gitea: expand recommended settings

2024-06-14 03:46:57 +02:00 · 2023-01-11 00:53:53 +01:00 · 2023-01-11 00:53:53 +01:00 · e2683a4fcb
commit e2683a4fcb
parent aafa533bd1
1 changed files with 29 additions and 5 deletions
--- a/modules/gitea.nix
+++ b/modules/gitea.nix
@ -9,11 +9,35 @@ in
  };

  config = lib.mkIf cfg.enable {
-    services.gitea.settings = lib.mkIf cfg.recommendedDefaults (libS.modules.mkRecursiveDefault {
-      "update_checker".ENABLED = false;
-      other.SHOW_FOOTER_VERSION = false;
-      session.COOKIE_SECURE = lib.mkForce true;
-      time.DEFAULT_UI_LOCATION = config.time.timeZone;
+    services.gitea = lib.mkIf cfg.recommendedDefaults (libS.modules.mkRecursiveDefault {
+      rootUrl = "https://${config.services.gitea.domain}/";
+      settings = {
+        cors = {
+          ALLOW_DOMAIN = config.services.gitea.domain;
+          ENABLED = true;
+          SCHEME = "https";
+        };
+        other.SHOW_FOOTER_VERSION = false;
+        repository.ACCESS_CONTROL_ALLOW_ORIGIN = config.services.gitea.domain;
+        server = {
+          ENABLE_GZIP = true;
+          SSH_SERVER_CIPHERS = "chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com";
+          SSH_SERVER_KEY_EXCHANGES = "curve25519-sha256@libssh.org, ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, diffie-hellman-group14-sha1";
+          SSH_SERVER_MACS = "hmac-sha2-256-etm@openssh.com, hmac-sha2-256, hmac-sha1";
+        };
+        session = {
+          COOKIE_SECURE = true;
+          PROVIDER = "db";
+          SAME_SITE = "strict";
+          SESSION_LIFE_TIME = 604800; # 7 days
+        };
+        "ssh.minimum_key_sizes" = {
+          ECDSA = -1;
+          RSA = 4095;
+        };
+        time.DEFAULT_UI_LOCATION = config.time.timeZone;
+        update_checker.ENABLED = false;
+      };
    });
  };
 }