
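{config, ...}: let
  # Address nginx binds for the raw TCP (SSH) stream proxy on port 22.
  sshExposeIp = "0.0.0.0"; # TODO: change this to the public-facing IP for prod
  # Host ports the Gitea container publishes; nginx is the only intended
  # client of both, so they are bound to loopback below.
  sshIntPort = 14022;
  httpIntPort = 14020;
  dom = "git.min.rip";
in {
  services.nginx = {
    # HTTPS entry point: TLS is terminated here, plain HTTP goes to the
    # container over loopback only.
    virtualHosts.${dom} = {
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString httpIntPort}";
      };
      forceSSL = true;
      enableACME = true;
    };
    # Raw TCP proxy for Gitea's SSH service. No PROXY protocol is configured,
    # so the upstream only ever sees 127.0.0.1 as the client address (affects
    # Gitea-side logging / rate limiting by source IP).
    # NOTE(review): this listens on port 22 at sshExposeIp; the host's own sshd
    # must not also listen on :22 on that address -- confirm against sshd config.
    streamConfig = ''
      upstream gitea {
        server 127.0.0.1:${toString sshIntPort};
      }
      server {
        listen ${sshExposeIp}:22;
        proxy_timeout 20s;
        proxy_pass gitea;
      }
    ''; # May not support IPv6, i'm unsure..
  };
  # Auto-create directories we need. Ownership 1000:1000 matches the
  # USER_UID/USER_GID the container runs as; mode 0750 keeps them out of
  # reach of other local users.
  systemd.tmpfiles.rules = [
    "d /srv/gitea 0750 1000 1000 - -"
    "d /srv/gitea/gitea 0750 1000 1000 - -"
    "d /srv/gitea/runner 0750 1000 1000 - -"
  ];
  virtualisation.oci-containers.containers.gitea = {
    # Pinned tag; consider pinning by digest as well so the image cannot
    # change under the same tag.
    image = "docker.io/gitea/gitea:1.21.4";
    environment = {
      USER_UID = "1000";
      USER_GID = "1000";
      GITEA_WORK_DIR = "/data/gitea";
      GITEA_CUSTOM = "/data/gitea";
      GITEA_APP_INI = "/data/gitea/conf/app.ini";
    };
    volumes = [
      "/srv/gitea/gitea:/data"
      "/etc/localtime:/etc/localtime:ro"
    ];
    # Bind published ports to loopback. Without an explicit address the
    # runtime publishes on all interfaces, which would expose plain HTTP on
    # httpIntPort (bypassing forceSSL above) and the SSH port directly,
    # rather than only through nginx.
    ports = [
      "127.0.0.1:${toString httpIntPort}:3000/tcp"
      "127.0.0.1:${toString sshIntPort}:22/tcp"
    ];
  };
  # sops-managed env file for the runner; presumably holds the runner
  # registration token -- verify against the secret's contents.
  sops.secrets."svc-gitea-runner-env" = {};
  virtualisation.oci-containers.containers.gitea-runner = {
    image = "docker.io/gitea/act_runner:0.2.6-dind-rootless";
    environment = {
      GITEA_INSTANCE_URL = "https://${dom}/";
      # Socket path of the in-container rootless dockerd, assumed to run as
      # uid 1000 -- TODO confirm against the image's entrypoint.
      DOCKER_HOST = "unix:///var/run/user/1000/docker.sock";
    };
    environmentFiles = [config.sops.secrets."svc-gitea-runner-env".path];
    volumes = [
      "/srv/gitea/runner:/data"
    ];
    # --privileged grants the runner broad access to the host; it is set
    # here for docker-in-docker. Review whether the rootless variant can
    # run with a narrower set of capabilities instead.
    extraOptions = ["--privileged"];
  };
}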