{ ... }: {
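flake.nixosModules.gitea = { config, lib, ... }: {
  # NixOS module: runs Gitea in a systemd-nspawn container (`containers.gitea`)
  # on a private veth network, with repository state bind-mounted from the host
  # and the database password passed in as a systemd credential instead of
  # being written into the Nix store.
  config = {
    networking = {
      # Host-side NAT for the container's veth interface. Assumes
      # `networking.nat.enable` (and the external interface) is configured in
      # another module — not visible here.
      nat.internalInterfaces = [ "ve-gitea" ];
    };

    # sops-managed secret on the host; only its decrypted path is used below.
    sops.secrets = {
      "gitea/dbpass" = {};
    };

    containers.gitea = {
      autoStart = true;
      privateNetwork = true;
      hostAddress = "192.168.100.10";
      localAddress = "192.168.100.20";

      bindMounts = {
        # Gitea state (repositories, attachments, app.ini) lives on the host SSD.
        "/etc/gitea/data" = {
          hostPath = "/ssd1/Gitea/data";
          isReadOnly = false;
        };
      };

      # Passed to systemd-nspawn: exposes the decrypted host secret inside the
      # container as a systemd credential named "dbpass", so the container's
      # units can pick it up via LoadCredential= without the store or the
      # container filesystem carrying the plaintext.
      extraFlags = [
        "--load-credential=dbpass:${config.sops.secrets."gitea/dbpass".path}"
      ];

      config = {
        # Copies the "dbpass" credential to the path that
        # `services.gitea.database.passwordFile` reads at start-up.
        # `before` + Type=oneshot are required for correctness: `wantedBy`
        # alone only pulls this unit in and gives no ordering guarantee, so
        # gitea.service could otherwise start before the file exists.
        systemd.services.secrets_setup = {
          wantedBy = [ "gitea.service" ];
          before = [ "gitea.service" ];

          serviceConfig = {
            Type = "oneshot";
            LoadCredential = [
              "dbpass"
            ];
          };

          # install(1) sets owner and a 0400 mode in one step; the previous
          # `cat ... > file` created the secret with the service's default umask
          # (typically 0644), i.e. readable by every user in the container.
          # The chown keeps the data mount point owned by the gitea user.
          script = ''
            install -m 0400 -o gitea -g gitea "''${CREDENTIALS_DIRECTORY}/dbpass" /etc/gitea/dbpass
            chown gitea:gitea /etc/gitea/*
          '';
        };

        services.gitea = {
          enable = true;

          # Matches the bind mount above.
          stateDir = "/etc/gitea/data";

          # Periodic `gitea dump` is off; backups are presumably taken at the
          # host/SSD level — confirm.
          dump.enable = false;

          appName = "Gitea";

          settings = {
            server = {
              DOMAIN = "gitea.esotericbytes.com";
              HTTP_PORT = 3000;
              # Must be the public HTTPS origin: Gitea derives redirects, OAuth2
              # callback URLs and cookie scoping from it.
              ROOT_URL = "https://gitea.esotericbytes.com/";
            };
            service = {
              # Self-service sign-up is allowed only through external identity
              # providers; the local registration form is effectively closed.
              DISABLE_REGISTRATION = false;
              ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
              # Anonymous visitors may browse public repositories.
              REQUIRE_SIGNIN_VIEW = false;
            };
            oauth2_client = {
              # First OAuth2 login creates the Gitea account automatically; the
              # trusted provider is configured at runtime, not in this file.
              ENABLE_AUTO_REGISTRATION = true;
            };
            # Session cookie is only sent over HTTPS. The container itself serves
            # plain HTTP on 3000, so TLS presumably terminates in a proxy in front
            # of it — confirm.
            session.COOKIE_SECURE = true;

            cron = {
              ENABLED = true;
              RUN_AT_START = true;
            };

            repository = {
              DEFAULT_BRANCH = "master";
            };
          };

          database = {
            # Written by secrets_setup above, mode 0400, owner gitea.
            passwordFile = "/etc/gitea/dbpass";
            type = "postgres";
          };
        };

        # SSH endpoint inside the container (git-over-SSH). Key-only, root login
        # disabled; mkForce wins over any default a shared profile may set.
        services.openssh = {
          enable = true;
          openFirewall = true;
          settings = {
            PermitRootLogin = lib.mkForce "no";
            PasswordAuthentication = false;
            KbdInteractiveAuthentication = false;
          };
          ports = [ 2222 ];
        };

        # Gitea's HTTP port, reachable from the host via 192.168.100.20.
        # Port 2222 is opened by `openFirewall` above.
        networking.firewall.allowedTCPPorts = [ 3000 ];

        system.stateVersion = "24.11";
      };
    };
  };
};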
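flake.nixosModules.gitea-docker = { config, lib, pkgs, ... }: let
  subdomain = "gitea";
  name = "gitea";
  fqdn = "${subdomain}.esotericbytes.com";

  # Every unit generated here is tied to this target so the stack can be
  # started/stopped as a group. The target itself is not defined in this file.
  rootTarget = "docker-compose-gitea-root.target";

  # Restart policy shared by both container units. Priority 90 beats a plain
  # assignment (100), so it replaces the values the oci-containers module sets
  # without a definition conflict, while still yielding to mkForce (50).
  restartPolicy = {
    Restart = lib.mkOverride 90 "always";
    RestartMaxDelaySec = lib.mkOverride 90 "1m";
    RestartSec = lib.mkOverride 90 "100ms";
    RestartSteps = lib.mkOverride 90 9;
  };
in {
  config = {
    # Gitea application container. No host ports are published; all ingress
    # goes through Traefik (HTTP via the `localsecure` entrypoint, git-over-SSH
    # via the `gitea-ssh` TCP entrypoint). The `docker-main` network and the
    # Traefik entrypoints are defined in other modules — not visible here.
    virtualisation.oci-containers.containers."${name}" = {
      # Pinned by tag only; the content behind a tag can change on re-pull.
      image = "docker.gitea.com/gitea:1.25.4";

      # unstable, waiting for 26.05
      #pull = "newer";

      hostname = fqdn;

      networks = [ "docker-main" ];

      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.${name}.entrypoints" = "localsecure";
        "traefik.http.routers.${name}.rule" = "Host(`${fqdn}`)";
        "traefik.http.routers.${name}.service" = "${name}";
        "traefik.http.routers.${name}.tls.certResolver" = "cloudflare";

        "traefik.http.services.${name}.loadbalancer.server.port" = "3000";

        # Plain TCP (no TLS) carries no SNI, so HostSNI(`*`) is the only rule
        # that can match; everything reaching the gitea-ssh entrypoint lands here.
        "traefik.tcp.routers.${name}-ssh.entrypoints" = "gitea-ssh";
        "traefik.tcp.routers.${name}-ssh.rule" = "HostSNI(`*`)";
        "traefik.tcp.routers.${name}-ssh.service" = "${name}-ssh";

        "traefik.tcp.services.${name}-ssh.loadbalancer.server.port" = "22";
      };

      # Nothing published on the host directly.
      ports = [ ];

      # Fixed address on docker-main so the proxy and the database can be
      # addressed predictably.
      extraOptions = [ "--ip=192.168.101.20" ];

      # Named volume, created by docker-volume-gitea below.
      volumes = [ "vol_gitea:/data" ];

      # No database settings here; Gitea presumably reads them from app.ini on
      # the volume — confirm. Note the database is reachable by every container
      # on docker-main, so its credentials are the only access control.
      environment = { };
    };

    # Database container. Not exposed to the host or to Traefik; only reachable
    # on the docker-main network.
    virtualisation.oci-containers.containers."${name}-db" = {
      image = "docker.io/library/postgres:14";

      # unstable, waiting for 26.05
      #pull = "newer";

      hostname = "${name}-db";

      networks = [ "docker-main" ];

      labels = { };

      ports = [ ];

      extraOptions = [ "--ip=192.168.101.21" ];

      # Database files on a host path rather than a named volume.
      volumes = [ "/etc/gitea/db:/var/lib/postgresql/data" ];

      # The official postgres image refuses to initialise a fresh data
      # directory without POSTGRES_PASSWORD (or an explicit trust opt-in). This
      # is empty, so the password is presumably supplied another way (an
      # environment file, or a data directory that is already initialised) —
      # confirm.
      environment = { };
    };

    systemd.services."docker-${name}" = let
      # Network, the data volume and the database must be up before Gitea
      # starts; `requires` additionally takes Gitea down if any of them stops.
      deps = [
        "docker-network-setup.service"
        "docker-volume-gitea.service"
        "docker-${name}-db.service"
      ];
    in {
      serviceConfig = restartPolicy;
      after = deps;
      requires = deps;
      partOf = [ rootTarget ];
      wantedBy = [ rootTarget ];
    };

    systemd.services."docker-${name}-db" = {
      serviceConfig = restartPolicy;
      after = [ "docker-network-setup.service" ];
      requires = [ "docker-network-setup.service" ];
      partOf = [ rootTarget ];
      wantedBy = [ rootTarget ];
    };

    # Creates the named data volume once; idempotent because `inspect` succeeds
    # when the volume already exists.
    systemd.services."docker-volume-gitea" = {
      path = [ pkgs.docker ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
      };
      script = ''
        docker volume inspect vol_gitea || docker volume create vol_gitea --driver=local
      '';
      partOf = [ rootTarget ];
      wantedBy = [ rootTarget ];
    };
  };
};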