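{ lib, config, ... }:
let
  rootDomain = "dylanblades.net";
  hostDomain = rootDomain;
  # Initial administrator account created by the postStart hook below; the
  # hook interpolates these so the shell script and the bindings cannot drift.
  adminUsername = "Bladesy";
  adminEmail = "gitea@dylanblades.net";
in
{
  imports = with lib.nixosModules; [ secrets ];

  # Admin password is stored in sops and decrypted as the gitea service user,
  # so only that account (and root) can read the plaintext file.
  sops.secrets.gitea-admin-password = {
    sopsFile = lib.secrets.gitea;
    owner = config.users.users.gitea.name;
    group = config.users.users.gitea.group;
  };

  # Only HTTP/HTTPS are opened; gitea itself is reached via the nginx proxy
  # on localhost:3000 (see services.nginx below), not exposed directly.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  security.acme = {
    acceptTerms = true;
    defaults.email = "acme.evict519@simplelogin.com";
    # One certificate for the host domain with the gitea subdomain as a SAN;
    # the gitea vhost reuses it through useACMEHost.
    certs.${hostDomain}.extraDomainNames = [ "gitea.${rootDomain}" ];
  };

  # Workaround for useWizard: create the first admin account once gitea is up.
  systemd.services.gitea.postStart =
    let
      exe = lib.getExe config.services.gitea.package;
      adminPasswordFile = config.sops.secrets.gitea-admin-password.path;
    in
    # `admin user list --admin | wc -l` equal to 1 is treated as "no admin yet"
    # (presumably just the header line) -- TODO confirm against the installed
    # gitea version's output format.
    # NOTE(review): --password passes the secret as a command-line argument, so
    # it is visible in the process table for the duration of the create call.
    # A failed create must not be reported as "admin already present", hence
    # the explicit if/else; the hook still exits 0 so the unit is not failed.
    ''
      if [ "$(${exe} admin user list --admin | wc -l)" -eq 1 ]; then
        ${exe} admin user create \
          --admin \
          --username "${adminUsername}" \
          --email "${adminEmail}" \
          --password "$(cat ${adminPasswordFile})" \
          && echo "admin created" \
          || echo "admin creation failed" >&2
      else
        echo "admin already present"
      fi
    '';

  services = {
    gitea = {
      enable = true;
      /* Option useWizard does not work.
      useWizard = true;
      */
      appName = "Gitea";
      settings = {
        # Closed instance: accounts are created by the admin only.
        service.DISABLE_REGISTRATION = true;
        server = {
          DOMAIN = "gitea.${rootDomain}";
          ROOT_URL = "https://gitea.${rootDomain}/";
        };
        ui.DEFAULT_THEME = "gitea-dark";
      };
    };

    nginx = {
      enable = true;
      virtualHosts = {
        ${hostDomain}.enableACME = true;
        "gitea.${rootDomain}" = {
          forceSSL = true;
          useACMEHost = hostDomain;
          locations."/" = {
            proxyPass = "http://localhost:3000";
            # Connection/Upgrade are forwarded so websocket upgrades pass through;
            # the X-Forwarded-* headers let gitea see the real client and scheme.
            extraConfig = ''
              client_max_body_size 512M;
              proxy_set_header Connection $http_connection;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
            '';
          };
        };
      };
    };
  };

  /* Required for an ephemeral system.
  environment.persistence."/persist" = {
    hideMounts = true;
    directories = [
      {
        directory = "/var/lib/gitea";
        user = "gitea";
        group = "gitea";
        mode = "u=rwx,g=rx,o=";
      }
    ];
  };
  */
}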