mio-ops/roles/gitea.nix
2020-08-10 21:32:34 +10:00


# NixOps configuration for the hosts running Gitea
{ config, pkgs, lib, ... }:
{
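services.gitea = {
  enable = true;                                   # Run the Gitea service
  appName = "mcwhirter.io: Gitea Service";         # Site title shown in the UI
  database = {
    type = "postgres";                             # Use PostgreSQL as the backend
    # The password is read from a file at runtime rather than being written
    # into this expression.
    passwordFile = "/run/keys/gitea-dbpass";
  };
  domain = "source.mcwhirter.io";                  # Public domain name
  rootUrl = "https://source.mcwhirter.io/";        # Public base URL (HTTPS)
  # Listen on loopback only. Nginx on this host terminates TLS and proxies to
  # this port, so Gitea's plain-HTTP listener does not need to be reachable
  # from other machines.
  httpAddress = "127.0.0.1";
  httpPort = 3002;                                 # Port the Nginx vhost proxies to
  # rootUrl is HTTPS and the Nginx vhost sets forceSSL, so mark the session
  # cookie Secure to keep it off plain-HTTP requests.
  cookieSecure = true;
  extraConfig = let
    # Python environment that provides rst2html.py.
    # It is deliberately not named `docutils`: a let binding takes precedence
    # over names brought in by `with`, so a binding called `docutils` would
    # capture the `docutils` entry in the list below instead of the Python
    # package.
    rstRenderer =
      pkgs.python37.withPackages (ps: with ps; [
        docutils # Renders reStructuredText files
        pygments # Syntax highlighting for code blocks
      ]);
  in ''
    [mailer]
    ENABLED = true
    FROM = "gitea@mcwhirter.io"
    [service]
    ; Self-registration stays available but requires a confirmed e-mail
    ; address. NOTE(review): set services.gitea.disableRegistration if open
    ; sign-up is not intended.
    REGISTER_EMAIL_CONFIRM = true
    [markup.restructuredtext]
    ENABLED = true
    FILE_EXTENSIONS = .rst
    ; The renderer runs as the gitea user on repository content, which is
    ; untrusted input. --no-file-insertion disables include-style directives
    ; that read files from the server; --no-raw disables raw pass-through.
    RENDER_COMMAND = ${rstRenderer}/bin/rst2html.py --no-file-insertion --no-raw
    IS_INPUT_FILE = false
  '';
};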
services.postgresql = {
  enable = true;                         # PostgreSQL must be running for Gitea

  # Make sure the gitea database exists on this host.
  ensureDatabases = [ "gitea" ];

  # Make sure the gitea role exists and holds the grants listed here.
  ensureUsers = [
    {
      name = "gitea";
      ensurePermissions = {
        "DATABASE gitea" = "ALL PRIVILEGES";
        # NOTE(review): confirm which database this schema-wide grant is
        # applied in; it is not scoped to "gitea" by name.
        "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
      };
    }
  ];

  # pg_hba entry: connections of type "local" to the gitea database
  # authenticate by ident, using the gitea-users map defined below.
  authentication = ''
    local gitea all ident map=gitea-users
  '';

  # Ident map gitea-users: system user gitea -> database user gitea.
  identMap = ''
    gitea-users gitea gitea
  '';
};
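services.nginx = {
  enable = true;                         # Run Nginx as the TLS front end
  recommendedGzipSettings = true;
  recommendedOptimisation = true;
  recommendedProxySettings = true;
  recommendedTlsSettings = true;

  virtualHosts = {
    # Canonical Gitea hostname: ACME certificate, HTTP redirected to HTTPS.
    "source.mcwhirter.io" = {
      enableACME = true;
      forceSSL = true;
      # Proxy to Gitea's HTTP port (services.gitea.httpPort). The upstream is
      # given as an explicit IPv4 loopback address so it does not depend on
      # how "localhost" resolves (it may also resolve to ::1).
      locations."/".proxyPass = "http://127.0.0.1:3002/";
    };

    # Alternative hostnames, permanently redirected to the canonical host.
    # NOTE(review): these vhosts set neither enableACME nor forceSSL, so they
    # presumably answer over plain HTTP only; confirm how HTTPS requests for
    # these names should be handled.
    "git.mcwhirter.io".globalRedirect = "source.mcwhirter.io";
    "code.mcwhirter.io".globalRedirect = "source.mcwhirter.io";
  };
};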
# Contact address registered with the ACME certificate for the Gitea host.
security.acme.certs."source.mcwhirter.io".email = "craige@mcwhirter.io";

# Put the gitea user in the "keys" group (required due to NixOps issue #1204).
# NOTE(review): presumably this is what lets Gitea read
# /run/keys/gitea-dbpass. Confirm which other keys under /run/keys are
# readable by this group, since membership is not limited to one file.
users.groups.keys.members = [ "gitea" ];
}