pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / modules / services / misc / gitea.nix
at 24.11-pre 26 kB view raw
1{ config, lib, options, pkgs, ... }: 2 3with lib; 4 5let 6 cfg = config.services.gitea; 7 opt = options.services.gitea; 8 exe = lib.getExe cfg.package; 9 pg = config.services.postgresql; 10 useMysql = cfg.database.type == "mysql"; 11 usePostgresql = cfg.database.type == "postgres"; 12 useSqlite = cfg.database.type == "sqlite3"; 13 format = pkgs.formats.ini { }; 14 configFile = pkgs.writeText "app.ini" '' 15 APP_NAME = ${cfg.appName} 16 RUN_USER = ${cfg.user} 17 RUN_MODE = prod 18 WORK_PATH = ${cfg.stateDir} 19 20 ${generators.toINI {} cfg.settings} 21 22 ${optionalString (cfg.extraConfig != null) cfg.extraConfig} 23 ''; 24in 25 26{ 27 imports = [ 28 (mkRenamedOptionModule [ "services" "gitea" "cookieSecure" ] [ "services" "gitea" "settings" "session" "COOKIE_SECURE" ]) 29 (mkRenamedOptionModule [ "services" "gitea" "disableRegistration" ] [ "services" "gitea" "settings" "service" "DISABLE_REGISTRATION" ]) 30 (mkRenamedOptionModule [ "services" "gitea" "domain" ] [ "services" "gitea" "settings" "server" "DOMAIN" ]) 31 (mkRenamedOptionModule [ "services" "gitea" "httpAddress" ] [ "services" "gitea" "settings" "server" "HTTP_ADDR" ]) 32 (mkRenamedOptionModule [ "services" "gitea" "httpPort" ] [ "services" "gitea" "settings" "server" "HTTP_PORT" ]) 33 (mkRenamedOptionModule [ "services" "gitea" "log" "level" ] [ "services" "gitea" "settings" "log" "LEVEL" ]) 34 (mkRenamedOptionModule [ "services" "gitea" "log" "rootPath" ] [ "services" "gitea" "settings" "log" "ROOT_PATH" ]) 35 (mkRenamedOptionModule [ "services" "gitea" "rootUrl" ] [ "services" "gitea" "settings" "server" "ROOT_URL" ]) 36 (mkRenamedOptionModule [ "services" "gitea" "ssh" "clonePort" ] [ "services" "gitea" "settings" "server" "SSH_PORT" ]) 37 (mkRenamedOptionModule [ "services" "gitea" "staticRootPath" ] [ "services" "gitea" "settings" "server" "STATIC_ROOT_PATH" ]) 38 39 (mkChangedOptionModule [ "services" "gitea" "enableUnixSocket" ] [ "services" "gitea" "settings" "server" "PROTOCOL" ] ( 40 config: if config.services.gitea.enableUnixSocket then "http+unix" else "http" 41 )) 42 43 (mkRemovedOptionModule [ "services" "gitea" "ssh" "enable" ] "services.gitea.ssh.enable has been migrated into freeform setting services.gitea.settings.server.DISABLE_SSH. Keep in mind that the setting is inverted") 44 ]; 45 46 options = { 47 services.gitea = { 48 enable = mkOption { 49 default = false; 50 type = types.bool; 51 description = "Enable Gitea Service."; 52 }; 53 54 package = mkPackageOption pkgs "gitea" { }; 55 56 useWizard = mkOption { 57 default = false; 58 type = types.bool; 59 description = "Do not generate a configuration and use gitea' installation wizard instead. The first registered user will be administrator."; 60 }; 61 62 stateDir = mkOption { 63 default = "/var/lib/gitea"; 64 type = types.str; 65 description = "Gitea data directory."; 66 }; 67 68 customDir = mkOption { 69 default = "${cfg.stateDir}/custom"; 70 defaultText = literalExpression ''"''${config.${opt.stateDir}}/custom"''; 71 type = types.str; 72 description = "Gitea custom directory. Used for config, custom templates and other options."; 73 }; 74 75 user = mkOption { 76 type = types.str; 77 default = "gitea"; 78 description = "User account under which gitea runs."; 79 }; 80 81 group = mkOption { 82 type = types.str; 83 default = "gitea"; 84 description = "Group under which gitea runs."; 85 }; 86 87 database = { 88 type = mkOption { 89 type = types.enum [ "sqlite3" "mysql" "postgres" ]; 90 example = "mysql"; 91 default = "sqlite3"; 92 description = "Database engine to use."; 93 }; 94 95 host = mkOption { 96 type = types.str; 97 default = "127.0.0.1"; 98 description = "Database host address."; 99 }; 100 101 port = mkOption { 102 type = types.port; 103 default = if usePostgresql then pg.settings.port else 3306; 104 defaultText = literalExpression '' 105 if config.${opt.database.type} != "postgresql" 106 then 3306 107 else 5432 108 ''; 109 description = "Database host port."; 110 }; 111 112 name = mkOption { 113 type = types.str; 114 default = "gitea"; 115 description = "Database name."; 116 }; 117 118 user = mkOption { 119 type = types.str; 120 default = "gitea"; 121 description = "Database user."; 122 }; 123 124 password = mkOption { 125 type = types.str; 126 default = ""; 127 description = '' 128 The password corresponding to {option}`database.user`. 129 Warning: this is stored in cleartext in the Nix store! 130 Use {option}`database.passwordFile` instead. 131 ''; 132 }; 133 134 passwordFile = mkOption { 135 type = types.nullOr types.path; 136 default = null; 137 example = "/run/keys/gitea-dbpassword"; 138 description = '' 139 A file containing the password corresponding to 140 {option}`database.user`. 141 ''; 142 }; 143 144 socket = mkOption { 145 type = types.nullOr types.path; 146 default = if (cfg.database.createDatabase && usePostgresql) then "/run/postgresql" else if (cfg.database.createDatabase && useMysql) then "/run/mysqld/mysqld.sock" else null; 147 defaultText = literalExpression "null"; 148 example = "/run/mysqld/mysqld.sock"; 149 description = "Path to the unix socket file to use for authentication."; 150 }; 151 152 path = mkOption { 153 type = types.str; 154 default = "${cfg.stateDir}/data/gitea.db"; 155 defaultText = literalExpression ''"''${config.${opt.stateDir}}/data/gitea.db"''; 156 description = "Path to the sqlite3 database file."; 157 }; 158 159 createDatabase = mkOption { 160 type = types.bool; 161 default = true; 162 description = "Whether to create a local database automatically."; 163 }; 164 }; 165 166 dump = { 167 enable = mkOption { 168 type = types.bool; 169 default = false; 170 description = '' 171 Enable a timer that runs gitea dump to generate backup-files of the 172 current gitea database and repositories. 173 ''; 174 }; 175 176 interval = mkOption { 177 type = types.str; 178 default = "04:31"; 179 example = "hourly"; 180 description = '' 181 Run a gitea dump at this interval. Runs by default at 04:31 every day. 182 183 The format is described in 184 {manpage}`systemd.time(7)`. 185 ''; 186 }; 187 188 backupDir = mkOption { 189 type = types.str; 190 default = "${cfg.stateDir}/dump"; 191 defaultText = literalExpression ''"''${config.${opt.stateDir}}/dump"''; 192 description = "Path to the dump files."; 193 }; 194 195 type = mkOption { 196 type = types.enum [ "zip" "rar" "tar" "sz" "tar.gz" "tar.xz" "tar.bz2" "tar.br" "tar.lz4" "tar.zst" ]; 197 default = "zip"; 198 description = "Archive format used to store the dump file."; 199 }; 200 201 file = mkOption { 202 type = types.nullOr types.str; 203 default = null; 204 description = "Filename to be used for the dump. If `null` a default name is chosen by gitea."; 205 example = "gitea-dump"; 206 }; 207 }; 208 209 lfs = { 210 enable = mkOption { 211 type = types.bool; 212 default = false; 213 description = "Enables git-lfs support."; 214 }; 215 216 contentDir = mkOption { 217 type = types.str; 218 default = "${cfg.stateDir}/data/lfs"; 219 defaultText = literalExpression ''"''${config.${opt.stateDir}}/data/lfs"''; 220 description = "Where to store LFS files."; 221 }; 222 }; 223 224 appName = mkOption { 225 type = types.str; 226 default = "gitea: Gitea Service"; 227 description = "Application name."; 228 }; 229 230 repositoryRoot = mkOption { 231 type = types.str; 232 default = "${cfg.stateDir}/repositories"; 233 defaultText = literalExpression ''"''${config.${opt.stateDir}}/repositories"''; 234 description = "Path to the git repositories."; 235 }; 236 237 camoHmacKeyFile = mkOption { 238 type = types.nullOr types.str; 239 default = null; 240 example = "/var/lib/secrets/gitea/camoHmacKey"; 241 description = "Path to a file containing the camo HMAC key."; 242 }; 243 244 mailerPasswordFile = mkOption { 245 type = types.nullOr types.str; 246 default = null; 247 example = "/var/lib/secrets/gitea/mailpw"; 248 description = "Path to a file containing the SMTP password."; 249 }; 250 251 metricsTokenFile = mkOption { 252 type = types.nullOr types.str; 253 default = null; 254 example = "/var/lib/secrets/gitea/metrics_token"; 255 description = "Path to a file containing the metrics authentication token."; 256 }; 257 258 settings = mkOption { 259 default = {}; 260 description = '' 261 Gitea configuration. Refer to <https://docs.gitea.io/en-us/config-cheat-sheet/> 262 for details on supported values. 263 ''; 264 example = literalExpression '' 265 { 266 "cron.sync_external_users" = { 267 RUN_AT_START = true; 268 SCHEDULE = "@every 24h"; 269 UPDATE_EXISTING = true; 270 }; 271 mailer = { 272 ENABLED = true; 273 MAILER_TYPE = "sendmail"; 274 FROM = "do-not-reply@example.org"; 275 SENDMAIL_PATH = "''${pkgs.system-sendmail}/bin/sendmail"; 276 }; 277 other = { 278 SHOW_FOOTER_VERSION = false; 279 }; 280 } 281 ''; 282 type = types.submodule { 283 freeformType = format.type; 284 options = { 285 log = { 286 ROOT_PATH = mkOption { 287 default = "${cfg.stateDir}/log"; 288 defaultText = literalExpression ''"''${config.${opt.stateDir}}/log"''; 289 type = types.str; 290 description = "Root path for log files."; 291 }; 292 LEVEL = mkOption { 293 default = "Info"; 294 type = types.enum [ "Trace" "Debug" "Info" "Warn" "Error" "Critical" ]; 295 description = "General log level."; 296 }; 297 }; 298 299 server = { 300 PROTOCOL = mkOption { 301 type = types.enum [ "http" "https" "fcgi" "http+unix" "fcgi+unix" ]; 302 default = "http"; 303 description = ''Listen protocol. `+unix` means "over unix", not "in addition to."''; 304 }; 305 306 HTTP_ADDR = mkOption { 307 type = types.either types.str types.path; 308 default = if lib.hasSuffix "+unix" cfg.settings.server.PROTOCOL then "/run/gitea/gitea.sock" else "0.0.0.0"; 309 defaultText = literalExpression ''if lib.hasSuffix "+unix" cfg.settings.server.PROTOCOL then "/run/gitea/gitea.sock" else "0.0.0.0"''; 310 description = "Listen address. Must be a path when using a unix socket."; 311 }; 312 313 HTTP_PORT = mkOption { 314 type = types.port; 315 default = 3000; 316 description = "Listen port. Ignored when using a unix socket."; 317 }; 318 319 DOMAIN = mkOption { 320 type = types.str; 321 default = "localhost"; 322 description = "Domain name of your server."; 323 }; 324 325 ROOT_URL = mkOption { 326 type = types.str; 327 default = "http://${cfg.settings.server.DOMAIN}:${toString cfg.settings.server.HTTP_PORT}/"; 328 defaultText = literalExpression ''"http://''${config.services.gitea.settings.server.DOMAIN}:''${toString config.services.gitea.settings.server.HTTP_PORT}/"''; 329 description = "Full public URL of gitea server."; 330 }; 331 332 STATIC_ROOT_PATH = mkOption { 333 type = types.either types.str types.path; 334 default = cfg.package.data; 335 defaultText = literalExpression "config.${opt.package}.data"; 336 example = "/var/lib/gitea/data"; 337 description = "Upper level of template and static files path."; 338 }; 339 340 DISABLE_SSH = mkOption { 341 type = types.bool; 342 default = false; 343 description = "Disable external SSH feature."; 344 }; 345 346 SSH_PORT = mkOption { 347 type = types.port; 348 default = 22; 349 example = 2222; 350 description = '' 351 SSH port displayed in clone URL. 352 The option is required to configure a service when the external visible port 353 differs from the local listening port i.e. if port forwarding is used. 354 ''; 355 }; 356 }; 357 358 service = { 359 DISABLE_REGISTRATION = mkEnableOption "the registration lock" // { 360 description = '' 361 By default any user can create an account on this `gitea` instance. 362 This can be disabled by using this option. 363 364 *Note:* please keep in mind that this should be added after the initial 365 deploy unless [](#opt-services.gitea.useWizard) 366 is `true` as the first registered user will be the administrator if 367 no install wizard is used. 368 ''; 369 }; 370 }; 371 372 session = { 373 COOKIE_SECURE = mkOption { 374 type = types.bool; 375 default = false; 376 description = '' 377 Marks session cookies as "secure" as a hint for browsers to only send 378 them via HTTPS. This option is recommend, if gitea is being served over HTTPS. 379 ''; 380 }; 381 }; 382 }; 383 }; 384 }; 385 386 extraConfig = mkOption { 387 type = with types; nullOr str; 388 default = null; 389 description = "Configuration lines appended to the generated gitea configuration file."; 390 }; 391 }; 392 }; 393 394 config = mkIf cfg.enable { 395 assertions = [ 396 { assertion = cfg.database.createDatabase -> useSqlite || cfg.database.user == cfg.user; 397 message = "services.gitea.database.user must match services.gitea.user if the database is to be automatically provisioned"; 398 } 399 { assertion = cfg.database.createDatabase && usePostgresql -> cfg.database.user == cfg.database.name; 400 message = '' 401 When creating a database via NixOS, the db user and db name must be equal! 402 If you already have an existing DB+user and this assertion is new, you can safely set 403 `services.gitea.createDatabase` to `false` because removal of `ensureUsers` 404 and `ensureDatabases` doesn't have any effect. 405 ''; 406 } 407 ]; 408 409 services.gitea.settings = { 410 "cron.update_checker".ENABLED = lib.mkDefault false; 411 412 database = mkMerge [ 413 { 414 DB_TYPE = cfg.database.type; 415 } 416 (mkIf (useMysql || usePostgresql) { 417 HOST = if cfg.database.socket != null then cfg.database.socket else cfg.database.host + ":" + toString cfg.database.port; 418 NAME = cfg.database.name; 419 USER = cfg.database.user; 420 PASSWD = "#dbpass#"; 421 }) 422 (mkIf useSqlite { 423 PATH = cfg.database.path; 424 }) 425 (mkIf usePostgresql { 426 SSL_MODE = "disable"; 427 }) 428 ]; 429 430 repository = { 431 ROOT = cfg.repositoryRoot; 432 }; 433 434 server = mkIf cfg.lfs.enable { 435 LFS_START_SERVER = true; 436 LFS_JWT_SECRET = "#lfsjwtsecret#"; 437 }; 438 439 camo = mkIf (cfg.camoHmacKeyFile != null) { 440 HMAC_KEY = "#hmackey#"; 441 }; 442 443 session = { 444 COOKIE_NAME = lib.mkDefault "session"; 445 }; 446 447 security = { 448 SECRET_KEY = "#secretkey#"; 449 INTERNAL_TOKEN = "#internaltoken#"; 450 INSTALL_LOCK = true; 451 }; 452 453 mailer = mkIf (cfg.mailerPasswordFile != null) { 454 PASSWD = "#mailerpass#"; 455 }; 456 457 metrics = mkIf (cfg.metricsTokenFile != null) { 458 TOKEN = "#metricstoken#"; 459 }; 460 461 oauth2 = { 462 JWT_SECRET = "#oauth2jwtsecret#"; 463 }; 464 465 lfs = mkIf cfg.lfs.enable { 466 PATH = cfg.lfs.contentDir; 467 }; 468 469 packages.CHUNKED_UPLOAD_PATH = "${cfg.stateDir}/tmp/package-upload"; 470 }; 471 472 services.postgresql = optionalAttrs (usePostgresql && cfg.database.createDatabase) { 473 enable = mkDefault true; 474 475 ensureDatabases = [ cfg.database.name ]; 476 ensureUsers = [ 477 { name = cfg.database.user; 478 ensureDBOwnership = true; 479 } 480 ]; 481 }; 482 483 services.mysql = optionalAttrs (useMysql && cfg.database.createDatabase) { 484 enable = mkDefault true; 485 package = mkDefault pkgs.mariadb; 486 487 ensureDatabases = [ cfg.database.name ]; 488 ensureUsers = [ 489 { name = cfg.database.user; 490 ensurePermissions = { "${cfg.database.name}.*" = "ALL PRIVILEGES"; }; 491 } 492 ]; 493 }; 494 495 systemd.tmpfiles.rules = [ 496 "d '${cfg.dump.backupDir}' 0750 ${cfg.user} ${cfg.group} - -" 497 "z '${cfg.dump.backupDir}' 0750 ${cfg.user} ${cfg.group} - -" 498 "d '${cfg.repositoryRoot}' 0750 ${cfg.user} ${cfg.group} - -" 499 "z '${cfg.repositoryRoot}' 0750 ${cfg.user} ${cfg.group} - -" 500 "d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -" 501 "d '${cfg.stateDir}/conf' 0750 ${cfg.user} ${cfg.group} - -" 502 "d '${cfg.customDir}' 0750 ${cfg.user} ${cfg.group} - -" 503 "d '${cfg.customDir}/conf' 0750 ${cfg.user} ${cfg.group} - -" 504 "d '${cfg.stateDir}/data' 0750 ${cfg.user} ${cfg.group} - -" 505 "d '${cfg.stateDir}/log' 0750 ${cfg.user} ${cfg.group} - -" 506 "z '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -" 507 "z '${cfg.stateDir}/.ssh' 0700 ${cfg.user} ${cfg.group} - -" 508 "z '${cfg.stateDir}/conf' 0750 ${cfg.user} ${cfg.group} - -" 509 "z '${cfg.customDir}' 0750 ${cfg.user} ${cfg.group} - -" 510 "z '${cfg.customDir}/conf' 0750 ${cfg.user} ${cfg.group} - -" 511 "z '${cfg.stateDir}/data' 0750 ${cfg.user} ${cfg.group} - -" 512 "z '${cfg.stateDir}/log' 0750 ${cfg.user} ${cfg.group} - -" 513 514 # If we have a folder or symlink with gitea locales, remove it 515 # And symlink the current gitea locales in place 516 "L+ '${cfg.stateDir}/conf/locale' - - - - ${cfg.package.out}/locale" 517 518 ] ++ lib.optionals cfg.lfs.enable [ 519 "d '${cfg.lfs.contentDir}' 0750 ${cfg.user} ${cfg.group} - -" 520 "z '${cfg.lfs.contentDir}' 0750 ${cfg.user} ${cfg.group} - -" 521 ]; 522 523 systemd.services.gitea = { 524 description = "gitea"; 525 after = [ "network.target" ] ++ optional usePostgresql "postgresql.service" ++ optional useMysql "mysql.service"; 526 requires = optional (cfg.database.createDatabase && usePostgresql) "postgresql.service" ++ optional (cfg.database.createDatabase && useMysql) "mysql.service"; 527 wantedBy = [ "multi-user.target" ]; 528 path = [ cfg.package pkgs.git pkgs.gnupg ]; 529 530 # In older versions the secret naming for JWT was kind of confusing. 531 # The file jwt_secret hold the value for LFS_JWT_SECRET and JWT_SECRET 532 # wasn't persistent at all. 533 # To fix that, there is now the file oauth2_jwt_secret containing the 534 # values for JWT_SECRET and the file jwt_secret gets renamed to 535 # lfs_jwt_secret. 536 # We have to consider this to stay compatible with older installations. 537 preStart = let 538 runConfig = "${cfg.customDir}/conf/app.ini"; 539 secretKey = "${cfg.customDir}/conf/secret_key"; 540 oauth2JwtSecret = "${cfg.customDir}/conf/oauth2_jwt_secret"; 541 oldLfsJwtSecret = "${cfg.customDir}/conf/jwt_secret"; # old file for LFS_JWT_SECRET 542 lfsJwtSecret = "${cfg.customDir}/conf/lfs_jwt_secret"; # new file for LFS_JWT_SECRET 543 internalToken = "${cfg.customDir}/conf/internal_token"; 544 replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret"; 545 in '' 546 # copy custom configuration and generate random secrets if needed 547 ${optionalString (!cfg.useWizard) '' 548 function gitea_setup { 549 cp -f '${configFile}' '${runConfig}' 550 551 if [ ! -s '${secretKey}' ]; then 552 ${exe} generate secret SECRET_KEY > '${secretKey}' 553 fi 554 555 # Migrate LFS_JWT_SECRET filename 556 if [[ -s '${oldLfsJwtSecret}' && ! -s '${lfsJwtSecret}' ]]; then 557 mv '${oldLfsJwtSecret}' '${lfsJwtSecret}' 558 fi 559 560 if [ ! -s '${oauth2JwtSecret}' ]; then 561 ${exe} generate secret JWT_SECRET > '${oauth2JwtSecret}' 562 fi 563 564 ${lib.optionalString cfg.lfs.enable '' 565 if [ ! -s '${lfsJwtSecret}' ]; then 566 ${exe} generate secret LFS_JWT_SECRET > '${lfsJwtSecret}' 567 fi 568 ''} 569 570 if [ ! -s '${internalToken}' ]; then 571 ${exe} generate secret INTERNAL_TOKEN > '${internalToken}' 572 fi 573 574 chmod u+w '${runConfig}' 575 ${replaceSecretBin} '#secretkey#' '${secretKey}' '${runConfig}' 576 ${replaceSecretBin} '#dbpass#' '${cfg.database.passwordFile}' '${runConfig}' 577 ${replaceSecretBin} '#oauth2jwtsecret#' '${oauth2JwtSecret}' '${runConfig}' 578 ${replaceSecretBin} '#internaltoken#' '${internalToken}' '${runConfig}' 579 580 ${lib.optionalString cfg.lfs.enable '' 581 ${replaceSecretBin} '#lfsjwtsecret#' '${lfsJwtSecret}' '${runConfig}' 582 ''} 583 584 ${lib.optionalString (cfg.camoHmacKeyFile != null) '' 585 ${replaceSecretBin} '#hmackey#' '${cfg.camoHmacKeyFile}' '${runConfig}' 586 ''} 587 588 ${lib.optionalString (cfg.mailerPasswordFile != null) '' 589 ${replaceSecretBin} '#mailerpass#' '${cfg.mailerPasswordFile}' '${runConfig}' 590 ''} 591 592 ${lib.optionalString (cfg.metricsTokenFile != null) '' 593 ${replaceSecretBin} '#metricstoken#' '${cfg.metricsTokenFile}' '${runConfig}' 594 ''} 595 chmod u-w '${runConfig}' 596 } 597 (umask 027; gitea_setup) 598 ''} 599 600 # run migrations/init the database 601 ${exe} migrate 602 603 # update all hooks' binary paths 604 ${exe} admin regenerate hooks 605 606 # update command option in authorized_keys 607 if [ -r ${cfg.stateDir}/.ssh/authorized_keys ] 608 then 609 ${exe} admin regenerate keys 610 fi 611 ''; 612 613 serviceConfig = { 614 Type = "simple"; 615 User = cfg.user; 616 Group = cfg.group; 617 WorkingDirectory = cfg.stateDir; 618 ExecStart = "${exe} web --pid /run/gitea/gitea.pid"; 619 Restart = "always"; 620 # Runtime directory and mode 621 RuntimeDirectory = "gitea"; 622 RuntimeDirectoryMode = "0755"; 623 # Proc filesystem 624 ProcSubset = "pid"; 625 ProtectProc = "invisible"; 626 # Access write directories 627 ReadWritePaths = [ cfg.customDir cfg.dump.backupDir cfg.repositoryRoot cfg.stateDir cfg.lfs.contentDir ]; 628 UMask = "0027"; 629 # Capabilities 630 CapabilityBoundingSet = ""; 631 # Security 632 NoNewPrivileges = true; 633 # Sandboxing 634 ProtectSystem = "strict"; 635 ProtectHome = true; 636 PrivateTmp = true; 637 PrivateDevices = true; 638 PrivateUsers = true; 639 ProtectHostname = true; 640 ProtectClock = true; 641 ProtectKernelTunables = true; 642 ProtectKernelModules = true; 643 ProtectKernelLogs = true; 644 ProtectControlGroups = true; 645 RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; 646 RestrictNamespaces = true; 647 LockPersonality = true; 648 MemoryDenyWriteExecute = true; 649 RestrictRealtime = true; 650 RestrictSUIDSGID = true; 651 RemoveIPC = true; 652 PrivateMounts = true; 653 # System Call Filtering 654 SystemCallArchitectures = "native"; 655 SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" "setrlimit" ]; 656 }; 657 658 environment = { 659 USER = cfg.user; 660 HOME = cfg.stateDir; 661 GITEA_WORK_DIR = cfg.stateDir; 662 GITEA_CUSTOM = cfg.customDir; 663 }; 664 }; 665 666 users.users = mkIf (cfg.user == "gitea") { 667 gitea = { 668 description = "Gitea Service"; 669 home = cfg.stateDir; 670 useDefaultShell = true; 671 group = cfg.group; 672 isSystemUser = true; 673 }; 674 }; 675 676 users.groups = mkIf (cfg.group == "gitea") { 677 gitea = {}; 678 }; 679 680 warnings = 681 optional (cfg.database.password != "") "config.services.gitea.database.password will be stored as plaintext in the Nix store. Use database.passwordFile instead." ++ 682 optional (cfg.extraConfig != null) '' 683 services.gitea.`extraConfig` is deprecated, please use services.gitea.`settings`. 684 '' ++ 685 optional (lib.getName cfg.package == "forgejo") '' 686 Running forgejo via services.gitea.package is no longer supported. 687 Please use services.forgejo instead. 688 See https://nixos.org/manual/nixos/unstable/#module-forgejo for migration instructions. 689 ''; 690 691 # Create database passwordFile default when password is configured. 692 services.gitea.database.passwordFile = 693 mkDefault (toString (pkgs.writeTextFile { 694 name = "gitea-database-password"; 695 text = cfg.database.password; 696 })); 697 698 systemd.services.gitea-dump = mkIf cfg.dump.enable { 699 description = "gitea dump"; 700 after = [ "gitea.service" ]; 701 path = [ cfg.package ]; 702 703 environment = { 704 USER = cfg.user; 705 HOME = cfg.stateDir; 706 GITEA_WORK_DIR = cfg.stateDir; 707 GITEA_CUSTOM = cfg.customDir; 708 }; 709 710 serviceConfig = { 711 Type = "oneshot"; 712 User = cfg.user; 713 ExecStart = "${exe} dump --type ${cfg.dump.type}" + optionalString (cfg.dump.file != null) " --file ${cfg.dump.file}"; 714 WorkingDirectory = cfg.dump.backupDir; 715 }; 716 }; 717 718 systemd.timers.gitea-dump = mkIf cfg.dump.enable { 719 description = "Update timer for gitea-dump"; 720 partOf = [ "gitea-dump.service" ]; 721 wantedBy = [ "timers.target" ]; 722 timerConfig.OnCalendar = cfg.dump.interval; 723 }; 724 }; 725 meta.maintainers = with lib.maintainers; [ srhb ma27 pyrox0 ]; 726}