120 lines
4.3 KiB
Nix
120 lines
4.3 KiB
Nix
|
{ config, lib, options, pkgs, ... }:
|
||
|
|
||
|
with lib;
|
||
|
|
||
|
let
|
||
|
cfg = config.services.gitea;
|
||
|
gitea = cfg.package;
|
||
|
configFile = pkgs.writeText "app.ini" ''
|
||
|
APP_NAME = ${cfg.appName}
|
||
|
RUN_USER = ${cfg.user}
|
||
|
RUN_MODE = prod
|
||
|
|
||
|
${generators.toINI {} cfg.settings}
|
||
|
|
||
|
${optionalString (cfg.extraConfig != null) cfg.extraConfig}
|
||
|
'';
|
||
|
in
|
||
|
|
||
|
{
|
||
|
options = {
|
||
|
services.gitea = {
|
||
|
storageSecretFile = mkOption {
|
||
|
type = with types; str;
|
||
|
default = "";
|
||
|
description = ''
|
||
|
Storage secret to be inserted into the config at #STORAGE_SECRET#
|
||
|
'';
|
||
|
example = literalExpression ''"/run/secrets/gitea/storage-secret"'';
|
||
|
};
|
||
|
};
|
||
|
};
|
||
|
|
||
|
config = mkIf cfg.enable {
|
||
|
systemd.services.gitea = {
|
||
|
# In older versions the secret naming for JWT was kind of confusing.
|
||
|
# The file jwt_secret hold the value for LFS_JWT_SECRET and JWT_SECRET
|
||
|
# wasn't persistant at all.
|
||
|
# To fix that, there is now the file oauth2_jwt_secret containing the
|
||
|
# values for JWT_SECRET and the file jwt_secret gets renamed to
|
||
|
# lfs_jwt_secret.
|
||
|
# We have to consider this to stay compatible with older installations.
|
||
|
preStart =
|
||
|
let
|
||
|
runConfig = "${cfg.stateDir}/custom/conf/app.ini";
|
||
|
secretKey = "${cfg.stateDir}/custom/conf/secret_key";
|
||
|
oauth2JwtSecret = "${cfg.stateDir}/custom/conf/oauth2_jwt_secret";
|
||
|
oldLfsJwtSecret = "${cfg.stateDir}/custom/conf/jwt_secret"; # old file for LFS_JWT_SECRET
|
||
|
lfsJwtSecret = "${cfg.stateDir}/custom/conf/lfs_jwt_secret"; # new file for LFS_JWT_SECRET
|
||
|
internalToken = "${cfg.stateDir}/custom/conf/internal_token";
|
||
|
in
|
||
|
''
|
||
|
# copy custom configuration and generate a random secret key if needed
|
||
|
${optionalString (cfg.useWizard == false) ''
|
||
|
function gitea_setup {
|
||
|
cp -f ${configFile} ${runConfig}
|
||
|
|
||
|
if [ ! -e ${secretKey} ]; then
|
||
|
${gitea}/bin/gitea generate secret SECRET_KEY > ${secretKey}
|
||
|
fi
|
||
|
|
||
|
# Migrate LFS_JWT_SECRET filename
|
||
|
if [[ -e ${oldLfsJwtSecret} && ! -e ${lfsJwtSecret} ]]; then
|
||
|
mv ${oldLfsJwtSecret} ${lfsJwtSecret}
|
||
|
fi
|
||
|
|
||
|
if [ ! -e ${oauth2JwtSecret} ]; then
|
||
|
${gitea}/bin/gitea generate secret JWT_SECRET > ${oauth2JwtSecret}
|
||
|
fi
|
||
|
|
||
|
if [ ! -e ${lfsJwtSecret} ]; then
|
||
|
${gitea}/bin/gitea generate secret LFS_JWT_SECRET > ${lfsJwtSecret}
|
||
|
fi
|
||
|
|
||
|
if [ ! -e ${internalToken} ]; then
|
||
|
${gitea}/bin/gitea generate secret INTERNAL_TOKEN > ${internalToken}
|
||
|
fi
|
||
|
|
||
|
SECRETKEY="$(head -n1 ${secretKey})"
|
||
|
DBPASS="$(head -n1 ${cfg.database.passwordFile})"
|
||
|
OAUTH2JWTSECRET="$(head -n1 ${oauth2JwtSecret})"
|
||
|
LFSJWTSECRET="$(head -n1 ${lfsJwtSecret})"
|
||
|
INTERNALTOKEN="$(head -n1 ${internalToken})"
|
||
|
${if (cfg.mailerPasswordFile == null) then ''
|
||
|
MAILERPASSWORD="#mailerpass#"
|
||
|
'' else ''
|
||
|
MAILERPASSWORD="$(head -n1 ${cfg.mailerPasswordFile} || :)"
|
||
|
''}
|
||
|
${if (cfg.storageSecretFile == "") then ''
|
||
|
STORAGESECRET="#storageSecret#"
|
||
|
'' else ''
|
||
|
STORAGESECRET="$(head -n1 ${cfg.storageSecretFile} || :)"
|
||
|
''}
|
||
|
sed -e "s,#secretkey#,$SECRETKEY,g" \
|
||
|
-e "s,#dbpass#,$DBPASS,g" \
|
||
|
-e "s,#oauth2jwtsecret#,$OAUTH2JWTSECRET,g" \
|
||
|
-e "s,#lfsjwtsecret#,$LFSJWTSECRET,g" \
|
||
|
-e "s,#internaltoken#,$INTERNALTOKEN,g" \
|
||
|
-e "s,#mailerpass#,$MAILERPASSWORD,g" \
|
||
|
-e "s,#storageSecret#,$STORAGESECRET,g" \
|
||
|
-i ${runConfig}
|
||
|
}
|
||
|
(umask 027; gitea_setup)
|
||
|
''}
|
||
|
|
||
|
# run migrations/init the database
|
||
|
${gitea}/bin/gitea migrate
|
||
|
|
||
|
# update all hooks' binary paths
|
||
|
${gitea}/bin/gitea admin regenerate hooks
|
||
|
|
||
|
# update command option in authorized_keys
|
||
|
if [ -r ${cfg.stateDir}/.ssh/authorized_keys ]
|
||
|
then
|
||
|
${gitea}/bin/gitea admin regenerate keys
|
||
|
fi
|
||
|
'';
|
||
|
};
|
||
|
};
|
||
|
}
|