diff --git a/hosts/tadpole/modules/default.nix b/hosts/tadpole/modules/default.nix
index a757051..9954f50 100644
--- a/hosts/tadpole/modules/default.nix
+++ b/hosts/tadpole/modules/default.nix
@@ -15,7 +15,10 @@ in
     gitea = {
       enable = true;
-      domain = "git.ppp.pm";
+      baseDomain = "ppp.pm";
+
+      webfingerEnable = true;
+      webfingerAccounts = [ "p@ppp.pm" ];
     };
     pppdotpm-site.enable = true;
diff --git a/hosts/tadpole/modules/gitea/default.nix b/hosts/tadpole/modules/gitea/default.nix
index acfe13f..f1a23f7 100644
--- a/hosts/tadpole/modules/gitea/default.nix
+++ b/hosts/tadpole/modules/gitea/default.nix
@@ -1,7 +1,7 @@
-{ lib, config, ... }:
+{ pkgs, lib, config, ... }:
 let
-  enable = config.mod.gitea.enable;
-  domain = config.mod.gitea.domain;
+  conf = config.mod.gitea;
+  gitDomain = "git.${conf.baseDomain}";
   nginxEnable = config.mod.nginx.enable;
 in
@@ -10,15 +10,48 @@ in
       mod.gitea = {
         enable = lib.mkEnableOption "Enable gitea";
-        domain = lib.mkOption {
+        baseDomain = lib.mkOption {
           type = lib.types.str;
           default = "";
-          description = "The domain that nginx will use as a virtual host";
+          description = ''
+            The base domain that will be used to
+            - create https://git. which will host the frontend of gitea
+            - host the webfinger
+
+            Note: A cert is required for this domain and "git.".
+          '';
+        };
+
+        webfingerEnable = lib.mkEnableOption "Enable webfinger pointing to gitea";
+
+        webfingerAccounts = lib.mkOption {
+          type = lib.types.listOf lib.types.str;
+          default = [];
+          description = "The accounts that should be listed";
         };
       };
     };
-    config = lib.mkIf (enable && nginxEnable) {
+    config = lib.mkIf (conf.enable && nginxEnable) {
+      assertions = [
+        {
+          assertion = conf.baseDomain != "";
+          message = "Option 'mod.gitea.baseDomain' cannot be empty";
+        }
+        {
+          assertion = builtins.hasAttr gitDomain config.security.acme.certs;
+          message = "There is no cert configured for ${gitDomain} used by gitea";
+        }
+        {
+          assertion = conf.webfingerEnable && builtins.hasAttr conf.baseDomain config.security.acme.certs;
+          message = "There is no cert configured for ${conf.baseDomain} used by webfinger";
+        }
+        {
+          assertion = conf.webfingerEnable && conf.webfingerAccounts != [];
+          message = "Option 'mod.gitea.webfingerAccounts' cannot be empty";
+        }
+      ];
+
       services.gitea = {
         enable = true;
@@ -28,8 +61,8 @@ in
         };
         server = {
-          DOMAIN = domain;
-          ROOT_URL = "https://${domain}";
+          DOMAIN = gitDomain;
+          ROOT_URL = "https://${gitDomain}";
           SSH_PORT = 1122; # See `ssh` module
         };
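Review bot: The third and fourth entries of the new `assertions` list fail whenever webfinger is left disabled, because `conf.webfingerEnable && …` is false for the default `webfingerEnable = false`, so a host that only wants gitea cannot be built without also providing a cert for the base domain and a non-empty account list. The intent reads as an implication, which in Nix is written `!conf.webfingerEnable || …`: `assertion = !conf.webfingerEnable || builtins.hasAttr conf.baseDomain config.security.acme.certs;` and `assertion = !conf.webfingerEnable || conf.webfingerAccounts != [];`. As written the accompanying messages are also misleading, since "There is no cert configured …" would be reported when the real cause is webfinger being off. The `config` attribute set this list belongs to continues past the end of the hunk.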
@@ -46,9 +79,44 @@ in
       };
       services.nginx = {
-        virtualHosts."${domain}" = {
+        virtualHosts."${conf.baseDomain}" =
+          let
+            mkWebfinger = account:
+              pkgs.writeTextDir (lib.escapeURL "acct:${account}") (lib.generators.toJSON {} {
+                subject = "acct:${account}";
+                links = [{
+                  rel = "http://openid.net/specs/connect/1.0/issuer";
+                  href = "https://${gitDomain}";
+                }];
+              });
+
+            webfingerRoot = pkgs.symlinkJoin {
+              name = "${gitDomain}-webfinger";
+              paths = builtins.map mkWebfinger conf.webfingerAccounts;
+            };
+          in
+          lib.mkIf conf.webfingerEnable {
+            forceSSL = true;
+            useACMEHost = conf.baseDomain;
+
+            locations."/.well-known/webfinger" = {
+              root = webfingerRoot;
+
+              extraConfig = ''
+                add_header Access-Control-Allow-Origin "*";
+                default_type "application/jrd+json";
+                types { application/jrd+json json; }
+                if ($arg_resource) {
+                  rewrite ^(.*)$ /$arg_resource break;
+                }
+                return 400;
+              '';
+            };
+          };
+
+        virtualHosts."${gitDomain}" = {
           forceSSL = true;
-          useACMEHost = domain;
+          useACMEHost = gitDomain;
           locations."/" = {
             proxyPass = "http://0.0.0:3000";