depot/cluster/services/forge/server.nix

{ cluster, config, depot, lib, pkgs, ... }:

let
  inherit (depot.lib.meta) domain;
  inherit (depot.lib.nginx) vhosts;
  inherit (config.age) secrets;

  patroni = cluster.config.links.patroni-pg-access;

  host = "forge.${domain}";

  link = config.links.forge;

  exe = lib.getExe config.services.gitea.package;
in

{
  age.secrets = {
    forgejoOidcSecret = {
      file = ./credentials/forgejo-oidc-secret.age;
      owner = "gitea";
    };
    forgejoDbCredentials = {
      file = ./credentials/forgejo-db-credentials.age;
      owner = "gitea";
    };
  };

  links.forge.protocol = "http";

  services.gitea = {
    enable = true;
    package = depot.packages.forgejo;
    appName = "The Forge";
    stateDir = "/srv/storage/private/forge";
    database = {
      createDatabase = false;
      type = "postgres";
      host = patroni.ipv4;
      inherit (patroni) port;
      name = "forge";
      user = "forge";
      passwordFile = secrets.forgejoDbCredentials.path;
    };
    settings = {
      server = {
        DOMAIN = host;
        ROOT_URL = "https://${host}/";
        PROTOCOL = link.protocol;
        HTTP_ADDR = link.ipv4;
        HTTP_PORT = link.port;
      };
      oauth2_client = {
        REGISTER_EMAIL_CONFIRM = false;
        ENABLE_AUTO_REGISTRATION = true;
        ACCOUNT_LINKING = "auto";
        UPDATE_AVATAR = true;
      };
      session.COOKIE_SECURE = true;
      service = {
        DISABLE_REGISTRATION = false;
        ALLOW_ONLY_INTERNAL_REGISTRATION = false;
        ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
      };
      log.ENABLE_XORM_LOG = false;
      # enabling this will leak secrets to the log
      database.LOG_SQL = false;
    };
  };

  services.nginx.virtualHosts."${host}" = vhosts.proxy link.url;

  systemd.services.gitea.preStart = let
    providerName = "PrivateVoidAccount";
    args = lib.escapeShellArgs [
      "--name" providerName
      "--provider" "openidConnect"
      "--key" "net.privatevoid.forge1"
      "--auto-discover-url" "https://login.${domain}/auth/realms/master/.well-known/openid-configuration"
      "--group-claim-name" "groups"
      "--admin-group" "/forge_admins@${domain}"
    ];
  in lib.mkAfter /*bash*/ ''
    providerId="$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)"
    if [[ -z "$providerId" ]]; then
      FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${secrets.forgejoOidcSecret.path})" ${exe} admin auth add-oauth ${args}
    else
      FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${secrets.forgejoOidcSecret.path})" ${exe} admin auth update-oauth --id "$providerId" ${args}
    fi
  '';
}
treewide: massive refactor 2023-08-31 01:55:45 +03:00			`{ cluster, config, depot, lib, pkgs, ... }:`
cluster/services/forge: init 2023-07-21 02:26:26 +03:00
			`let`
treewide: massive refactor 2023-08-31 01:55:45 +03:00			`inherit (depot.lib.meta) domain;`
			`inherit (depot.lib.nginx) vhosts;`
cluster/services/forge: init 2023-07-21 02:26:26 +03:00			`inherit (config.age) secrets;`

			`patroni = cluster.config.links.patroni-pg-access;`

			`host = "forge.${domain}";`

			`link = config.links.forge;`

			`exe = lib.getExe config.services.gitea.package;`
			`in`

			`{`
			`age.secrets = {`
			`forgejoOidcSecret = {`
			`file = ./credentials/forgejo-oidc-secret.age;`
			`owner = "gitea";`
			`};`
			`forgejoDbCredentials = {`
			`file = ./credentials/forgejo-db-credentials.age;`
			`owner = "gitea";`
			`};`
			`};`

			`links.forge.protocol = "http";`

			`services.gitea = {`
			`enable = true;`
			`package = depot.packages.forgejo;`
			`appName = "The Forge";`
			`stateDir = "/srv/storage/private/forge";`
			`database = {`
			`createDatabase = false;`
			`type = "postgres";`
			`host = patroni.ipv4;`
			`inherit (patroni) port;`
			`name = "forge";`
			`user = "forge";`
			`passwordFile = secrets.forgejoDbCredentials.path;`
			`};`
			`settings = {`
			`server = {`
			`DOMAIN = host;`
			`ROOT_URL = "https://${host}/";`
			`PROTOCOL = link.protocol;`
			`HTTP_ADDR = link.ipv4;`
			`HTTP_PORT = link.port;`
			`};`
			`oauth2_client = {`
			`REGISTER_EMAIL_CONFIRM = false;`
			`ENABLE_AUTO_REGISTRATION = true;`
			`ACCOUNT_LINKING = "auto";`
			`UPDATE_AVATAR = true;`
			`};`
			`session.COOKIE_SECURE = true;`
			`service = {`
			`DISABLE_REGISTRATION = false;`
			`ALLOW_ONLY_INTERNAL_REGISTRATION = false;`
			`ALLOW_ONLY_EXTERNAL_REGISTRATION = true;`
			`};`
			`log.ENABLE_XORM_LOG = false;`
			`# enabling this will leak secrets to the log`
			`database.LOG_SQL = false;`
			`};`
			`};`

			`services.nginx.virtualHosts."${host}" = vhosts.proxy link.url;`

			`systemd.services.gitea.preStart = let`
			`providerName = "PrivateVoidAccount";`
			`args = lib.escapeShellArgs [`
			`"--name" providerName`
			`"--provider" "openidConnect"`
			`"--key" "net.privatevoid.forge1"`
			`"--auto-discover-url" "https://login.${domain}/auth/realms/master/.well-known/openid-configuration"`
			`"--group-claim-name" "groups"`
			`"--admin-group" "/forge_admins@${domain}"`
			`];`
			`in lib.mkAfter /bash/ ''`
			`providerId="$(${exe} admin auth list \| ${pkgs.gnugrep}/bin/grep -w '${providerName}' \| cut -f1)"`
			`if [[ -z "$providerId" ]]; then`
			`FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${secrets.forgejoOidcSecret.path})" ${exe} admin auth add-oauth ${args}`
			`else`
			`FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${secrets.forgejoOidcSecret.path})" ${exe} admin auth update-oauth --id "$providerId" ${args}`
			`fi`
			`'';`
			`}`