diff --git a/nixos/boxes/colony/vms/shill/gitea.nix b/nixos/boxes/colony/vms/shill/gitea.nix
index f59fc98..6830d9e 100644
--- a/nixos/boxes/colony/vms/shill/gitea.nix
+++ b/nixos/boxes/colony/vms/shill/gitea.nix
@@ -23,6 +23,25 @@ in
 groups.git = {};
 };
 
+ systemd = {
+ services = {
+ gitea.preStart =
+ let
+ repSec = "${pkgs.replace-secret}/bin/replace-secret";
+ confPath = "${config.services.gitea.customDir}/conf/app.ini";
+ in
+ ''
+ gitea_extra_setup() {
+ chmod u+w '${confPath}'
+ ${repSec} '#miniosecret#' '${config.age.secrets."gitea/minio.txt".path}' '${confPath}'
+ chmod u-w '${confPath}'
+ }
+
+ (umask 027; gitea_extra_setup)
+ '';
+ };
+ };
+
 services = {
 gitea = {
 enable = true;
@@ -72,6 +91,16 @@ in
 PASSWORD = "#mailerpass#";
 REPLY_TO_ADDRESS = "git+%{token}@nul.ie";
 };
+ storage = {
+ STORAGE_TYPE = "minio";
+ SERVE_DIRECT = true;
+ MINIO_ENDPOINT = "s3.${pubDomain}";
+ MINIO_ACCESS_KEY_ID = "gitea";
+ MINIO_SECRET_ACCESS_KEY = "#miniosecret#";
+ MINIO_BUCKET = "gitea";
+ MINIO_LOCATION = "eu-central-1";
+ MINIO_USE_SSL = true;
+ };
 actions = {
 ENABLED = true;
 };
@@ -91,6 +120,7 @@ in
 {
 "gitea/db.txt" = ownedByGit;
 "gitea/mail.txt" = ownedByGit;
+ "gitea/minio.txt" = ownedByGit;
 };
 };
diff --git a/secrets/gitea/minio.txt.age b/secrets/gitea/minio.txt.age
new file mode 100644
index 0000000..56e691e
--- /dev/null
+++ b/secrets/gitea/minio.txt.age
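Review bot: The added `gitea.preStart` snippet's effect depends on its merge order with the preStart that the upstream `services.gitea` module already defines, which (as far as I recall) copies a fresh `app.ini` into `customDir` and runs `replace-secret` for `#dbpass#` and `#mailerpass#`; if `gitea_extra_setup` runs before that copy, the substitution is overwritten and the literal `#miniosecret#` is sent to MinIO as the secret key. Pinning the order with `gitea.preStart = lib.mkAfter (...)` — assuming `lib` is among the module's arguments — removes the ambiguity, and a one-line comment such as `# must run after the gitea module's own preStart has regenerated app.ini` would record the dependency for the next reader. The `chmod u+w`/`u-w` pair around the substitution and the `umask 027` subshell are consistent with how the module treats that file. The `systemd` attribute set begins in this hunk, but the enclosing module expression starts outside it.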
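Review bot: `SERVE_DIRECT = true` in the new `storage` section makes Gitea hand clients time-limited pre-signed URLs that point straight at `s3.${pubDomain}`, so the MinIO endpoint must be reachable from every client and a URL, once issued, is served by MinIO without further Gitea authorization checks for its lifetime; a comment stating that this is intended would help, e.g. `# SERVE_DIRECT: clients fetch objects via pre-signed URLs directly from MinIO, bypassing Gitea`. Because this is the top-level `storage` section it presumably becomes the default for every storage kind (attachments, LFS, avatars, packages, artifacts) unless a per-kind section overrides it — worth confirming and noting next to `STORAGE_TYPE`. The `#miniosecret#` placeholder follows the `#mailerpass#` pattern above and is substituted at service start, so the real key never lands in the generated config in the store. The `services.gitea.settings` block this hunk sits in begins and ends outside it.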
@@ -0,0 +1,11 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEJhUWxSZyBxbXBS
+L0lhYVlEM0ZjdW9ESEFnSy9haDBDYk13SVU2VkF4c2VuclNwUkJrClRSei9aNVVU
+V21CVi9wNWVDa1A0VUJVa3lkTmFGRktjTVQwTjFSUXNpb0EKLT4gWDI1NTE5IFZm
+SmplRjRsSmx0WHNVRk1mZXdDa3BWSnFGckJab053N2x1MmsrZC9qd3MKUHdSY3lp
+YVBqcGFvamF4ajFjeHpFMVN6U2FBTElVNlRlV2pBV2FSMTh1WQotPiAxKXl+PFIt
+Z3JlYXNlIDdJTjYrICE4NnVIKD1jCjl3UjhGV1UyMUxxbVNXMXlmZXBNQlhXRlFh
+R0lpQXFlSEUxUjdiNThUYVFpNU5zCi0tLSBjeVhQVnJHS0Fsb2drSHJGZWhsankv
+MkJOY3g1WnBzS0doa2ZEbFRyaDU4CtUkWHxzTHEczny17RbpuuZphcdRdBjl+xHU
+ysTSxxajA7yJ0u1l440nc3WC9Aikw3w=
+-----END AGE ENCRYPTED FILE-----