nixos-modules/modules/gitea.nix

{ config, lib, libS, ... }:

let
  cfg = config.services.gitea;
  cfgl = cfg.ldap;
  inherit (config.security) ldap;
in
{
  options = {
    services.gitea = {
      # based on https://github.com/majewsky/nixos-modules/blob/master/gitea.nix
      ldap = {
        enable = lib.mkEnableOption (lib.mdDoc "login via ldap");

        adminGroup = lib.mkOption {
          type = with lib.types; nullOr str;
          default = null;
          example = "gitea-admins";
          description = lib.mdDoc "Name of the ldap group that grants admin access in gitea.";
        };

        searchUserPasswordFile = lib.mkOption {
          type = with lib.types; nullOr str;
          default = null;
          example = "/var/lib/secrets/search-user-password";
          description = lib.mdDoc "Path to a file containing the password for the search/bind user.";
        };

        userGroup = libS.ldap.mkUserGroupOption;

        options =
          let
            mkOptStr = lib.mkOption {
              type = with lib.types; nullOr str;
              default = null;
            };
          in
          {
            id = lib.mkOption {
              type = lib.types.ints.unsigned;
              default = 1;
            };
            name = mkOptStr;
            security-protocol = mkOptStr;
            host = mkOptStr;
            port = lib.mkOption {
              type = with lib.types; nullOr port;
              default = null;
            };
            bind-dn = mkOptStr;
            bind-password = mkOptStr;
            user-search-base = mkOptStr;
            user-filter = mkOptStr;
            admin-filter = mkOptStr;
            username-attribute = mkOptStr;
            firstname-attribute = mkOptStr;
            surname-attribute = mkOptStr;
            email-attribute = mkOptStr;
            public-ssh-key-attribute = mkOptStr;
          };
      };
      recommendedDefaults = libS.mkOpinionatedOption "set recommended, secure default settings";
    };
  };

  imports = [
    (lib.mkRenamedOptionModule [ "services" "gitea" "ldap" "bindPasswordFile" ] [ "services" "gitea" "ldap" "searchUserPasswordFile" ])
  ];

  config.services.gitea = lib.mkIf (cfg.enable && cfgl.enable) {
    ldap.options = {
      name = "ldap";
      security-protocol = "LDAPS";
      host = ldap.domainName;
      inherit (ldap) port;
      bind-dn = ldap.bindDN;
      bind-password = "$(cat ${cfgl.searchUserPasswordFile})";
      user-search-base = ldap.userBaseDN;
      user-filter = ldap.searchFilterWithGroupFilter cfgl.userGroup (ldap.userFilter "%[1]s");
      admin-filter = ldap.groupFilter cfgl.adminGroup;
      username-attribute = ldap.userField;
      firstname-attribute = ldap.givenNameField;
      surname-attribute = ldap.surnameField;
      email-attribute = ldap.mailField;
      public-ssh-key-attribute = ldap.sshPublicKeyField;
    };
    settings = lib.mkIf cfg.recommendedDefaults (libS.modules.mkRecursiveDefault {
      cors = {
        ALLOW_DOMAIN = cfg.settings.server.DOMAIN;
        ENABLED = true;
        # TODO: remove with gitea 1.21.4
        SCHEME = "https";
      };
      cron.ENABLED = true;
      "cron.delete_old_actions".ENABLED = true;
      "cron.delete_old_system_notices".ENABLED = true;
      other.SHOW_FOOTER_VERSION = false;
      repository.ACCESS_CONTROL_ALLOW_ORIGIN = cfg.settings.server.DOMAIN;
      "repository.signing".DEFAULT_TRUST_MODEL = "committer";
      security.DISABLE_GIT_HOOKS = true;
      server = {
        ENABLE_GZIP = true;
        ROOT_URL = "https://${cfg.settings.server.DOMAIN}/";
        SSH_SERVER_CIPHERS = "chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com";
        SSH_SERVER_KEY_EXCHANGES = "curve25519-sha256@libssh.org, ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, diffie-hellman-group14-sha1";
        SSH_SERVER_MACS = "hmac-sha2-256-etm@openssh.com, hmac-sha2-256, hmac-sha1";
      };
      session = {
        COOKIE_SECURE = true;
        PROVIDER = "db";
        SAME_SITE = "strict";
        SESSION_LIFE_TIME = 28 * 86400; # 28 days
      };
      "ssh.minimum_key_sizes" = {
        ECDSA = -1;
        RSA = 4095;
      };
      time.DEFAULT_UI_LOCATION = config.time.timeZone;
    });
  };

  config.services.portunus.seedSettings.groups = [
    (lib.mkIf (cfgl.adminGroup != null) {
      long_name = "Gitea Administrators";
      name = cfgl.adminGroup;
      permissions = { };
    })
    (lib.mkIf (cfgl.userGroup != null) {
      long_name = "Gitea Users";
      name = cfgl.userGroup;
      permissions = { };
    })
  ];

  config.systemd.services = lib.mkIf (cfg.enable && cfgl.enable) {
    gitea.preStart =
      let
        exe = lib.getExe cfg.package;
        # allow executing shell after the --bind-password argument to e.g. cat a password file
        formatOption = key: value: "--${key} ${if key == "bind-password" then value else lib.escapeShellArg value}";
        ldapOptionsStr = opt: lib.concatStringsSep " " (lib.mapAttrsToList formatOption opt);
        commonArgs = "--attributes-in-bind --synchronize-users";
      in
      lib.mkAfter ''
        if ${exe} admin auth list | grep -q ${cfgl.options.name}; then
          ${exe} admin auth update-ldap ${commonArgs} ${ldapOptionsStr cfgl.options}
        else
          ${exe} admin auth add-ldap ${commonArgs} ${ldapOptionsStr (lib.filterAttrs (name: _: name != "id") cfgl.options)}
        fi
      '';
  };
}
Add gitea opinionated defaults 2023-01-06 21:11:53 +01:00			`{ config, lib, libS, ... }:`

			`let`
			`cfg = config.services.gitea;`
gitea: add userGroup option 2023-07-02 00:02:27 +02:00			`cfgl = cfg.ldap;`
gitea: add ldap option 2023-03-17 01:50:30 +01:00			`inherit (config.security) ldap;`
Add gitea opinionated defaults 2023-01-06 21:11:53 +01:00			`in`
			`{`
			`options = {`
gitea: add ldap option 2023-03-17 01:50:30 +01:00			`services.gitea = {`
			`# based on https://github.com/majewsky/nixos-modules/blob/master/gitea.nix`
			`ldap = {`
			`enable = lib.mkEnableOption (lib.mdDoc "login via ldap");`

			`adminGroup = lib.mkOption {`
gitea: add userGroup option 2023-07-02 00:02:27 +02:00			`type = with lib.types; nullOr str;`
			`default = null;`
gitea: add ldap option 2023-03-17 01:50:30 +01:00			`example = "gitea-admins";`
			`description = lib.mdDoc "Name of the ldap group that grants admin access in gitea.";`
			`};`

gitea: remove duplicated ldap on option name, remove usage of deprecated option 2023-12-27 00:04:01 +01:00			`searchUserPasswordFile = lib.mkOption {`
gitea: add userGroup option 2023-07-02 00:02:27 +02:00			`type = with lib.types; nullOr str;`
			`default = null;`
gitea: rename bindPasswordFile option 2023-12-26 00:06:47 +01:00			`example = "/var/lib/secrets/search-user-password";`
			`description = lib.mdDoc "Path to a file containing the password for the search/bind user.";`
gitea: add ldap option 2023-03-17 01:50:30 +01:00			`};`

gitea: add userGroup option 2023-07-02 00:02:27 +02:00			`userGroup = libS.ldap.mkUserGroupOption;`

			`options =`
			`let`
			`mkOptStr = lib.mkOption {`
			`type = with lib.types; nullOr str;`
			`default = null;`
			`};`
			`in`
			`{`
			`id = lib.mkOption {`
			`type = lib.types.ints.unsigned;`
			`default = 1;`
			`};`
			`name = mkOptStr;`
			`security-protocol = mkOptStr;`
			`host = mkOptStr;`
			`port = lib.mkOption {`
			`type = with lib.types; nullOr port;`
			`default = null;`
			`};`
			`bind-dn = mkOptStr;`
			`bind-password = mkOptStr;`
			`user-search-base = mkOptStr;`
			`user-filter = mkOptStr;`
			`admin-filter = mkOptStr;`
			`username-attribute = mkOptStr;`
			`firstname-attribute = mkOptStr;`
			`surname-attribute = mkOptStr;`
			`email-attribute = mkOptStr;`
			`public-ssh-key-attribute = mkOptStr;`
gitea: add ldap option 2023-03-17 01:50:30 +01:00			`};`
			`};`
			`recommendedDefaults = libS.mkOpinionatedOption "set recommended, secure default settings";`
			`};`
Add gitea opinionated defaults 2023-01-06 21:11:53 +01:00			`};`

gitea: rename bindPasswordFile option 2023-12-26 00:06:47 +01:00			`imports = [`
gitea: remove duplicated ldap on option name, remove usage of deprecated option 2023-12-27 00:04:01 +01:00			`(lib.mkRenamedOptionModule [ "services" "gitea" "ldap" "bindPasswordFile" ] [ "services" "gitea" "ldap" "searchUserPasswordFile" ])`
gitea: rename bindPasswordFile option 2023-12-26 00:06:47 +01:00			`];`

gitea: fix conditions 2023-07-02 19:30:10 +02:00			`config.services.gitea = lib.mkIf (cfg.enable && cfgl.enable) {`
gitea: add userGroup option 2023-07-02 00:02:27 +02:00			`ldap.options = {`
			`name = "ldap";`
			`security-protocol = "LDAPS";`
			`host = ldap.domainName;`
			`inherit (ldap) port;`
			`bind-dn = ldap.bindDN;`
gitea: remove duplicated ldap on option name, remove usage of deprecated option 2023-12-27 00:04:01 +01:00			`bind-password = "$(cat ${cfgl.searchUserPasswordFile})";`
gitea: add userGroup option 2023-07-02 00:02:27 +02:00			`user-search-base = ldap.userBaseDN;`
			`user-filter = ldap.searchFilterWithGroupFilter cfgl.userGroup (ldap.userFilter "%[1]s");`
			`admin-filter = ldap.groupFilter cfgl.adminGroup;`
			`username-attribute = ldap.userField;`
			`firstname-attribute = ldap.givenNameField;`
			`surname-attribute = ldap.surnameField;`
			`email-attribute = ldap.mailField;`
			`public-ssh-key-attribute = ldap.sshPublicKeyField;`
			`};`
			`settings = lib.mkIf cfg.recommendedDefaults (libS.modules.mkRecursiveDefault {`
gitea: format 2023-04-28 00:08:19 +02:00			`cors = {`
			`ALLOW_DOMAIN = cfg.settings.server.DOMAIN;`
			`ENABLED = true;`
gitea: add todo 2023-12-30 00:21:38 +01:00			`# TODO: remove with gitea 1.21.4`
gitea: format 2023-04-28 00:08:19 +02:00			`SCHEME = "https";`
			`};`
			`cron.ENABLED = true;`
gitea: update enabled crons 2023-12-25 00:32:35 +01:00			`"cron.delete_old_actions".ENABLED = true;`
			`"cron.delete_old_system_notices".ENABLED = true;`
gitea: format 2023-04-28 00:08:19 +02:00			`other.SHOW_FOOTER_VERSION = false;`
			`repository.ACCESS_CONTROL_ALLOW_ORIGIN = cfg.settings.server.DOMAIN;`
			`"repository.signing".DEFAULT_TRUST_MODEL = "committer";`
			`security.DISABLE_GIT_HOOKS = true;`
			`server = {`
			`ENABLE_GZIP = true;`
			`ROOT_URL = "https://${cfg.settings.server.DOMAIN}/";`
			`SSH_SERVER_CIPHERS = "chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com";`
			`SSH_SERVER_KEY_EXCHANGES = "curve25519-sha256@libssh.org, ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, diffie-hellman-group14-sha1";`
			`SSH_SERVER_MACS = "hmac-sha2-256-etm@openssh.com, hmac-sha2-256, hmac-sha1";`
			`};`
			`session = {`
			`COOKIE_SECURE = true;`
			`PROVIDER = "db";`
			`SAME_SITE = "strict";`
gitea: bump default session time 2023-11-26 22:16:37 +01:00			`SESSION_LIFE_TIME = 28 * 86400; # 28 days`
gitea: format 2023-04-28 00:08:19 +02:00			`};`
			`"ssh.minimum_key_sizes" = {`
			`ECDSA = -1;`
			`RSA = 4095;`
gitea: expand recommended settings 2023-01-11 00:53:53 +01:00			`};`
gitea: format 2023-04-28 00:08:19 +02:00			`time.DEFAULT_UI_LOCATION = config.time.timeZone;`
Add gitea opinionated defaults 2023-01-06 21:11:53 +01:00			`});`
gitea: add userGroup option 2023-07-02 00:02:27 +02:00			`};`
gitea: add ldap option 2023-03-17 01:50:30 +01:00
Sort, cleanup, add color highlighting 2023-12-23 00:30:47 +01:00			`config.services.portunus.seedSettings.groups = [`
			`(lib.mkIf (cfgl.adminGroup != null) {`
			`long_name = "Gitea Administrators";`
			`name = cfgl.adminGroup;`
			`permissions = { };`
			`})`
			`(lib.mkIf (cfgl.userGroup != null) {`
			`long_name = "Gitea Users";`
			`name = cfgl.userGroup;`
			`permissions = { };`
			`})`
			`];`

gitea: don't create empty systemd unit 2023-07-05 23:32:51 +02:00			`config.systemd.services = lib.mkIf (cfg.enable && cfgl.enable) {`
			`gitea.preStart =`
			`let`
			`exe = lib.getExe cfg.package;`
			`# allow executing shell after the --bind-password argument to e.g. cat a password file`
			`formatOption = key: value: "--${key} ${if key == "bind-password" then value else lib.escapeShellArg value}";`
			`ldapOptionsStr = opt: lib.concatStringsSep " " (lib.mapAttrsToList formatOption opt);`
			`commonArgs = "--attributes-in-bind --synchronize-users";`
			`in`
			`lib.mkAfter ''`
			`if ${exe} admin auth list \| grep -q ${cfgl.options.name}; then`
			`${exe} admin auth update-ldap ${commonArgs} ${ldapOptionsStr cfgl.options}`
			`else`
			`${exe} admin auth add-ldap ${commonArgs} ${ldapOptionsStr (lib.filterAttrs (name: _: name != "id") cfgl.options)}`
			`fi`
			`'';`
			`};`
Add gitea opinionated defaults 2023-01-06 21:11:53 +01:00			`}`