Compare commits
No commits in common. "64c8eb3a9585c3b187d919166fe0c911e37de7e2" and "b71ced5fbfd1cf1bb14a95d684a821301c10634b" have entirely different histories.
64c8eb3a95
...
b71ced5fbf
118
pp-forgejo.nix
118
pp-forgejo.nix
|
|
@ -1,118 +0,0 @@
|
||||||
{ config, pkgs, lib, ... }:
|
|
||||||
with lib;
|
|
||||||
let
|
|
||||||
cfgBase = config.base;
|
|
||||||
cfg = config.services.ppForgejo;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
options.services.ppForgejo = {
|
|
||||||
domain = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = "git.${cfgBase.domainName}";
|
|
||||||
example = "git.example.com";
|
|
||||||
description = "The domain of the server";
|
|
||||||
};
|
|
||||||
openIdEnable = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = false;
|
|
||||||
description = "If OpenId provider is setup and should be used exclusively.";
|
|
||||||
};
|
|
||||||
openIdClientName = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = "";
|
|
||||||
description = "The name (id) of the openId client to use exclusively.";
|
|
||||||
};
|
|
||||||
customPackage = mkOption {
|
|
||||||
type = types.package;
|
|
||||||
default = pkgs.fetchgit {
|
|
||||||
url = "https://git.mineau.eu/histausse/gitea_custom";
|
|
||||||
sha256 = "0r1kjkn0mkfyp2lb8j59frh1vnd1m54swpqwiasvg77r04ibfmn5";
|
|
||||||
};
|
|
||||||
description= "The package for custom configs like theme.";
|
|
||||||
};
|
|
||||||
dbPasswordFile = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = "/etc/forgejo_db_pwd";
|
|
||||||
description = "The file containing the database password. Be sure to secure it.";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config = {
|
|
||||||
|
|
||||||
services.forgejo.appName = "git";
|
|
||||||
services.forgejo.stateDir = "/var/lib/forgejo"; # default value, /var/lib/gitea in gitea, move it before migration!
|
|
||||||
services.forgejo.enable = true;
|
|
||||||
services.forgejo.rootUrl = "https://${cfg.domain}/";
|
|
||||||
services.forgejo.settings.session.COOKIE_SECURE = lib.mkForce true; # Why do I need to override this???
|
|
||||||
|
|
||||||
# If true, openid users cannot create new account
|
|
||||||
#services.forgejo.settings.service.DISABLE_REGISTRATION = lib.mkForce (!cfg.openIdEnable);
|
|
||||||
services.forgejo.settings.service.DISABLE_REGISTRATION = lib.mkForce false;
|
|
||||||
services.forgejo.settings.service.ALLOW_ONLY_EXTERNAL_REGISTRATION = cfg.openIdEnable;
|
|
||||||
|
|
||||||
services.forgejo.lfs.enable = true;
|
|
||||||
services.forgejo.domain = cfg.domain;
|
|
||||||
# services.forgejo.database.type = "postgres"; # Default is sqlite3, probably better for a small instance
|
|
||||||
services.forgejo.database.passwordFile = cfg.dbPasswordFile;
|
|
||||||
|
|
||||||
services.forgejo.settings.repository.ENABLE_PUSH_CREATE_USER = true;
|
|
||||||
services.forgejo.settings.repository.ENABLE_PUSH_CREATE_ORG = true;
|
|
||||||
|
|
||||||
# Set the permittions for the db file
|
|
||||||
system.activationScripts = {
|
|
||||||
forgejoDbFilePermission.text =
|
|
||||||
''
|
|
||||||
chmod 400 ${cfg.dbPasswordFile}
|
|
||||||
chown ${config.services.forgejo.user} ${cfg.dbPasswordFile}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
environment.systemPackages = with pkgs; [
|
|
||||||
forgejo
|
|
||||||
];
|
|
||||||
systemd.services.forgejo.environment.FORGEJO_CUSTOM = "${config.services.forgejo.stateDir}/custom";
|
|
||||||
systemd.services.forgejo.preStart = lib.mkAfter ''
|
|
||||||
find ${config.services.forgejo.stateDir}/ -type d -exec chmod u+w {} \;
|
|
||||||
cp -f -s -r ${cfg.customPackage}/* ${config.services.forgejo.stateDir}/custom/
|
|
||||||
'';
|
|
||||||
services.forgejo.settings = {
|
|
||||||
ui = {
|
|
||||||
THEMES = "forgejo-auto,forgejo-light,forgejo-dark,auto,gitea,arc-green,plex,aquamarine,dark,dracula,hotline,organizr,space-gray,hotpink,onedark,overseerr,nord";
|
|
||||||
DEFAULT_THEME = "forgejo-auto";
|
|
||||||
};
|
|
||||||
"ui.meta" = {
|
|
||||||
DESCRIPTION = "Code everywhere";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
|
|
||||||
# NGINX
|
|
||||||
security.acme.acceptTerms = true;
|
|
||||||
security.acme.defaults.email = cfgBase.adminEmail;
|
|
||||||
services.nginx = {
|
|
||||||
enable = true;
|
|
||||||
virtualHosts = {
|
|
||||||
"${cfg.domain}" = {
|
|
||||||
forceSSL = true;
|
|
||||||
enableACME = true;
|
|
||||||
locations."/" = {
|
|
||||||
proxyPass = "http://127.0.0.1:3000";
|
|
||||||
extraConfig = ''
|
|
||||||
client_max_body_size 0;
|
|
||||||
proxy_set_header X-Forwarded-Host $host;
|
|
||||||
proxy_set_header X-Forwarded-Server $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_pass_request_headers on;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
locations."/user/login" = lib.mkIf (cfg.openIdEnable) {
|
|
||||||
return = "301 https://$host/user/oauth2/${cfg.openIdClientName}";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
||||||
};
|
|
||||||
}
|
|
||||||
Loading…
Reference in New Issue