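inputs:
{
  # Optional gitea service. Leaving the option at `null` (the default) disables
  # every piece of `config` below via `mkIf`.
  options.nixos.services.gitea = let inherit (inputs.lib) mkOption types; in mkOption
  {
    type = types.nullOr (types.submodule { options =
    {
      # Public HTTPS host name; reused for ROOT_URL / DOMAIN and the nginx vhost.
      hostname = mkOption { type = types.str; default = "git.chn.moe"; };
      ssh =
      {
        # Host advertised in SSH clone URLs; defaults to an "ssh." prefix of the HTTPS host.
        hostname = mkOption { type = types.str; default = "ssh.${inputs.config.nixos.services.gitea.hostname}"; };
        # Port advertised in SSH clone URLs; `null` leaves SSH_PORT unset (gitea's default).
        port = mkOption { type = types.nullOr types.ints.unsigned; default = null; };
      };
    };});
    default = null;
  };
  config = let inherit (inputs.config.nixos.services) gitea; in inputs.lib.mkIf (gitea != null)
  {
    services =
    {
      gitea =
      {
        enable = true;
        lfs.enable = true;
        # Mailer and database credentials are read from sops-managed files at
        # runtime, so they never end up in the Nix store.
        mailerPasswordFile = inputs.config.nixos.system.sops.secrets."gitea/mail".path;
        database =
        {
          # The database is provisioned by `postgresql.instances.gitea` below,
          # not by the upstream gitea module.
          createDatabase = false;
          type = "postgres";
          passwordFile = inputs.config.nixos.system.sops.secrets."gitea/db".path;
        };
        settings =
        {
          # Session cookie only over TLS; the vhost below is HTTPS-only.
          session.COOKIE_SECURE = true;
          server =
          {
            ROOT_URL = "https://${gitea.hostname}";
            DOMAIN = gitea.hostname;
            # Loopback port gitea listens on; must agree with the nginx upstream below.
            HTTP_PORT = 3002;
            SSH_DOMAIN = gitea.ssh.hostname;
            # Only advertise a custom port when one was configured.
            SSH_PORT = inputs.lib.mkIf (gitea.ssh.port != null) gitea.ssh.port;
            LFS_ALLOW_PURE_SSH = true;
          };
          mailer =
          {
            ENABLED = true;
            FROM = "bot@chn.moe";
            PROTOCOL = "smtps";
            SMTP_ADDR = "mail.chn.moe";
            SMTP_PORT = 465;
            USER = "bot@chn.moe";
          };
          # Accounts are created by an administrator only; no self-service sign-up.
          service.DISABLE_REGISTRATION = true;
          # "Remember me" logins stay valid for a year. A stolen remember-me
          # cookie is usable for that whole window; shorten this if that risk
          # matters more than convenience.
          security.LOGIN_REMEMBER_DAYS = 365;
          # Eight-hour timeout for every git operation class (large mirrors / GC).
          "git.timeout" = inputs.lib.genAttrs
            [ "DEFAULT" "MIGRATE" "MIRROR" "CLONE" "PULL" "GC" ]
            (_: 3600 * 8);
          "cron.git_gc_repos" = { ENABLED = true; SCHEDULE = "@monthly"; TIMEOUT = "2h"; };
          "cron.gc_lfs" = { ENABLED = true; SCHEDULE = "@monthly"; NUMBER_TO_CHECK_PER_REPO = 0; };
        };
      };
      # prevent AI web crawlers
      # https://her.esy.fun/posts/0031-how-i-protect-my-forgejo-instance-from-ai-web-crawlers/index.html
      #
      # How it works: a request is let through only if it looks like a git /
      # git-lfs client or already carries the gate cookie; everything else gets
      # a 418 page whose script sets the cookie and reloads. Consequences worth
      # knowing: any non-browser client that is not git (API scripts, other
      # automation) receives the 418 page too, and the user-agent match is a
      # speed bump against bulk crawlers, not an access control -- anything
      # that sends a git user agent or the cookie passes.
      nginx.virtualHosts."https:${gitea.hostname}".locations."/".extraConfigPre =
      ''
        # Initialise explicitly. An unset $bypass_cookie still compares as "" != 1
        # (so the gate fires), but nginx logs an "uninitialized variable" warning
        # for every request that takes neither bypass branch.
        set $bypass_cookie 0;
        if ($http_user_agent ~* "git/|git-lfs/") {
          set $bypass_cookie 1;
        }
        if ($cookie_Yogsototh_opens_the_door = "1") {
          set $bypass_cookie 1;
        }
        if ($bypass_cookie != 1) {
          add_header Content-Type text/html always;
          return 418 '<script>document.cookie = "Yogsototh_opens_the_door=1; Path=/;"; window.location.reload();</script>';
        }
      '';
    };
    nixos =
    {
      # sops entries: `owner` lets the gitea service user read the decrypted
      # file; `key` selects the entry in the secrets store.
      system.sops.secrets =
      {
        "gitea/mail" = { owner = "gitea"; key = "mail/bot"; };
        "gitea/db" = { owner = "gitea"; key = "postgresql/gitea"; };
        "mail/bot" = {};
      };
      services =
      {
        # Reverse proxy onto the loopback HTTP_PORT configured above.
        nginx.https.${gitea.hostname}.location."/".proxy.upstream = "http://127.0.0.1:3002";
        postgresql.instances.gitea = {};
      };
    };
    # git-lfs-transfer is needed on the service PATH for LFS over pure SSH.
    systemd.services.gitea.path = [ inputs.pkgs.git-lfs-transfer ];
  };
}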