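# NixOS host module: runs Gitea inside a macvlan-attached NixOS container ("git")
# behind an in-container nginx that terminates TLS with a certificate the HOST
# obtains via ACME.  Gitea state lives on the host (/var/lib/gitea) and is
# bind-mounted into the ephemeral container; the ACME directory is bind-mounted
# read-only.
{ config, ... }:
let
  cids = import ../modules/staticids.nix;
  domain = "git.cloonar.com";

  # The same uid/gid are declared on the host and inside the container so that
  # files on the bind-mounted /var/lib/gitea are owned consistently on both sides.
  user = {
    isSystemUser = true;
    uid = cids.uids.gitea;
    group = "gitea";
    home = "/var/lib/gitea";
    createHome = true;
  };
  group = { gid = cids.gids.gitea; };

  # Host-side directory where the ACME module stores this domain's certificate.
  acmeDir = config.security.acme.certs.${domain}.directory;
in
{
  users.users.gitea = user;
  users.groups.gitea = group;

  # The host requests the certificate; the files are made readable by the host's
  # "nginx" group so the container's nginx can read them through the bind mount.
  # NOTE(review): this only works if the container's nginx gid matches the host's
  # nginx gid — confirm, otherwise the in-container nginx cannot open key.pem.
  security.acme.certs."${domain}" = { group = "nginx"; };

  containers.git = {
    autoStart = true;
    # The container root is discarded on every restart; only the bind mounts persist.
    ephemeral = true;
    macvlans = [ "vserver" ];

    # Both mounts live in ONE attribute set.  The original declared `bindMounts`
    # twice, which Nix rejects as a duplicate attribute (a second definition does
    # not merge with the first).
    bindMounts = {
      "/var/lib/gitea" = {
        hostPath = "/var/lib/gitea/";
        isReadOnly = false;
      };
      "/var/lib/acme/gitea/" = {
        hostPath = acmeDir;
        isReadOnly = true;
      };
    };

    config = { ... }: {
      networking = {
        hostName = "git";
        nameservers = [ "10.42.97.10" ];
        interfaces.mv-vserver.useDHCP = true;
        firewall = {
          enable = true;
          # 80 only serves the redirect to HTTPS (forceSSL below).  22 is opened
          # although no SSH service is enabled in this container; drop it if SSH
          # git access is not planned.
          allowedTCPPorts = [ 22 80 443 ];
        };
      };

      services.nginx.enable = true;
      services.nginx.virtualHosts."${domain}" = {
        sslCertificate = "/var/lib/acme/gitea/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/gitea/key.pem";
        # Issuer chain used for OCSP stapling.
        sslTrustedCertificate = "/var/lib/acme/gitea/chain.pem";
        forceSSL = true;
        # nginx is the only TLS endpoint; Gitea listens in plain HTTP on HTTP_PORT.
        locations."/".proxyPass = "http://localhost:3001/";
      };

      # SECURITY: this pins a Gitea release that nixpkgs has marked insecure, so
      # the Internet-facing service runs with known, unpatched vulnerabilities.
      # Upgrade Gitea and remove this entry rather than keeping the override.
      nixpkgs.config.permittedInsecurePackages = [ "gitea-1.19.4" ];

      services.gitea = {
        enable = true;
        appName = "Cloonar Gitea server"; # Give the site a name
        settings = {
          server = {
            ROOT_URL = "https://${domain}/";
            HTTP_PORT = 3001;
            DOMAIN = domain;
          };
          openid = {
            ENABLE_OPENID_SIGNIN = false;
            ENABLE_OPENID_SIGNUP = true;
            # Allow-list of OpenID URIs Gitea accepts.
            WHITELISTED_URIS = "auth.cloonar.com";
          };
          service = {
            # Registration stays enabled but only through an external auth
            # source; the registration button is hidden from the UI.
            DISABLE_REGISTRATION = false;
            ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
            SHOW_REGISTRATION_BUTTON = false;
          };
          # Allow-list of hosts Gitea may deliver webhooks to, limiting where the
          # server makes outbound requests on behalf of repository owners.
          webhook.ALLOWED_HOST_LIST = "drone.cloonar.com";
        };
      };

      # Mirror the host's uid/gid so ownership on the bind mount matches.
      users.users.gitea = user;
      users.groups.gitea = group;

      system.stateVersion = "23.05";
    };
  };
}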