tadpole: Add webfinger for gitea

2024-08-30 20:50:03 +02:00
parent 0d5b7fe3f5
commit c4bab62de4
2 changed files with 82 additions and 11 deletions
--- a/hosts/tadpole/modules/gitea/default.nix
+++ b/hosts/tadpole/modules/gitea/default.nix
@@ -1,7 +1,7 @@
-{ lib, config, ... }:
+{ pkgs, lib, config, ... }:
 let
-  enable = config.mod.gitea.enable;
-  domain = config.mod.gitea.domain;
+  conf = config.mod.gitea;
+  gitDomain = "git.${conf.baseDomain}";

  nginxEnable = config.mod.nginx.enable;
 in
@@ -10,15 +10,48 @@ in
    mod.gitea = {
      enable = lib.mkEnableOption "Enable gitea";

-      domain = lib.mkOption {
+      baseDomain = lib.mkOption {
        type = lib.types.str;
        default = "";
-        description = "The domain that nginx will use as a virtual host";
+        description = ''
+          The base domain that will be used to
+          - create https://git.<base domain> which will host the frontend of gitea
+          - host the webfinger
+
+          Note: A cert is required for this domain and "git.<base domain>".
+        '';
+      };
+
+      webfingerEnable = lib.mkEnableOption "Enable webfinger pointing to gitea";
+
+      webfingerAccounts = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        default = [];
+        description = "The accounts that should be listed";
      };
    };
  };

-  config = lib.mkIf (enable && nginxEnable) {
+  config = lib.mkIf (conf.enable && nginxEnable) {
+    assertions = [
+      {
+        assertion = conf.baseDomain != "";
+        message = "Option 'mod.gitea.baseDomain' cannot be empty";
+      }
+      {
+        assertion = builtins.hasAttr gitDomain config.security.acme.certs;
+        message = "There is no cert configured for ${gitDomain} used by gitea";
+      }
+      {
+        assertion = conf.webfingerEnable && builtins.hasAttr conf.baseDomain config.security.acme.certs;
+        message = "There is no cert configured for ${conf.baseDomain} used by webfinger";
+      }
+      {
+        assertion = conf.webfingerEnable && conf.webfingerAccounts != [];
+        message = "Option 'mod.gitea.webfingerAccounts' cannot be empty";
+      }
+    ];
+
    services.gitea = {
      enable = true;

@@ -28,8 +61,8 @@ in
        };

        server = {
-          DOMAIN = domain;
-          ROOT_URL = "https://${domain}";
+          DOMAIN = gitDomain;
+          ROOT_URL = "https://${gitDomain}";

          SSH_PORT = 1122; # See `ssh` module
        };
@@ -46,9 +79,44 @@ in
    };

    services.nginx = {
-      virtualHosts."${domain}" = {
+      virtualHosts."${conf.baseDomain}" =
+        let
+          mkWebfinger = account:
+            pkgs.writeTextDir (lib.escapeURL "acct:${account}") (lib.generators.toJSON {} {
+              subject = "acct:${account}";
+              links = [{
+                rel = "http://openid.net/specs/connect/1.0/issuer";
+                href = "https://${gitDomain}";
+              }];
+            });
+
+          webfingerRoot = pkgs.symlinkJoin {
+            name = "${gitDomain}-webfinger";
+            paths = builtins.map mkWebfinger conf.webfingerAccounts;
+          };
+        in
+          lib.mkIf conf.webfingerEnable {
+            forceSSL = true;
+            useACMEHost = conf.baseDomain;
+
+            locations."/.well-known/webfinger" = {
+              root = webfingerRoot;
+
+              extraConfig = ''
+                add_header Access-Control-Allow-Origin "*";
+                default_type "application/jrd+json";
+                types { application/jrd+json json; }
+                if ($arg_resource) {
+                  rewrite ^(.*)$ /$arg_resource break;
+                }
+                return 400;
+              '';
+            };
+          };
+
+      virtualHosts."${gitDomain}" = {
        forceSSL = true;
-        useACMEHost = domain;
+        useACMEHost = gitDomain;

        locations."/" = {
          proxyPass = "http://0.0.0:3000";