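# NixOS module: self-hosted Gitea behind Traefik, backed by PostgreSQL over a
# Unix socket, with an agenix-managed SMTP secret and a fail2ban jail fed from
# the gitea.service journal.
{ config, pkgs, lib, inputs, ... }:
let
  hostname = "git.pleshevski.ru";
  giteaCfg = config.services.gitea;

  # Keep crawlers out of the mirrored/external repo namespaces. The file is
  # copied into Gitea's custom dir in preStart below.
  robotsTxt = pkgs.writeText "robots.txt" ''
    User-agent: *
    Disallow: /github
    Disallow: /external
  '';
in
{
  services.postgresql.package = pkgs.postgresql_14;

  services.gitea = {
    enable = true;
    httpPort = 9901;
    # Gitea itself comes from the unstable input; everything else from the
    # system's pkgs.
    package = inputs.nixpkgs_unstable.legacyPackages.${pkgs.system}.gitea;
    domain = hostname;
    rootUrl = "https://${hostname}";
    appName = "Pleshevskiy's Gitea";
    # The SMTP password never enters the Nix store: agenix decrypts it to a
    # file at activation and Gitea reads it from there.
    mailerPasswordFile = config.age.secrets.gitea-smtp-passfile.path;

    database = {
      type = "postgres";
      # Local Unix socket: no network-reachable DB endpoint or password needed.
      host = "/run/postgresql";
      port = config.services.postgresql.port;
    };

    lfs.enable = true;

    settings = {
      log = {
        LEVEL = "Info";
        ENABLE_SSH_LOG = true;
      };

      database = {
        CHARSET = "utf8";
        LOG_SQL = false;
      };

      server = {
        LANDING_PAGE = "explore";
      };

      service = {
        ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
        DEFAULT_KEEP_EMAIL_PRIVATE = false;
        DEFAULT_ALLOW_CREATE_ORGANIZATION = true;
        DEFAULT_ENABLE_TIMETRACKING = true;
        DEFAULT_ENABLE_DEPENDENCIES = false;
        # Closed instance: accounts are created by the admin only.
        DISABLE_REGISTRATION = true;
        ENABLE_NOTIFY_MAIL = false;
        ENABLE_CAPTCHA = false;
        ENABLE_TIMETRACKING = false;
        # Repositories stay publicly browsable without an account.
        REQUIRE_SIGNIN_VIEW = false;
        REGISTER_EMAIL_CONFIRM = false;
        NO_REPLY_ADDRESS = "noreply.pleshevski.ru";
      };

      repository = {
        DISABLE_MIGRATIONS = false;
        DISABLE_HTTP_GIT = false;
        DISABLE_STARS = false;
        DEFAULT_BRANCH = "main";
        DEFAULT_CLOSE_ISSUES_VIA_COMMITS_IN_ANY_BRANCH = false;
      };

      "repository.local" = {
        LOCAL_COPY_PATH = "${giteaCfg.stateDir}/tmp/local-repo";
      };

      "repository.upload" = {
        TEMP_PATH = "${giteaCfg.stateDir}/uploads";
        # Only images may be uploaded through the web UI.
        ALLOWED_TYPES = "image/*";
      };

      "repository.pull-request" = {
        WORK_IN_PROGRESS_PREFIXES = "Draft:,[Draft]:,WIP:,[WIP]:";
        DEFAULT_MERGE_STYLE = "rebase";
        POPULATE_SQUASH_COMMENT_WITH_COMMIT_MESSAGES = true;
      };

      indexer = {
        ISSUE_INDEXER_PATH = "${giteaCfg.stateDir}/indexers/issues.bleve";
      };

      sessions = {
        PROVIDER = "file";
        PROVIDER_CONFIG = "${giteaCfg.stateDir}/sessions";
      };

      picture = {
        AVATAR_UPLOAD_PATH = "${giteaCfg.stateDir}/avatars";
        REPOSITORY_AVATAR_UPLOAD_PATH = "${giteaCfg.stateDir}/repo-avatars";
        DISABLE_GRAVATAR = false;
        ENABLE_FEDERATED_AVATAR = true;
      };

      attachment = {
        PATH = "${giteaCfg.stateDir}/attachments";
      };

      mailer = {
        ENABLED = true;
        MAILER_TYPE = "smtp";
        SMTP_ADDR = "mail.pleshevski.ru";
        # 465 is the implicit-TLS (SMTPS) port, so credentials are not sent in
        # the clear.
        SMTP_PORT = 465;
        USER = "gitea@pleshevski.ru";
        # NOTE(review): only a quoted display name survives here; a From:
        # header also needs an address part — confirm the intended value (it
        # may have been lost in transcription).
        FROM = "\"${giteaCfg.appName}\" ";
      };

      openid = {
        ENABLE_OPENID_SIGNIN = true;
        # Sign-in via OpenID is allowed, but it must not create new accounts.
        ENABLE_OPENID_SIGNUP = false;
      };

      # Don't check for new Gitea versions
      "cron.update_checker".ENABLED = false;
    };
  };

  # Install robots.txt into the custom dir after the module's own preStart has
  # prepared the state directory.
  systemd.services.gitea.preStart = lib.mkAfter ''
    cp -f ${robotsTxt} ${giteaCfg.stateDir}/custom/robots.txt
  '';

  # TLS terminates at Traefik (Let's Encrypt resolver "le"); Gitea is reached
  # on the host's plain-HTTP port from the Traefik container.
  services.traefik.dynamicConfigOptions.http = {
    routers.to_gitea = {
      rule = "Host(`${hostname}`)";
      entryPoints = [ "https" ];
      tls.certResolver = "le";
      service = "gitea";
    };
    services.gitea = {
      loadBalancer.servers = [
        { url = "http://host.docker.internal:${toString giteaCfg.httpPort}"; }
      ];
    };
  };

  # Decrypted secret is readable by the gitea user/group only.
  age.secrets.gitea-smtp-passfile = {
    file = ../../../../secrets/gitea-smtp-passfile.age;
    owner = giteaCfg.user;
    group = "gitea";
  };

  # Ban sources of repeated failed logins for 15 min, counted over 1 h.
  # NOTE(review): Gitea sits behind Traefik, so the address it logs is the
  # proxy's unless Gitea is configured to trust the proxy's forwarded client
  # address — confirm this, otherwise iptables-allports would either ban
  # nothing useful or ban the proxy itself and take the whole site down.
  services.fail2ban.jails.gitea = ''
    enabled = true
    filter = gitea
    findtime = 3600
    bantime = 900
    action = iptables-allports
  '';

  # <HOST> is fail2ban's capture placeholder for the offending address; a
  # failregex without it cannot extract an IP and therefore never bans.
  # journalmatch only takes effect with the systemd backend — confirm the jail
  # backend is systemd.
  environment.etc."fail2ban/filter.d/gitea.conf".text = ''
    [Definition]
    failregex = .*Failed authentication attempt for .* from <HOST>
    ignoreregex =
    journalmatch = _SYSTEMD_UNIT=gitea.service
  '';
}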