
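{ config, ... }:
let
  # Static uid/gid table shared by the hosts.  /var/lib/gitea and the ACME
  # directory are bind-mounted into the container, so the gitea account has to
  # carry the same ids on the host and inside the container.
  cids = import ../modules/staticids.nix;

  domain = "git.cloonar.com";

  # Gitea is pinned to a release that nixpkgs marks as insecure.  The
  # allowance is needed on the host and inside the container (each side
  # evaluates its own nixpkgs config); bumping the package lets both go.
  insecurePackages = [ "gitea-1.19.4" ];

  # Service account for Gitea; declared on the host as well as in the
  # container so files under /var/lib/gitea have one owner on both sides.
  user = {
    isSystemUser = true;
    uid = cids.uids.gitea;
    group = "gitea";
    home = "/var/lib/gitea";
    createHome = true;
  };
  group = {
    gid = cids.gids.gitea;
  };

  # Service account for the actions runner, which runs on the host (not in the
  # container).  Membership in the docker/podman groups gives it control of the
  # container runtime sockets, which amounts to root on the host; jobs this
  # runner accepts have to be trusted accordingly.
  runner-user = {
    isSystemUser = true;
    uid = cids.uids.gitea-runner;
    group = "gitea-runner";
    home = "/var/lib/gitea-runner";
    createHome = true;
    extraGroups = [ "docker" "podman" ];
  };
  runner-group = {
    gid = cids.gids.gitea-runner;
  };
in
{
  nixpkgs.config.permittedInsecurePackages = insecurePackages;

  users.users.gitea = user;
  users.groups.gitea = group;

  # The host obtains the certificate and makes it readable by the nginx group
  # so the container's nginx can use it through the read-only bind mount below
  # (presumably the nginx gid agrees on both sides — confirm against
  # staticids.nix).
  security.acme.certs."${domain}" = {
    group = "nginx";
  };

  containers.git = {
    autoStart = true;
    # A fresh rootfs on every start would regenerate the container's SSH host
    # key, so clients would see a changed key; keep the container persistent.
    ephemeral = false;
    macvlans = [ "vserver" ];
    bindMounts = {
      "/var/lib/gitea" = {
        hostPath = "/var/lib/gitea/";
        isReadOnly = false;
      };
      "/var/lib/acme/gitea/" = {
        hostPath = "${config.security.acme.certs.${domain}.directory}";
        isReadOnly = true;
      };
    };

    # Inside this function `config` is the container's own configuration; the
    # host's `config` is only used above, for the bind-mount source.
    config = { lib, config, pkgs, ... }: {
      networking = {
        hostName = "git";
        nameservers = [ "10.42.97.10" ];
        interfaces.mv-vserver = {
          useDHCP = true;
        };
        # Only ssh and the TLS-terminating nginx are reachable from the
        # network; Gitea's plain-HTTP listener on 3001 stays inside the
        # container.
        firewall = {
          enable = true;
          allowedTCPPorts = [ 22 80 443 ];
        };
      };

      services.nginx.enable = true;
      services.nginx.virtualHosts."${domain}" = {
        sslCertificate = "/var/lib/acme/gitea/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/gitea/key.pem";
        sslTrustedCertificate = "/var/lib/acme/gitea/chain.pem";
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://localhost:3001/";
        };
      };

      nixpkgs.config.permittedInsecurePackages = insecurePackages;

      services.gitea = {
        enable = true;
        appName = "Cloonar Gitea server"; # Give the site a name
        settings = {
          server = {
            ROOT_URL = "https://${domain}/";
            HTTP_PORT = 3001;
            DOMAIN = domain;
          };
          # New accounts only come in through an external provider: the
          # registration button is hidden and local registration is refused.
          # OpenID is accepted for sign-up but not for sign-in.
          openid = {
            ENABLE_OPENID_SIGNIN = false;
            ENABLE_OPENID_SIGNUP = true;
            WHITELISTED_URIS = "auth.cloonar.com";
          };
          service = {
            DISABLE_REGISTRATION = false;
            ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
            SHOW_REGISTRATION_BUTTON = false;
          };
          actions.ENABLED = true;
          # Outbound webhooks may target this host only.
          webhook.ALLOWED_HOST_LIST = "drone.cloonar.com";
        };
      };

      # sshd for git-over-ssh.  Password authentication is left at the module
      # default here; `services.openssh.settings.PasswordAuthentication = false`
      # would restrict it to keys — confirm nothing relies on passwords first.
      services.openssh.enable = true;

      users.users.gitea = user;
      users.groups.gitea = group;
      system.stateVersion = "23.05";
    };
  };

  users.users.gitea-runner = runner-user;
  users.groups.gitea-runner = runner-group;

  # Registration token for the runner, provided by sops-nix and readable by the
  # runner account only.
  sops.secrets.gitea-runner-token = {
    owner = "gitea-runner";
  };

  services.gitea-actions-runner.instances.main = {
    enable = true;
    url = "https://${domain}";
    name = "main";
    # Take the path from sops-nix instead of spelling it out, so a changed
    # secrets directory cannot silently leave the runner without a token.
    tokenFile = config.sops.secrets.gitea-runner-token.path;
    labels = [
      "ubuntu-latest:docker://node:18-bullseye"
    ];
    settings = {
      container = {
        options = [
          # Job containers resolve the Gitea host to the container's macvlan
          # address and use the internal resolver.  The address is hard-coded
          # while the container itself uses DHCP — presumably a fixed lease;
          # confirm it still matches.
          "--add-host=${domain}:10.42.97.50"
          "--dns=10.42.97.10"
        ];
      };
    };
  };

  # Parked alternative: running the runner in its own container instead of on
  # the host.  Kept for reference; not evaluated.
  # containers.git-runner = {
  #   autoStart = true;
  #   ephemeral = false; # because of ssh key
  #   macvlans = [ "vserver" ];
  #   bindMounts = {
  #     "/run/secrets/gitea-runner-token" = {
  #       hostPath = config.sops.secrets.gitea-runner-token.path;
  #       isReadOnly = true;
  #     };
  #     "/run/podman/podman.sock" = {
  #       hostPath = "/run/podman/podman.sock";
  #       isReadOnly = false;
  #     };
  #   };
  #   config = { lib, config, pkgs, ... }: {
  #     networking = {
  #       hostName = "git-runner";
  #       nameservers = [ "10.42.97.10" ];
  #       interfaces.mv-vserver = {
  #         useDHCP = true;
  #       };
  #       firewall = {
  #         enable = true;
  #       };
  #     };
  #
  #     virtualisation.podman.enable = true;
  #
  #     users.groups.podman.gid = cids.gids.podman;
  #     users.users.gitea-runner = runner-user;
  #     users.groups.gitea-runner = runner-group;
  #
  #     system.stateVersion = "23.05";
  #   };
  # };
}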