waffentrager: add gitea

configurations/host/waffentrager/services/default.nix

@@ -5,8 +5,12 @@
       ./elements.nix
       ./postgresql.nix
       ./mount-acme.nix
+      ./gitea.nix
+      ./nginx.nix
     ];
   waffentragerService.elements.enable = true;
   waffentragerService.postgresql.enable = true;
   waffentragerService.mount-acme.enable = true;
+  waffentragerService.gitea.enable = true;
+  waffentragerService.nginx.enable = true;
 }

configurations/host/waffentrager/services/gitea.nix

@@ -0,0 +1,57 @@
+{ materusArg, config, lib, ... }:
+{
+  options.waffentragerService.gitea.enable = materusArg.pkgs.lib.mkBoolOpt false "Enable gitea";
+
+
+  config =
+    let
+      cfg = config.waffentragerService.gitea;
+    in
+    lib.mkMerge
+      [
+        (lib.mkIf cfg.enable {
+          waffentragerService.postgresql.enable = true;
+          waffentragerService.elements.enable = true;
+
+          services.gitea.enable = true;
+          services.gitea.lfs.enable = true;
+          services.gitea.stateDir = "${config.waffentragerService.elements.path}/services/gitea";
+          services.gitea.settings.service.DISABLE_REGISTRATION = true;
+          services.gitea.domain = "baka.materus.pl";
+          services.gitea.settings.server.ROOT_URL = lib.mkForce "https://baka.materus.pl/";
+          services.gitea.settings.server.PROTOCOL = "fcgi+unix";
+          services.gitea.database.type = "postgres";
+          services.gitea.database.socket = "/var/run/postgresql/";
+
+        })
+        (lib.mkIf (cfg.enable && config.waffentragerService.nginx.enable) {
+
+          services.nginx.virtualHosts = {
+            "baka.materus.pl" = {
+              sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
+              sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
+              sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
+              addSSL = true;
+              http2 = false;
+              locations."/" = {
+                extraConfig = ''
+                  client_max_body_size 2G;
+                  include ${config.services.nginx.package}/conf/fastcgi.conf;
+                  include ${config.services.nginx.package}/conf/fastcgi_params;
+                  proxy_http_version 1.1;
+                  proxy_set_header    Host                $host;
+                  proxy_set_header    X-Real-IP           $remote_addr;
+                  proxy_set_header    X-Forwarded-Ssl     on;
+                  proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+                  proxy_set_header    X-Forwarded-Proto   $scheme;
+
+                  fastcgi_pass  unix:/var/run/gitea/gitea.sock;
+                '';
+              };
+
+            };
+          };
+        }
+        )
+      ];
+}

configurations/host/waffentrager/services/nginx.nix

@@ -0,0 +1,25 @@
+{ materusArg, config, lib, ... }:
+{
+  options.waffentragerService.nginx.enable = materusArg.pkgs.lib.mkBoolOpt false "Enable nginx";
+
+
+  config =
+    let
+      cfg = config.waffentragerService.nginx;
+    in
+    lib.mkIf cfg.enable {
+      networking.firewall.allowedTCPPorts = [ 80 443 ];
+      services.nginx = {
+        enable = true;
+        recommendedTlsSettings = true;
+        recommendedOptimisation = true;
+        recommendedGzipSettings = true;
+      };
+
+      systemd.services.nginx = {
+        requires = [ "var-lib-mnt_acme.mount" ];
+        after = [ "var-lib-mnt_acme.mount" ];
+      };
+    };
+
+}