depot/cluster/services/forge/server.nix
2023-07-24 00:52:14 +02:00

91 lines
2.5 KiB
Nix

{ cluster, config, depot, lib, pkgs, tools, ... }:
let
inherit (tools.meta) domain;
inherit (tools.nginx) vhosts;
inherit (config.age) secrets;
patroni = cluster.config.links.patroni-pg-access;
host = "forge.${domain}";
link = config.links.forge;
exe = lib.getExe config.services.gitea.package;
in
{
age.secrets = {
forgejoOidcSecret = {
file = ./credentials/forgejo-oidc-secret.age;
owner = "gitea";
};
forgejoDbCredentials = {
file = ./credentials/forgejo-db-credentials.age;
owner = "gitea";
};
};
links.forge.protocol = "http";
services.gitea = {
enable = true;
package = depot.packages.forgejo;
appName = "The Forge";
stateDir = "/srv/storage/private/forge";
database = {
createDatabase = false;
type = "postgres";
host = patroni.ipv4;
inherit (patroni) port;
name = "forge";
user = "forge";
passwordFile = secrets.forgejoDbCredentials.path;
};
settings = {
server = {
DOMAIN = host;
ROOT_URL = "https://${host}/";
PROTOCOL = link.protocol;
HTTP_ADDR = link.ipv4;
HTTP_PORT = link.port;
};
oauth2_client = {
REGISTER_EMAIL_CONFIRM = false;
ENABLE_AUTO_REGISTRATION = true;
ACCOUNT_LINKING = "auto";
UPDATE_AVATAR = true;
};
session.COOKIE_SECURE = true;
service = {
DISABLE_REGISTRATION = false;
ALLOW_ONLY_INTERNAL_REGISTRATION = false;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
};
log.ENABLE_XORM_LOG = false;
# enabling this will leak secrets to the log
database.LOG_SQL = false;
};
};
services.nginx.virtualHosts."${host}" = vhosts.proxy link.url;
systemd.services.gitea.preStart = let
providerName = "PrivateVoidAccount";
args = lib.escapeShellArgs [
"--name" providerName
"--provider" "openidConnect"
"--key" "net.privatevoid.forge1"
"--auto-discover-url" "https://login.${domain}/auth/realms/master/.well-known/openid-configuration"
"--group-claim-name" "groups"
"--admin-group" "/forge_admins@${domain}"
];
in lib.mkAfter /*bash*/ ''
providerId="$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)"
if [[ -z "$providerId" ]]; then
FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${secrets.forgejoOidcSecret.path})" ${exe} admin auth add-oauth ${args}
else
FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${secrets.forgejoOidcSecret.path})" ${exe} admin auth update-oauth --id "$providerId" ${args}
fi
'';
}