nx2site gitea and vaultwarden (working)

2024-11-20 01:24:57 +01:00
parent e95332cedb
commit f5af726382
10 changed files with 157 additions and 213 deletions
--- a/system-modules/nx2site/gitea.nix
+++ b/system-modules/nx2site/gitea.nix
@@ -1,4 +1,5 @@
-{ config, pkgs, lib, domain, ... }: 
+{ config, pkgs, secrets, user, domain, ... }: 
+let git-user = "git"; in
 {
  sops.secrets = {
    "postgres-pw" = { owner = config.services.gitea.user; };
@@ -7,36 +8,46 @@
  environment.systemPackages = with pkgs; [
    gitea
  ];
+  users = {
+    users = {
+      "${user}".extraGroups = [ git-user ];
+      "${git-user}" = {
+        isSystemUser = true;
+        group = git-user;
+        useDefaultShell = true;
+        home = config.services.gitea.stateDir;
+        openssh.authorizedKeys.keys = config.users.users."${user}".openssh.authorizedKeys.keys;
+      };
+    };
+    groups."${git-user}" = {};
+  };

  services.gitea = {
    enable = true;
    package = pkgs.gitea;
-    group = "gitea"; # default
-    user = "gitea"; # default
+    group = git-user;  
+    user = git-user; 
    appName = "NxGit";
    stateDir = "/var/lib/gitea"; # default
    useWizard = false; # default
    # camoHmacKeyFile = ;
-    customDir = "${config.services.gitea.stateDir}/custom"; # default
    database = {
      createDatabase = false; # default
      host = "127.0.0.1"; # default
      port = 5432;
      passwordFile = config.sops.secrets."postgres-pw".path;
-      # path = "${config.services.gitea.stateDir}/data/gitea.db"; # default
-      # socket = "/run/postgresql";
      socket = null;
      type = "postgres";
      name = "gitea"; # default
      user = "gitea"; # default
    };
-    # dump = {
-      # enable = true;
-    #   backupDir = "${config.services.gitea.stateDir}/dump"; # default
-    #   file = null; # default
-    #   interval = "daily";
-    #   type = "zip"; # default
-    # };
+    dump = {
+      enable = true;
+      backupDir = "/var/backup/gitea";
+      file = null; # default = chosen by gitea
+      interval = "daily";
+      type = "zip"; # default
+    };
    # extraConfig = null; # default
    # lfs = {
    #   enable = false; # default
@@ -44,25 +55,23 @@
    # };
    # mailerPasswordFile = null; # default
    # metricsTokenFile = null; # default
-    repositoryRoot = "${config.services.gitea.stateDir}/repositories"; # default
+    # repositoryRoot = "${config.services.gitea.stateDir}/repositories"; # default
    settings = {
      log = {
        LEVEL = "Info";
        # LEVEL = "Error";
-        ROOT_PATH = "${config.services.gitea.stateDir}/log"; # default
      };
-      # i18n = {
-      #   LANGS = "en-US";
-      # };
      server = {
        DISABLE_SSH = false; # default
-        SSH_PORT = 20022;
-        # DOMAIN = "pw2.${domain}";
-        # HTTP_ADDR = "${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT}/";
+        START_SSH_SERVER = false; # default
+        SSH_LISTEN_HOST = "0.0.0.0";
+        SSH_PORT = secrets.ssh.port;
+        DOMAIN = "pw.${domain}";
+        SSH_DOMAIN = "ssh.${domain}";
+        # HTTP_ADDR = "${config.services.gitea.settings.server.DOMAIN}";
        # HTTP_PORT = 3000; # default
        # PROTOCOL = "http"; # default
-        # ROOT_URL = "https:pw2.${domain}/"; # default
-        STATIC_ROOT_PATH = "${config.services.gitea.stateDir}/static";
+        # ROOT_URL = "https:pw.${domain}/"; # default
      };
      session = {
        COOKIE_SECURE = true;
@@ -73,108 +82,3 @@
    };
  };
 }
-# APP_NAME = Gitea: Git with a cup of tea
-# RUN_MODE = prod
-# RUN_USER = git
-# WORK_PATH = /data/gitea
-
-# [repository]
-# ROOT = /data/git/repositories
-# ENABLE_PUSH_CREATE_ORG = true
-# ENABLE_PUSH_CREATE_USER = true
-
-# [repository.local]
-# LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
-
-# [repository.upload]
-# TEMP_PATH = /data/gitea/uploads
-
-# [server]
-# APP_DATA_PATH = /data/gitea
-# DOMAIN = git.nx2.site
-# SSH_DOMAIN = git.nx2.site
-# HTTP_PORT = 3000
-# ROOT_URL = https://git.nx2.site/
-# DISABLE_SSH = false
-# SSH_PORT = 22
-# SSH_LISTEN_PORT = 22
-# LFS_START_SERVER = true
-# LFS_JWT_SECRET = aitnnoway
-# OFFLINE_MODE = false
-
-# [database]
-# PATH = /data/gitea/gitea.db
-# DB_TYPE = postgres
-# HOST = giteadb:5432
-# NAME = gitea
-# USER = gitea
-# PASSWD = -lkjlkj
-# LOG_SQL = false
-# SCHEMA = 
-# SSL_MODE = disable
-
-# [indexer]
-# ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
-
-# [session]
-# PROVIDER_CONFIG = /data/gitea/sessions
-# PROVIDER = file
-
-# [picture]
-# AVATAR_UPLOAD_PATH = /data/gitea/avatars
-# REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
-
-# [attachment]
-# PATH = /data/gitea/attachments
-
-# [log]
-# MODE = console
-# LEVEL = info
-# ROOT_PATH = /data/gitea/log
-
-# [security]
-# INSTALL_LOCK = true
-# SECRET_KEY = 
-# REVERSE_PROXY_LIMIT = 1
-# REVERSE_PROXY_TRUSTED_PROXIES = *
-# INTERNAL_TOKEN = faaaaakeeyJuYmYiOjE3MTMxMTAzMjN9.iliwlrfZDTb8oL296gpXRYhC-6_AJdjePO7dk3NT-PE
-# PASSWORD_HASH_ALGO = pbkdf2
-
-# [service]
-# DISABLE_REGISTRATION = true
-# REQUIRE_SIGNIN_VIEW = false
-# REGISTER_EMAIL_CONFIRM = false
-# ENABLE_NOTIFY_MAIL = false
-# ALLOW_ONLY_EXTERNAL_REGISTRATION = false
-# ENABLE_CAPTCHA = false
-# DEFAULT_KEEP_EMAIL_PRIVATE = false
-# DEFAULT_ALLOW_CREATE_ORGANIZATION = true
-# DEFAULT_ENABLE_TIMETRACKING = true
-# NO_REPLY_ADDRESS = noreply.nx2.site
-
-# [lfs]
-# PATH = /data/git/lfs
-
-# [mailer]
-# ENABLED = true
-# SMTP_ADDR = smtp.gmail.com
-# SMTP_PORT = 587
-# FROM = git@nx2.site
-# USER = lennart.kurzweg.lk@gmail.com
-# PASSWD = "ihh"
-
-# [openid]
-# ENABLE_OPENID_SIGNIN = true
-# ENABLE_OPENID_SIGNUP = false
-
-# [cron.update_checker]
-# ENABLED = false
-
-# [repository.pull-request]
-# DEFAULT_MERGE_STYLE = merge
-
-# [repository.signing]
-# DEFAULT_TRUST_MODEL = committer
-
-# [oauth2]
-# JWT_SECRET = redavt