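{ config, lib, libS, ... }:

# NixOS module for Gitea: LDAP login via `gitea admin auth {add,update}-ldap`
# and an opinionated set of hardening defaults (`recommendedDefaults`).
let
  cfg = config.services.gitea;
  # the attribute set that is turned 1:1 into `--<name> <value>` CLI arguments
  cfgl = cfg.ldap.options;
  # shared LDAP connection settings (server, DNs, attribute names, filter
  # builders) from this configuration's own `security.ldap` module
  inherit (config.security) ldap;
in
{
  options = {
    services.gitea = {
      # based on https://github.com/majewsky/nixos-modules/blob/master/gitea.nix
      ldap = {
        enable = lib.mkEnableOption (lib.mdDoc "login via ldap");

        adminGroup = lib.mkOption {
          type = lib.types.str;
          example = "gitea-admins";
          description = lib.mdDoc "Name of the ldap group that grants admin access in gitea.";
        };

        bindPasswordFile = lib.mkOption {
          type = lib.types.str;
          example = "/var/lib/secrets/bind-password";
          description = lib.mdDoc "Path to a file containing the bind password.";
        };

        # Every attribute below is passed as `--<attribute-name> <value>` to
        # `gitea admin auth add-ldap` / `update-ldap` in the preStart script,
        # so the attribute names must stay the CLI flag names.
        options = let
          # string option with a default but no description (internal flags)
          mkOptStr = default: lib.mkOption {
            type = lib.types.str;
            inherit default;
          };
        in {
          # auth source id; used by `update-ldap`, filtered out for `add-ldap`
          id = lib.mkOption {
            type = lib.types.ints.unsigned;
            default = 1;
          };
          name = mkOptStr "ldap";
          security-protocol = mkOptStr "LDAPS";
          host = mkOptStr ldap.domainName;
          port = lib.mkOption {
            type = lib.types.port;
            default = ldap.port;
          };
          bind-dn = mkOptStr ldap.bindDN;
          # Expanded by the shell at service start, so the secret is not written
          # to the Nix store. It does end up in the argument list of the gitea
          # command (visible in the process table while that command runs).
          bind-password = mkOptStr "$(cat ${lib.escapeShellArg cfg.ldap.bindPasswordFile})";
          user-search-base = mkOptStr ldap.userBaseDN;
          # %[1]s is gitea's placeholder for the login name in the user filter
          user-filter = mkOptStr (ldap.userFilter "%[1]s");
          # members of this group get the gitea admin flag on login/sync
          admin-filter = mkOptStr (ldap.groupFilter cfg.ldap.adminGroup);
          username-attribute = mkOptStr ldap.userField;
          firstname-attribute = mkOptStr ldap.givenNameField;
          surname-attribute = mkOptStr ldap.surnameField;
          email-attribute = mkOptStr ldap.mailField;
          public-ssh-key-attribute = mkOptStr ldap.sshPublicKeyField;
        };
      };

      recommendedDefaults = libS.mkOpinionatedOption "set recommended, secure default settings";
    };
  };

  config = lib.mkIf cfg.enable {
    # Opinionated defaults; every value is a default only and can be overridden
    # per setting by the user.
    services.gitea = lib.mkIf cfg.recommendedDefaults (libS.modules.mkRecursiveDefault {
      settings = {
        cors = {
          ALLOW_DOMAIN = cfg.settings.server.DOMAIN;
          ENABLED = true;
          SCHEME = "https";
        };
        cron.ENABLED = true;
        # keep authorized_keys and repository hooks in sync with the database
        "cron.resync_all_sshkeys".ENABLED = true;
        "cron.resync_all_hooks".ENABLED = true;
        other.SHOW_FOOTER_VERSION = false;
        repository.ACCESS_CONTROL_ALLOW_ORIGIN = cfg.settings.server.DOMAIN;
        "repository.signing".DEFAULT_TRUST_MODEL = "committer";
        # custom git hooks execute arbitrary commands on the server
        security.DISABLE_GIT_HOOKS = true;
        server = {
          ENABLE_GZIP = true;
          ROOT_URL = "https://${cfg.settings.server.DOMAIN}/";
          # Algorithm lists for gitea's built-in SSH server. The *-sha1 entries
          # in the key-exchange and MAC lists are the weakest members and are
          # only there for older clients; drop them once no such clients remain.
          SSH_SERVER_CIPHERS = "chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com";
          SSH_SERVER_KEY_EXCHANGES = "curve25519-sha256@libssh.org, ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, diffie-hellman-group14-sha1";
          SSH_SERVER_MACS = "hmac-sha2-256-etm@openssh.com, hmac-sha2-256, hmac-sha1";
        };
        session = {
          COOKIE_SECURE = true;
          PROVIDER = "db";
          SAME_SITE = "strict";
          SESSION_LIFE_TIME = 604800; # 7 days
        };
        "ssh.minimum_key_sizes" = {
          ECDSA = -1; # -1 disables this key type entirely
          # one bit below 4096 — presumably so that 4096-bit RSA keys whose
          # modulus reports as 4095 bits are still accepted; confirm against
          # gitea's handling before changing
          RSA = 4095;
        };
        time.DEFAULT_UI_LOCATION = config.time.timeZone;
        update_checker.ENABLED = false;
      };
    });

    # Create or update the LDAP auth source on every start so the database
    # follows the declarative options above.
    systemd.services.gitea.preStart = let
      exe = lib.getExe cfg.package;
      # Every value is shell-escaped except bind-password, which is deliberately
      # left to the shell so that its default `$(cat ...)` expands to the secret;
      # it is double-quoted so the expanded password is neither word-split nor
      # glob-expanded.
      formatOption = key: value:
        "--${key} ${if key == "bind-password" then "\"${value}\"" else lib.escapeShellArg value}";
      ldapOptionsStr = opt: lib.concatStringsSep " " (lib.mapAttrsToList formatOption opt);
      commonArgs = "--attributes-in-bind --synchronize-users";
      # Fixed-string match on the escaped source name so that whitespace or
      # regex metacharacters in the configured name can neither break the
      # command nor widen the match.
      sourceExists = "${exe} admin auth list | grep -qF -- ${lib.escapeShellArg cfgl.name}";
    in lib.mkIf cfg.ldap.enable (lib.mkAfter ''
      if ${sourceExists}; then
        ${exe} admin auth update-ldap ${commonArgs} ${ldapOptionsStr cfgl}
      else
        # add-ldap assigns the id itself, so it must not be passed
        ${exe} admin auth add-ldap ${commonArgs} ${ldapOptionsStr (lib.filterAttrs (name: _: name != "id") cfgl)}
      fi
    '');
  };
}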