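# NixOS host module: runs Gitea for the domain below inside a systemd-nspawn
# container (`containers.gitea`) that terminates TLS with its own nginx.
# The earlier OCI-container (docker) variant is kept as commented-out history
# further down; no host-side nginx vhost is active in this file, so traffic
# presumably reaches the container's bridge address directly — confirm.
{ config, ... }:
let
  domain = "git.cloonar.com";
  # Address the old OCI container was pinned to. Only referenced by the
  # commented-out variant below; the nspawn container uses 10.42.97.2/24.
  ip = "10.42.97.3";
in
{
  # Host-side gitea account with fixed uid/gid so files in the bind-mounted
  # state directory (/var/lib/gitea) have a stable owner on the host.
  # NOTE(review): the container's own gitea user (created by services.gitea
  # inside it) is not pinned to uid 990 here, and the container runs with
  # nspawn user namespacing (`-U`); confirm the ids line up, otherwise the
  # bind-mounted state dir may be unreadable/unwritable inside the container.
  users.users.gitea = {
    isSystemUser = true;
    uid = 990;
    group = "gitea";
    home = "/var/lib/gitea";
    createHome = true;
  };
  users.groups.gitea = { gid = 989; };

  # --- previous OCI-container setup (disabled) ---
  # services.nginx.virtualHosts."${domain}" = {
  #   enableACME = true;
  #   forceSSL = true;
  #   locations."/" = {
  #     proxyPass = "https://${ip}:443/";
  #     extraConfig = ''
  #       proxy_set_header=Host ${domain}
  #     '';
  #   };
  # };
  #
  # environment.etc."gitea/app.ini".text = ''
  #   APP_NAME = Cloonar Gitea server
  #   RUN_MODE = prod
  #
  #   [cron.update_checker]
  #   ENABLED=false
  #
  #   [database]
  #   DB_TYPE=sqlite3
  #   PATH=/bitnami/gitea/data/gitea.db
  #
  #   [openid]
  #   ENABLE_OPENID_SIGNIN=false
  #   ENABLE_OPENID_SIGNUP=true
  #   WHITELISTED_URIS=auth.cloonar.com
  #
  #   [server]
  #   DISABLE_SSH=false
  #   DOMAIN=git.cloonar.com
  #   HTTP_ADDR=0.0.0.0
  #   HTTP_PORT=443
  #   PROTOCOL=https
  #   ROOT_URL=https://git.cloonar.com/
  #   SSH_PORT=22
  #   CERT_FILE=/ssl/fullchain.pem
  #   KEY_FILE=/ssl/key.pem
  #
  #   [service]
  #   ALLOW_ONLY_EXTERNAL_REGISTRATION=true
  #   DISABLE_REGISTRATION=false
  #   SHOW_REGISTRATION_BUTTON=false
  #
  #   [webhook]
  #   ALLOWED_HOST_LIST=drone.cloonar.com
  # '';
  #
  # virtualisation = {
  #   oci-containers.containers = {
  #     gitea = {
  #       image = "gitea/gitea:1";
  #       volumes = [
  #         "/var/lib/gitea:/data"
  #         "/etc/gitea/app.ini:/data/custom/conf/app.ini:ro"
  #         "/var/lib/acme/git.cloonar.com:/ssl:ro"
  #       ];
  #       environment = {
  #         USER_UID = builtins.toString config.users.users.gitea.uid;
  #         USER_GID = builtins.toString config.users.groups.gitea.gid;
  #       };
  #       extraOptions = [
  #         "--ip=${ip}"
  #       ];
  #     };
  #     gitea = {
  #       image = "gitea/gitea:1";
  #       volumes = [
  #         "/var/lib/gitea:/data"
  #         "/etc/gitea/app.ini:/data/custom/conf/app.ini:ro"
  #         "/var/lib/acme/git.cloonar.com:/ssl:ro"
  #       ];
  #       environment = {
  #         USER_UID = builtins.toString config.users.users.gitea.uid;
  #         USER_GID = builtins.toString config.users.groups.gitea.gid;
  #       };
  #       extraOptions = [
  #         "--ip=${ip}"
  #       ];
  #     };
  #   };
  # };

  containers.gitea = {
    extraFlags = [ "-U" ]; # nspawn user namespacing
    autoStart = true;
    # Root filesystem is discarded on stop; everything persistent lives in
    # the bind mounts below.
    ephemeral = true;
    privateNetwork = true;
    hostBridge = "server";
    localAddress = "10.42.97.2/24";
    # Attribute names are the mount points inside the container.
    # Fixed from the original, which declared `bindMounts` twice (a duplicate
    # attribute, rejected by Nix) and referenced `security` unbound instead of
    # `config.security`; the certificate mount is now placed where the
    # container's nginx actually reads it (/var/lib/acme/gitea/*).
    bindMounts = {
      "/var/lib/gitea" = {
        hostPath = "/var/lib/gitea/";
        isReadOnly = false;
      };
      # ACME certificate issued on the host, exposed read-only to the
      # container's nginx.
      # NOTE(review): assumes the host defines security.acme.certs."${domain}".
      # The private key keeps its host ownership/mode, so confirm the
      # container's nginx can read key.pem without widening permissions on
      # the host's ACME directory.
      "/var/lib/acme/gitea" = {
        hostPath = config.security.acme.certs.${domain}.directory;
        isReadOnly = true;
      };
    };

    config = { lib, config, pkgs, ... }: {
      networking.hostName = "fw"; # NOTE(review): unusual name for a gitea container — confirm
      # TLS terminator in front of gitea's plain-HTTP listener on 3001.
      services.nginx.enable = true;
      services.nginx.virtualHosts."${domain}" = {
        sslCertificate = "/var/lib/acme/gitea/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/gitea/key.pem";
        sslTrustedCertificate = "/var/lib/acme/gitea/chain.pem";
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://localhost:3001/";
        };
      };
      services.gitea = {
        enable = true;
        appName = "Cloonar Gitea server"; # Give the site a name
        settings = {
          server = {
            ROOT_URL = "https://${domain}/";
            HTTP_PORT = 3001;
            DOMAIN = domain;
          };
          openid = {
            ENABLE_OPENID_SIGNIN = false;
            ENABLE_OPENID_SIGNUP = true;
            # NOTE(review): the disabled config above used auth.cloonar.com;
            # confirm which identity provider is intended here.
            WHITELISTED_URIS = "auth.example.com";
          };
          # Registration only through an external identity provider; the
          # registration button is hidden.
          service = {
            DISABLE_REGISTRATION = false;
            ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
            SHOW_REGISTRATION_BUTTON = false;
          };
          # Allow-list of hosts webhooks may be delivered to.
          webhook.ALLOWED_HOST_LIST = "drone.cloonar.com";
        };
      };
      system.stateVersion = "23.05";
      networking = {
        interfaces."eth0".useDHCP = true;
        firewall = {
          enable = true;
          # NOTE(review): nothing in this container config listens on 22
          # (no sshd, gitea's built-in SSH server not enabled) — consider
          # dropping it from the allow-list.
          allowedTCPPorts = [ 22 80 443 ];
        };
        # Use systemd-resolved inside the container
        useHostResolvConf = false;
      };
      services.resolved.enable = true;
    };
  };
}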