From 2b6a8951e66ac50b3e03746c9277972acb55781f Mon Sep 17 00:00:00 2001
From: Craige McWhirter
Date: Fri, 6 Sep 2019 16:50:59 +1000
Subject: [PATCH] Implemented secure passwords
---
 Deployments/gitea.nix | 38 +++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/Deployments/gitea.nix b/Deployments/gitea.nix
index 4a3102b..26b4daf 100644
--- a/Deployments/gitea.nix
+++ b/Deployments/gitea.nix
@@ -1,20 +1,26 @@
-# NixOps configuration for the VMs running Gitea
+# NixOps configuration for the hosts running Gitea
 { config, pkgs, lib, ... }:
 {
 services.gitea = {
- enable = true; # Enable Gitea
- appName = "mcwhirter.io: Gitea Service"; # Give the site a name
+ enable = true; # Enable Gitea
+ appName = "mcwhirter.io: Gitea Service"; # Give the site a name
 database = {
- type = "postgres"; # Database type
- password = "gitea"; # Set the password
+ type = "postgres"; # Database type
+ passwordFile = "/run/keys/gitea-dbpass"; # Where to find the password
 };
- domain = "source.mcwhirter.io"; # Domain name
- rootUrl = "https://source.mcwhirter.io/"; # Root web URL
- httpPort = 3001; # Provided unique port
- extraConfig = ''
+ domain = "source.mcwhirter.io"; # Domain name
+ rootUrl = "https://source.mcwhirter.io/"; # Root web URL
+ httpPort = 3001; # Provided unique port
+ extraConfig = let
+ docutils =
+ pkgs.python37.withPackages (ps: with ps; [
+ docutils # Provides rendering of ReStructured Text files
+ pygments # Provides syntax highlighting
+ ]);
+ in ''
 [mailer]
 ENABLED = true
 FROM = "gitea@mcwhirter.io"
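Review bot: The `let docutils = pkgs.python37.withPackages (ps: with ps; [ docutils … ])` binding added for `extraConfig` appears to refer to itself. Nix `let` is recursive and `with ps;` does not shadow a lexically bound name, so the `docutils` inside the list resolves to the environment being defined rather than to `ps.docutils`, and forcing `${docutils}` in the next hunk would end in infinite recursion. Giving the binding a different name avoids this, e.g. `rstEnv = pkgs.python37.withPackages (ps: [ ps.docutils ps.pygments ]);` together with `RENDER_COMMAND = ${rstEnv}/bin/rst2html.py`. The `extraConfig` string and the `services.gitea` block continue outside the hunk.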
@@ -23,13 +29,16 @@
 [markup.restructuredtext]
 ENABLED = true
 FILE_EXTENSIONS = .rst
- RENDER_COMMAND = /run/current-system/sw/bin/rst2html.py
+ RENDER_COMMAND = ${docutils}/bin/rst2html.py
 IS_INPUT_FILE = false
 '';
 };
 services.postgresql = {
 enable = true; # Ensure postgresql is enabled
+ authentication = ''
+ local gitea all ident map=gitea-users
+ '';
 identMap = # Map the gitea user to postgresql
 ''
 gitea-users gitea gitea
@@ -53,13 +62,4 @@
 "source.mcwhirter.io".email = "craige@mcwhirter.io";
 };
- environment.systemPackages = with pkgs; [
- ((
- python37.withPackages (ps: with ps; [
- docutils # Provides rendering of ReStructured Text files
- pygments # Provides syntax highlighting
- ])
- ))
- ];
-
 }
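Review bot: The added `local gitea all ident map=gitea-users` rule authorises Unix-socket connections to the `gitea` database by OS user name and never checks a password, so the `passwordFile` from the first hunk only takes effect if Gitea connects over TCP; which path is used is not visible in this patch. If the password is needed, the patch also does not show the matching `deployment.keys.gitea-dbpass` entry: NixOps keys under /run/keys are root-owned by default, so the `gitea` user needs read access (key `user`/`group` plus membership of the `keys` group) and the service should start after `gitea-dbpass-key.service`. The previous literal password `gitea` remains in the repository history, so it should be changed in PostgreSQL rather than carried into the key file. A comment above `authentication` such as `# socket logins to the gitea DB use peer/ident auth, no password` would record the intent. The `services.postgresql` block continues outside the hunk.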