2017-10-18 05:16:46 +01:00
|
|
|
{ config, lib, pkgs, ... }:
|
|
|
|
|
|
|
|
with lib;
|
|
|
|
|
|
|
|
let
|
|
|
|
cfg = config.services.gitea;
|
2018-05-15 19:55:59 +01:00
|
|
|
gitea = cfg.package;
|
2018-03-13 18:33:59 +00:00
|
|
|
pg = config.services.postgresql;
|
2018-11-06 01:57:24 +00:00
|
|
|
useMysql = cfg.database.type == "mysql";
|
2018-03-13 18:33:59 +00:00
|
|
|
usePostgresql = cfg.database.type == "postgres";
|
2019-04-25 07:30:14 +01:00
|
|
|
useSqlite = cfg.database.type == "sqlite3";
|
2017-10-18 05:16:46 +01:00
|
|
|
configFile = pkgs.writeText "app.ini" ''
|
|
|
|
APP_NAME = ${cfg.appName}
|
|
|
|
RUN_USER = ${cfg.user}
|
|
|
|
RUN_MODE = prod
|
|
|
|
|
2020-04-23 22:53:18 +01:00
|
|
|
${generators.toINI {} cfg.settings}
|
|
|
|
|
|
|
|
${optionalString (cfg.extraConfig != null) cfg.extraConfig}
|
2017-10-18 05:16:46 +01:00
|
|
|
'';
|
|
|
|
in
|
|
|
|
|
|
|
|
{
|
|
|
|
options = {
|
|
|
|
services.gitea = {
|
|
|
|
enable = mkOption {
|
|
|
|
default = false;
|
|
|
|
type = types.bool;
|
|
|
|
description = "Enable Gitea Service.";
|
|
|
|
};
|
|
|
|
|
2018-05-15 19:55:59 +01:00
|
|
|
package = mkOption {
|
|
|
|
default = pkgs.gitea;
|
|
|
|
type = types.package;
|
|
|
|
defaultText = "pkgs.gitea";
|
|
|
|
description = "gitea derivation to use";
|
|
|
|
};
|
|
|
|
|
2017-10-18 05:16:46 +01:00
|
|
|
useWizard = mkOption {
|
|
|
|
default = false;
|
|
|
|
type = types.bool;
|
|
|
|
description = "Do not generate a configuration and use gitea' installation wizard instead. The first registered user will be administrator.";
|
|
|
|
};
|
|
|
|
|
|
|
|
stateDir = mkOption {
|
|
|
|
default = "/var/lib/gitea";
|
|
|
|
type = types.str;
|
|
|
|
description = "gitea data directory.";
|
|
|
|
};
|
|
|
|
|
2018-03-18 09:11:02 +00:00
|
|
|
log = {
|
|
|
|
rootPath = mkOption {
|
|
|
|
default = "${cfg.stateDir}/log";
|
|
|
|
type = types.str;
|
|
|
|
description = "Root path for log files.";
|
|
|
|
};
|
|
|
|
level = mkOption {
|
|
|
|
default = "Trace";
|
|
|
|
type = types.enum [ "Trace" "Debug" "Info" "Warn" "Error" "Critical" ];
|
|
|
|
description = "General log level.";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2017-10-18 05:16:46 +01:00
|
|
|
user = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "gitea";
|
|
|
|
description = "User account under which gitea runs.";
|
|
|
|
};
|
|
|
|
|
|
|
|
database = {
|
|
|
|
type = mkOption {
|
|
|
|
type = types.enum [ "sqlite3" "mysql" "postgres" ];
|
|
|
|
example = "mysql";
|
|
|
|
default = "sqlite3";
|
|
|
|
description = "Database engine to use.";
|
|
|
|
};
|
|
|
|
|
|
|
|
host = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "127.0.0.1";
|
|
|
|
description = "Database host address.";
|
|
|
|
};
|
|
|
|
|
|
|
|
port = mkOption {
|
2021-06-18 16:27:06 +01:00
|
|
|
type = types.port;
|
2018-03-13 18:33:59 +00:00
|
|
|
default = (if !usePostgresql then 3306 else pg.port);
|
2017-10-18 05:16:46 +01:00
|
|
|
description = "Database host port.";
|
|
|
|
};
|
|
|
|
|
|
|
|
name = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "gitea";
|
|
|
|
description = "Database name.";
|
|
|
|
};
|
|
|
|
|
|
|
|
user = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "gitea";
|
|
|
|
description = "Database user.";
|
|
|
|
};
|
|
|
|
|
|
|
|
password = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "";
|
|
|
|
description = ''
|
|
|
|
The password corresponding to <option>database.user</option>.
|
|
|
|
Warning: this is stored in cleartext in the Nix store!
|
|
|
|
Use <option>database.passwordFile</option> instead.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
passwordFile = mkOption {
|
|
|
|
type = types.nullOr types.path;
|
|
|
|
default = null;
|
|
|
|
example = "/run/keys/gitea-dbpassword";
|
|
|
|
description = ''
|
|
|
|
A file containing the password corresponding to
|
|
|
|
<option>database.user</option>.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2018-11-06 02:05:42 +00:00
|
|
|
socket = mkOption {
|
|
|
|
type = types.nullOr types.path;
|
2019-05-23 02:00:24 +01:00
|
|
|
default = if (cfg.database.createDatabase && usePostgresql) then "/run/postgresql" else if (cfg.database.createDatabase && useMysql) then "/run/mysqld/mysqld.sock" else null;
|
|
|
|
defaultText = "null";
|
2018-11-06 02:05:42 +00:00
|
|
|
example = "/run/mysqld/mysqld.sock";
|
|
|
|
description = "Path to the unix socket file to use for authentication.";
|
|
|
|
};
|
|
|
|
|
2017-10-18 05:16:46 +01:00
|
|
|
path = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "${cfg.stateDir}/data/gitea.db";
|
|
|
|
description = "Path to the sqlite3 database file.";
|
|
|
|
};
|
2018-03-13 18:33:59 +00:00
|
|
|
|
|
|
|
createDatabase = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = true;
|
2019-05-23 02:00:24 +01:00
|
|
|
description = "Whether to create a local database automatically.";
|
2018-03-13 18:33:59 +00:00
|
|
|
};
|
2017-10-18 05:16:46 +01:00
|
|
|
};
|
|
|
|
|
2018-05-15 20:17:51 +01:00
|
|
|
dump = {
|
|
|
|
enable = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = false;
|
|
|
|
description = ''
|
|
|
|
Enable a timer that runs gitea dump to generate backup-files of the
|
|
|
|
current gitea database and repositories.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
interval = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "04:31";
|
|
|
|
example = "hourly";
|
|
|
|
description = ''
|
|
|
|
Run a gitea dump at this interval. Runs by default at 04:31 every day.
|
|
|
|
|
|
|
|
The format is described in
|
|
|
|
<citerefentry><refentrytitle>systemd.time</refentrytitle>
|
|
|
|
<manvolnum>7</manvolnum></citerefentry>.
|
|
|
|
'';
|
|
|
|
};
|
2020-07-30 22:04:23 +01:00
|
|
|
|
|
|
|
backupDir = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "${cfg.stateDir}/dump";
|
|
|
|
description = "Path to the dump files.";
|
|
|
|
};
|
2018-05-15 20:17:51 +01:00
|
|
|
};
|
|
|
|
|
2020-08-01 10:03:38 +01:00
|
|
|
ssh = {
|
|
|
|
enable = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = true;
|
|
|
|
description = "Enable external SSH feature.";
|
|
|
|
};
|
|
|
|
|
|
|
|
clonePort = mkOption {
|
|
|
|
type = types.int;
|
|
|
|
default = 22;
|
|
|
|
example = 2222;
|
|
|
|
description = ''
|
|
|
|
SSH port displayed in clone URL.
|
|
|
|
The option is required to configure a service when the external visible port
|
|
|
|
differs from the local listening port i.e. if port forwarding is used.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2020-08-02 18:32:17 +01:00
|
|
|
lfs = {
|
|
|
|
enable = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = false;
|
|
|
|
description = "Enables git-lfs support.";
|
|
|
|
};
|
|
|
|
|
|
|
|
contentDir = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "${cfg.stateDir}/data/lfs";
|
|
|
|
description = "Where to store LFS files.";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2017-10-18 05:16:46 +01:00
|
|
|
appName = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "gitea: Gitea Service";
|
|
|
|
description = "Application name.";
|
|
|
|
};
|
|
|
|
|
|
|
|
repositoryRoot = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "${cfg.stateDir}/repositories";
|
|
|
|
description = "Path to the git repositories.";
|
|
|
|
};
|
|
|
|
|
|
|
|
domain = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "localhost";
|
|
|
|
description = "Domain name of your server.";
|
|
|
|
};
|
|
|
|
|
|
|
|
rootUrl = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "http://localhost:3000/";
|
|
|
|
description = "Full public URL of gitea server.";
|
|
|
|
};
|
|
|
|
|
|
|
|
httpAddress = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "0.0.0.0";
|
|
|
|
description = "HTTP listen address.";
|
|
|
|
};
|
|
|
|
|
|
|
|
httpPort = mkOption {
|
|
|
|
type = types.int;
|
|
|
|
default = 3000;
|
|
|
|
description = "HTTP listen port.";
|
|
|
|
};
|
|
|
|
|
2020-07-30 23:16:53 +01:00
|
|
|
enableUnixSocket = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = false;
|
|
|
|
description = "Configure Gitea to listen on a unix socket instead of the default TCP port.";
|
|
|
|
};
|
|
|
|
|
2017-10-18 05:16:46 +01:00
|
|
|
cookieSecure = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = false;
|
|
|
|
description = ''
|
|
|
|
Marks session cookies as "secure" as a hint for browsers to only send
|
|
|
|
them via HTTPS. This option is recommend, if gitea is being served over HTTPS.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
staticRootPath = mkOption {
|
|
|
|
type = types.str;
|
2018-05-15 19:55:59 +01:00
|
|
|
default = "${gitea.data}";
|
2017-10-18 05:16:46 +01:00
|
|
|
example = "/var/lib/gitea/data";
|
|
|
|
description = "Upper level of template and static files path.";
|
|
|
|
};
|
|
|
|
|
2019-07-14 21:48:10 +01:00
|
|
|
mailerPasswordFile = mkOption {
|
|
|
|
type = types.nullOr types.str;
|
|
|
|
default = null;
|
|
|
|
example = "/var/lib/secrets/gitea/mailpw";
|
|
|
|
description = "Path to a file containing the SMTP password.";
|
|
|
|
};
|
|
|
|
|
2019-01-14 14:56:20 +00:00
|
|
|
disableRegistration = mkEnableOption "the registration lock" // {
|
|
|
|
description = ''
|
|
|
|
By default any user can create an account on this <literal>gitea</literal> instance.
|
|
|
|
This can be disabled by using this option.
|
|
|
|
|
|
|
|
<emphasis>Note:</emphasis> please keep in mind that this should be added after the initial
|
|
|
|
deploy unless <link linkend="opt-services.gitea.useWizard">services.gitea.useWizard</link>
|
|
|
|
is <literal>true</literal> as the first registered user will be the administrator if
|
|
|
|
no install wizard is used.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2020-04-23 22:53:18 +01:00
|
|
|
settings = mkOption {
|
|
|
|
type = with types; attrsOf (attrsOf (oneOf [ bool int str ]));
|
|
|
|
default = {};
|
|
|
|
description = ''
|
|
|
|
Gitea configuration. Refer to <link xlink:href="https://docs.gitea.io/en-us/config-cheat-sheet/"/>
|
|
|
|
for details on supported values.
|
|
|
|
'';
|
|
|
|
example = literalExample ''
|
|
|
|
{
|
|
|
|
"cron.sync_external_users" = {
|
|
|
|
RUN_AT_START = true;
|
|
|
|
SCHEDULE = "@every 24h";
|
|
|
|
UPDATE_EXISTING = true;
|
|
|
|
};
|
|
|
|
mailer = {
|
|
|
|
ENABLED = true;
|
|
|
|
MAILER_TYPE = "sendmail";
|
|
|
|
FROM = "do-not-reply@example.org";
|
|
|
|
SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail";
|
|
|
|
};
|
|
|
|
other = {
|
|
|
|
SHOW_FOOTER_VERSION = false;
|
|
|
|
};
|
|
|
|
}
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2017-10-18 05:16:46 +01:00
|
|
|
extraConfig = mkOption {
|
2020-04-23 22:53:18 +01:00
|
|
|
type = with types; nullOr str;
|
|
|
|
default = null;
|
2017-10-18 05:16:46 +01:00
|
|
|
description = "Configuration lines appended to the generated gitea configuration file.";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
config = mkIf cfg.enable {
|
2019-05-23 02:00:24 +01:00
|
|
|
assertions = [
|
|
|
|
{ assertion = cfg.database.createDatabase -> cfg.database.user == cfg.user;
|
|
|
|
message = "services.gitea.database.user must match services.gitea.user if the database is to be automatically provisioned";
|
|
|
|
}
|
|
|
|
];
|
|
|
|
|
2020-04-23 22:53:18 +01:00
|
|
|
services.gitea.settings = {
|
|
|
|
database = mkMerge [
|
|
|
|
{
|
|
|
|
DB_TYPE = cfg.database.type;
|
|
|
|
}
|
|
|
|
(mkIf (useMysql || usePostgresql) {
|
|
|
|
HOST = if cfg.database.socket != null then cfg.database.socket else cfg.database.host + ":" + toString cfg.database.port;
|
|
|
|
NAME = cfg.database.name;
|
|
|
|
USER = cfg.database.user;
|
|
|
|
PASSWD = "#dbpass#";
|
|
|
|
})
|
|
|
|
(mkIf useSqlite {
|
|
|
|
PATH = cfg.database.path;
|
|
|
|
})
|
|
|
|
(mkIf usePostgresql {
|
|
|
|
SSL_MODE = "disable";
|
|
|
|
})
|
|
|
|
];
|
|
|
|
|
|
|
|
repository = {
|
|
|
|
ROOT = cfg.repositoryRoot;
|
|
|
|
};
|
|
|
|
|
2020-07-30 23:16:53 +01:00
|
|
|
server = mkMerge [
|
|
|
|
{
|
|
|
|
DOMAIN = cfg.domain;
|
|
|
|
STATIC_ROOT_PATH = cfg.staticRootPath;
|
2021-01-15 11:54:14 +00:00
|
|
|
LFS_JWT_SECRET = "#lfsjwtsecret#";
|
2020-07-30 23:16:53 +01:00
|
|
|
ROOT_URL = cfg.rootUrl;
|
|
|
|
}
|
|
|
|
(mkIf cfg.enableUnixSocket {
|
|
|
|
PROTOCOL = "unix";
|
|
|
|
HTTP_ADDR = "/run/gitea/gitea.sock";
|
|
|
|
})
|
|
|
|
(mkIf (!cfg.enableUnixSocket) {
|
|
|
|
HTTP_ADDR = cfg.httpAddress;
|
|
|
|
HTTP_PORT = cfg.httpPort;
|
|
|
|
})
|
2020-08-01 10:03:38 +01:00
|
|
|
(mkIf cfg.ssh.enable {
|
|
|
|
DISABLE_SSH = false;
|
|
|
|
SSH_PORT = cfg.ssh.clonePort;
|
|
|
|
})
|
|
|
|
(mkIf (!cfg.ssh.enable) {
|
|
|
|
DISABLE_SSH = true;
|
|
|
|
})
|
2020-08-02 18:32:17 +01:00
|
|
|
(mkIf cfg.lfs.enable {
|
|
|
|
LFS_START_SERVER = true;
|
|
|
|
LFS_CONTENT_PATH = cfg.lfs.contentDir;
|
|
|
|
})
|
|
|
|
|
2020-07-30 23:16:53 +01:00
|
|
|
];
|
2020-04-23 22:53:18 +01:00
|
|
|
|
|
|
|
session = {
|
|
|
|
COOKIE_NAME = "session";
|
|
|
|
COOKIE_SECURE = cfg.cookieSecure;
|
|
|
|
};
|
|
|
|
|
|
|
|
security = {
|
|
|
|
SECRET_KEY = "#secretkey#";
|
2021-01-15 11:54:14 +00:00
|
|
|
INTERNAL_TOKEN = "#internaltoken#";
|
2020-04-23 22:53:18 +01:00
|
|
|
INSTALL_LOCK = true;
|
|
|
|
};
|
|
|
|
|
|
|
|
log = {
|
|
|
|
ROOT_PATH = cfg.log.rootPath;
|
|
|
|
LEVEL = cfg.log.level;
|
|
|
|
};
|
|
|
|
|
|
|
|
service = {
|
|
|
|
DISABLE_REGISTRATION = cfg.disableRegistration;
|
|
|
|
};
|
|
|
|
|
|
|
|
mailer = mkIf (cfg.mailerPasswordFile != null) {
|
|
|
|
PASSWD = "#mailerpass#";
|
|
|
|
};
|
2021-01-15 11:54:14 +00:00
|
|
|
|
|
|
|
oauth2 = {
|
|
|
|
JWT_SECRET = "#oauth2jwtsecret#";
|
|
|
|
};
|
2020-04-23 22:53:18 +01:00
|
|
|
};
|
|
|
|
|
2019-05-23 02:00:24 +01:00
|
|
|
services.postgresql = optionalAttrs (usePostgresql && cfg.database.createDatabase) {
|
|
|
|
enable = mkDefault true;
|
|
|
|
|
|
|
|
ensureDatabases = [ cfg.database.name ];
|
|
|
|
ensureUsers = [
|
|
|
|
{ name = cfg.database.user;
|
|
|
|
ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; };
|
|
|
|
}
|
|
|
|
];
|
|
|
|
};
|
|
|
|
|
|
|
|
services.mysql = optionalAttrs (useMysql && cfg.database.createDatabase) {
|
|
|
|
enable = mkDefault true;
|
|
|
|
package = mkDefault pkgs.mariadb;
|
|
|
|
|
|
|
|
ensureDatabases = [ cfg.database.name ];
|
|
|
|
ensureUsers = [
|
|
|
|
{ name = cfg.database.user;
|
|
|
|
ensurePermissions = { "${cfg.database.name}.*" = "ALL PRIVILEGES"; };
|
|
|
|
}
|
|
|
|
];
|
|
|
|
};
|
2017-10-18 05:16:46 +01:00
|
|
|
|
2019-05-23 02:07:08 +01:00
|
|
|
systemd.tmpfiles.rules = [
|
2020-07-30 22:04:23 +01:00
|
|
|
"d '${cfg.dump.backupDir}' 0750 ${cfg.user} gitea - -"
|
|
|
|
"z '${cfg.dump.backupDir}' 0750 ${cfg.user} gitea - -"
|
|
|
|
"Z '${cfg.dump.backupDir}' - ${cfg.user} gitea - -"
|
2020-08-02 18:32:17 +01:00
|
|
|
"d '${cfg.lfs.contentDir}' 0750 ${cfg.user} gitea - -"
|
|
|
|
"z '${cfg.lfs.contentDir}' 0750 ${cfg.user} gitea - -"
|
|
|
|
"Z '${cfg.lfs.contentDir}' - ${cfg.user} gitea - -"
|
2020-07-30 21:44:43 +01:00
|
|
|
"d '${cfg.repositoryRoot}' 0750 ${cfg.user} gitea - -"
|
|
|
|
"z '${cfg.repositoryRoot}' 0750 ${cfg.user} gitea - -"
|
|
|
|
"Z '${cfg.repositoryRoot}' - ${cfg.user} gitea - -"
|
|
|
|
"d '${cfg.stateDir}' 0750 ${cfg.user} gitea - -"
|
|
|
|
"d '${cfg.stateDir}/conf' 0750 ${cfg.user} gitea - -"
|
|
|
|
"d '${cfg.stateDir}/custom' 0750 ${cfg.user} gitea - -"
|
|
|
|
"d '${cfg.stateDir}/custom/conf' 0750 ${cfg.user} gitea - -"
|
|
|
|
"d '${cfg.stateDir}/log' 0750 ${cfg.user} gitea - -"
|
|
|
|
"z '${cfg.stateDir}' 0750 ${cfg.user} gitea - -"
|
|
|
|
"z '${cfg.stateDir}/.ssh' 0700 ${cfg.user} gitea - -"
|
|
|
|
"z '${cfg.stateDir}/conf' 0750 ${cfg.user} gitea - -"
|
|
|
|
"z '${cfg.stateDir}/custom' 0750 ${cfg.user} gitea - -"
|
|
|
|
"z '${cfg.stateDir}/custom/conf' 0750 ${cfg.user} gitea - -"
|
|
|
|
"z '${cfg.stateDir}/log' 0750 ${cfg.user} gitea - -"
|
2019-05-23 02:07:08 +01:00
|
|
|
"Z '${cfg.stateDir}' - ${cfg.user} gitea - -"
|
2019-05-23 02:17:59 +01:00
|
|
|
|
|
|
|
# If we have a folder or symlink with gitea locales, remove it
|
|
|
|
# And symlink the current gitea locales in place
|
|
|
|
"L+ '${cfg.stateDir}/conf/locale' - - - - ${gitea.out}/locale"
|
2019-05-23 02:07:08 +01:00
|
|
|
];
|
|
|
|
|
2017-10-18 05:16:46 +01:00
|
|
|
systemd.services.gitea = {
|
|
|
|
description = "gitea";
|
2018-11-06 01:57:24 +00:00
|
|
|
after = [ "network.target" ] ++ lib.optional usePostgresql "postgresql.service" ++ lib.optional useMysql "mysql.service";
|
2017-10-18 05:16:46 +01:00
|
|
|
wantedBy = [ "multi-user.target" ];
|
gitAndTools: move everything to the top level
The comment at the top of git-and-tools/default.nix said:
/* All git-relates tools live here, in a separate attribute set so that users
* can get a fast overview over what's available.
but unfortunately that hasn't actually held up in practice.
Git-related packages have continued to be added to the top level, or
into gitAndTools, or sometimes both, basically at random, so having
gitAndTools is just confusing. In fact, until I looked as part of
working on getting rid of gitAndTools, one program (ydiff) was
packaged twice independently, once in gitAndTools and once at the top
level (I fixed this in 98c34901969).
So I think it's for the best if we move away from gitAndTools, and
just put all the packages it previously contained at the top level.
I've implemented this here by just making gitAndTools an alias for the
top level -- this saves having loads of lines in aliases.nix. This
means that people can keep referring to gitAndTools in their
configuration, but it won't be allowed to be used within Nixpkgs, and
it won't be presented to new users by e.g. nix search.
The only other change here that I'm aware of is that
appendToName "minimal" is not longer called on the default git
package, because doing that would have necessitated having a private
gitBase variable like before. I think it makes more sense not to do
that anyway, and reserve the "minimal" suffix only for gitMinimal.
2021-01-14 17:49:32 +00:00
|
|
|
path = [ gitea pkgs.git ];
|
2017-10-18 05:16:46 +01:00
|
|
|
|
2021-01-15 11:54:14 +00:00
|
|
|
# In older versions the secret naming for JWT was kind of confusing.
|
|
|
|
# The file jwt_secret hold the value for LFS_JWT_SECRET and JWT_SECRET
|
|
|
|
# wasn't persistant at all.
|
|
|
|
# To fix that, there is now the file oauth2_jwt_secret containing the
|
|
|
|
# values for JWT_SECRET and the file jwt_secret gets renamed to
|
|
|
|
# lfs_jwt_secret.
|
|
|
|
# We have to consider this to stay compatible with older installations.
|
2017-10-18 05:16:46 +01:00
|
|
|
preStart = let
|
|
|
|
runConfig = "${cfg.stateDir}/custom/conf/app.ini";
|
|
|
|
secretKey = "${cfg.stateDir}/custom/conf/secret_key";
|
2021-01-15 11:54:14 +00:00
|
|
|
oauth2JwtSecret = "${cfg.stateDir}/custom/conf/oauth2_jwt_secret";
|
|
|
|
oldLfsJwtSecret = "${cfg.stateDir}/custom/conf/jwt_secret"; # old file for LFS_JWT_SECRET
|
|
|
|
lfsJwtSecret = "${cfg.stateDir}/custom/conf/lfs_jwt_secret"; # new file for LFS_JWT_SECRET
|
|
|
|
internalToken = "${cfg.stateDir}/custom/conf/internal_token";
|
2017-10-18 05:16:46 +01:00
|
|
|
in ''
|
|
|
|
# copy custom configuration and generate a random secret key if needed
|
|
|
|
${optionalString (cfg.useWizard == false) ''
|
2021-04-30 18:47:38 +01:00
|
|
|
function gitea_setup {
|
|
|
|
cp -f ${configFile} ${runConfig}
|
|
|
|
|
|
|
|
if [ ! -e ${secretKey} ]; then
|
|
|
|
${gitea}/bin/gitea generate secret SECRET_KEY > ${secretKey}
|
|
|
|
fi
|
|
|
|
|
|
|
|
# Migrate LFS_JWT_SECRET filename
|
|
|
|
if [[ -e ${oldLfsJwtSecret} && ! -e ${lfsJwtSecret} ]]; then
|
|
|
|
mv ${oldLfsJwtSecret} ${lfsJwtSecret}
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ ! -e ${oauth2JwtSecret} ]; then
|
|
|
|
${gitea}/bin/gitea generate secret JWT_SECRET > ${oauth2JwtSecret}
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ ! -e ${lfsJwtSecret} ]; then
|
|
|
|
${gitea}/bin/gitea generate secret LFS_JWT_SECRET > ${lfsJwtSecret}
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ ! -e ${internalToken} ]; then
|
|
|
|
${gitea}/bin/gitea generate secret INTERNAL_TOKEN > ${internalToken}
|
|
|
|
fi
|
|
|
|
|
|
|
|
SECRETKEY="$(head -n1 ${secretKey})"
|
|
|
|
DBPASS="$(head -n1 ${cfg.database.passwordFile})"
|
|
|
|
OAUTH2JWTSECRET="$(head -n1 ${oauth2JwtSecret})"
|
|
|
|
LFSJWTSECRET="$(head -n1 ${lfsJwtSecret})"
|
|
|
|
INTERNALTOKEN="$(head -n1 ${internalToken})"
|
|
|
|
${if (cfg.mailerPasswordFile == null) then ''
|
|
|
|
MAILERPASSWORD="#mailerpass#"
|
|
|
|
'' else ''
|
|
|
|
MAILERPASSWORD="$(head -n1 ${cfg.mailerPasswordFile} || :)"
|
|
|
|
''}
|
|
|
|
sed -e "s,#secretkey#,$SECRETKEY,g" \
|
|
|
|
-e "s,#dbpass#,$DBPASS,g" \
|
|
|
|
-e "s,#oauth2jwtsecret#,$OAUTH2JWTSECRET,g" \
|
|
|
|
-e "s,#lfsjwtsecret#,$LFSJWTSECRET,g" \
|
|
|
|
-e "s,#internaltoken#,$INTERNALTOKEN,g" \
|
|
|
|
-e "s,#mailerpass#,$MAILERPASSWORD,g" \
|
|
|
|
-i ${runConfig}
|
|
|
|
}
|
|
|
|
(umask 027; gitea_setup)
|
2017-10-18 05:16:46 +01:00
|
|
|
''}
|
|
|
|
|
|
|
|
# update all hooks' binary paths
|
2018-08-31 15:39:58 +01:00
|
|
|
HOOKS=$(find ${cfg.repositoryRoot} -mindepth 4 -maxdepth 6 -type f -wholename "*git/hooks/*")
|
2017-10-18 05:16:46 +01:00
|
|
|
if [ "$HOOKS" ]
|
|
|
|
then
|
2020-04-28 02:50:34 +01:00
|
|
|
sed -ri 's,/nix/store/[a-z0-9.-]+/bin/gitea,${gitea}/bin/gitea,g' $HOOKS
|
2017-10-18 05:16:46 +01:00
|
|
|
sed -ri 's,/nix/store/[a-z0-9.-]+/bin/env,${pkgs.coreutils}/bin/env,g' $HOOKS
|
|
|
|
sed -ri 's,/nix/store/[a-z0-9.-]+/bin/bash,${pkgs.bash}/bin/bash,g' $HOOKS
|
|
|
|
sed -ri 's,/nix/store/[a-z0-9.-]+/bin/perl,${pkgs.perl}/bin/perl,g' $HOOKS
|
|
|
|
fi
|
2019-05-23 02:17:59 +01:00
|
|
|
|
2018-05-29 18:53:12 +01:00
|
|
|
# update command option in authorized_keys
|
|
|
|
if [ -r ${cfg.stateDir}/.ssh/authorized_keys ]
|
|
|
|
then
|
2020-04-28 02:50:34 +01:00
|
|
|
sed -ri 's,/nix/store/[a-z0-9.-]+/bin/gitea,${gitea}/bin/gitea,g' ${cfg.stateDir}/.ssh/authorized_keys
|
2018-05-29 18:53:12 +01:00
|
|
|
fi
|
2017-10-18 05:16:46 +01:00
|
|
|
'';
|
|
|
|
|
|
|
|
serviceConfig = {
|
|
|
|
Type = "simple";
|
|
|
|
User = cfg.user;
|
2019-05-23 02:07:08 +01:00
|
|
|
Group = "gitea";
|
2017-10-18 05:16:46 +01:00
|
|
|
WorkingDirectory = cfg.stateDir;
|
2020-07-30 22:20:27 +01:00
|
|
|
ExecStart = "${gitea}/bin/gitea web --pid /run/gitea/gitea.pid";
|
2017-10-18 05:16:46 +01:00
|
|
|
Restart = "always";
|
2020-07-30 22:20:27 +01:00
|
|
|
# Runtime directory and mode
|
|
|
|
RuntimeDirectory = "gitea";
|
|
|
|
RuntimeDirectoryMode = "0755";
|
2020-07-31 13:53:48 +01:00
|
|
|
# Access write directories
|
2020-08-02 18:32:17 +01:00
|
|
|
ReadWritePaths = [ cfg.dump.backupDir cfg.repositoryRoot cfg.stateDir cfg.lfs.contentDir ];
|
2020-07-31 13:53:48 +01:00
|
|
|
UMask = "0027";
|
|
|
|
# Capabilities
|
|
|
|
CapabilityBoundingSet = "";
|
|
|
|
# Security
|
|
|
|
NoNewPrivileges = true;
|
|
|
|
# Sandboxing
|
|
|
|
ProtectSystem = "strict";
|
2019-06-27 02:23:53 +01:00
|
|
|
ProtectHome = true;
|
2020-07-31 13:53:48 +01:00
|
|
|
PrivateTmp = true;
|
2019-06-27 02:23:53 +01:00
|
|
|
PrivateDevices = true;
|
2020-07-31 13:53:48 +01:00
|
|
|
PrivateUsers = true;
|
|
|
|
ProtectHostname = true;
|
|
|
|
ProtectClock = true;
|
2019-06-27 02:23:53 +01:00
|
|
|
ProtectKernelTunables = true;
|
|
|
|
ProtectKernelModules = true;
|
2020-07-31 13:53:48 +01:00
|
|
|
ProtectKernelLogs = true;
|
2019-06-27 02:23:53 +01:00
|
|
|
ProtectControlGroups = true;
|
2020-07-31 13:53:48 +01:00
|
|
|
RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
|
2019-06-27 02:23:53 +01:00
|
|
|
LockPersonality = true;
|
2020-07-31 13:53:48 +01:00
|
|
|
MemoryDenyWriteExecute = true;
|
2019-06-27 02:23:53 +01:00
|
|
|
RestrictRealtime = true;
|
2020-07-31 13:53:48 +01:00
|
|
|
RestrictSUIDSGID = true;
|
2019-06-27 02:23:53 +01:00
|
|
|
PrivateMounts = true;
|
2020-07-31 13:53:48 +01:00
|
|
|
# System Call Filtering
|
2019-06-27 02:23:53 +01:00
|
|
|
SystemCallArchitectures = "native";
|
2020-07-31 13:53:48 +01:00
|
|
|
SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @setuid @swap";
|
2017-10-18 05:16:46 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
environment = {
|
|
|
|
USER = cfg.user;
|
|
|
|
HOME = cfg.stateDir;
|
|
|
|
GITEA_WORK_DIR = cfg.stateDir;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2019-05-23 02:07:08 +01:00
|
|
|
users.users = mkIf (cfg.user == "gitea") {
|
|
|
|
gitea = {
|
2017-10-18 05:16:46 +01:00
|
|
|
description = "Gitea Service";
|
|
|
|
home = cfg.stateDir;
|
2018-03-18 09:11:02 +00:00
|
|
|
useDefaultShell = true;
|
2019-05-23 02:07:08 +01:00
|
|
|
group = "gitea";
|
2019-10-12 21:25:28 +01:00
|
|
|
isSystemUser = true;
|
2017-10-18 05:16:46 +01:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2019-05-23 02:07:08 +01:00
|
|
|
users.groups.gitea = {};
|
|
|
|
|
2020-04-23 22:53:18 +01:00
|
|
|
warnings =
|
2021-01-24 09:19:10 +00:00
|
|
|
optional (cfg.database.password != "") "config.services.gitea.database.password will be stored as plaintext in the Nix store. Use database.passwordFile instead." ++
|
2020-04-23 22:53:18 +01:00
|
|
|
optional (cfg.extraConfig != null) ''
|
|
|
|
services.gitea.`extraConfig` is deprecated, please use services.gitea.`settings`.
|
|
|
|
'';
|
2017-10-18 05:16:46 +01:00
|
|
|
|
|
|
|
# Create database passwordFile default when password is configured.
|
|
|
|
services.gitea.database.passwordFile =
|
|
|
|
(mkDefault (toString (pkgs.writeTextFile {
|
|
|
|
name = "gitea-database-password";
|
|
|
|
text = cfg.database.password;
|
|
|
|
})));
|
2018-05-15 20:17:51 +01:00
|
|
|
|
2018-06-04 07:41:20 +01:00
|
|
|
systemd.services.gitea-dump = mkIf cfg.dump.enable {
|
2018-05-15 20:17:51 +01:00
|
|
|
description = "gitea dump";
|
|
|
|
after = [ "gitea.service" ];
|
|
|
|
wantedBy = [ "default.target" ];
|
2020-04-28 02:50:34 +01:00
|
|
|
path = [ gitea ];
|
2018-05-15 20:17:51 +01:00
|
|
|
|
|
|
|
environment = {
|
|
|
|
USER = cfg.user;
|
|
|
|
HOME = cfg.stateDir;
|
|
|
|
GITEA_WORK_DIR = cfg.stateDir;
|
|
|
|
};
|
|
|
|
|
|
|
|
serviceConfig = {
|
|
|
|
Type = "oneshot";
|
|
|
|
User = cfg.user;
|
2020-04-28 02:50:34 +01:00
|
|
|
ExecStart = "${gitea}/bin/gitea dump";
|
2020-07-30 22:04:23 +01:00
|
|
|
WorkingDirectory = cfg.dump.backupDir;
|
2018-05-15 20:17:51 +01:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2018-06-04 07:41:20 +01:00
|
|
|
systemd.timers.gitea-dump = mkIf cfg.dump.enable {
|
2018-05-15 20:17:51 +01:00
|
|
|
description = "Update timer for gitea-dump";
|
|
|
|
partOf = [ "gitea-dump.service" ];
|
|
|
|
wantedBy = [ "timers.target" ];
|
|
|
|
timerConfig.OnCalendar = cfg.dump.interval;
|
|
|
|
};
|
2017-10-18 05:16:46 +01:00
|
|
|
};
|
2021-01-10 13:05:38 +00:00
|
|
|
meta.maintainers = with lib.maintainers; [ srhb ma27 ];
|
2017-10-18 05:16:46 +01:00
|
|
|
}
|