stuebinm
72ca5b2888
in theory this might be ready to deploy. Potential hazards & things to
know when actually doing so:
1. the mysql version used by mattermost was updated (the old uses an
openssl which is marked insecure). Might have to migrate a database
2. lots of settings now use RFC 42-style settings, which might contain
new typos
3. this updates uffd (& changes the patches we apply). Since version
dependencies of uffd are basically "whatever debian has" we have
never bothered to match them, but afaik have also never updated uffd
since the initial deploy some years ago. No guarantee it still
works.
4. tracktrain depends on haskellPackages.conferer-warp, which is
currently marked broken. There is no reason for this (it builds
fine). Until fixed upstream, build with NIXPKGS_ALLOW_BROKEN=1.
cf. https://github.com/NixOS/nixpkgs/pull/234784; waiting for a
merge of haskell-updates into 23.05
106 lines
3 KiB
Nix
106 lines
3 KiB
Nix
{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }:
|
|
|
|
{
|
|
containers.gitea = {
|
|
privateNetwork = true;
|
|
hostAddress = "192.168.100.1";
|
|
localAddress = "192.168.100.10";
|
|
autoStart = true;
|
|
bindMounts = {
|
|
"/persist" = {
|
|
hostPath = "/persist/containers/gitea";
|
|
isReadOnly = false;
|
|
};
|
|
};
|
|
path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
|
|
system.stateVersion = "21.11";
|
|
|
|
imports = [ profiles.nopersist profiles.container ];
|
|
|
|
environment.systemPackages = [ pkgs.gitea ];
|
|
|
|
hexchen.bindmounts."/var/lib/gitea" = "/persist/gitea";
|
|
|
|
nixpkgs.config.allowUnfree = true;
|
|
|
|
services.gitea = {
|
|
enable = true;
|
|
appName = "0x0: git for all creatures";
|
|
lfs.enable = true;
|
|
database.type = "postgres";
|
|
settings = {
|
|
repository = {
|
|
DEFAULT_PRIVATE = "public";
|
|
PREFERRED_LICENSES = "Unlicense";
|
|
DEFAULT_BRANCH = "main";
|
|
};
|
|
oauth2_client = {
|
|
ACCOUNT_LINKING = "auto";
|
|
ENABLE_AUTO_REGISTRATION = true;
|
|
};
|
|
"repository.pull-requests" = {
|
|
DEFAULT_MERGE_STYLE = "merge";
|
|
DEFAULT_MERGE_MESSAGE_ALL_AUTHORS = true;
|
|
};
|
|
"repository.upload".FILE_MAX_SIZE = 1024;
|
|
server = {
|
|
LANDING_PAGE = "explore";
|
|
OFFLINE_MODE = true;
|
|
ROOT_URL = "https://git.infra4future.de";
|
|
HTTP_PORT = 3000;
|
|
HTTP_ADDR = "0.0.0.0";
|
|
};
|
|
security = { INSTALL_LOCK = true; };
|
|
other = {
|
|
SHOW_FOOTER_VERSION = false;
|
|
SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
|
|
};
|
|
cron = {
|
|
ENABLED = true;
|
|
NOTICE_ON_SUCCESS = true;
|
|
};
|
|
"cron.update_mirrors" = {
|
|
SCHEDULE = "@every 12h";
|
|
PULL_LIMIT = "-1";
|
|
PUSH_LIMIT = "-1";
|
|
};
|
|
"cron.git_gc_repos".ENABLED = true;
|
|
"cron.delete_old_actions".ENABLED = true;
|
|
log.LEVEL = "Info";
|
|
service.DISABLE_REGISTRATION = true;
|
|
session.COOKIE_SECURE = true;
|
|
};
|
|
};
|
|
services.postgresqlBackup = {
|
|
enable = true;
|
|
databases = [ "gitea" ];
|
|
startAt = "*-*-* 23:45:00";
|
|
location = "/persist/backups/postgres";
|
|
};
|
|
services.openssh = {
|
|
enable = true;
|
|
listenAddresses = [ {
|
|
addr = "192.168.100.10";
|
|
port = 22;
|
|
} ];
|
|
settings = {
|
|
PasswordAuthentication = false;
|
|
AcceptEnv = "GIT_PROTOCOL";
|
|
};
|
|
};
|
|
});
|
|
};
|
|
|
|
services.nginx.virtualHosts."git.infra4future.de" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
locations."/" = {
|
|
proxyPass = "http://${config.containers.gitea.localAddress}:3000";
|
|
};
|
|
};
|
|
hexchen.nftables.nat.forwardPorts = [{
|
|
ports = [ 22 ];
|
|
destination = "${config.containers.gitea.localAddress}:22";
|
|
proto = "tcp";
|
|
}];
|
|
}
|