feat: enable oauth in forgejo
This commit is contained in:
parent
0ec4a8ebe8
commit
fba87840c2
5 changed files with 12 additions and 49 deletions
|
@ -10,20 +10,20 @@
|
|||
forgejoDomain = "git.${sentinelCfg.repo.secrets.local.personalDomain}";
|
||||
in {
|
||||
meta.wireguard-proxy.sentinel.allowedTCPPorts = [
|
||||
config.services.gitea.settings.server.HTTP_PORT
|
||||
config.services.forgejo.settings.server.HTTP_PORT
|
||||
];
|
||||
|
||||
age.secrets.forgejo-mailer-password = {
|
||||
rekeyFile = config.node.secretsDir + "/forgejo-mailer-password.age";
|
||||
mode = "440";
|
||||
inherit (config.services.gitea) group;
|
||||
inherit (config.services.forgejo) group;
|
||||
};
|
||||
|
||||
# Mirror the original oauth2 secret
|
||||
age.secrets.forgejo-oauth2-client-secret = {
|
||||
inherit (nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-forgejo) rekeyFile;
|
||||
mode = "440";
|
||||
inherit (config.services.gitea) group;
|
||||
inherit (config.services.forgejo) group;
|
||||
};
|
||||
|
||||
nodes.sentinel = {
|
||||
|
@ -53,7 +53,7 @@ in {
|
|||
|
||||
services.nginx = {
|
||||
upstreams.forgejo = {
|
||||
servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.gitea.settings.server.HTTP_PORT}" = {};
|
||||
servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.forgejo.settings.server.HTTP_PORT}" = {};
|
||||
extraConfig = ''
|
||||
zone forgejo 64k;
|
||||
keepalive 2;
|
||||
|
@ -84,18 +84,16 @@ in {
|
|||
|
||||
environment.persistence."/persist".directories = [
|
||||
{
|
||||
directory = config.services.gitea.stateDir;
|
||||
user = "gitea";
|
||||
group = "gitea";
|
||||
directory = config.services.forgejo.stateDir;
|
||||
user = "forgejo";
|
||||
group = "forgejo";
|
||||
mode = "0700";
|
||||
}
|
||||
];
|
||||
|
||||
services.gitea = {
|
||||
services.forgejo = {
|
||||
enable = true;
|
||||
package = pkgs.forgejo;
|
||||
appName = "Redlew Git"; # tungsten inert gas?
|
||||
stateDir = "/var/lib/forgejo";
|
||||
# TODO db backups
|
||||
# dump.enable = true;
|
||||
lfs.enable = true;
|
||||
|
@ -112,7 +110,7 @@ in {
|
|||
# federation.ENABLED = true;
|
||||
mailer = {
|
||||
ENABLED = true;
|
||||
HOST = config.repo.secrets.local.forgejo.mail.host;
|
||||
SMTP_ADDR = config.repo.secrets.local.forgejo.mail.host;
|
||||
FROM = config.repo.secrets.local.forgejo.mail.from;
|
||||
USER = config.repo.secrets.local.forgejo.mail.user;
|
||||
SEND_AS_PLAIN_TEXT = true;
|
||||
|
@ -166,10 +164,10 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
systemd.services.gitea = {
|
||||
systemd.services.forgejo = {
|
||||
serviceConfig.RestartSec = "600"; # Retry every 10 minutes
|
||||
preStart = let
|
||||
exe = lib.getExe config.services.gitea.package;
|
||||
exe = lib.getExe config.services.forgejo.package;
|
||||
providerName = "kanidm";
|
||||
clientId = "forgejo";
|
||||
args = lib.escapeShellArgs [
|
||||
|
@ -185,8 +183,6 @@ in {
|
|||
"email"
|
||||
"--scopes"
|
||||
"profile"
|
||||
"--scopes"
|
||||
"groups"
|
||||
"--group-claim-name"
|
||||
"groups"
|
||||
"--admin-group"
|
||||
|
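Review bot: The `args` list opened on the `args = lib.escapeShellArgs [` line is cut off by the hunk, so it is not visible how the client secret mirrored into `age.secrets.forgejo-oauth2-client-secret` in the first hunk reaches the preStart command. If the secret value itself is interpolated into `args`, it would be exposed in the process arguments of the preStart invocation; passing `config.age.secrets.forgejo-oauth2-client-secret.path` and reading the file inside the script keeps it out of argv, which is presumably the intent but cannot be confirmed from this view. A short comment above `args` stating where the secret is read from would make that reviewable, e.g. `# The client secret is read from the age secret file at runtime, never placed in the argument list.`. The preStart let-block continues past the end of the hunk.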
|
|
@ -1,7 +1,6 @@
|
|||
{
|
||||
config,
|
||||
nodes,
|
||||
pkgs,
|
||||
...
|
||||
}: let
|
||||
inherit (sentinelCfg.repo.secrets.local) personalDomain;
|
||||
|
@ -180,6 +179,5 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
environment.systemPackages = [pkgs.kanidm];
|
||||
systemd.services.kanidm.serviceConfig.RestartSec = "60"; # Retry every minute
|
||||
}
|
||||
|
|
|
@ -23,7 +23,7 @@
|
|||
influxdb2 = uidGid 986;
|
||||
telegraf = uidGid 985;
|
||||
rtkit = uidGid 984;
|
||||
gitea = uidGid 983;
|
||||
forgejo = uidGid 983;
|
||||
redis-paperless = uidGid 982;
|
||||
nixseparatedebuginfod = uidGid 981;
|
||||
msr = uidGid 980;
|
||||
|
|
|
@ -22,7 +22,6 @@
|
|||
doCheck = false;
|
||||
});
|
||||
kanidm-provision = prev.callPackage ./kanidm-provision.nix {};
|
||||
kanidm-secret-manipulator = prev.callPackage ./kanidm-secret-manipulator.nix {};
|
||||
segoe-ui-ttf = prev.callPackage ./segoe-ui-ttf.nix {};
|
||||
zsh-histdb-skim = prev.callPackage ./zsh-skim-histdb.nix {};
|
||||
awakened-poe-trade = prev.callPackage ./awakened-poe-trade.nix {};
|
||||
|
|
|
@ -1,30 +0,0 @@
|
|||
{
|
||||
lib,
|
||||
rustPlatform,
|
||||
fetchFromGitHub,
|
||||
pkg-config,
|
||||
sqlite,
|
||||
}:
|
||||
rustPlatform.buildRustPackage rec {
|
||||
pname = "kanidm-secret-manipulator";
|
||||
version = "1.0.1";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "oddlama";
|
||||
repo = "kanidm-secret-manipulator";
|
||||
rev = "v${version}";
|
||||
hash = "sha256-Vv5edTBz5MWHHCWYN5z4KnqPpLZIDTzTcWXnrLBqdgM=";
|
||||
};
|
||||
|
||||
cargoHash = "sha256-x/oTiaI4RHdt8pndPhsYQn8PclM0q6RDqTaQ0ODCrh4=";
|
||||
|
||||
nativeBuildInputs = [pkg-config];
|
||||
buildInputs = [sqlite];
|
||||
|
||||
meta = with lib; {
|
||||
description = "A helper utility that modifies the kanidm database to allow provisioning declarative secrets with NixOS";
|
||||
license = licenses.mit;
|
||||
maintainers = with maintainers; [oddlama];
|
||||
mainProgram = "kanidm-secret-manipulator";
|
||||
};
|
||||
}
|