diff --git a/configurations/host/waffentrager/services/default.nix b/configurations/host/waffentrager/services/default.nix
index 0c760bc..6018916 100644
--- a/configurations/host/waffentrager/services/default.nix
+++ b/configurations/host/waffentrager/services/default.nix
@@ -5,8 +5,12 @@
 ./elements.nix
 ./postgresql.nix
 ./mount-acme.nix
+ ./gitea.nix
+ ./nginx.nix
 ];
 waffentragerService.elements.enable = true;
 waffentragerService.postgresql.enable = true;
 waffentragerService.mount-acme.enable = true;
+ waffentragerService.gitea.enable = true;
+ waffentragerService.nginx.enable = true;
 }
\ No newline at end of file
diff --git a/configurations/host/waffentrager/services/gitea.nix b/configurations/host/waffentrager/services/gitea.nix
new file mode 100644
index 0000000..c465caf
--- /dev/null
+++ b/configurations/host/waffentrager/services/gitea.nix
@@ -0,0 +1,57 @@
+{ materusArg, config, lib, ... }:
+{
+ options.waffentragerService.gitea.enable = materusArg.pkgs.lib.mkBoolOpt false "Enable gitea";
+
+ config =
+ let
+ cfg = config.waffentragerService.gitea;
+ in
+ lib.mkMerge
+ [
+ (lib.mkIf cfg.enable {
+ waffentragerService.postgresql.enable = true;
+ waffentragerService.elements.enable = true;
+
+ services.gitea.enable = true;
+ services.gitea.lfs.enable = true;
+ services.gitea.stateDir = "${config.waffentragerService.elements.path}/services/gitea";
+ services.gitea.settings.service.DISABLE_REGISTRATION = true;
+ services.gitea.domain = "baka.materus.pl";
+ services.gitea.settings.server.ROOT_URL = lib.mkForce "https://baka.materus.pl/";
+ services.gitea.settings.server.PROTOCOL = "fcgi+unix";
+ services.gitea.database.type = "postgres";
+ services.gitea.database.socket = "/var/run/postgresql/";
+
+ })
+ (lib.mkIf (cfg.enable && config.waffentragerService.nginx.enable) {
+
+ services.nginx.virtualHosts = {
+ "baka.materus.pl" = {
+ sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
+ sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
+ sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
+ addSSL = true;
+ http2 = false;
+ locations."/" = {
+ extraConfig = ''
+ client_max_body_size 2G;
+ include ${config.services.nginx.package}/conf/fastcgi.conf;
+ include ${config.services.nginx.package}/conf/fastcgi_params;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Ssl on;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ fastcgi_pass unix:/var/run/gitea/gitea.sock;
+ '';
+ };
+
+ };
+ };
+ }
+ )
+ ];
+}
diff --git a/configurations/host/waffentrager/services/nginx.nix b/configurations/host/waffentrager/services/nginx.nix
new file mode 100644
index 0000000..c1a4e15
--- /dev/null
+++ b/configurations/host/waffentrager/services/nginx.nix
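Review bot: `addSSL = true;` on the "baka.materus.pl" vhost keeps a plain-HTTP listener serving Gitea next to the HTTPS one, while ROOT_URL is forced to https:// a few lines above — `forceSSL = true;` would make port 80 redirect-only, which is what the forced ROOT_URL already implies. The `proxy_http_version` and `proxy_set_header` lines in `extraConfig` have no effect on a `fastcgi_pass` location, so Gitea receives none of those X-Forwarded-* headers from them; under FastCGI the request metadata comes from the included fastcgi_params, and if Gitea needs those values they would have to be passed as `fastcgi_param HTTP_X_FORWARDED_PROTO $scheme;` and the like, otherwise the lines should be dropped as misleading. Nothing in the hunk sets the fcgi+unix listener address, so whether `/var/run/gitea/gitea.sock` is where Gitea actually listens depends on the NixOS module's defaults; it is worth confirming, or setting `services.gitea.settings.server.HTTP_ADDR` explicitly so the socket path and the nginx side cannot drift apart.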
@@ -0,0 +1,25 @@
+{ materusArg, config, lib, ... }:
+{
+ options.waffentragerService.nginx.enable = materusArg.pkgs.lib.mkBoolOpt false "Enable nginx";
+
+ config =
+ let
+ cfg = config.waffentragerService.nginx;
+ in
+ lib.mkIf cfg.enable {
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ };
+
+ systemd.services.nginx = {
+ requires = [ "var-lib-mnt_acme.mount" ];
+ after = [ "var-lib-mnt_acme.mount" ];
+ };
+ };
+
+}
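Review bot: No vhost in this configuration is marked `default = true`, so requests whose Host or SNI matches nothing fall through to whichever server block nginx treats as default — with the Gitea vhost from gitea.nix as the only one, that means connections by raw IP on the freshly opened ports 80/443 reach Gitea and are presented its certificate. A catch-all such as `services.nginx.virtualHosts."_" = { default = true; rejectSSL = true; locations."/".return = "444"; };` alongside the `services.nginx` block would confine the site to its intended name. The `requires`/`after` ordering on `var-lib-mnt_acme.mount` is the right call, since the vhost certificates referenced elsewhere live under that mount.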