alex/nixos-configs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

tadpole: Add webfinger for gitea

Browse Source
This commit is contained in:
Alexander Heldt
2024-08-30 20:50:03 +02:00
parent 0d5b7fe3f5
commit c4bab62de4
2 changed files with 82 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
hosts/tadpole/modules/default.nix
View File

@@ -15,7 +15,10 @@ in
gitea = {
enable = true;
domain = "git.ppp.pm";
baseDomain = "ppp.pm";
webfingerEnable = true;
webfingerAccounts = [ "p@ppp.pm" ];
};
pppdotpm-site.enable = true;

88
hosts/tadpole/modules/gitea/default.nix
View File

@@ -1,7 +1,7 @@
{ lib, config, ... }:
{ pkgs, lib, config, ... }:
let
enable = config.mod.gitea.enable;
domain = config.mod.gitea.domain;
conf = config.mod.gitea;
gitDomain = "git.${conf.baseDomain}";
nginxEnable = config.mod.nginx.enable;
in
@@ -10,15 +10,48 @@ in
mod.gitea = {
enable = lib.mkEnableOption "Enable gitea";
domain = lib.mkOption {
baseDomain = lib.mkOption {
type = lib.types.str;
default = "";
description = "The domain that nginx will use as a virtual host";
description = ''
The base domain that will be used to
- create https://git.<base domain> which will host the frontend of gitea
- host the webfinger
Note: A cert is required for this domain and "git.<base domain>".
'';
};
webfingerEnable = lib.mkEnableOption "Enable webfinger pointing to gitea";
webfingerAccounts = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [];
description = "The accounts that should be listed";
};
};
};
config = lib.mkIf (enable && nginxEnable) {
config = lib.mkIf (conf.enable && nginxEnable) {
assertions = [
{
assertion = conf.baseDomain != "";
message = "Option 'mod.gitea.baseDomain' cannot be empty";
}
{
assertion = builtins.hasAttr gitDomain config.security.acme.certs;
message = "There is no cert configured for ${gitDomain} used by gitea";
}
{
assertion = conf.webfingerEnable && builtins.hasAttr conf.baseDomain config.security.acme.certs;
message = "There is no cert configured for ${conf.baseDomain} used by webfinger";
}
{
assertion = conf.webfingerEnable && conf.webfingerAccounts != [];
message = "Option 'mod.gitea.webfingerAccounts' cannot be empty";
}
];
services.gitea = {
enable = true;
@@ -28,8 +61,8 @@ in
};
server = {
DOMAIN = domain;
ROOT_URL = "https://${domain}";
DOMAIN = gitDomain;
ROOT_URL = "https://${gitDomain}";
SSH_PORT = 1122; # See `ssh` module
};
@@ -46,9 +79,44 @@ in
};
services.nginx = {
virtualHosts."${domain}" = {
virtualHosts."${conf.baseDomain}" =
let
mkWebfinger = account:
pkgs.writeTextDir (lib.escapeURL "acct:${account}") (lib.generators.toJSON {} {
subject = "acct:${account}";
links = [{
rel = "http://openid.net/specs/connect/1.0/issuer";
href = "https://${gitDomain}";
}];
});
webfingerRoot = pkgs.symlinkJoin {
name = "${gitDomain}-webfinger";
paths = builtins.map mkWebfinger conf.webfingerAccounts;
};
in
lib.mkIf conf.webfingerEnable {
forceSSL = true;
useACMEHost = domain;
useACMEHost = conf.baseDomain;
locations."/.well-known/webfinger" = {
root = webfingerRoot;
extraConfig = ''
add_header Access-Control-Allow-Origin "*";
default_type "application/jrd+json";
types { application/jrd+json json; }
if ($arg_resource) {
rewrite ^(.*)$ /$arg_resource break;
}
return 400;
'';
};
};
virtualHosts."${gitDomain}" = {
forceSSL = true;
useACMEHost = gitDomain;
locations."/" = {
proxyPass = "http://0.0.0:3000";