Unverified Commit b59e5a34 authored by Tristan Daniël Maat's avatar Tristan Daniël Maat
Browse files

nixos/gitea: Add option to supply the metrics token via file

parent 4d675aec

nixos/modules/services/misc/gitea.nix

+15 −0
Original line number Diff line number Diff line
@@ -246,6 +246,13 @@ in 
        description = lib.mdDoc "Path to a file containing the SMTP password.";

      };



      metricsTokenFile = mkOption {

        type = types.nullOr types.str;

        default = null;

        example = "/var/lib/secrets/gitea/metrics_token";

        description = lib.mdDoc "Path to a file containing the metrics authentication token.";

      };



      settings = mkOption {

        default = {};

        description = lib.mdDoc ''
@@ -433,6 +440,10 @@ in 
        PASSWD = "#mailerpass#";

      };



      metrics = mkIf (cfg.metricsTokenFile != null) {

        TOKEN = "#metricstoken#";

      };



      oauth2 = {

        JWT_SECRET = "#oauth2jwtsecret#";

      };
@@ -559,6 +570,10 @@ in 
            ${lib.optionalString (cfg.mailerPasswordFile != null) ''

              ${replaceSecretBin} '#mailerpass#' '${cfg.mailerPasswordFile}' '${runConfig}'

            ''}



            ${lib.optionalString (cfg.metricsTokenFile != null) ''

              ${replaceSecretBin} '#metricstoken#' '${cfg.metricsTokenFile}' '${runConfig}'

            ''}

            chmod u-w '${runConfig}'

          }

          (umask 027; gitea_setup)

nixos/tests/gitea.nix

+8 −0
Original line number Diff line number Diff line
@@ -35,9 +35,11 @@ let 
          enable = true;

          database = { inherit type; };

          package = giteaPackage;

          metricsTokenFile = (pkgs.writeText "metrics_secret" "fakesecret").outPath;

          settings.service.DISABLE_REGISTRATION = true;

          settings."repository.signing".SIGNING_KEY = signingPrivateKeyId;

          settings.actions.ENABLED = true;

          settings.metrics.ENABLED = true;

        };

        environment.systemPackages = [ giteaPackage pkgs.gnupg pkgs.jq ];

        services.openssh.enable = true;
@@ -143,6 +145,12 @@ let 
          + '-H "Accept: application/json" | jq length)" = "1"'

      )



      with subtest("Testing metrics endpoint"):

          server.succeed('curl '

                         + '-H "Authorization: Bearer fakesecret" '

                         + 'http://localhost:3000/metrics '

                         + '| grep gitea_accesses')



      with subtest("Testing runner registration"):

          server.succeed(

              "su -l gitea -c 'GITEA_WORK_DIR=/var/lib/gitea gitea actions generate-runner-token' | sed 's/^/TOKEN=/' | tee /var/lib/gitea/runner_token"