Unverified Commit 73d2aeac authored by Robert Hensing's avatar Robert Hensing Committed by GitHub
Browse files

Merge pull request #206179 from ThinkChaos/refactor/gitea-settings 

gitea: new options and settings refactor
parents 6132a700 70cf0292

nixos/doc/manual/release-notes/rl-2305.section.md

+2 −0
Original line number Diff line number Diff line
@@ -429,6 +429,8 @@ In addition to numerous new and upgraded packages, this release has the followin 


- `k3s` can now be configured with an EnvironmentFile for its systemd service, allowing secrets to be provided without ending up in the Nix Store.



- `gitea` module options have been changed to be RFC042 conforming (i.e. some options were moved to be located under `services.gitea.settings`)



- `boot.initrd.luks.device.<name>` has a new `tryEmptyPassphrase` option, this is useful for OEM's who need to install an encrypted disk with a future settable passphrase



- Lisp gained a [manual section](https://nixos.org/manual/nixpkgs/stable/#lisp), documenting a new and backwards incompatible interface. The previous interface will be removed in a future release.

nixos/modules/services/misc/gitea.nix

+126 −108
Original line number Diff line number Diff line
@@ -26,9 +26,18 @@ in 
  imports = [

    (mkRenamedOptionModule [ "services" "gitea" "cookieSecure" ] [ "services" "gitea" "settings" "session" "COOKIE_SECURE" ])

    (mkRenamedOptionModule [ "services" "gitea" "disableRegistration" ] [ "services" "gitea" "settings" "service" "DISABLE_REGISTRATION" ])

    (mkRenamedOptionModule [ "services" "gitea" "domain" ] [ "services" "gitea" "settings" "server" "DOMAIN" ])

    (mkRenamedOptionModule [ "services" "gitea" "httpAddress" ] [ "services" "gitea" "settings" "server" "HTTP_ADDR" ])

    (mkRenamedOptionModule [ "services" "gitea" "httpPort" ] [ "services" "gitea" "settings" "server" "HTTP_PORT" ])

    (mkRenamedOptionModule [ "services" "gitea" "log" "level" ] [ "services" "gitea" "settings" "log" "LEVEL" ])

    (mkRenamedOptionModule [ "services" "gitea" "log" "rootPath" ] [ "services" "gitea" "settings" "log" "ROOT_PATH" ])

    (mkRenamedOptionModule [ "services" "gitea" "rootUrl" ] [ "services" "gitea" "settings" "server" "ROOT_URL" ])

    (mkRenamedOptionModule [ "services" "gitea" "ssh" "clonePort" ] [ "services" "gitea" "settings" "server" "SSH_PORT" ])

    (mkRenamedOptionModule [ "services" "gitea" "staticRootPath" ] [ "services" "gitea" "settings" "server" "STATIC_ROOT_PATH" ])



    (mkChangedOptionModule [ "services" "gitea" "enableUnixSocket" ] [ "services" "gitea" "settings" "server" "PROTOCOL" ] (

      config: if config.services.gitea.enableUnixSocket then "http+unix" else "http"

    ))



    (mkRemovedOptionModule [ "services" "gitea" "ssh" "enable" ] "services.gitea.ssh.enable has been migrated into freeform setting services.gitea.settings.server.DISABLE_SSH. Keep in mind that the setting is inverted")

  ];
@@ -57,7 +66,14 @@ in 
      stateDir = mkOption {

        default = "/var/lib/gitea";

        type = types.str;

        description = lib.mdDoc "gitea data directory.";

        description = lib.mdDoc "Gitea data directory.";

      };



      customDir = mkOption {

        default = "${cfg.stateDir}/custom";

        defaultText = literalExpression ''"''${config.${opt.stateDir}}/custom"'';

        type = types.str;

        description = lib.mdDoc "Gitea custom directory. Used for config, custom templates and other options.";

      };



      user = mkOption {
@@ -66,6 +82,12 @@ in 
        description = lib.mdDoc "User account under which gitea runs.";

      };



      group = mkOption {

        type = types.str;

        default = "gitea";

        description = lib.mdDoc "Group under which gitea runs.";

      };



      database = {

        type = mkOption {

          type = types.enum [ "sqlite3" "mysql" "postgres" ];
@@ -216,44 +238,6 @@ in 
        description = lib.mdDoc "Path to the git repositories.";

      };



      domain = mkOption {

        type = types.str;

        default = "localhost";

        description = lib.mdDoc "Domain name of your server.";

      };



      rootUrl = mkOption {

        type = types.str;

        default = "http://localhost:3000/";

        description = lib.mdDoc "Full public URL of gitea server.";

      };



      httpAddress = mkOption {

        type = types.str;

        default = "0.0.0.0";

        description = lib.mdDoc "HTTP listen address.";

      };



      httpPort = mkOption {

        type = types.port;

        default = 3000;

        description = lib.mdDoc "HTTP listen port.";

      };



      enableUnixSocket = mkOption {

        type = types.bool;

        default = false;

        description = lib.mdDoc "Configure Gitea to listen on a unix socket instead of the default TCP port.";

      };



      staticRootPath = mkOption {

        type = types.either types.str types.path;

        default = cfg.package.data;

        defaultText = literalExpression "package.data";

        example = "/var/lib/gitea/data";

        description = lib.mdDoc "Upper level of template and static files path.";

      };



      mailerPasswordFile = mkOption {

        type = types.nullOr types.str;

        default = null;
@@ -285,7 +269,7 @@ in 
            };

          }

        '';

        type = with types; submodule {

        type = types.submodule {

          freeformType = format.type;

          options = {

            log = {
@@ -303,6 +287,46 @@ in 
            };



            server = {

              PROTOCOL = mkOption {

                type = types.enum [ "http" "https" "fcgi" "http+unix" "fcgi+unix" ];

                default = "http";

                description = lib.mdDoc ''Listen protocol. `+unix` means "over unix", not "in addition to."'';

              };



              HTTP_ADDR = mkOption {

                type = types.either types.str types.path;

                default = if lib.hasSuffix "+unix" cfg.settings.server.PROTOCOL then "/run/gitea/gitea.sock" else "0.0.0.0";

                defaultText = literalExpression ''if lib.hasSuffix "+unix" cfg.settings.server.PROTOCOL then "/run/gitea/gitea.sock" else "0.0.0.0"'';

                description = lib.mdDoc "Listen address. Must be a path when using a unix socket.";

              };



              HTTP_PORT = mkOption {

                type = types.port;

                default = 3000;

                description = lib.mdDoc "Listen port. Ignored when using a unix socket.";

              };



              DOMAIN = mkOption {

                type = types.str;

                default = "localhost";

                description = lib.mdDoc "Domain name of your server.";

              };



              ROOT_URL = mkOption {

                type = types.str;

                default = "http://${cfg.settings.server.DOMAIN}:${toString cfg.settings.server.HTTP_PORT}/";

                defaultText = literalExpression ''"http://''${config.services.gitea.settings.server.DOMAIN}:''${toString config.services.gitea.settings.server.HTTP_PORT}/"'';

                description = lib.mdDoc "Full public URL of gitea server.";

              };



              STATIC_ROOT_PATH = mkOption {

                type = types.either types.str types.path;

                default = cfg.package.data;

                defaultText = literalExpression "config.${opt.package}.data";

                example = "/var/lib/gitea/data";

                description = lib.mdDoc "Upper level of template and static files path.";

              };



              DISABLE_SSH = mkOption {

                type = types.bool;

                default = false;
@@ -359,7 +383,7 @@ in 


  config = mkIf cfg.enable {

    assertions = [

      { assertion = cfg.database.createDatabase -> cfg.database.user == cfg.user;

      { assertion = cfg.database.createDatabase -> useSqlite || cfg.database.user == cfg.user;

        message = "services.gitea.database.user must match services.gitea.user if the database is to be automatically provisioned";

      }

    ];
@@ -389,26 +413,10 @@ in 
        ROOT = cfg.repositoryRoot;

      };



      server = mkMerge [

        {

          DOMAIN = cfg.domain;

          STATIC_ROOT_PATH = toString cfg.staticRootPath;

          LFS_JWT_SECRET = "#lfsjwtsecret#";

          ROOT_URL = cfg.rootUrl;

        }

        (mkIf cfg.enableUnixSocket {

          PROTOCOL = "http+unix";

          HTTP_ADDR = "/run/gitea/gitea.sock";

        })

        (mkIf (!cfg.enableUnixSocket) {

          HTTP_ADDR = cfg.httpAddress;

          HTTP_PORT = cfg.httpPort;

        })

        (mkIf cfg.lfs.enable {

      server = mkIf cfg.lfs.enable {

        LFS_START_SERVER = true;

        })



      ];

        LFS_JWT_SECRET = "#lfsjwtsecret#";

      };



      session = {

        COOKIE_NAME = lib.mkDefault "session";
@@ -428,7 +436,7 @@ in 
        JWT_SECRET = "#oauth2jwtsecret#";

      };



      lfs = mkIf (cfg.lfs.enable) {

      lfs = mkIf cfg.lfs.enable {

        PATH = cfg.lfs.contentDir;

      };

    };
@@ -457,33 +465,35 @@ in 
    };



    systemd.tmpfiles.rules = [

      "d '${cfg.dump.backupDir}' 0750 ${cfg.user} gitea - -"

      "z '${cfg.dump.backupDir}' 0750 ${cfg.user} gitea - -"

      "Z '${cfg.dump.backupDir}' - ${cfg.user} gitea - -"

      "d '${cfg.lfs.contentDir}' 0750 ${cfg.user} gitea - -"

      "z '${cfg.lfs.contentDir}' 0750 ${cfg.user} gitea - -"

      "Z '${cfg.lfs.contentDir}' - ${cfg.user} gitea - -"

      "d '${cfg.repositoryRoot}' 0750 ${cfg.user} gitea - -"

      "z '${cfg.repositoryRoot}' 0750 ${cfg.user} gitea - -"

      "Z '${cfg.repositoryRoot}' - ${cfg.user} gitea - -"

      "d '${cfg.stateDir}' 0750 ${cfg.user} gitea - -"

      "d '${cfg.stateDir}/conf' 0750 ${cfg.user} gitea - -"

      "d '${cfg.stateDir}/custom' 0750 ${cfg.user} gitea - -"

      "d '${cfg.stateDir}/custom/conf' 0750 ${cfg.user} gitea - -"

      "d '${cfg.stateDir}/data' 0750 ${cfg.user} gitea - -"

      "d '${cfg.stateDir}/log' 0750 ${cfg.user} gitea - -"

      "z '${cfg.stateDir}' 0750 ${cfg.user} gitea - -"

      "z '${cfg.stateDir}/.ssh' 0700 ${cfg.user} gitea - -"

      "z '${cfg.stateDir}/conf' 0750 ${cfg.user} gitea - -"

      "z '${cfg.stateDir}/custom' 0750 ${cfg.user} gitea - -"

      "z '${cfg.stateDir}/custom/conf' 0750 ${cfg.user} gitea - -"

      "z '${cfg.stateDir}/data' 0750 ${cfg.user} gitea - -"

      "z '${cfg.stateDir}/log' 0750 ${cfg.user} gitea - -"

      "Z '${cfg.stateDir}' - ${cfg.user} gitea - -"

      "d '${cfg.dump.backupDir}' 0750 ${cfg.user} ${cfg.group} - -"

      "z '${cfg.dump.backupDir}' 0750 ${cfg.user} ${cfg.group} - -"

      "Z '${cfg.dump.backupDir}' - ${cfg.user} ${cfg.group} - -"

      "d '${cfg.repositoryRoot}' 0750 ${cfg.user} ${cfg.group} - -"

      "z '${cfg.repositoryRoot}' 0750 ${cfg.user} ${cfg.group} - -"

      "Z '${cfg.repositoryRoot}' - ${cfg.user} ${cfg.group} - -"

      "d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -"

      "d '${cfg.stateDir}/conf' 0750 ${cfg.user} ${cfg.group} - -"

      "d '${cfg.customDir}' 0750 ${cfg.user} ${cfg.group} - -"

      "d '${cfg.customDir}/conf' 0750 ${cfg.user} ${cfg.group} - -"

      "d '${cfg.stateDir}/data' 0750 ${cfg.user} ${cfg.group} - -"

      "d '${cfg.stateDir}/log' 0750 ${cfg.user} ${cfg.group} - -"

      "z '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -"

      "z '${cfg.stateDir}/.ssh' 0700 ${cfg.user} ${cfg.group} - -"

      "z '${cfg.stateDir}/conf' 0750 ${cfg.user} ${cfg.group} - -"

      "z '${cfg.customDir}' 0750 ${cfg.user} ${cfg.group} - -"

      "z '${cfg.customDir}/conf' 0750 ${cfg.user} ${cfg.group} - -"

      "z '${cfg.stateDir}/data' 0750 ${cfg.user} ${cfg.group} - -"

      "z '${cfg.stateDir}/log' 0750 ${cfg.user} ${cfg.group} - -"

      "Z '${cfg.stateDir}' - ${cfg.user} ${cfg.group} - -"



      # If we have a folder or symlink with gitea locales, remove it

      # And symlink the current gitea locales in place

      "L+ '${cfg.stateDir}/conf/locale' - - - - ${cfg.package.out}/locale"



    ] ++ lib.optionals cfg.lfs.enable [

      "d '${cfg.lfs.contentDir}' 0750 ${cfg.user} ${cfg.group} - -"

      "z '${cfg.lfs.contentDir}' 0750 ${cfg.user} ${cfg.group} - -"

      "Z '${cfg.lfs.contentDir}' - ${cfg.user} ${cfg.group} - -"

    ];



    systemd.services.gitea = {
@@ -500,47 +510,52 @@ in 
      # lfs_jwt_secret.

      # We have to consider this to stay compatible with older installations.

      preStart = let

        runConfig = "${cfg.stateDir}/custom/conf/app.ini";

        secretKey = "${cfg.stateDir}/custom/conf/secret_key";

        oauth2JwtSecret = "${cfg.stateDir}/custom/conf/oauth2_jwt_secret";

        oldLfsJwtSecret = "${cfg.stateDir}/custom/conf/jwt_secret"; # old file for LFS_JWT_SECRET

        lfsJwtSecret = "${cfg.stateDir}/custom/conf/lfs_jwt_secret"; # new file for LFS_JWT_SECRET

        internalToken = "${cfg.stateDir}/custom/conf/internal_token";

        runConfig = "${cfg.customDir}/conf/app.ini";

        secretKey = "${cfg.customDir}/conf/secret_key";

        oauth2JwtSecret = "${cfg.customDir}/conf/oauth2_jwt_secret";

        oldLfsJwtSecret = "${cfg.customDir}/conf/jwt_secret"; # old file for LFS_JWT_SECRET

        lfsJwtSecret = "${cfg.customDir}/conf/lfs_jwt_secret"; # new file for LFS_JWT_SECRET

        internalToken = "${cfg.customDir}/conf/internal_token";

        replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";

      in ''

        # copy custom configuration and generate a random secret key if needed

        # copy custom configuration and generate random secrets if needed

        ${optionalString (!cfg.useWizard) ''

          function gitea_setup {

            cp -f ${configFile} ${runConfig}

            cp -f '${configFile}' '${runConfig}'



            if [ ! -s ${secretKey} ]; then

                ${exe} generate secret SECRET_KEY > ${secretKey}

            if [ ! -s '${secretKey}' ]; then

                ${exe} generate secret SECRET_KEY > '${secretKey}'

            fi



            # Migrate LFS_JWT_SECRET filename

            if [[ -s ${oldLfsJwtSecret} && ! -s ${lfsJwtSecret} ]]; then

                mv ${oldLfsJwtSecret} ${lfsJwtSecret}

            if [[ -s '${oldLfsJwtSecret}' && ! -s '${lfsJwtSecret}' ]]; then

                mv '${oldLfsJwtSecret}' '${lfsJwtSecret}'

            fi



            if [ ! -s ${oauth2JwtSecret} ]; then

                ${exe} generate secret JWT_SECRET > ${oauth2JwtSecret}

            if [ ! -s '${oauth2JwtSecret}' ]; then

                ${exe} generate secret JWT_SECRET > '${oauth2JwtSecret}'

            fi



            if [ ! -s ${lfsJwtSecret} ]; then

                ${exe} generate secret LFS_JWT_SECRET > ${lfsJwtSecret}

            ${lib.optionalString cfg.lfs.enable ''

            if [ ! -s '${lfsJwtSecret}' ]; then

                ${exe} generate secret LFS_JWT_SECRET > '${lfsJwtSecret}'

            fi

            ''}



            if [ ! -s ${internalToken} ]; then

                ${exe} generate secret INTERNAL_TOKEN > ${internalToken}

            if [ ! -s '${internalToken}' ]; then

                ${exe} generate secret INTERNAL_TOKEN > '${internalToken}'

            fi



            chmod u+w '${runConfig}'

            ${replaceSecretBin} '#secretkey#' '${secretKey}' '${runConfig}'

            ${replaceSecretBin} '#dbpass#' '${cfg.database.passwordFile}' '${runConfig}'

            ${replaceSecretBin} '#oauth2jwtsecret#' '${oauth2JwtSecret}' '${runConfig}'

            ${replaceSecretBin} '#lfsjwtsecret#' '${lfsJwtSecret}' '${runConfig}'

            ${replaceSecretBin} '#internaltoken#' '${internalToken}' '${runConfig}'



            ${lib.optionalString cfg.lfs.enable ''

              ${replaceSecretBin} '#lfsjwtsecret#' '${lfsJwtSecret}' '${runConfig}'"

            ''}



            ${lib.optionalString (cfg.mailerPasswordFile != null) ''

              ${replaceSecretBin} '#mailerpass#' '${cfg.mailerPasswordFile}' '${runConfig}'

            ''}
@@ -565,7 +580,7 @@ in 
      serviceConfig = {

        Type = "simple";

        User = cfg.user;

        Group = "gitea";

        Group = cfg.group;

        WorkingDirectory = cfg.stateDir;

        ExecStart = "${exe} web --pid /run/gitea/gitea.pid";

        Restart = "always";
@@ -573,7 +588,7 @@ in 
        RuntimeDirectory = "gitea";

        RuntimeDirectoryMode = "0755";

        # Access write directories

        ReadWritePaths = [ cfg.dump.backupDir cfg.repositoryRoot cfg.stateDir cfg.lfs.contentDir ];

        ReadWritePaths = [ cfg.customDir cfg.dump.backupDir cfg.repositoryRoot cfg.stateDir cfg.lfs.contentDir ];

        UMask = "0027";

        # Capabilities

        CapabilityBoundingSet = "";
@@ -606,6 +621,7 @@ in 
        USER = cfg.user;

        HOME = cfg.stateDir;

        GITEA_WORK_DIR = cfg.stateDir;

        GITEA_CUSTOM = cfg.customDir;

      };

    };
@@ -614,12 +630,14 @@ in 
        description = "Gitea Service";

        home = cfg.stateDir;

        useDefaultShell = true;

        group = "gitea";

        group = cfg.group;

        isSystemUser = true;

      };

    };



    users.groups.gitea = {};

    users.groups = mkIf (cfg.group == "gitea") {

      gitea = {};

    };



    warnings =

      optional (cfg.database.password != "") "config.services.gitea.database.password will be stored as plaintext in the Nix store. Use database.passwordFile instead." ++