145 lines
4.7 KiB
Nix
145 lines
4.7 KiB
Nix
{ config, pkgs, lib, ... }:
|
|
let
|
|
homelabDomain = config.networking.domain;
|
|
svcDomain = "git.${homelabDomain}";
|
|
theme = pkgs.fetchzip {
|
|
url = "https://github.com/catppuccin/gitea/releases/download/v1.0.2/catppuccin-gitea.tar.gz";
|
|
hash = "sha256-rZHLORwLUfIFcB6K9yhrzr+UwdPNQVSadsw6rg8Q7gs=";
|
|
stripRoot = false;
|
|
};
|
|
svcHttpPort = config.services.forgejo.settings.server.HTTP_PORT;
|
|
assetsDir = "${config.services.forgejo.stateDir}/custom/public/assets";
|
|
in
|
|
{
|
|
# NOTE: Periodically come update the catpuccin theme.
|
|
# `-auto` will automatically switch between latte and mocha modes.
|
|
services.forgejo.settings.ui = {
|
|
DEFAULT_THEME = "catpuccin-teal-auto";
|
|
THEMES = builtins.concatStringsSep "," (
|
|
[ "auto" ]
|
|
++ (map (name: lib.removePrefix "theme-" (lib.removeSuffix ".css" name)) (
|
|
builtins.attrNames (builtins.readDir theme)
|
|
))
|
|
);
|
|
};
|
|
|
|
# TODO: Setup a PostgreSQL Server.
|
|
# Inspiration here: https://github.com/nyawox/arcanum/blob/4629dfba1bc6d4dd2f4cf45724df81289230b61a/nixos/servers/forgejo.nix#L64
|
|
#sops-secrets.postgres-forgejo = {
|
|
#sopsFile = ../secrets/forgejo.yaml;
|
|
#};
|
|
|
|
services.caddy.virtualHosts."${svcDomain}".extraConfig = ''
|
|
reverse_proxy :${toString svcHttpPort}
|
|
'';
|
|
|
|
services.forgejo = {
|
|
enable = true;
|
|
# database.type = "postgres";
|
|
settings = {
|
|
default.APP_NAME = "GitGarage";
|
|
server = {
|
|
DOMAIN = svcDomain;
|
|
ROOT_URL = "https://${svcDomain}";
|
|
HTTP_PORT = 3000;
|
|
};
|
|
# NOTE: Actions support is based on: https://github.com/nektos/act
|
|
#actions = {
|
|
#ENABLED = true;
|
|
#DEFAULT_ACTIONS_URL = "github";
|
|
#};
|
|
actions.ENABLED = false;
|
|
# NOTE: Registration is handled with kanidm.
|
|
# Registration button link is at /user/sign_up
|
|
service = {
|
|
REGISTER_EMAIL_CONFIRM = false;
|
|
DISABLE_REGISTRATION = false;
|
|
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
|
|
SHOW_REGISTRATION_BUTTON = false;
|
|
REQUIRE_SIGNIN_VIEW = false;
|
|
# TODO: Consider setting up emails.
|
|
ENABLE_NOTIFY_MAIL = false;
|
|
};
|
|
openid = {
|
|
ENABLE_OPENID_SIGNIN = true;
|
|
ENABLE_OPENID_SIGNUP = true;
|
|
WHITELISTED_URIS = "id.${homelabDomain}";
|
|
};
|
|
# TODO: Literally review all server settings, and link the forgejo documentation.
|
|
# Also perhaps include every setting here explicitly.
|
|
oauth2_client = {
|
|
REGISTER_EMAIL_CONFIRM = false;
|
|
ENABLE_AUTO_REGISTRATION = true;
|
|
ACCOUNT_LINKING = "login";
|
|
USERNAME = "nickname";
|
|
UPDATE_AVATAR = true;
|
|
OPENID_CONNECT_SCOPES = "openid email profile";
|
|
};
|
|
repository = {
|
|
DEFAULT_PRIVATE = "private";
|
|
DEFAULT_BRANCH = "main";
|
|
ENABLE_PUSH_CREATE_USER = true;
|
|
ENABLE_PUSH_CREATE_ORG = true;
|
|
};
|
|
mailer.ENABLED = false;
|
|
};
|
|
};
|
|
|
|
# TODO: Finish Configuring the kandim oauth for forgejo....
|
|
services.kanidm.provision.systems.oauth2.forgejo = {
|
|
displayName = "forgejo";
|
|
# TODO: Get this from Forgejo
|
|
# originUrl = "https://git.${homelabDomain}/user/oauth2/${homelabDomain}/callback";
|
|
originUrl = "${config.services.forgejo.settings.server.ROOT_URL}/user/oauth2/kanidm/callback";
|
|
originLanding = "https://git.${homelabDomain}/";
|
|
#basicSecretFile = "TODO!SETME";
|
|
scopeMaps."git.users" = [
|
|
"openid"
|
|
"email"
|
|
"profile"
|
|
"groups"
|
|
];
|
|
# WARNING: PKCE is currently not supported by gitea/forgejo,
|
|
# see https://github.com/go-gitea/gitea/issues/21376
|
|
allowInsecureClientDisablePkce = true;
|
|
preferShortUsername = true;
|
|
claimMaps.groups = {
|
|
joinType = "array";
|
|
valuesByGroup."git.admins" = [ "admin" ];
|
|
};
|
|
};
|
|
|
|
systemd.services.forgejo = {
|
|
preStart =
|
|
lib.mkAfter # bash
|
|
''
|
|
echo "Installing Catppuccin Assets"
|
|
rm -rf ${assetsDir}
|
|
mkdir -p ${assetsDir}
|
|
ln -sf ${theme} ${assetsDir}/css
|
|
'';
|
|
};
|
|
|
|
|
|
#sops.secrets.forgejo-runner-token = {};
|
|
#services.gitea-actions-runner = {
|
|
#package = pkgs.forgejo-runner;
|
|
#instances.default = {
|
|
#enable = true;
|
|
#name = "monolith";
|
|
#url = "https://${serviceDomain}";
|
|
#tokenFile = config.sops.secrets.forgejo-runner-token.path;
|
|
# NOTE: I don't want huge images if it can be avoided.
|
|
# https://nektosact.com/usage/runners.html
|
|
#labels = [
|
|
#"ubuntu-latest:docker://node:16-bullseye-slim"
|
|
#"ubuntu-22.04:docker://node:16-bullseye-slim"
|
|
#];
|
|
#};
|
|
#};
|
|
|
|
# TODO: Consider automatically creating admin account and password...
|
|
# https://wiki.nixos.org/wiki/Forgejo#Ensure_users
|
|
# Might be necessary to generate a token for kanidm
|
|
sops.secrets."forgejo/admin-password".owner = "forgejo";
|
|
}
|