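{ config, ... }:
let
  domain = "git.cloonar.com";
  # Only referenced by the legacy OCI-container block below (kept for reference).
  ip = "10.42.97.3";
in
{
  # Host-side account that owns the container's /var/lib/gitea bind mount.
  # Fixed uid/gid so file ownership lines up between host and container.
  users.users.gitea = {
    isSystemUser = true;
    uid = 990;
    group = "gitea";
    home = "/var/lib/gitea";
    createHome = true;
  };
  users.groups.gitea = {
    gid = 989;
  };

  # Legacy setup: an nginx vhost on the host proxying to an OCI container.
  # Superseded by the NixOS container below; kept for reference only.
  # services.nginx.virtualHosts."${domain}" = {
  #   enableACME = true;
  #   forceSSL = true;
  #   locations."/" = {
  #     proxyPass = "https://${ip}:443/";
  #     extraConfig = ''
  #       proxy_set_header=Host ${domain}
  #     '';
  #   };
  # };
  #
  # environment.etc."gitea/app.ini".text = ''
  #   APP_NAME = Cloonar Gitea server
  #   RUN_MODE = prod
  #
  #   [cron.update_checker]
  #   ENABLED=false
  #
  #   [database]
  #   DB_TYPE=sqlite3
  #   PATH=/bitnami/gitea/data/gitea.db
  #
  #   [openid]
  #   ENABLE_OPENID_SIGNIN=false
  #   ENABLE_OPENID_SIGNUP=true
  #   WHITELISTED_URIS=auth.cloonar.com
  #
  #   [server]
  #   DISABLE_SSH=false
  #   DOMAIN=git.cloonar.com
  #   HTTP_ADDR=0.0.0.0
  #   HTTP_PORT=443
  #   PROTOCOL=https
  #   ROOT_URL=https://git.cloonar.com/
  #   SSH_PORT=22
  #   CERT_FILE=/ssl/fullchain.pem
  #   KEY_FILE=/ssl/key.pem
  #
  #   [service]
  #   ALLOW_ONLY_EXTERNAL_REGISTRATION=true
  #   DISABLE_REGISTRATION=false
  #   SHOW_REGISTRATION_BUTTON=false
  #
  #   [webhook]
  #   ALLOWED_HOST_LIST=drone.cloonar.com
  # '';
  #
  # The original file had the `gitea` container attribute twice; a repeated
  # attribute is an evaluation error in Nix, so only one copy is kept here.
  # virtualisation = {
  #   oci-containers.containers = {
  #     gitea = {
  #       image = "gitea/gitea:1";
  #       volumes = [
  #         "/var/lib/gitea:/data"
  #         "/etc/gitea/app.ini:/data/custom/conf/app.ini:ro"
  #         "/var/lib/acme/git.cloonar.com:/ssl:ro"
  #       ];
  #       environment = {
  #         USER_UID = builtins.toString config.users.users.gitea.uid;
  #         USER_GID = builtins.toString config.users.groups.gitea.gid;
  #       };
  #       extraOptions = [
  #         "--ip=${ip}"
  #       ];
  #     };
  #   };
  # };

  containers.gitea = {
    autoStart = true;
    # The container's root filesystem is discarded on every restart; anything
    # that must survive has to live in a bind mount.
    ephemeral = true;
    # macvlans = [ "vserver" ];
    privateNetwork = true;
    hostBridge = "server";
    localAddress = "10.42.97.2";
    bindMounts = {
      "/var/lib/gitea" = {
        hostPath = "/var/lib/gitea/";
        isReadOnly = false;
      };
    };
    # NOTE(review): the nginx vhost below reads its certificate and key from
    # /var/lib/acme/gitea/, but with this block commented out no bind mount
    # provides that path; unless the files arrive some other way, nginx inside
    # the container has nothing to serve TLS with. When re-enabling it, merge
    # the entry into the bindMounts set above (a second `bindMounts =` in the
    # same set is a duplicate-attribute error), and use the option path
    # config.security.acme.certs — a bare `security.acme...` is not in scope.
    # bindMounts = {
    #   "/var/lib/acme/gitea/" = {
    #     hostPath = "${config.security.acme.certs.${domain}.directory}";
    #     isReadOnly = true;
    #   };
    # };

    config = { lib, config, pkgs, ... }: {
      networking = {
        hostName = "gitea";
        interfaces.eth0 = {
          useDHCP = true;
          # ipv4.addresses = [ { address = "10.42.97.2"; prefixLength = 24; } ];
        };
        # NOTE(review): NixOS enables the firewall by default, also inside
        # containers, and services.nginx does not open ports by itself; if the
        # vhost is not reachable from outside the container, check this first.
        # firewall = {
        #   enable = true;
        #   allowedTCPPorts = [ 22 80 443 ];
        # };
        # Use systemd-resolved inside the container
        useHostResolvConf = false;
      };
      services.resolved.enable = true;

      services.nginx.enable = true;
      # Pass Host, X-Real-IP and X-Forwarded-* through to Gitea so its logs
      # and request handling see the real client instead of 127.0.0.1.
      services.nginx.recommendedProxySettings = true;
      services.nginx.virtualHosts."${domain}" = {
        sslCertificate = "/var/lib/acme/gitea/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/gitea/key.pem";
        sslTrustedCertificate = "/var/lib/acme/gitea/chain.pem";
        forceSSL = true;
        locations."/" = {
          # Plain HTTP is acceptable here: the hop never leaves the
          # container's loopback interface.
          proxyPass = "http://localhost:3001/";
        };
      };

      # NOTE(review): nixpkgs refuses to build this gitea release because it is
      # marked as having known vulnerabilities; this line only silences that
      # refusal, it does not make the package safe. Move to a supported
      # release and drop the pin as soon as possible.
      nixpkgs.config.permittedInsecurePackages = [ "gitea-1.19.4" ];

      services.gitea = {
        enable = true;
        appName = "Cloonar Gitea server"; # Give the site a name
        settings = {
          server = {
            ROOT_URL = "https://${domain}/";
            # Must match the nginx proxyPass above.
            HTTP_PORT = 3001;
            DOMAIN = domain;
          };
          openid = {
            ENABLE_OPENID_SIGNIN = false;
            ENABLE_OPENID_SIGNUP = true;
            # NOTE(review): the legacy app.ini above whitelisted
            # auth.cloonar.com; "auth.example.com" looks like a placeholder
            # that was never replaced — confirm before relying on OpenID signup.
            WHITELISTED_URIS = "auth.example.com";
          };
          service = {
            # Registration stays enabled but only through the external
            # (OpenID) provider; the local sign-up button is hidden.
            DISABLE_REGISTRATION = false;
            ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
            SHOW_REGISTRATION_BUTTON = false;
          };
          # Outbound webhooks may only target this host.
          webhook.ALLOWED_HOST_LIST = "drone.cloonar.com";
        };
      };

      system.stateVersion = "23.05";
    };
  };
}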