{ lib, pkgs, config, assignments, allAssignments, ... }: let inherit (lib) mkMerge; inherit (lib.my.c) pubDomain; inherit (lib.my.c.colony) prefixes; in { config = { fileSystems = { "/var/lib/gitea" = { device = "/dev/disk/by-label/git"; fsType = "ext4"; }; }; users = { users.git = { description = "Gitea Service"; home = config.services.gitea.stateDir; useDefaultShell = true; group = config.services.gitea.group; isSystemUser = true; }; groups.git = {}; }; systemd = { services = { # TODO: Figure out a way to do this properly... redirecting localhost is awkward... local-http-forward = { description = "Forward local HTTP connections"; serviceConfig.ExecStart = "${pkgs.socat}/bin/socat tcp-listen:80,fork tcp:${allAssignments.middleman.internal.ipv4.address}:80"; wantedBy = [ "multi-user.target" ]; }; local-https-forward = { description = "Forward local HTTPS connections"; serviceConfig.ExecStart = "${pkgs.socat}/bin/socat tcp-listen:443,fork tcp:${allAssignments.middleman.internal.ipv4.address}:443"; wantedBy = [ "multi-user.target" ]; }; gitea = mkMerge [ (lib.my.systemdAwaitPostgres pkgs.postgresql "colony-psql") { preStart = let repSec = "${pkgs.replace-secret}/bin/replace-secret"; confPath = "${config.services.gitea.customDir}/conf/app.ini"; in '' gitea_extra_setup() { chmod u+w '${confPath}' ${repSec} '#miniosecret#' '${config.age.secrets."gitea/minio.txt".path}' '${confPath}' chmod u-w '${confPath}' } (umask 027; gitea_extra_setup) ''; } ]; }; }; services = { gitea = { enable = true; user = "git"; group = "git"; appName = "/dev/player0 git"; stateDir = "/var/lib/gitea"; lfs.enable = true; database = { type = "postgres"; createDatabase = false; host = "colony-psql"; user = "gitea"; passwordFile = config.age.secrets."gitea/db.txt".path; }; mailerPasswordFile = config.age.secrets."gitea/mail.txt".path; settings = { server = { DOMAIN = "git.${pubDomain}"; HTTP_ADDR = "::"; ROOT_URL = "https://git.${pubDomain}"; }; service = { DISABLE_REGISTRATION = true; ENABLE_NOTIFY_MAIL = true; }; session = { COOKIE_SECURE = true; }; repository = { DEFAULT_BRANCH = "master"; }; mailer = { ENABLED = true; PROTOCOL = "smtp+starttls"; SMTP_ADDR = "mail.nul.ie"; SMTP_PORT = 587; USER = "git@nul.ie"; FROM = "Gitea "; }; "email.incoming" = { ENABLED = true; HOST = "mail.nul.ie"; PORT = 993; USE_TLS = true; USERNAME = "git@nul.ie"; PASSWORD = "#mailerpass#"; REPLY_TO_ADDRESS = "git+%{token}@nul.ie"; }; storage = { STORAGE_TYPE = "minio"; SERVE_DIRECT = true; MINIO_ENDPOINT = "s3.${pubDomain}"; MINIO_ACCESS_KEY_ID = "gitea"; MINIO_SECRET_ACCESS_KEY = "#miniosecret#"; MINIO_BUCKET = "gitea"; MINIO_LOCATION = "eu-central-1"; MINIO_USE_SSL = true; }; actions = { ENABLED = true; }; }; }; }; my = { secrets = { files = let ownedByGit = { owner = "git"; group = "git"; }; in { "gitea/db.txt" = ownedByGit; "gitea/mail.txt" = ownedByGit; "gitea/minio.txt" = ownedByGit; }; }; firewall.extraRules = '' table inet filter { chain input { ip saddr ${prefixes.all.v4} tcp dport 3000 accept ip6 saddr ${prefixes.all.v6} tcp dport 3000 accept } } table inet nat { chain prerouting { ip daddr ${assignments.internal.ipv4.address} tcp dport { http, https } dnat to ${allAssignments.middleman.internal.ipv4.address} ip6 daddr ${assignments.internal.ipv6.address} tcp dport { http, https } dnat to ${allAssignments.middleman.internal.ipv6.address} } } ''; }; }; }