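{ ... }:
{
  # Gitea as a NixOS (systemd-nspawn) container with its own network namespace.
  # The PostgreSQL password is decrypted by sops on the host and handed to the
  # container as a systemd credential, so the plaintext never enters the store.
  flake.nixosModules.default = { config, lib, ... }:
    {
      options.sysconfig.containers.gitea.enable = lib.options.mkOption {
        type = lib.types.bool;
        default = false;
      };

      config = lib.mkIf config.sysconfig.containers.gitea.enable {
        # Container traffic is NATed through the host; ve-gitea is the host-side veth.
        networking = {
          nat.internalInterfaces = [ "ve-gitea" ];
        };

        # Left at sops-nix defaults (root-owned, mode 0400) on the host.
        sops.secrets = {
          "gitea/dbpass" = { };
        };

        containers.gitea = {
          autoStart = true;
          privateNetwork = true;
          hostAddress = "192.168.100.10";
          localAddress = "192.168.100.20";

          bindMounts = {
            "/etc/gitea/data" = {
              hostPath = "/ssd1/Gitea/data";
              isReadOnly = false;
            };
          };

          # Expose the decrypted secret inside the container as credential
          # "dbpass" rather than bind-mounting the host secret path.
          extraFlags = [
            "--load-credential=dbpass:${config.sops.secrets."gitea/dbpass".path}"
          ];

          config = {
            # Materialise the credential as the file services.gitea reads via
            # database.passwordFile.
            #
            # Type=oneshot + before: `wantedBy` alone only starts this unit
            # alongside gitea.service and gives no ordering, so gitea could
            # start before /etc/gitea/dbpass exists.
            systemd.services.secrets_setup = {
              wantedBy = [ "gitea.service" ];
              before = [ "gitea.service" ];
              serviceConfig = {
                Type = "oneshot";
                LoadCredential = [ "dbpass" ];
              };
              # install(1) sets owner and mode at creation time. A plain
              # `cat > file` creates the password file under the service's
              # default umask (world-readable) and a later chown only fixes
              # ownership, not the mode.
              script = ''
                install -m 0400 -o gitea -g gitea "''${CREDENTIALS_DIRECTORY}/dbpass" /etc/gitea/dbpass
                chown gitea:gitea /etc/gitea/*
              '';
            };

            services.gitea = {
              enable = true;
              stateDir = "/etc/gitea/data";
              dump.enable = false;
              appName = "Gitea";
              settings = {
                server = {
                  DOMAIN = "gitea.esotericbytes.com";
                  HTTP_PORT = 3000;
                  ROOT_URL = "https://gitea.esotericbytes.com/";
                };
                # Registration stays enabled, but only through external
                # (OAuth2) providers; local sign-up forms are not offered.
                service = {
                  DISABLE_REGISTRATION = false;
                  ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
                  REQUIRE_SIGNIN_VIEW = false;
                };
                oauth2_client = {
                  ENABLE_AUTO_REGISTRATION = true;
                };
                # ROOT_URL is https, so the session cookie can carry Secure.
                session.COOKIE_SECURE = true;
                cron = {
                  ENABLED = true;
                  RUN_AT_START = true;
                };
                repository = {
                  DEFAULT_BRANCH = "master";
                };
              };
              database = {
                passwordFile = "/etc/gitea/dbpass";
                type = "postgres";
              };
            };

            # Git-over-SSH endpoint inside the container: key-only, no root login.
            services.openssh = {
              enable = true;
              openFirewall = true;
              settings = {
                PermitRootLogin = lib.mkForce "no";
                PasswordAuthentication = false;
                KbdInteractiveAuthentication = false;
              };
              ports = [ 2222 ];
            };

            networking.firewall.allowedTCPPorts = [ 3000 ];
            system.stateVersion = "24.11";
          };
        };
      };
    };

  # Gitea + PostgreSQL as OCI containers on the docker-main network, fronted
  # by traefik for both HTTP and SSH.
  flake.nixosModules.gitea-docker = { config, lib, pkgs, ... }:
    let
      subdomain = "gitea";
      name = "gitea";
    in
    {
      options.sysconfig.docker."${name}".enable = with lib; mkOption {
        type = with types; bool;
        default = false;
      };

      config = lib.mkIf (config.sysconfig.docker."${name}".enable && config.sysconfig.docker.enable) {
        virtualisation.oci-containers.containers."${name}" = {
          image = "docker.gitea.com/gitea:1.25.4";
          # unstable, waiting for 26.05
          #pull = "newer";
          hostname = "${subdomain}.esotericbytes.com";
          networks = [ "docker-main" ];
          labels = {
            "traefik.enable" = "true";
            "traefik.http.routers.${name}.entrypoints" = "localsecure";
            "traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
            "traefik.http.routers.${name}.service" = "${name}";
            "traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
            "traefik.http.services.${name}.loadbalancer.server.port" = "3000";
            # SSH is plain TCP without SNI, so only a catch-all rule can match;
            # the dedicated "gitea-ssh" entrypoint is what scopes this router.
            "traefik.tcp.routers.${name}-ssh.entrypoints" = "gitea-ssh";
            "traefik.tcp.routers.${name}-ssh.rule" = "HostSNI(`*`)";
            "traefik.tcp.routers.${name}-ssh.service" = "${name}-ssh";
            "traefik.tcp.services.${name}-ssh.loadbalancer.server.port" = "22";
          };
          # No host port mappings: reachable only via traefik on docker-main.
          ports = [ ];
          extraOptions = [ "--ip=192.168.101.20" ];
          volumes = [ "vol_gitea:/data" ];
          environment = { };
        };

        virtualisation.oci-containers.containers."${name}-db" = {
          image = "docker.io/library/postgres:14";
          # unstable, waiting for 26.05
          #pull = "newer";
          hostname = "${name}-db";
          networks = [ "docker-main" ];
          labels = { };
          ports = [ ];
          extraOptions = [ "--ip=192.168.101.21" ];
          # Host-path data directory. No POSTGRES_* variables are passed, so the
          # superuser credentials presumably already live in this directory —
          # TODO confirm against the initial provisioning.
          volumes = [ "/etc/gitea/db:/var/lib/postgresql/data" ];
          environment = { };
        };

        # Restart policy overrides (priority 90 beats the oci-containers defaults).
        # Gitea waits for the network, its data volume and the database.
        systemd.services."docker-gitea" = {
          serviceConfig = {
            Restart = lib.mkOverride 90 "always";
            RestartMaxDelaySec = lib.mkOverride 90 "1m";
            RestartSec = lib.mkOverride 90 "100ms";
            RestartSteps = lib.mkOverride 90 9;
          };
          after = [
            "docker-network-setup.service"
            "docker-volume-gitea.service"
            "docker-gitea-db.service"
          ];
          requires = [
            "docker-network-setup.service"
            "docker-volume-gitea.service"
            "docker-gitea-db.service"
          ];
          partOf = [ "docker-compose-gitea-root.target" ];
          wantedBy = [ "docker-compose-gitea-root.target" ];
        };

        systemd.services."docker-gitea-db" = {
          serviceConfig = {
            Restart = lib.mkOverride 90 "always";
            RestartMaxDelaySec = lib.mkOverride 90 "1m";
            RestartSec = lib.mkOverride 90 "100ms";
            RestartSteps = lib.mkOverride 90 9;
          };
          after = [ "docker-network-setup.service" ];
          requires = [ "docker-network-setup.service" ];
          partOf = [ "docker-compose-gitea-root.target" ];
          wantedBy = [ "docker-compose-gitea-root.target" ];
        };

        # Idempotently create the named volume backing /data in the gitea container.
        systemd.services."docker-volume-gitea" = {
          path = [ pkgs.docker ];
          serviceConfig = {
            Type = "oneshot";
            RemainAfterExit = true;
          };
          script = ''
            docker volume inspect vol_gitea || docker volume create vol_gitea --driver=local
          '';
          partOf = [ "docker-compose-gitea-root.target" ];
          wantedBy = [ "docker-compose-gitea-root.target" ];
        };
      };
    };
}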