{ config, lib, options, pkgs, ... }: with lib; let cfg = config.services.gitea; opt = options.services.gitea; exe = lib.getExe cfg.package; pg = config.services.postgresql; useMysql = cfg.database.type == "mysql"; usePostgresql = cfg.database.type == "postgres"; useSqlite = cfg.database.type == "sqlite3"; format = pkgs.formats.ini { }; configFile = pkgs.writeText "app.ini" '' APP_NAME = ${cfg.appName} RUN_USER = ${cfg.user} RUN_MODE = prod WORK_PATH = ${cfg.stateDir} ${generators.toINI {} cfg.settings} ${optionalString (cfg.extraConfig != null) cfg.extraConfig} ''; in { imports = [ (mkRenamedOptionModule [ "services" "gitea" "cookieSecure" ] [ "services" "gitea" "settings" "session" "COOKIE_SECURE" ]) (mkRenamedOptionModule [ "services" "gitea" "disableRegistration" ] [ "services" "gitea" "settings" "service" "DISABLE_REGISTRATION" ]) (mkRenamedOptionModule [ "services" "gitea" "domain" ] [ "services" "gitea" "settings" "server" "DOMAIN" ]) (mkRenamedOptionModule [ "services" "gitea" "httpAddress" ] [ "services" "gitea" "settings" "server" "HTTP_ADDR" ]) (mkRenamedOptionModule [ "services" "gitea" "httpPort" ] [ "services" "gitea" "settings" "server" "HTTP_PORT" ]) (mkRenamedOptionModule [ "services" "gitea" "log" "level" ] [ "services" "gitea" "settings" "log" "LEVEL" ]) (mkRenamedOptionModule [ "services" "gitea" "log" "rootPath" ] [ "services" "gitea" "settings" "log" "ROOT_PATH" ]) (mkRenamedOptionModule [ "services" "gitea" "rootUrl" ] [ "services" "gitea" "settings" "server" "ROOT_URL" ]) (mkRenamedOptionModule [ "services" "gitea" "ssh" "clonePort" ] [ "services" "gitea" "settings" "server" "SSH_PORT" ]) (mkRenamedOptionModule [ "services" "gitea" "staticRootPath" ] [ "services" "gitea" "settings" "server" "STATIC_ROOT_PATH" ]) (mkChangedOptionModule [ "services" "gitea" "enableUnixSocket" ] [ "services" "gitea" "settings" "server" "PROTOCOL" ] ( config: if config.services.gitea.enableUnixSocket then "http+unix" else "http" )) (mkRemovedOptionModule [ "services" "gitea" "ssh" "enable" ] "services.gitea.ssh.enable has been migrated into freeform setting services.gitea.settings.server.DISABLE_SSH. Keep in mind that the setting is inverted") ]; options = { services.gitea = { enable = mkOption { default = false; type = types.bool; description = "Enable Gitea Service."; }; package = mkPackageOption pkgs "gitea" { }; useWizard = mkOption { default = false; type = types.bool; description = "Do not generate a configuration and use gitea' installation wizard instead. The first registered user will be administrator."; }; stateDir = mkOption { default = "/var/lib/gitea"; type = types.str; description = "Gitea data directory."; }; customDir = mkOption { default = "${cfg.stateDir}/custom"; defaultText = literalExpression ''"''${config.${opt.stateDir}}/custom"''; type = types.str; description = "Gitea custom directory. Used for config, custom templates and other options."; }; user = mkOption { type = types.str; default = "gitea"; description = "User account under which gitea runs."; }; group = mkOption { type = types.str; default = "gitea"; description = "Group under which gitea runs."; }; database = { type = mkOption { type = types.enum [ "sqlite3" "mysql" "postgres" ]; example = "mysql"; default = "sqlite3"; description = "Database engine to use."; }; host = mkOption { type = types.str; default = "127.0.0.1"; description = "Database host address."; }; port = mkOption { type = types.port; default = if usePostgresql then pg.settings.port else 3306; defaultText = literalExpression '' if config.${opt.database.type} != "postgresql" then 3306 else 5432 ''; description = "Database host port."; }; name = mkOption { type = types.str; default = "gitea"; description = "Database name."; }; user = mkOption { type = types.str; default = "gitea"; description = "Database user."; }; password = mkOption { type = types.str; default = ""; description = '' The password corresponding to {option}`database.user`. Warning: this is stored in cleartext in the Nix store! Use {option}`database.passwordFile` instead. ''; }; passwordFile = mkOption { type = types.nullOr types.path; default = null; example = "/run/keys/gitea-dbpassword"; description = '' A file containing the password corresponding to {option}`database.user`. ''; }; socket = mkOption { type = types.nullOr types.path; default = if (cfg.database.createDatabase && usePostgresql) then "/run/postgresql" else if (cfg.database.createDatabase && useMysql) then "/run/mysqld/mysqld.sock" else null; defaultText = literalExpression "null"; example = "/run/mysqld/mysqld.sock"; description = "Path to the unix socket file to use for authentication."; }; path = mkOption { type = types.str; default = "${cfg.stateDir}/data/gitea.db"; defaultText = literalExpression ''"''${config.${opt.stateDir}}/data/gitea.db"''; description = "Path to the sqlite3 database file."; }; createDatabase = mkOption { type = types.bool; default = true; description = "Whether to create a local database automatically."; }; }; dump = { enable = mkOption { type = types.bool; default = false; description = '' Enable a timer that runs gitea dump to generate backup-files of the current gitea database and repositories. ''; }; interval = mkOption { type = types.str; default = "04:31"; example = "hourly"; description = '' Run a gitea dump at this interval. Runs by default at 04:31 every day. The format is described in {manpage}`systemd.time(7)`. ''; }; backupDir = mkOption { type = types.str; default = "${cfg.stateDir}/dump"; defaultText = literalExpression ''"''${config.${opt.stateDir}}/dump"''; description = "Path to the dump files."; }; type = mkOption { type = types.enum [ "zip" "rar" "tar" "sz" "tar.gz" "tar.xz" "tar.bz2" "tar.br" "tar.lz4" "tar.zst" ]; default = "zip"; description = "Archive format used to store the dump file."; }; file = mkOption { type = types.nullOr types.str; default = null; description = "Filename to be used for the dump. If `null` a default name is chosen by gitea."; example = "gitea-dump"; }; }; lfs = { enable = mkOption { type = types.bool; default = false; description = "Enables git-lfs support."; }; contentDir = mkOption { type = types.str; default = "${cfg.stateDir}/data/lfs"; defaultText = literalExpression ''"''${config.${opt.stateDir}}/data/lfs"''; description = "Where to store LFS files."; }; }; appName = mkOption { type = types.str; default = "gitea: Gitea Service"; description = "Application name."; }; repositoryRoot = mkOption { type = types.str; default = "${cfg.stateDir}/repositories"; defaultText = literalExpression ''"''${config.${opt.stateDir}}/repositories"''; description = "Path to the git repositories."; }; camoHmacKeyFile = mkOption { type = types.nullOr types.str; default = null; example = "/var/lib/secrets/gitea/camoHmacKey"; description = "Path to a file containing the camo HMAC key."; }; mailerPasswordFile = mkOption { type = types.nullOr types.str; default = null; example = "/var/lib/secrets/gitea/mailpw"; description = "Path to a file containing the SMTP password."; }; metricsTokenFile = mkOption { type = types.nullOr types.str; default = null; example = "/var/lib/secrets/gitea/metrics_token"; description = "Path to a file containing the metrics authentication token."; }; settings = mkOption { default = {}; description = '' Gitea configuration. Refer to for details on supported values. ''; example = literalExpression '' { "cron.sync_external_users" = { RUN_AT_START = true; SCHEDULE = "@every 24h"; UPDATE_EXISTING = true; }; mailer = { ENABLED = true; MAILER_TYPE = "sendmail"; FROM = "do-not-reply@example.org"; SENDMAIL_PATH = "''${pkgs.system-sendmail}/bin/sendmail"; }; other = { SHOW_FOOTER_VERSION = false; }; } ''; type = types.submodule { freeformType = format.type; options = { log = { ROOT_PATH = mkOption { default = "${cfg.stateDir}/log"; defaultText = literalExpression ''"''${config.${opt.stateDir}}/log"''; type = types.str; description = "Root path for log files."; }; LEVEL = mkOption { default = "Info"; type = types.enum [ "Trace" "Debug" "Info" "Warn" "Error" "Critical" ]; description = "General log level."; }; }; server = { PROTOCOL = mkOption { type = types.enum [ "http" "https" "fcgi" "http+unix" "fcgi+unix" ]; default = "http"; description = ''Listen protocol. `+unix` means "over unix", not "in addition to."''; }; HTTP_ADDR = mkOption { type = types.either types.str types.path; default = if lib.hasSuffix "+unix" cfg.settings.server.PROTOCOL then "/run/gitea/gitea.sock" else "0.0.0.0"; defaultText = literalExpression ''if lib.hasSuffix "+unix" cfg.settings.server.PROTOCOL then "/run/gitea/gitea.sock" else "0.0.0.0"''; description = "Listen address. Must be a path when using a unix socket."; }; HTTP_PORT = mkOption { type = types.port; default = 3000; description = "Listen port. Ignored when using a unix socket."; }; DOMAIN = mkOption { type = types.str; default = "localhost"; description = "Domain name of your server."; }; ROOT_URL = mkOption { type = types.str; default = "http://${cfg.settings.server.DOMAIN}:${toString cfg.settings.server.HTTP_PORT}/"; defaultText = literalExpression ''"http://''${config.services.gitea.settings.server.DOMAIN}:''${toString config.services.gitea.settings.server.HTTP_PORT}/"''; description = "Full public URL of gitea server."; }; STATIC_ROOT_PATH = mkOption { type = types.either types.str types.path; default = cfg.package.data; defaultText = literalExpression "config.${opt.package}.data"; example = "/var/lib/gitea/data"; description = "Upper level of template and static files path."; }; DISABLE_SSH = mkOption { type = types.bool; default = false; description = "Disable external SSH feature."; }; SSH_PORT = mkOption { type = types.port; default = 22; example = 2222; description = '' SSH port displayed in clone URL. The option is required to configure a service when the external visible port differs from the local listening port i.e. if port forwarding is used. ''; }; }; service = { DISABLE_REGISTRATION = mkEnableOption "the registration lock" // { description = '' By default any user can create an account on this `gitea` instance. This can be disabled by using this option. *Note:* please keep in mind that this should be added after the initial deploy unless [](#opt-services.gitea.useWizard) is `true` as the first registered user will be the administrator if no install wizard is used. ''; }; }; session = { COOKIE_SECURE = mkOption { type = types.bool; default = false; description = '' Marks session cookies as "secure" as a hint for browsers to only send them via HTTPS. This option is recommend, if gitea is being served over HTTPS. ''; }; }; }; }; }; extraConfig = mkOption { type = with types; nullOr str; default = null; description = "Configuration lines appended to the generated gitea configuration file."; }; }; }; config = mkIf cfg.enable { assertions = [ { assertion = cfg.database.createDatabase -> useSqlite || cfg.database.user == cfg.user; message = "services.gitea.database.user must match services.gitea.user if the database is to be automatically provisioned"; } { assertion = cfg.database.createDatabase && usePostgresql -> cfg.database.user == cfg.database.name; message = '' When creating a database via NixOS, the db user and db name must be equal! If you already have an existing DB+user and this assertion is new, you can safely set `services.gitea.createDatabase` to `false` because removal of `ensureUsers` and `ensureDatabases` doesn't have any effect. ''; } ]; services.gitea.settings = { "cron.update_checker".ENABLED = lib.mkDefault false; database = mkMerge [ { DB_TYPE = cfg.database.type; } (mkIf (useMysql || usePostgresql) { HOST = if cfg.database.socket != null then cfg.database.socket else cfg.database.host + ":" + toString cfg.database.port; NAME = cfg.database.name; USER = cfg.database.user; PASSWD = "#dbpass#"; }) (mkIf useSqlite { PATH = cfg.database.path; }) (mkIf usePostgresql { SSL_MODE = "disable"; }) ]; repository = { ROOT = cfg.repositoryRoot; }; server = mkIf cfg.lfs.enable { LFS_START_SERVER = true; LFS_JWT_SECRET = "#lfsjwtsecret#"; }; camo = mkIf (cfg.camoHmacKeyFile != null) { HMAC_KEY = "#hmackey#"; }; session = { COOKIE_NAME = lib.mkDefault "session"; }; security = { SECRET_KEY = "#secretkey#"; INTERNAL_TOKEN = "#internaltoken#"; INSTALL_LOCK = true; }; mailer = mkIf (cfg.mailerPasswordFile != null) { PASSWD = "#mailerpass#"; }; metrics = mkIf (cfg.metricsTokenFile != null) { TOKEN = "#metricstoken#"; }; oauth2 = { JWT_SECRET = "#oauth2jwtsecret#"; }; lfs = mkIf cfg.lfs.enable { PATH = cfg.lfs.contentDir; }; packages.CHUNKED_UPLOAD_PATH = "${cfg.stateDir}/tmp/package-upload"; }; services.postgresql = optionalAttrs (usePostgresql && cfg.database.createDatabase) { enable = mkDefault true; ensureDatabases = [ cfg.database.name ]; ensureUsers = [ { name = cfg.database.user; ensureDBOwnership = true; } ]; }; services.mysql = optionalAttrs (useMysql && cfg.database.createDatabase) { enable = mkDefault true; package = mkDefault pkgs.mariadb; ensureDatabases = [ cfg.database.name ]; ensureUsers = [ { name = cfg.database.user; ensurePermissions = { "${cfg.database.name}.*" = "ALL PRIVILEGES"; }; } ]; }; systemd.tmpfiles.rules = [ "d '${cfg.dump.backupDir}' 0750 ${cfg.user} ${cfg.group} - -" "z '${cfg.dump.backupDir}' 0750 ${cfg.user} ${cfg.group} - -" "d '${cfg.repositoryRoot}' 0750 ${cfg.user} ${cfg.group} - -" "z '${cfg.repositoryRoot}' 0750 ${cfg.user} ${cfg.group} - -" "d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -" "d '${cfg.stateDir}/conf' 0750 ${cfg.user} ${cfg.group} - -" "d '${cfg.customDir}' 0750 ${cfg.user} ${cfg.group} - -" "d '${cfg.customDir}/conf' 0750 ${cfg.user} ${cfg.group} - -" "d '${cfg.stateDir}/data' 0750 ${cfg.user} ${cfg.group} - -" "d '${cfg.stateDir}/log' 0750 ${cfg.user} ${cfg.group} - -" "z '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -" "z '${cfg.stateDir}/.ssh' 0700 ${cfg.user} ${cfg.group} - -" "z '${cfg.stateDir}/conf' 0750 ${cfg.user} ${cfg.group} - -" "z '${cfg.customDir}' 0750 ${cfg.user} ${cfg.group} - -" "z '${cfg.customDir}/conf' 0750 ${cfg.user} ${cfg.group} - -" "z '${cfg.stateDir}/data' 0750 ${cfg.user} ${cfg.group} - -" "z '${cfg.stateDir}/log' 0750 ${cfg.user} ${cfg.group} - -" # If we have a folder or symlink with gitea locales, remove it # And symlink the current gitea locales in place "L+ '${cfg.stateDir}/conf/locale' - - - - ${cfg.package.out}/locale" ] ++ lib.optionals cfg.lfs.enable [ "d '${cfg.lfs.contentDir}' 0750 ${cfg.user} ${cfg.group} - -" "z '${cfg.lfs.contentDir}' 0750 ${cfg.user} ${cfg.group} - -" ]; systemd.services.gitea = { description = "gitea"; after = [ "network.target" ] ++ optional usePostgresql "postgresql.service" ++ optional useMysql "mysql.service"; requires = optional (cfg.database.createDatabase && usePostgresql) "postgresql.service" ++ optional (cfg.database.createDatabase && useMysql) "mysql.service"; wantedBy = [ "multi-user.target" ]; path = [ cfg.package pkgs.git pkgs.gnupg ]; # In older versions the secret naming for JWT was kind of confusing. # The file jwt_secret hold the value for LFS_JWT_SECRET and JWT_SECRET # wasn't persistent at all. # To fix that, there is now the file oauth2_jwt_secret containing the # values for JWT_SECRET and the file jwt_secret gets renamed to # lfs_jwt_secret. # We have to consider this to stay compatible with older installations. preStart = let runConfig = "${cfg.customDir}/conf/app.ini"; secretKey = "${cfg.customDir}/conf/secret_key"; oauth2JwtSecret = "${cfg.customDir}/conf/oauth2_jwt_secret"; oldLfsJwtSecret = "${cfg.customDir}/conf/jwt_secret"; # old file for LFS_JWT_SECRET lfsJwtSecret = "${cfg.customDir}/conf/lfs_jwt_secret"; # new file for LFS_JWT_SECRET internalToken = "${cfg.customDir}/conf/internal_token"; replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret"; in '' # copy custom configuration and generate random secrets if needed ${optionalString (!cfg.useWizard) '' function gitea_setup { cp -f '${configFile}' '${runConfig}' if [ ! -s '${secretKey}' ]; then ${exe} generate secret SECRET_KEY > '${secretKey}' fi # Migrate LFS_JWT_SECRET filename if [[ -s '${oldLfsJwtSecret}' && ! -s '${lfsJwtSecret}' ]]; then mv '${oldLfsJwtSecret}' '${lfsJwtSecret}' fi if [ ! -s '${oauth2JwtSecret}' ]; then ${exe} generate secret JWT_SECRET > '${oauth2JwtSecret}' fi ${lib.optionalString cfg.lfs.enable '' if [ ! -s '${lfsJwtSecret}' ]; then ${exe} generate secret LFS_JWT_SECRET > '${lfsJwtSecret}' fi ''} if [ ! -s '${internalToken}' ]; then ${exe} generate secret INTERNAL_TOKEN > '${internalToken}' fi chmod u+w '${runConfig}' ${replaceSecretBin} '#secretkey#' '${secretKey}' '${runConfig}' ${replaceSecretBin} '#dbpass#' '${cfg.database.passwordFile}' '${runConfig}' ${replaceSecretBin} '#oauth2jwtsecret#' '${oauth2JwtSecret}' '${runConfig}' ${replaceSecretBin} '#internaltoken#' '${internalToken}' '${runConfig}' ${lib.optionalString cfg.lfs.enable '' ${replaceSecretBin} '#lfsjwtsecret#' '${lfsJwtSecret}' '${runConfig}' ''} ${lib.optionalString (cfg.camoHmacKeyFile != null) '' ${replaceSecretBin} '#hmackey#' '${cfg.camoHmacKeyFile}' '${runConfig}' ''} ${lib.optionalString (cfg.mailerPasswordFile != null) '' ${replaceSecretBin} '#mailerpass#' '${cfg.mailerPasswordFile}' '${runConfig}' ''} ${lib.optionalString (cfg.metricsTokenFile != null) '' ${replaceSecretBin} '#metricstoken#' '${cfg.metricsTokenFile}' '${runConfig}' ''} chmod u-w '${runConfig}' } (umask 027; gitea_setup) ''} # run migrations/init the database ${exe} migrate # update all hooks' binary paths ${exe} admin regenerate hooks # update command option in authorized_keys if [ -r ${cfg.stateDir}/.ssh/authorized_keys ] then ${exe} admin regenerate keys fi ''; serviceConfig = { Type = "simple"; User = cfg.user; Group = cfg.group; WorkingDirectory = cfg.stateDir; ExecStart = "${exe} web --pid /run/gitea/gitea.pid"; Restart = "always"; # Runtime directory and mode RuntimeDirectory = "gitea"; RuntimeDirectoryMode = "0755"; # Proc filesystem ProcSubset = "pid"; ProtectProc = "invisible"; # Access write directories ReadWritePaths = [ cfg.customDir cfg.dump.backupDir cfg.repositoryRoot cfg.stateDir cfg.lfs.contentDir ]; UMask = "0027"; # Capabilities CapabilityBoundingSet = ""; # Security NoNewPrivileges = true; # Sandboxing ProtectSystem = "strict"; ProtectHome = true; PrivateTmp = true; PrivateDevices = true; PrivateUsers = true; ProtectHostname = true; ProtectClock = true; ProtectKernelTunables = true; ProtectKernelModules = true; ProtectKernelLogs = true; ProtectControlGroups = true; RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; RestrictNamespaces = true; LockPersonality = true; MemoryDenyWriteExecute = true; RestrictRealtime = true; RestrictSUIDSGID = true; RemoveIPC = true; PrivateMounts = true; # System Call Filtering SystemCallArchitectures = "native"; SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" "setrlimit" ]; }; environment = { USER = cfg.user; HOME = cfg.stateDir; GITEA_WORK_DIR = cfg.stateDir; GITEA_CUSTOM = cfg.customDir; }; }; users.users = mkIf (cfg.user == "gitea") { gitea = { description = "Gitea Service"; home = cfg.stateDir; useDefaultShell = true; group = cfg.group; isSystemUser = true; }; }; users.groups = mkIf (cfg.group == "gitea") { gitea = {}; }; warnings = optional (cfg.database.password != "") "config.services.gitea.database.password will be stored as plaintext in the Nix store. Use database.passwordFile instead." ++ optional (cfg.extraConfig != null) '' services.gitea.`extraConfig` is deprecated, please use services.gitea.`settings`. '' ++ optional (lib.getName cfg.package == "forgejo") '' Running forgejo via services.gitea.package is no longer supported. Please use services.forgejo instead. See https://nixos.org/manual/nixos/unstable/#module-forgejo for migration instructions. ''; # Create database passwordFile default when password is configured. services.gitea.database.passwordFile = mkDefault (toString (pkgs.writeTextFile { name = "gitea-database-password"; text = cfg.database.password; })); systemd.services.gitea-dump = mkIf cfg.dump.enable { description = "gitea dump"; after = [ "gitea.service" ]; path = [ cfg.package ]; environment = { USER = cfg.user; HOME = cfg.stateDir; GITEA_WORK_DIR = cfg.stateDir; GITEA_CUSTOM = cfg.customDir; }; serviceConfig = { Type = "oneshot"; User = cfg.user; ExecStart = "${exe} dump --type ${cfg.dump.type}" + optionalString (cfg.dump.file != null) " --file ${cfg.dump.file}"; WorkingDirectory = cfg.dump.backupDir; }; }; systemd.timers.gitea-dump = mkIf cfg.dump.enable { description = "Update timer for gitea-dump"; partOf = [ "gitea-dump.service" ]; wantedBy = [ "timers.target" ]; timerConfig.OnCalendar = cfg.dump.interval; }; }; meta.maintainers = with lib.maintainers; [ srhb ma27 pyrox0 ]; }