From 33c59719298cac4a9243f3591c3866b5fd5775d5 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Sat, 2 Dec 2023 00:02:37 +0100
Subject: [PATCH] add gitea
---
 hosts/fw.cloonar.com/configuration.nix | 2 +-
 hosts/fw.cloonar.com/modules/gitea.nix | 82 +++++++++++++++++++-------
 2 files changed, 63 insertions(+), 21 deletions(-)
diff --git a/hosts/fw.cloonar.com/configuration.nix b/hosts/fw.cloonar.com/configuration.nix
index 08a9136..31493e5 100644
--- a/hosts/fw.cloonar.com/configuration.nix
+++ b/hosts/fw.cloonar.com/configuration.nix
@@ -23,7 +23,7 @@
     ./modules/omada.nix
     # git
-    # ./modules/gitea.nix
+    ./modules/gitea.nix
     # ./modules/drone/server.nix
     # ./modules/drone/runner.nix
     ./modules/fwmetrics.nix
diff --git a/hosts/fw.cloonar.com/modules/gitea.nix b/hosts/fw.cloonar.com/modules/gitea.nix
index 357f40a..5b057f1 100644
--- a/hosts/fw.cloonar.com/modules/gitea.nix
+++ b/hosts/fw.cloonar.com/modules/gitea.nix
@@ -1,36 +1,78 @@
 { config, ... }:
 let
   domain = "git.cloonar.com";
+  ip = "10.42.97.3";
 in
 {
+  security.acme.certs."${domain}" = {
+    domain = "${domain}";
+    group = "gitea";
+  };
   services.nginx.virtualHosts."${domain}" = {
     enableACME = true;
     forceSSL = true;
     locations."/" = {
-      proxyPass = "http://localhost:3001/";
+      proxyPass = "https://${ip}/";
     };
   };
-  services.gitea = {
-    enable = true;
-    appName = "Cloonar Gitea server"; # Give the site a name
-    settings = {
-      server = {
-        ROOT_URL = "https://${domain}/";
-        HTTP_PORT = 3001;
-        DOMAIN = domain;
+  users.users.gitea = {
+    isSystemUser = true;
+    group = "gitea";
+    home = "/var/lib/gitea";
+    createHome = true;
+  };
+  users.groups.gitea = { };
+  users.groups.docker.members = [ "gitea" ];
+
+  environment.etc."gitea/app.ini".source = ''
+    APP_NAME = Cloonar Gitea server
+    RUN_USER = gitea
+    RUN_MODE = prod
+
+    [cron.update_checker]
+    ENABLED=false
+
+    [openid]
+    ENABLE_OPENID_SIGNIN=false
+    ENABLE_OPENID_SIGNUP=true
+    WHITELISTED_URIS=auth.cloonar.com
+
+    [server]
+    DISABLE_SSH=false
+    DOMAIN=git.cloonar.com
+    HTTP_ADDR=0.0.0.0
+    HTTP_PORT=443
+    PROTOCOL=https
+    ROOT_URL=https://git.cloonar.com/
+    SSH_PORT=22
+    CERT_FILE=/bitnami/gitea/ssl/fullchain.pem
+    KEY_FILE=/bitnami/gitea/ssl/key.pem
+
+    [service]
+    ALLOW_ONLY_EXTERNAL_REGISTRATION=true
+    DISABLE_REGISTRATION=false
+    SHOW_REGISTRATION_BUTTON=false
+
+    [webhook]
+    ALLOWED_HOST_LIST=drone.cloonar.com
+  '';
+
+  # TODO: check if we can run docker service as other user than root
+  virtualisation = {
+    oci-containers.containers = {
+      omada = {
+        image = "bitnami/gitea:1";
+        volumes = [
+          "/var/lib/gitea:/bitnami/gitea"
+          "/etc/gitea/app.ini:/bitnami/gitea/custom/conf/app.ini:ro"
+          "/var/lib/acme/git.cloonar.com:/bitnami/gitea/ssl:ro"
+        ];
+        extraOptions = [
+          "--ip=${ip}"
+        ];
       };
-      openid = {
-        ENABLE_OPENID_SIGNIN = false;
-        ENABLE_OPENID_SIGNUP = true;
-        WHITELISTED_URIS = "auth.example.com";
-      };
-      service = {
-        DISABLE_REGISTRATION = false;
-        ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
-        SHOW_REGISTRATION_BUTTON = false;
-      };
-      webhook.ALLOWED_HOST_LIST = "drone.cloonar.com";
     };
   };
 }
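Review bot: `environment.etc."gitea/app.ini".source = ''…''` hands inline string content to an option that expects a path, so as far as I can tell this fails the option's type check at evaluation; for literal content the option is `environment.etc."gitea/app.ini".text = ''…'';`. `users.groups.docker.members = [ "gitea" ];` gives the host gitea account access to the Docker socket, which is equivalent to root on the host, and nothing in this hunk needs it — the bind mounts are done by the daemon and `RUN_USER` refers to the user inside the container — so the line can be dropped. The container key is `omada`, which looks copied from modules/omada.nix (imported in the other hunk); if that module declares the same key the two definitions conflict, and `gitea = {` is the expected name here. Also worth noting that whatever ends up in this app.ini is written to the world-readable Nix store, so any SECRET_KEY or INTERNAL_TOKEN added later needs a separate secrets mechanism rather than this block.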