feat: enable oauth in forgejo
This commit is contained in:
parent
0ec4a8ebe8
commit
fba87840c2
5 changed files with 12 additions and 49 deletions
|
@ -10,20 +10,20 @@
|
||||||
forgejoDomain = "git.${sentinelCfg.repo.secrets.local.personalDomain}";
|
forgejoDomain = "git.${sentinelCfg.repo.secrets.local.personalDomain}";
|
||||||
in {
|
in {
|
||||||
meta.wireguard-proxy.sentinel.allowedTCPPorts = [
|
meta.wireguard-proxy.sentinel.allowedTCPPorts = [
|
||||||
config.services.gitea.settings.server.HTTP_PORT
|
config.services.forgejo.settings.server.HTTP_PORT
|
||||||
];
|
];
|
||||||
|
|
||||||
age.secrets.forgejo-mailer-password = {
|
age.secrets.forgejo-mailer-password = {
|
||||||
rekeyFile = config.node.secretsDir + "/forgejo-mailer-password.age";
|
rekeyFile = config.node.secretsDir + "/forgejo-mailer-password.age";
|
||||||
mode = "440";
|
mode = "440";
|
||||||
inherit (config.services.gitea) group;
|
inherit (config.services.forgejo) group;
|
||||||
};
|
};
|
||||||
|
|
||||||
# Mirror the original oauth2 secret
|
# Mirror the original oauth2 secret
|
||||||
age.secrets.forgejo-oauth2-client-secret = {
|
age.secrets.forgejo-oauth2-client-secret = {
|
||||||
inherit (nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-forgejo) rekeyFile;
|
inherit (nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-forgejo) rekeyFile;
|
||||||
mode = "440";
|
mode = "440";
|
||||||
inherit (config.services.gitea) group;
|
inherit (config.services.forgejo) group;
|
||||||
};
|
};
|
||||||
|
|
||||||
nodes.sentinel = {
|
nodes.sentinel = {
|
||||||
|
@ -53,7 +53,7 @@ in {
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
upstreams.forgejo = {
|
upstreams.forgejo = {
|
||||||
servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.gitea.settings.server.HTTP_PORT}" = {};
|
servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.forgejo.settings.server.HTTP_PORT}" = {};
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
zone forgejo 64k;
|
zone forgejo 64k;
|
||||||
keepalive 2;
|
keepalive 2;
|
||||||
|
@ -84,18 +84,16 @@ in {
|
||||||
|
|
||||||
environment.persistence."/persist".directories = [
|
environment.persistence."/persist".directories = [
|
||||||
{
|
{
|
||||||
directory = config.services.gitea.stateDir;
|
directory = config.services.forgejo.stateDir;
|
||||||
user = "gitea";
|
user = "forgejo";
|
||||||
group = "gitea";
|
group = "forgejo";
|
||||||
mode = "0700";
|
mode = "0700";
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
services.gitea = {
|
services.forgejo = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.forgejo;
|
|
||||||
appName = "Redlew Git"; # tungsten inert gas?
|
appName = "Redlew Git"; # tungsten inert gas?
|
||||||
stateDir = "/var/lib/forgejo";
|
|
||||||
# TODO db backups
|
# TODO db backups
|
||||||
# dump.enable = true;
|
# dump.enable = true;
|
||||||
lfs.enable = true;
|
lfs.enable = true;
|
||||||
|
@ -112,7 +110,7 @@ in {
|
||||||
# federation.ENABLED = true;
|
# federation.ENABLED = true;
|
||||||
mailer = {
|
mailer = {
|
||||||
ENABLED = true;
|
ENABLED = true;
|
||||||
HOST = config.repo.secrets.local.forgejo.mail.host;
|
SMTP_ADDR = config.repo.secrets.local.forgejo.mail.host;
|
||||||
FROM = config.repo.secrets.local.forgejo.mail.from;
|
FROM = config.repo.secrets.local.forgejo.mail.from;
|
||||||
USER = config.repo.secrets.local.forgejo.mail.user;
|
USER = config.repo.secrets.local.forgejo.mail.user;
|
||||||
SEND_AS_PLAIN_TEXT = true;
|
SEND_AS_PLAIN_TEXT = true;
|
||||||
|
@ -166,10 +164,10 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.gitea = {
|
systemd.services.forgejo = {
|
||||||
serviceConfig.RestartSec = "600"; # Retry every 10 minutes
|
serviceConfig.RestartSec = "600"; # Retry every 10 minutes
|
||||||
preStart = let
|
preStart = let
|
||||||
exe = lib.getExe config.services.gitea.package;
|
exe = lib.getExe config.services.forgejo.package;
|
||||||
providerName = "kanidm";
|
providerName = "kanidm";
|
||||||
clientId = "forgejo";
|
clientId = "forgejo";
|
||||||
args = lib.escapeShellArgs [
|
args = lib.escapeShellArgs [
|
||||||
|
@ -185,8 +183,6 @@ in {
|
||||||
"email"
|
"email"
|
||||||
"--scopes"
|
"--scopes"
|
||||||
"profile"
|
"profile"
|
||||||
"--scopes"
|
|
||||||
"groups"
|
|
||||||
"--group-claim-name"
|
"--group-claim-name"
|
||||||
"groups"
|
"groups"
|
||||||
"--admin-group"
|
"--admin-group"
|
||||||
|
|
|
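Review bot: The `@ -185,8 +183,6` hunk drops the `--scopes` / `groups` pair from the `admin auth add-oauth` argument list but keeps `--group-claim-name groups` and `--admin-group` on the lines just below, so admin promotion now depends on the provider emitting a `groups` claim without that scope ever being requested. If Kanidm only populates the `groups` claim when the `groups` scope is granted (its scope map for the `forgejo` client lives in the ward-kanidm module, outside this diff), the admin-group check will silently match nothing and nobody gets promoted; if the scope was removed because Kanidm rejected it, that is worth recording. A one-line note next to `--group-claim-name` would save the next reader a debugging round, e.g. `# "groups" scope is intentionally not requested; confirm kanidm still emits the groups claim, otherwise --admin-group matches nothing`. The `args` list and the enclosing `preStart` continue outside the hunk.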
@ -1,7 +1,6 @@
|
||||||
{
|
{
|
||||||
config,
|
config,
|
||||||
nodes,
|
nodes,
|
||||||
pkgs,
|
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
inherit (sentinelCfg.repo.secrets.local) personalDomain;
|
inherit (sentinelCfg.repo.secrets.local) personalDomain;
|
||||||
|
@ -180,6 +179,5 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.systemPackages = [pkgs.kanidm];
|
|
||||||
systemd.services.kanidm.serviceConfig.RestartSec = "60"; # Retry every minute
|
systemd.services.kanidm.serviceConfig.RestartSec = "60"; # Retry every minute
|
||||||
}
|
}
|
||||||
|
|
|
@ -23,7 +23,7 @@
|
||||||
influxdb2 = uidGid 986;
|
influxdb2 = uidGid 986;
|
||||||
telegraf = uidGid 985;
|
telegraf = uidGid 985;
|
||||||
rtkit = uidGid 984;
|
rtkit = uidGid 984;
|
||||||
gitea = uidGid 983;
|
forgejo = uidGid 983;
|
||||||
redis-paperless = uidGid 982;
|
redis-paperless = uidGid 982;
|
||||||
nixseparatedebuginfod = uidGid 981;
|
nixseparatedebuginfod = uidGid 981;
|
||||||
msr = uidGid 980;
|
msr = uidGid 980;
|
||||||
|
|
|
@ -22,7 +22,6 @@
|
||||||
doCheck = false;
|
doCheck = false;
|
||||||
});
|
});
|
||||||
kanidm-provision = prev.callPackage ./kanidm-provision.nix {};
|
kanidm-provision = prev.callPackage ./kanidm-provision.nix {};
|
||||||
kanidm-secret-manipulator = prev.callPackage ./kanidm-secret-manipulator.nix {};
|
|
||||||
segoe-ui-ttf = prev.callPackage ./segoe-ui-ttf.nix {};
|
segoe-ui-ttf = prev.callPackage ./segoe-ui-ttf.nix {};
|
||||||
zsh-histdb-skim = prev.callPackage ./zsh-skim-histdb.nix {};
|
zsh-histdb-skim = prev.callPackage ./zsh-skim-histdb.nix {};
|
||||||
awakened-poe-trade = prev.callPackage ./awakened-poe-trade.nix {};
|
awakened-poe-trade = prev.callPackage ./awakened-poe-trade.nix {};
|
||||||
|
|
|
@ -1,30 +0,0 @@
|
||||||
{
|
|
||||||
lib,
|
|
||||||
rustPlatform,
|
|
||||||
fetchFromGitHub,
|
|
||||||
pkg-config,
|
|
||||||
sqlite,
|
|
||||||
}:
|
|
||||||
rustPlatform.buildRustPackage rec {
|
|
||||||
pname = "kanidm-secret-manipulator";
|
|
||||||
version = "1.0.1";
|
|
||||||
|
|
||||||
src = fetchFromGitHub {
|
|
||||||
owner = "oddlama";
|
|
||||||
repo = "kanidm-secret-manipulator";
|
|
||||||
rev = "v${version}";
|
|
||||||
hash = "sha256-Vv5edTBz5MWHHCWYN5z4KnqPpLZIDTzTcWXnrLBqdgM=";
|
|
||||||
};
|
|
||||||
|
|
||||||
cargoHash = "sha256-x/oTiaI4RHdt8pndPhsYQn8PclM0q6RDqTaQ0ODCrh4=";
|
|
||||||
|
|
||||||
nativeBuildInputs = [pkg-config];
|
|
||||||
buildInputs = [sqlite];
|
|
||||||
|
|
||||||
meta = with lib; {
|
|
||||||
description = "A helper utility that modifies the kanidm database to allow provisioning declarative secrets with NixOS";
|
|
||||||
license = licenses.mit;
|
|
||||||
maintainers = with maintainers; [oddlama];
|
|
||||||
mainProgram = "kanidm-secret-manipulator";
|
|
||||||
};
|
|
||||||
}
|
|