gitea: format, enable declarative ldap

2023-03-18 01:35:27 +01:00 · 2023-03-18 01:35:27 +01:00 · 76883a973b
parent e39aed92b4
commit 76883a973b
1 changed files with 18 additions and 10 deletions
--- a/hosts/gitea/default.nix
+++ b/hosts/gitea/default.nix
@ -1,10 +1,12 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, libS, ... }:

 {
  c3d2.deployment.server = "server10";

  microvm.mem = 4 * 1024;

+  environment.systemPackages = with pkgs; [ postgresql unzip ]; # used to restore database dumps
+
  networking = {
    hostName = "gitea";
    firewall.allowedTCPPorts = [ 2222 ];
@ -14,20 +16,23 @@
    gitea = rec {
      enable = true;
      appName = "Gitea: with a cup of Kolle Mate";
-      domain = "gitea.c3d2.de";
-      rootUrl = "https://${domain}/";
-
      database.type = "postgres";
-
-      repositoryRoot = "/var/lib/gitea/repositories";
-
+      domain = "gitea.c3d2.de";
      lfs.enable = true;
+      repositoryRoot = "/var/lib/gitea/repositories";
+      rootUrl = "https://${domain}/";

      dump = {
        # Is a nice feature once we have a dedicated backup storage.
        # For now it is disabled, since it delays `nixos-rebuild switch`.
        enable = false;
-        backupDir = "/var/lib/gitea/dump";
+        backupDir = "/var/backup/gitea/";
+      };
+
+      ldap = {
+        enable = true;
+        adminGroup = "gitea-admins";
+        bindPasswordFile = config.sops.secrets."gitea/ldapSearchUserPassword".path;
      };

      settings = {
@ -124,6 +129,11 @@
    };
  };

+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    secrets."gitea/ldapSearchUserPassword" = libS.sops.permissionForUser "gitea";
+  };
+
  programs.msmtp = {
    enable = true;
    accounts.default = {
@ -137,7 +147,5 @@
    };
  };

-  environment.systemPackages = with pkgs; [ postgresql unzip ]; # used to restore database dumps
-
  system.stateVersion = "21.11";
 }