nixos-config/mastus/gogs.nix

{ config, pkgs, ... }:
let
  gitHome = "/srv/git.gebner.org";

  gogs = pkgs.callPackage ../pkgs/gogs.nix { };

  gogsPort = 8001;
  gogsConfig = pkgs.writeText "gogs.ini" ''
APP_NAME = Gogs: Go Git Service
RUN_USER = git
RUN_MODE = prod

[database]
DB_TYPE = sqlite3
HOST = 127.0.0.1:3306
NAME = gogs
USER = root
PASSWD = 
SSL_MODE = disable
PATH = ${gitHome}/data/gogs.db

[repository]
ROOT = ${gitHome}/gogs-repositories

[server]
DOMAIN = git.gebner.org
HTTP_PORT = ${toString gogsPort}
ROOT_URL = https://git.gebner.org/
DISABLE_SSH = false
SSH_PORT = 22
OFFLINE_MODE = true

[mailer]
ENABLED = false

[service]
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = false
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW = false

[picture]
DISABLE_GRAVATAR = false
AVATAR_UPLOAD_PATH = ${gitHome}/data/avatars

[session]
PROVIDER = file

[log]
ROOT_PATH = ${gitHome}/logs
MODE = file
LEVEL = Info

[security]
INSTALL_LOCK = true
'';
in
{
  users.extraUsers.git = { home = gitHome; extraGroups = [ "git" ]; };
  users.extraGroups.git = { };

  systemd.services.gogs = {
    path = with pkgs; [ git openssh bash ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "simple";
      Restart = "always";
      User = "git";
      Group = "git";
      ExecStart = "${gogs}/gogs web -c ${gogsConfig}";
      WorkingDirectory = gitHome;
    };
  };

  services.nginx.httpConfig = ''
    server {
      listen [::]:80;
      listen 80;
      server_name git.gebner.org;

      location /.well-known/acme-challenge {
        default_type text/plain;
        alias /etc/sslcerts/acmeroot/.well-known/acme-challenge;
      }

      rewrite ^(.*) https://$host$1 permanent;
    }

    server {
      listen [::]:443;
      listen 443;
      server_name git.gebner.org;

      ssl on;
      ssl_certificate_key /etc/sslcerts/mastus.key;
      ssl_certificate /etc/sslcerts/git.cert;
      ssl_dhparam /etc/nginx/dhparam.pem;
      ssl_protocols TLSv1.1 TLSv1.2;
      ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
      ssl_prefer_server_ciphers on;
      add_header Strict-Transport-Security max-age=15768000;
      ssl_stapling on;
      ssl_stapling_verify on;

      location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_buffering off;
        proxy_pass http://gogs;
        client_max_body_size 30M;
        break;
      }
    }

    upstream gogs {
      server 127.0.0.1:${toString gogsPort};
    }
  '';
}
mastus: mail & git 2015-10-18 14:25:54 +02:00			`{ config, pkgs, ... }:`
			`let`
			`gitHome = "/srv/git.gebner.org";`

			`gogs = pkgs.callPackage ../pkgs/gogs.nix { };`

			`gogsPort = 8001;`
			`gogsConfig = pkgs.writeText "gogs.ini" ''`
			`APP_NAME = Gogs: Go Git Service`
			`RUN_USER = git`
			`RUN_MODE = prod`

			`[database]`
			`DB_TYPE = sqlite3`
			`HOST = 127.0.0.1:3306`
			`NAME = gogs`
			`USER = root`
			`PASSWD =`
			`SSL_MODE = disable`
			`PATH = ${gitHome}/data/gogs.db`

			`[repository]`
			`ROOT = ${gitHome}/gogs-repositories`

			`[server]`
			`DOMAIN = git.gebner.org`
			`HTTP_PORT = ${toString gogsPort}`
			`ROOT_URL = https://git.gebner.org/`
			`DISABLE_SSH = false`
			`SSH_PORT = 22`
			`OFFLINE_MODE = true`

			`[mailer]`
			`ENABLED = false`

			`[service]`
			`REGISTER_EMAIL_CONFIRM = false`
			`ENABLE_NOTIFY_MAIL = false`
			`DISABLE_REGISTRATION = true`
			`REQUIRE_SIGNIN_VIEW = false`

			`[picture]`
			`DISABLE_GRAVATAR = false`
mastus: gogs: make pushing work 2015-10-18 15:30:59 +02:00			`AVATAR_UPLOAD_PATH = ${gitHome}/data/avatars`
mastus: mail & git 2015-10-18 14:25:54 +02:00
			`[session]`
			`PROVIDER = file`

			`[log]`
			`ROOT_PATH = ${gitHome}/logs`
			`MODE = file`
			`LEVEL = Info`

			`[security]`
			`INSTALL_LOCK = true`
			`'';`
			`in`
			`{`
			`users.extraUsers.git = { home = gitHome; extraGroups = [ "git" ]; };`
			`users.extraGroups.git = { };`

			`systemd.services.gogs = {`
mastus: gogs: make pushing work 2015-10-18 15:30:59 +02:00			`path = with pkgs; [ git openssh bash ];`
mastus: mail & git 2015-10-18 14:25:54 +02:00			`wantedBy = [ "multi-user.target" ];`
			`serviceConfig = {`
			`Type = "simple";`
			`Restart = "always";`
			`User = "git";`
			`Group = "git";`
			`ExecStart = "${gogs}/gogs web -c ${gogsConfig}";`
			`WorkingDirectory = gitHome;`
			`};`
			`};`

mastus: harden SSL config. 2015-10-25 09:29:49 +01:00			`services.nginx.httpConfig = ''`
mastus: mail & git 2015-10-18 14:25:54 +02:00			`server {`
			`listen [::]:80;`
			`listen 80;`
			`server_name git.gebner.org;`

letsencrypt 2015-12-05 13:41:20 +01:00			`location /.well-known/acme-challenge {`
			`default_type text/plain;`
			`alias /etc/sslcerts/acmeroot/.well-known/acme-challenge;`
			`}`

mastus: mail & git 2015-10-18 14:25:54 +02:00			`rewrite ^(.*) https://$host$1 permanent;`
			`}`

			`server {`
			`listen [::]:443;`
			`listen 443;`
			`server_name git.gebner.org;`

			`ssl on;`
			`ssl_certificate_key /etc/sslcerts/mastus.key;`
			`ssl_certificate /etc/sslcerts/git.cert;`
mastus: harden SSL config. 2015-10-25 09:29:49 +01:00			`ssl_dhparam /etc/nginx/dhparam.pem;`
			`ssl_protocols TLSv1.1 TLSv1.2;`
			ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
			`ssl_prefer_server_ciphers on;`
			`add_header Strict-Transport-Security max-age=15768000;`
			`ssl_stapling on;`
			`ssl_stapling_verify on;`
mastus: mail & git 2015-10-18 14:25:54 +02:00
			`location / {`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-Host $host;`
			`proxy_set_header X-Forwarded-Server $host;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header Host $http_host;`
			`proxy_redirect off;`
			`proxy_buffering off;`
			`proxy_pass http://gogs;`
			`client_max_body_size 30M;`
			`break;`
			`}`
			`}`

			`upstream gogs {`
			`server 127.0.0.1:${toString gogsPort};`
			`}`
			`'';`
			`}`