{ config, pkgs, ... }: let gitHome = "/srv/git.gebner.org"; gogs = pkgs.callPackage ../pkgs/gogs.nix { }; gogsPort = 8001; gogsConfig = pkgs.writeText "gogs.ini" '' APP_NAME = Gogs: Go Git Service RUN_USER = git RUN_MODE = prod [database] DB_TYPE = sqlite3 HOST = 127.0.0.1:3306 NAME = gogs USER = root PASSWD = SSL_MODE = disable PATH = ${gitHome}/data/gogs.db [repository] ROOT = ${gitHome}/gogs-repositories [server] DOMAIN = git.gebner.org HTTP_PORT = ${toString gogsPort} ROOT_URL = https://git.gebner.org/ DISABLE_SSH = false SSH_PORT = 22 OFFLINE_MODE = true [mailer] ENABLED = false [service] REGISTER_EMAIL_CONFIRM = false ENABLE_NOTIFY_MAIL = false DISABLE_REGISTRATION = true REQUIRE_SIGNIN_VIEW = false [picture] DISABLE_GRAVATAR = false AVATAR_UPLOAD_PATH = ${gitHome}/data/avatars [session] PROVIDER = file [log] ROOT_PATH = ${gitHome}/logs MODE = file LEVEL = Info [security] INSTALL_LOCK = true ''; in { users.extraUsers.git = { home = gitHome; extraGroups = [ "git" ]; }; users.extraGroups.git = { }; systemd.services.gogs = { path = with pkgs; [ git openssh bash ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { Type = "simple"; Restart = "always"; User = "git"; Group = "git"; ExecStart = "${gogs}/gogs web -c ${gogsConfig}"; WorkingDirectory = gitHome; }; }; services.nginx.httpConfig = '' server { listen [::]:80; listen 80; server_name git.gebner.org; location /.well-known/acme-challenge { default_type text/plain; alias /etc/sslcerts/acmeroot/.well-known/acme-challenge; } location / { rewrite ^(.*) https://$host$1 permanent; } } server { listen [::]:443; listen 443; server_name git.gebner.org; ssl on; ssl_certificate_key /etc/sslcerts/mastus.key; ssl_certificate /etc/sslcerts/git.cert; ssl_dhparam /etc/nginx/dhparam.pem; ssl_protocols TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; ssl_prefer_server_ciphers on; add_header Strict-Transport-Security max-age=15768000; ssl_stapling on; ssl_stapling_verify on; location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_redirect off; proxy_buffering off; proxy_pass http://gogs; client_max_body_size 30M; break; } } upstream gogs { server 127.0.0.1:${toString gogsPort}; } ''; }