "mysql.service";
|
|
wantedBy = [ "multi-user.target" ];
|
|
path = [ cfg.package pkgs.git pkgs.gnupg ];
|
|
|
|
# In older versions the secret naming for JWT was kind of confusing.
|
|
# The file jwt_secret hold the value for LFS_JWT_SECRET and JWT_SECRET
|
|
# wasn't persistent at all.
|
|
# To fix that, there is now the file oauth2_jwt_secret containing the
|
|
# values for JWT_SECRET and the file jwt_secret gets renamed to
|
|
# lfs_jwt_secret.
|
|
# We have to consider this to stay compatible with older installations.
|
|
preStart = let
|
|
runConfig = "${cfg.customDir}/conf/app.ini";
|
|
secretKey = "${cfg.customDir}/conf/secret_key";
|
|
oauth2JwtSecret = "${cfg.customDir}/conf/oauth2_jwt_secret";
|
|
oldLfsJwtSecret = "${cfg.customDir}/conf/jwt_secret"; # old file for LFS_JWT_SECRET
|
|
lfsJwtSecret = "${cfg.customDir}/conf/lfs_jwt_secret"; # new file for LFS_JWT_SECRET
|
|
internalToken = "${cfg.customDir}/conf/internal_token";
|
|
replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
|
|
in ''
|
|
# copy custom configuration and generate random secrets if needed
|
|
${optionalString (!cfg.useWizard) ''
|
|
function gitea_setup {
|
|
cp -f '${configFile}' '${runConfig}'
|
|
|
|
if [ ! -s '${secretKey}' ]; then
|
|
${exe} generate secret SECRET_KEY > '${secretKey}'
|
|
fi
|
|
|
|
# Migrate LFS_JWT_SECRET filename
|
|
if [[ -s '${oldLfsJwtSecret}' && ! -s '${lfsJwtSecret}' ]]; then
|
|
mv '${oldLfsJwtSecret}' '${lfsJwtSecret}'
|
|
fi
|
|
|
|
if [ ! -s '${oauth2JwtSecret}' ]; then
|
|
${exe} generate secret JWT_SECRET > '${oauth2JwtSecret}'
|
|
fi
|
|
|
|
${lib.optionalString cfg.lfs.enable ''
|
|
if [ ! -s '${lfsJwtSecret}' ]; then
|
|
${exe} generate secret LFS_JWT_SECRET > '${lfsJwtSecret}'
|
|
fi
|
|
''}
|
|
|
|
if [ ! -s '${internalToken}' ]; then
|
|
${exe} generate secret INTERNAL_TOKEN > '${internalToken}'
|
|
fi
|
|
|
|
chmod u+w '${runConfig}'
|
|
${replaceSecretBin} '#secretkey#' '${secretKey}' '${runConfig}'
|
|
${replaceSecretBin} '#dbpass#' '${cfg.database.passwordFile}' '${runConfig}'
|
|
${replaceSecretBin} '#oauth2jwtsecret#' '${oauth2JwtSecret}' '${runConfig}'
|
|
${replaceSecretBin} '#internaltoken#' '${internalToken}' '${runConfig}'
|
|
|
|
${lib.optionalString cfg.lfs.enable ''
|
|
${replaceSecretBin} '#lfsjwtsecret#' '${lfsJwtSecret}' '${runConfig}'
|
|
''}
|
|
|
|
${lib.optionalString (cfg.camoHmacKeyFile != null) ''
|
|
${replaceSecretBin} '#hmackey#' '${cfg.camoHmacKeyFile}' '${runConfig}'
|
|
''}
|
|
|
|
${lib.optionalString (cfg.mailerPasswordFile != null) ''
|
|
${replaceSecretBin} '#mailerpass#' '${cfg.mailerPasswordFile}' '${runConfig}'
|
|
''}
|
|
|
|
${lib.optionalString (cfg.metricsTokenFile != null) ''
|
|
${replaceSecretBin} '#metricstoken#' '${cfg.metricsTokenFile}' '${runConfig}'
|
|
''}
|
|
chmod u-w '${runConfig}'
|
|
}
|
|
(umask 027; gitea_setup)
|
|
''}
|
|
|
|
# run migrations/init the database
|
|
${exe} migrate
|
|
|
|
# update all hooks' binary paths
|
|
${exe} admin regenerate hooks
|
|
|
|
# update command option in authorized_keys
|
|
if [ -r ${cfg.stateDir}/.ssh/authorized_keys ]
|
|
then
|
|
${exe} admin regenerate keys
|
|
fi
|
|
'';
|
|
|
|
serviceConfig = {
|
|
Type = "simple";
|
|
User = cfg.user;
|
|
Group = cfg.group;
|
|
WorkingDirectory = cfg.stateDir;
|
|
ExecStart = "${exe} web --pid /run/gitea/gitea.pid";
|
|
Restart = "always";
|
|
# Runtime directory and mode
|
|
RuntimeDirectory = "gitea";
|
|
RuntimeDirectoryMode = "0755";
|
|
# Proc filesystem
|
|
ProcSubset = "pid";
|
|
ProtectProc = "invisible";
|
|
# Access write directories
|
|
ReadWritePaths = [ cfg.customDir cfg.dump.backupDir cfg.repositoryRoot cfg.stateDir cfg.lfs.contentDir ];
|
|
UMask = "0027";
|
|
# Capabilities
|
|
CapabilityBoundingSet = "";
|
|
# Security
|
|
NoNewPrivileges = true;
|
|
# Sandboxing
|
|
ProtectSystem = "strict";
|
|
ProtectHome = true;
|
|
PrivateTmp = true;
|
|
PrivateDevices = true;
|
|
PrivateUsers = true;
|
|
ProtectHostname = true;
|
|
ProtectClock = true;
|
|
ProtectKernelTunables = true;
|
|
ProtectKernelModules = true;
|
|
ProtectKernelLogs = true;
|
|
ProtectControlGroups = true;
|
|
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
|
|
RestrictNamespaces = true;
|
|
LockPersonality = true;
|
|
MemoryDenyWriteExecute = true;
|
|
RestrictRealtime = true;
|
|
RestrictSUIDSGID = true;
|
|
RemoveIPC = true;
|
|
PrivateMounts = true;
|
|
# System Call Filtering
|
|
SystemCallArchitectures = "native";
|
|
SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" "setrlimit" ];
|
|
};
|
|
|
|
environment = {
|
|
USER = cfg.user;
|
|
HOME = cfg.stateDir;
|
|
GITEA_WORK_DIR = cfg.stateDir;
|
|
GITEA_CUSTOM = cfg.customDir;
|
|
};
|
|
};
|
|
|
|
users.users = mkIf (cfg.user == "gitea") {
|
|
gitea = {
|
|
description = "Gitea Service";
|
|
home = cfg.stateDir;
|
|
useDefaultShell = true;
|
|
group = cfg.group;
|
|
isSystemUser = true;
|
|
};
|
|
};
|
|
|
|
users.groups = mkIf (cfg.group == "gitea") {
|
|
gitea = {};
|
|
};
|
|
|
|
warnings =
|
|
optional (cfg.database.password != "") "config.services.gitea.database.password will be stored as plaintext in the Nix store. Use database.passwordFile instead." ++
|
|
optional (cfg.extraConfig != null) ''
|
|
services.gitea.`extraConfig` is deprecated, please use services.gitea.`settings`.
|
|
'' ++
|
|
optional (lib.getName cfg.package == "forgejo") ''
|
|
Running forgejo via services.gitea.package is no longer supported.
|
|
Please use services.forgejo instead.
|
|
See https://nixos.org/manual/nixos/unstable/#module-forgejo for migration instructions.
|
|
'';
|
|
|
|
# Create database passwordFile default when password is configured.
|
|
services.gitea.database.passwordFile =
|
|
mkDefault (toString (pkgs.writeTextFile {
|
|
name = "gitea-database-password";
|
|
text = cfg.database.password;
|
|
}));
|
|
|
|
systemd.services.gitea-dump = mkIf cfg.dump.enable {
|
|
description = "gitea dump";
|
|
after = [ "gitea.service" ];
|
|
path = [ cfg.package ];
|
|
|
|
environment = {
|
|
USER = cfg.user;
|
|
HOME = cfg.stateDir;
|
|
GITEA_WORK_DIR = cfg.stateDir;
|
|
GITEA_CUSTOM = cfg.customDir;
|
|
};
|
|
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
User = cfg.user;
|
|
ExecStart = "${exe} dump --type ${cfg.dump.type}" + optionalString (cfg.dump.file != null) " --file ${cfg.dump.file}";
|
|
WorkingDirectory = cfg.dump.backupDir;
|
|
};
|
|
};
|
|
|
|
systemd.timers.gitea-dump = mkIf cfg.dump.enable {
|
|
description = "Update timer for gitea-dump";
|
|
partOf = [ "gitea-dump.service" ];
|
|
wantedBy = [ "timers.target" ];
|
|
timerConfig.OnCalendar = cfg.dump.interval;
|
|
};
|
|
};
|
|
meta.maintainers = with lib.maintainers; [ srhb ma27 pyrox0 ];
|
|
}
|