nixos-config/mastus/gogs.nix

126 lines
3.2 KiB
Nix

{ config, pkgs, ... }:
let
gitHome = "/srv/git.gebner.org";
gogs = pkgs.callPackage ../pkgs/gogs.nix { };
gogsPort = 8001;
gogsConfig = pkgs.writeText "gogs.ini" ''
APP_NAME = Gogs: Go Git Service
RUN_USER = git
RUN_MODE = prod
[database]
DB_TYPE = sqlite3
HOST = 127.0.0.1:3306
NAME = gogs
USER = root
PASSWD =
SSL_MODE = disable
PATH = ${gitHome}/data/gogs.db
[repository]
ROOT = ${gitHome}/gogs-repositories
[server]
DOMAIN = git.gebner.org
HTTP_PORT = ${toString gogsPort}
ROOT_URL = https://git.gebner.org/
DISABLE_SSH = false
SSH_PORT = 22
OFFLINE_MODE = true
[mailer]
ENABLED = false
[service]
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = false
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW = false
[picture]
DISABLE_GRAVATAR = false
AVATAR_UPLOAD_PATH = ${gitHome}/data/avatars
[session]
PROVIDER = file
[log]
ROOT_PATH = ${gitHome}/logs
MODE = file
LEVEL = Info
[security]
INSTALL_LOCK = true
'';
in
{
users.extraUsers.git = { home = gitHome; extraGroups = [ "git" ]; };
users.extraGroups.git = { };
systemd.services.gogs = {
path = with pkgs; [ git openssh bash ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
Restart = "always";
User = "git";
Group = "git";
ExecStart = "${gogs}/gogs web -c ${gogsConfig}";
WorkingDirectory = gitHome;
};
};
services.nginx.httpConfig = ''
server {
listen [::]:80;
listen 80;
server_name git.gebner.org;
location /.well-known/acme-challenge {
default_type text/plain;
alias /var/lib/acme/www/.well-known/acme-challenge;
}
location / {
rewrite ^(.*) https://$host$1 permanent;
}
}
server {
listen [::]:443;
listen 443;
server_name git.gebner.org;
ssl on;
ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_buffering off;
proxy_pass http://gogs;
client_max_body_size 30M;
break;
}
}
upstream gogs {
server 127.0.0.1:${toString gogsPort};
}
'';
}