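{ config, lib, pkgs, ... }:

let
  # Idempotently creates or refreshes the "lldap" LDAP authentication source
  # in Forgejo. It runs from the unit's preStart, where CREDENTIALS_DIRECTORY
  # (populated by the LoadCredential entry below) is available.
  # writeShellScript already supplies a bash shebang; the $'\t', here-string
  # and `set -o pipefail` below rely on bash, so no separate `sh` shebang.
  scriptAddLDAPAuth = pkgs.writeShellScript "forgejo-add-update-ldap-auth.sh" ''
    set -euo pipefail

    FORGEJO_WORK_PATH="${config.services.forgejo.stateDir}"
    FORGEJO_AUTH_LDAP_NAME="lldap"

    # Abort (via set -e) if the listing itself fails instead of blindly
    # falling through to add-ldap.
    AUTH_LIST="$(gitea --work-path "$FORGEJO_WORK_PATH" admin auth list)"

    # Find the id of an existing source by *exact* name. `admin auth list`
    # prints tab-separated rows with the id in the first column (the previous
    # `cut -f1` relied on that as well); the name is assumed to be the second
    # column. A substring grep for "lldap" could match any other source whose
    # name merely contains it and yield several ids.
    FORGEJO_AUTH_ID=""
    while IFS=$'\t' read -r row_id row_name _; do
      if [ "$row_name" = "$FORGEJO_AUTH_LDAP_NAME" ]; then
        FORGEJO_AUTH_ID="$row_id"
        break
      fi
    done <<< "$AUTH_LIST"

    # Build the sub-command and its optional --id as proper argv entries
    # instead of relying on word-splitting of an unquoted string.
    if [ -n "$FORGEJO_AUTH_ID" ]; then
      echo "PRERUN-LDAP: Authentication source exists, updating..."
      set -- update-ldap --id "$FORGEJO_AUTH_ID"
    else
      echo "PRERUN-LDAP: Authentication source does not exists, adding..."
      set -- add-ldap
    fi

    # The bind password comes from systemd LoadCredential and never enters the
    # Nix store. The gitea CLI only accepts it as a flag, so it is visible in
    # this process's argument list for the duration of the call; if other
    # local users share the host, hide /proc (hidepid) to limit that exposure.
    BIND_USERPASS="$(cat "$CREDENTIALS_DIRECTORY/lldap-bind-user-pass")"

    # The LDAP connection goes to localhost over plain TCP (unencrypted), so
    # the cleartext bind stays on loopback. --skip-tls-verify should have no
    # effect while the protocol is unencrypted; kept to match the existing
    # source definition. The same --work-path is used as for the listing above
    # so a changed stateDir cannot leave the two calls pointing at different
    # instances.
    gitea \
      --work-path "$FORGEJO_WORK_PATH" \
      admin auth "$@" \
      --name "$FORGEJO_AUTH_LDAP_NAME" \
      --active \
      --security-protocol unencrypted \
      --skip-tls-verify \
      --host localhost \
      --port 3890 \
      --bind-dn "uid=bind_user,ou=people,dc=fricloud,dc=dk" \
      --bind-password "$BIND_USERPASS" \
      --user-filter '(&(memberof=cn=user,ou=groups,dc=fricloud,dc=dk)(|(uid=%[1]s)(mail=%[1]s)))' \
      --admin-filter '(memberof=cn=lldap_admin,ou=groups,dc=fricloud,dc=dk)' \
      --username-attribute uid \
      --firstname-attribute givenName \
      --surname-attribute sn \
      --email-attribute mail \
      --avatar-attribute jpegPhoto \
      --synchronize-users \
      --user-search-base 'ou=people,dc=fricloud,dc=dk'

    # No trailing backslash above: previously this echo was swallowed as extra
    # arguments to the gitea call and never ran as its own command.
    echo "PRERUN-LDAP: Finished adding/updating..."
  '';
in
{
  services.forgejo = {
    enable = true;
    stateDir = config.mine.zfsMounts."rpool/safe/svcs/forgejo";

    settings = {
      server = {
        DOMAIN = "git.fricloud.dk";
        ROOT_URL = "https://git.fricloud.dk";
        HTTPPORT = 3000;
      };

      # Periodic sync of users from the external (LDAP) source: at startup and
      # every 15 minutes, also updating accounts that already exist.
      "cron.sync_external_users" = {
        RUN_AT_START = true;
        SCHEDULE = "@every 15m";
        UPDATE_EXISTING = true;
      };

      # Accounts are meant to come from LDAP only.
      service.DISABLE_REGISTRATION = true;
    };
  };

  # Create/refresh the LDAP auth source before Forgejo starts, and hand the
  # bind password to the unit as a systemd credential rather than via the
  # world-readable Nix store.
  systemd.services.forgejo.preStart = lib.mkAfter (builtins.toString scriptAddLDAPAuth);
  systemd.services.forgejo.serviceConfig.LoadCredential =
    "lldap-bind-user-pass:${config.age.secrets.lldap-bind-user-pass.path}";

  # TODO(eyJhb): remove after our ban expires (and nginx config)
  # already issued for this exact set of domains in the last 168 hours: git.fricloud.dk, retry after 2024-08-10T01:34:44Z
  security.acme.certs."git.fricloud.dk".extraDomainNames = [ "git2.fricloud.dk" ];

  services.nginx.virtualHosts."git.fricloud.dk" = {
    forceSSL = true;
    enableACME = true;
    extraConfig = ''
      client_max_body_size 512M;
    '';
    # Forgejo only listens on loopback; nginx terminates TLS in front of it.
    locations."/".proxyPass =
      "http://localhost:${builtins.toString config.services.forgejo.settings.server.HTTPPORT}";
  };
}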