fricloud/server-configs
2
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions
server-configs/machines/gerd/services/forgejo.nix
eyjhb d459fa895e
configure domain in a central file
2024-08-11 14:50:32 +02:00

91 lines
3.3 KiB
Nix
Raw Blame History

{ config, lib, pkgs, ... }:
let
svc_domain = "git.${config.mine.settings.domain}";
scriptAddLDAPAuth = pkgs.writeShellScript "forgejo-add-update-ldap-auth.sh" ''
#!/usr/bin/env sh
FORGEJO_WORK_PATH="${config.services.forgejo.stateDir}"
FORGEJO_AUTH_LDAP_NAME="lldap"
# get lldap id if any
FORGEJO_AUTH_ID=$(gitea --work-path "$FORGEJO_WORK_PATH" admin auth list | grep "$FORGEJO_AUTH_LDAP_NAME" | cut -d$'\t' -f1)
ACTION=""
EXTRA_ARG=""
if [ -n "''${FORGEJO_AUTH_ID}" ]; then
echo "PRERUN-LDAP: Authentication source exists, updating..."
ACTION="update-ldap"
EXTRA_ARG="--id $FORGEJO_AUTH_ID"
else
echo "PRERUN-LDAP: Authentication source does not exists, adding..."
ACTION="add-ldap"
fi
BIND_USERPASS="$(cat $CREDENTIALS_DIRECTORY/lldap-bind-user-pass)"
gitea \
--work-path /srv/forgejo/ \
admin auth "$ACTION" $EXTRA_ARG \
--name "$FORGEJO_AUTH_LDAP_NAME" \
--active \
--security-protocol unencrypted \
--skip-tls-verify \
--host ${config.mine.settings.ldap.host} \
--port ${builtins.toString config.mine.settings.ldap.port} \
--bind-dn "${config.mine.settings.ldap.bind_dn}" \
--bind-password "$BIND_USERPASS" \
--user-filter '(&${config.mine.settings.ldap.user_filter}(|(${config.mine.settings.ldap.attr.uid}=%[1]s)(${config.mine.settings.ldap.attr.email}=%[1]s)))' \
--admin-filter '${config.mine.settings.ldap.admin_filter}' \
--username-attribute ${config.mine.settings.ldap.attr.uid} \
--firstname-attribute ${config.mine.settings.ldap.attr.firstname} \
--surname-attribute ${config.mine.settings.ldap.attr.lastname} \
--email-attribute ${config.mine.settings.ldap.attr.email} \
--avatar-attribute ${config.mine.settings.ldap.attr.avatar} \
--synchronize-users \
--user-search-base '${config.mine.settings.ldap.search_base}' \
echo "PRERUN-LDAP: Finished adding/updating..."
'';
in {
services.forgejo = {
enable = true;
stateDir = config.mine.zfsMounts."rpool/safe/svcs/forgejo";
settings = {
server = {
DOMAIN = svc_domain;
ROOT_URL = "https://${svc_domain}";
HTTPPORT = 3000;
};
# sync ldap and forgejo
"cron.sync_external_users" = {
RUN_AT_START = true;
SCHEDULE = "@every 15m";
UPDATE_EXISTING = true;
};
service.DISABLE_REGISTRATION = true;
};
};
# add script to add/update ldap source (+ place credential into the service)
systemd.services.forgejo.preStart = lib.mkAfter (builtins.toString scriptAddLDAPAuth);
systemd.services.forgejo.serviceConfig.LoadCredential = "lldap-bind-user-pass:${config.age.secrets.lldap-bind-user-pass.path}";
# TODO(eyJhb): remove after our ban expires (and nginx config)
# already issued for this exact set of domains in the last 168 hours: git.fricloud.dk, retry after 2024-08-10T01:34:44Z
security.acme.certs."git.fricloud.dk".extraDomainNames = [ "git2.fricloud.dk" ];
services.nginx.virtualHosts."${svc_domain}" = {
forceSSL = true;
enableACME = true;
extraConfig = ''
client_max_body_size 512M;
'';
locations."/".proxyPass = "http://localhost:${builtins.toString config.services.forgejo.settings.server.HTTPPORT}";
};
}
Reference in a new issue View git blame Copy permalink