Initial commit
This commit is contained in:
195
hosts/cepheus/gitea.nix
Normal file
195
hosts/cepheus/gitea.nix
Normal file
@@ -0,0 +1,195 @@
|
||||
{ config, pkgs, lib, ... }: {
|
||||
age.secrets.kanidm-oauth2-gitea = lib.mkSecret "kanidm";
|
||||
services.kanidm.provision = {
|
||||
groups."gitea.access" = {};
|
||||
groups."gitea.admins" = {};
|
||||
systems.oauth2.gitea = {
|
||||
displayName = "gitea";
|
||||
originUrl = "https://tea.nothing.run/user/oauth2/kanidm/callback";
|
||||
originLanding = "https://tea.nothing.run/";
|
||||
basicSecretFile = config.age.secrets.kanidm-oauth2-gitea.path;
|
||||
scopeMaps."gitea.access" = [
|
||||
"openid"
|
||||
"email"
|
||||
"profile"
|
||||
];
|
||||
allowInsecureClientDisablePkce = true;
|
||||
preferShortUsername = true;
|
||||
claimMaps.groups = {
|
||||
joinType = "array";
|
||||
valuesByGroup."gitea.admins" = [ "admins" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
containers.gitea = let host-config = config; in {
|
||||
autoStart = true;
|
||||
bindMounts = {
|
||||
"/var/lib/gitea" = { hostPath = "/nix/persist/services/gitea"; isReadOnly = false; };
|
||||
# "${config.age.secretsDir}" = { hostPath = config.age.secretsDir; isReadOnly = true; };
|
||||
"/run/agenix" = { hostPath = "/run/agenix"; isReadOnly = false; };
|
||||
};
|
||||
# tmpfs = [ "/" ];
|
||||
hostAddress = "192.168.102.10";
|
||||
localAddress = "192.168.102.11";
|
||||
|
||||
# forwardPorts = [
|
||||
# {
|
||||
# containerPort = 22;
|
||||
# hostPort = 9922;
|
||||
# protocol = "tcp";
|
||||
# }
|
||||
# ];
|
||||
privateNetwork = true;
|
||||
|
||||
config = { lib, config, ... }: {
|
||||
imports = [
|
||||
../../modules/global/dnscrypt-proxy.nix
|
||||
];
|
||||
|
||||
users.groups.kanidm = {};
|
||||
users.groups.git = { };
|
||||
users.users.git = {
|
||||
isSystemUser = true;
|
||||
useDefaultShell = true;
|
||||
group = "git";
|
||||
extraGroups = [ "kanidm" ];
|
||||
home = config.services.gitea.stateDir;
|
||||
openssh.authorizedKeys.keys = lib.mkForce host-config.users.users.root.openssh.authorizedKeys.keys;
|
||||
};
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
# settings = {
|
||||
# PasswordAuthentication = false;
|
||||
# KbdInteractiveAuthentication = false;
|
||||
# PermitRootLogin = "prohibit-password";
|
||||
# };
|
||||
# openFirewall = true;
|
||||
# ports = [ 22 ];
|
||||
# settings.AcceptEnv = "GIT_PROTOCOL";
|
||||
};
|
||||
|
||||
services.gitea = {
|
||||
enable = true;
|
||||
package = pkgs.gitea;
|
||||
user = "git";
|
||||
group = "git";
|
||||
settings = {
|
||||
DEFAULT.APP_NAME = "Hollow Tea";
|
||||
mailer.ENABLED = false;
|
||||
metrics.ENABLED = false;
|
||||
oauth2_client = {
|
||||
ACCOUNT_LINKING = "login";
|
||||
USERNAME = "nickname";
|
||||
ENABLE_AUTO_REGISTRATION = false;
|
||||
REGISTER_EMAIL_CONFIRM = false;
|
||||
UPDATE_AVATAR = true;
|
||||
};
|
||||
repository = {
|
||||
DEFAULT_PRIVATE = "private";
|
||||
ENABLE_PUSH_CREATE_USER = true;
|
||||
ENABLE_PUSH_CREATE_ORG = true;
|
||||
};
|
||||
server = {
|
||||
HTTP_ADDR = "0.0.0.0";
|
||||
HTTP_PORT = 3000;
|
||||
DOMAIN = "tea.nothing.run";
|
||||
ROOT_URL = "https://tea.nothing.run";
|
||||
LANDING_PAGE = "login";
|
||||
SSH_PORT = 9922;
|
||||
SSH_USER = "git";
|
||||
};
|
||||
service = {
|
||||
DISABLE_REGISTRATION = false;
|
||||
ALLOW_ONLY_INTERNAL_REGISTRATION = false;
|
||||
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
|
||||
SHOW_REGISTRATION_BUTTON = false;
|
||||
REGISTER_EMAIL_CONFIRM = false;
|
||||
ENABLE_NOTIFY_MAIL = false;
|
||||
};
|
||||
"service.explore" = {
|
||||
REQUIRE_SIGNIN_VIEW = true;
|
||||
DISABLE_USERS_PAGE = false;
|
||||
DISABLE_ORGANIZATIONS_PAGE = true;
|
||||
DISABLE_CODE_PAGE = true;
|
||||
};
|
||||
admin.DISABLE_REGULAR_ORG_CREATION = true; # Prohibit creation of organizations by non-admin users
|
||||
session.COOKIE_SECURE = true;
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.gitea = {
|
||||
enable = true;
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig.RestartSec = "60"; # Retry every minute
|
||||
preStart =
|
||||
let
|
||||
exe = lib.getExe config.services.gitea.package;
|
||||
providerName = "kanidm";
|
||||
clientId = "gitea";
|
||||
args = lib.escapeShellArgs (
|
||||
lib.concatLists [
|
||||
[
|
||||
"--name"
|
||||
providerName
|
||||
]
|
||||
[
|
||||
"--provider"
|
||||
"openidConnect"
|
||||
]
|
||||
[
|
||||
"--key"
|
||||
clientId
|
||||
]
|
||||
[
|
||||
"--auto-discover-url"
|
||||
"https://idm.nothing.run/oauth2/openid/${clientId}/.well-known/openid-configuration"
|
||||
]
|
||||
[
|
||||
"--scopes"
|
||||
"email"
|
||||
]
|
||||
[
|
||||
"--scopes"
|
||||
"profile"
|
||||
]
|
||||
[
|
||||
"--group-claim-name"
|
||||
"groups"
|
||||
]
|
||||
[
|
||||
"--admin-group"
|
||||
"admin"
|
||||
]
|
||||
[ "--skip-local-2fa" ]
|
||||
]
|
||||
);
|
||||
in
|
||||
lib.mkAfter ''
|
||||
provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)
|
||||
SECRET="$(< ${host-config.age.secrets.kanidm-oauth2-gitea.path})"
|
||||
if [[ -z "$provider_id" ]]; then
|
||||
${exe} admin auth add-oauth ${args} --secret "$SECRET"
|
||||
else
|
||||
${exe} admin auth update-oauth --id "$provider_id" ${args} --secret "$SECRET"
|
||||
fi
|
||||
'';
|
||||
};
|
||||
|
||||
networking.firewall = {
|
||||
enable = true;
|
||||
allowedTCPPorts = [ 3000 22 ];
|
||||
};
|
||||
system.stateVersion = "25.05";
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 9922 ];
|
||||
|
||||
services.caddy.virtualHosts = {
|
||||
"tea.nothing.run".extraConfig = ''
|
||||
reverse_proxy http://192.168.102.11:3000
|
||||
'';
|
||||
};
|
||||
|
||||
}
|
||||
Reference in New Issue
Block a user