mio-ops/roles/gitea.nix
2021-01-21 11:35:44 +10:00

98 lines
3.5 KiB
Nix

# NixOps configuration for the hosts running Gitea
{ config, pkgs, lib, ... }:
{
services.gitea = {
enable = true; # Enable Gitea
appName = "mcwhirter.io: Gitea Service"; # Give the site a name
database = {
type = "postgres"; # Database type
passwordFile = "/run/keys/gitea-dbpass"; # Where to find the password
};
domain = "source.mcwhirter.io"; # Domain name
rootUrl = "https://source.mcwhirter.io/"; # Root web URL
httpPort = 3002; # Provided unique port
settings = let
docutils =
pkgs.python37.withPackages (ps: with ps; [
docutils # Provides rendering of ReStructured Text files
pygments # Provides syntax highlighting
]);
in {
mailer = {
ENABLED = true;
FROM = "gitea@mcwhirter.io";
};
service = {
REGISTER_EMAIL_CONFIRM = true;
};
"markup.restructuredtext" = {
ENABLED = true;
FILE_EXTENSIONS = ".rst";
RENDER_COMMAND = "${docutils}/bin/rst2html.py";
IS_INPUT_FILE = false;
};
};
};
services.postgresql = {
enable = true; # Ensure postgresql is enabled
authentication = ''
local gitea all ident map=gitea-users
'';
identMap = # Map the gitea user to postgresql
''
gitea-users gitea gitea
'';
ensureDatabases = [ "gitea" ]; # Ensure the database persists
ensureUsers = [
{
name = "gitea"; # Ensure the database user persists
ensurePermissions = { # Ensure the database permissions persist
"DATABASE gitea" = "ALL PRIVILEGES";
"ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
};
}
];
};
services.nginx = {
enable = true; # Enable Nginx
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts."source.mcwhirter.io" = { # Gitea hostname
enableACME = true; # Use ACME certs
forceSSL = true; # Force SSL
locations."/".proxyPass = "http://localhost:3002/"; # Proxy Gitea
};
virtualHosts."git.mcwhirter.io" = { # Hostname to be redirected
enableACME = true; # Use ACME certs
forceSSL = true; # Force SSL
locations."/".proxyPass = "http://localhost:3002/"; # Proxy Gitea
globalRedirect = "source.mcwhirter.io"; # Redirect permanently to the host
};
virtualHosts."code.mcwhirter.io" = { # Hostname to be redirected
enableACME = true; # Use ACME certs
forceSSL = true; # Force SSL
locations."/".proxyPass = "http://localhost:3002/"; # Proxy Gitea
globalRedirect = "source.mcwhirter.io"; # Redirect permanently to the host
};
};
security.acme = {
acceptTerms = true;
certs = {
"code.mcwhirter.io".email = "craige@mcwhirter.io";
"git.mcwhirter.io".email = "craige@mcwhirter.io";
"source.mcwhirter.io".email = "craige@mcwhirter.io";
};
};
users.groups.keys.members = [ "gitea" ]; # Required due to NixOps issue #1204
}