126 lines
3.6 KiB
Nix
126 lines
3.6 KiB
Nix
{
|
|
flake.nixosModules.gitea-instance = {
|
|
config,
|
|
lib,
|
|
...
|
|
}: let
|
|
cfg = config.hive.gitea-instance;
|
|
in {
|
|
options.hive.gitea-instance = {
|
|
enable = lib.mkEnableOption "Enable the Gitea instance";
|
|
|
|
instanceFQDN = lib.mkOption {
|
|
type = lib.types.singleLineStr;
|
|
example = "git.example.com";
|
|
description = "Fully qualified domain name of the Gitea instance";
|
|
};
|
|
|
|
databasePasswordFile = lib.mkOption {
|
|
type = lib.types.path;
|
|
example = "/etc/gitea-db-pass.txt";
|
|
description = "Path to the file containing the Gitea database password";
|
|
};
|
|
nativeRunner = lib.mkOption {
|
|
type = lib.types.bool;
|
|
description = "Install a gitea act_runner using the native nix store";
|
|
default = false;
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
# Gitea instance
|
|
services.gitea = {
|
|
enable = true;
|
|
lfs.enable = true;
|
|
appName = "Git yourself some Tea!";
|
|
database = {
|
|
name = "gitea";
|
|
type = "postgres";
|
|
passwordFile = cfg.databasePasswordFile;
|
|
};
|
|
settings = {
|
|
server.PROTOCOL = "http+unix";
|
|
server.ROOT_URL = "https://${cfg.instanceFQDN}/";
|
|
server.DOMAIN = cfg.instanceFQDN;
|
|
service.DISABLE_REGISTRATION = true;
|
|
};
|
|
};
|
|
|
|
# Fallback server with only 403
|
|
services.nginx.virtualHosts.${config.networking.domain} = lib.mkDefault {
|
|
default = true;
|
|
locations."/".return = 403;
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
};
|
|
|
|
# Virtual host for gitea
|
|
services.nginx.virtualHosts."${cfg.instanceFQDN}" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
locations."/" = {
|
|
proxyPass = "http://unix:/run/gitea/gitea.sock";
|
|
};
|
|
};
|
|
|
|
# Database setup
|
|
services.postgresql = {
|
|
enable = true;
|
|
ensureDatabases = [config.services.gitea.user];
|
|
ensureUsers = [
|
|
{
|
|
name = config.services.gitea.database.user;
|
|
ensureDBOwnership = true;
|
|
}
|
|
];
|
|
};
|
|
|
|
# act_runner
|
|
services.gitea-actions-runner = lib.mkIf cfg.nativeRunner {
|
|
instances.nixos-host = {
|
|
enable = true;
|
|
name = "nixos-host-runner";
|
|
url = "https://${cfg.instanceFQDN}";
|
|
tokenFile = "/var/lib/gitea-registration/nixos-host";
|
|
|
|
labels = ["nixos:host"];
|
|
|
|
settings = {
|
|
runner = {
|
|
capacity = 1;
|
|
};
|
|
};
|
|
};
|
|
};
|
|
systemd.services.gitea-runner-nixos-host = lib.mkIf cfg.nativeRunner {
|
|
after = ["gitea-runner-gen-token.service"];
|
|
requires = ["gitea-runner-gen-token.service"];
|
|
serviceConfig.Environment = ''
|
|
PATH=/run/current-system/sw/bin:/usr/bin:/bin
|
|
'';
|
|
};
|
|
systemd.services.gitea-runner-gen-token = lib.mkIf cfg.nativeRunner {
|
|
wantedBy = ["multi-user.target"];
|
|
after = ["gitea.service"];
|
|
environment = {
|
|
GITEA_CUSTOM = "/var/lib/gitea/custom";
|
|
GITEA_WORK_DIR = "/var/lib/gitea";
|
|
};
|
|
script = ''
|
|
set -euo pipefail
|
|
token=$(${config.services.gitea.package}/bin/gitea actions generate-runner-token)
|
|
echo "TOKEN=$token" > /var/lib/gitea-registration/nixos-host
|
|
'';
|
|
unitConfig.ConditionPathExists = ["!/var/lib/gitea-registration/nixos-host"];
|
|
serviceConfig = {
|
|
User = "gitea";
|
|
Group = "gitea";
|
|
StateDirectory = "gitea-registration";
|
|
Type = "oneshot";
|
|
RemainAfterExit = true;
|
|
};
|
|
};
|
|
};
|
|
};
|
|
}
|