titaniumtown/nixos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0901f5edf04e33c1ba1f5b0ef8f915cad24f2f70
nixos/services/gitea/gitea.nix
Simon Gardling fdd5c5fba0
All checks were successful
Build and Deploy / mreow (push) Successful in 56s
Details
Build and Deploy / yarn (push) Successful in 52s
Details
Build and Deploy / muffin (push) Successful in 1m1s
Details
gitea: hide actions when not logged in
2026-04-22 21:23:47 -04:00

92 lines
2.8 KiB
Nix
Raw Blame History

{
pkgs,
lib,
config,
service_configs,
...
}:
{
imports = [
(lib.serviceMountWithZpool "gitea" service_configs.zpool_ssds [ config.services.gitea.stateDir ])
(lib.serviceFilePerms "gitea" [
"Z ${config.services.gitea.stateDir} 0700 ${config.services.gitea.user} ${config.services.gitea.group}"
])
(lib.mkCaddyReverseProxy {
domain = service_configs.gitea.domain;
port = service_configs.ports.private.gitea.port;
})
(lib.mkFail2banJail {
name = "gitea";
failregex = "^.*Failed authentication attempt for .* from <HOST>:.*$";
})
];
services.gitea = {
enable = true;
appName = "Simon Gardling's Gitea instance";
stateDir = service_configs.gitea.dir;
database = {
type = "postgres";
socket = service_configs.postgres.socket;
};
settings = {
server = {
SSH_USER = "gitea";
DOMAIN = service_configs.gitea.domain;
ROOT_URL = "https://" + config.services.gitea.settings.server.DOMAIN;
HTTP_PORT = service_configs.ports.private.gitea.port;
LANDING_PAGE = "/explore/repos";
DISABLE_HTTP_GIT = true;
};
session = {
# https cookies or smth
COOKIE_SECURE = true;
};
# only I shall use gitea
service.DISABLE_REGISTRATION = true;
actions.ENABLED = true;
};
};
# Hide repo Actions/workflow details from anonymous visitors. Gitea's own
# REQUIRE_SIGNIN_VIEW=expensive mode does not cover /{user}/{repo}/actions,
# so we gate the path at Caddy: forward_auth probes Gitea's /api/v1/user
# with the incoming request's Cookie/Authorization headers. A logged-in
# session answers 200 and the original request falls through to the
# reverse_proxy from mkCaddyReverseProxy; a 401 is turned into a redirect
# to the login page so the browser shows the login form instead of the
# workflow list. Workflow status badges stay public so README links keep
# rendering.
services.caddy.virtualHosts.${service_configs.gitea.domain}.extraConfig = ''
@repoActionsNotBadge {
path_regexp ^/[^/]+/[^/]+/actions(/.*)?$
not path_regexp ^/[^/]+/[^/]+/actions/workflows/[^/]+/badge\.svg$
}
handle @repoActionsNotBadge {
forward_auth :${toString service_configs.ports.private.gitea.port} {
uri /api/v1/user
@unauthorized status 401
handle_response @unauthorized {
redir * /user/login?redirect_to={uri} 302
}
}
}
'';
services.postgresql = {
ensureDatabases = [ config.services.gitea.user ];
ensureUsers = [
{
name = config.services.gitea.database.user;
ensureDBOwnership = true;
ensureClauses.login = true;
}
];
};
services.openssh.settings.AllowUsers = [ config.services.gitea.user ];
}
Reference in New Issue View Git Blame Copy Permalink