| blob | d43250c882683fb29526d2dd06583f005ca9c0b1 |
1 { config, lib, options, pkgs, ... }:
3 with lib;
5 let
6 cfg = config.services.gitea;
7 opt = options.services.gitea;
8 exe = lib.getExe cfg.package;
9 pg = config.services.postgresql;
10 useMysql = cfg.database.type == "mysql";
11 usePostgresql = cfg.database.type == "postgres";
12 useSqlite = cfg.database.type == "sqlite3";
13 format = pkgs.formats.ini { };
14 configFile = pkgs.writeText "app.ini" ''
15 APP_NAME = ${cfg.appName}
16 RUN_USER = ${cfg.user}
17 RUN_MODE = prod
18 WORK_PATH = ${cfg.stateDir}
20 ${generators.toINI {} cfg.settings}
22 ${optionalString (cfg.extraConfig != null) cfg.extraConfig}
23 '';
24 in
26 {
27 imports = [
28 (mkRenamedOptionModule [ "services" "gitea" "cookieSecure" ] [ "services" "gitea" "settings" "session" "COOKIE_SECURE" ])
29 (mkRenamedOptionModule [ "services" "gitea" "disableRegistration" ] [ "services" "gitea" "settings" "service" "DISABLE_REGISTRATION" ])
30 (mkRenamedOptionModule [ "services" "gitea" "domain" ] [ "services" "gitea" "settings" "server" "DOMAIN" ])
31 (mkRenamedOptionModule [ "services" "gitea" "httpAddress" ] [ "services" "gitea" "settings" "server" "HTTP_ADDR" ])
32 (mkRenamedOptionModule [ "services" "gitea" "httpPort" ] [ "services" "gitea" "settings" "server" "HTTP_PORT" ])
33 (mkRenamedOptionModule [ "services" "gitea" "log" "level" ] [ "services" "gitea" "settings" "log" "LEVEL" ])
34 (mkRenamedOptionModule [ "services" "gitea" "log" "rootPath" ] [ "services" "gitea" "settings" "log" "ROOT_PATH" ])
35 (mkRenamedOptionModule [ "services" "gitea" "rootUrl" ] [ "services" "gitea" "settings" "server" "ROOT_URL" ])
36 (mkRenamedOptionModule [ "services" "gitea" "ssh" "clonePort" ] [ "services" "gitea" "settings" "server" "SSH_PORT" ])
37 (mkRenamedOptionModule [ "services" "gitea" "staticRootPath" ] [ "services" "gitea" "settings" "server" "STATIC_ROOT_PATH" ])
39 (mkChangedOptionModule [ "services" "gitea" "enableUnixSocket" ] [ "services" "gitea" "settings" "server" "PROTOCOL" ] (
40 config: if config.services.gitea.enableUnixSocket then "http+unix" else "http"
41 ))
43 (mkRemovedOptionModule [ "services" "gitea" "ssh" "enable" ] "services.gitea.ssh.enable has been migrated into freeform setting services.gitea.settings.server.DISABLE_SSH. Keep in mind that the setting is inverted")
44 ];
46 options = {
47 services.gitea = {
48 enable = mkOption {
49 default = false;
50 type = types.bool;
51 description = "Enable Gitea Service.";
52 };
54 package = mkPackageOption pkgs "gitea" { };
56 useWizard = mkOption {
57 default = false;
58 type = types.bool;
59 description = "Do not generate a configuration and use gitea' installation wizard instead. The first registered user will be administrator.";
60 };
62 stateDir = mkOption {
63 default = "/var/lib/gitea";
64 type = types.str;
65 description = "Gitea data directory.";
66 };
68 customDir = mkOption {
69 default = "${cfg.stateDir}/custom";
70 defaultText = literalExpression ''"''${config.${opt.stateDir}}/custom"'';
71 type = types.str;
72 description = "Gitea custom directory. Used for config, custom templates and other options.";
73 };
75 user = mkOption {
76 type = types.str;
77 default = "gitea";
78 description = "User account under which gitea runs.";
79 };
81 group = mkOption {
82 type = types.str;
83 default = "gitea";
84 description = "Group under which gitea runs.";
85 };
87 database = {
88 type = mkOption {
89 type = types.enum [ "sqlite3" "mysql" "postgres" ];
90 example = "mysql";
91 default = "sqlite3";
92 description = "Database engine to use.";
93 };
95 host = mkOption {
96 type = types.str;
97 default = "127.0.0.1";
98 description = "Database host address.";
99 };
101 port = mkOption {
102 type = types.port;
103 default = if usePostgresql then pg.settings.port else 3306;
104 defaultText = literalExpression ''
105 if config.${opt.database.type} != "postgresql"
106 then 3306
107 else 5432
108 '';
109 description = "Database host port.";
110 };
112 name = mkOption {
113 type = types.str;
114 default = "gitea";
115 description = "Database name.";
116 };
118 user = mkOption {
119 type = types.str;
120 default = "gitea";
121 description = "Database user.";
122 };
124 password = mkOption {
125 type = types.str;
126 default = "";
127 description = ''
128 The password corresponding to {option}`database.user`.
129 Warning: this is stored in cleartext in the Nix store!
130 Use {option}`database.passwordFile` instead.
131 '';
132 };
134 passwordFile = mkOption {
135 type = types.nullOr types.path;
136 default = null;
137 example = "/run/keys/gitea-dbpassword";
138 description = ''
139 A file containing the password corresponding to
140 {option}`database.user`.
141 '';
142 };
144 socket = mkOption {
145 type = types.nullOr types.path;
146 default = if (cfg.database.createDatabase && usePostgresql) then "/run/postgresql" else if (cfg.database.createDatabase && useMysql) then "/run/mysqld/mysqld.sock" else null;
147 defaultText = literalExpression "null";
148 example = "/run/mysqld/mysqld.sock";
149 description = "Path to the unix socket file to use for authentication.";
150 };
152 path = mkOption {
153 type = types.str;
154 default = "${cfg.stateDir}/data/gitea.db";
155 defaultText = literalExpression ''"''${config.${opt.stateDir}}/data/gitea.db"'';
156 description = "Path to the sqlite3 database file.";
157 };
159 createDatabase = mkOption {
160 type = types.bool;
161 default = true;
162 description = "Whether to create a local database automatically.";
163 };
164 };
166 dump = {
167 enable = mkOption {
168 type = types.bool;
169 default = false;
170 description = ''
171 Enable a timer that runs gitea dump to generate backup-files of the
172 current gitea database and repositories.
173 '';
174 };
176 interval = mkOption {
177 type = types.str;
178 default = "04:31";
179 example = "hourly";
180 description = ''
181 Run a gitea dump at this interval. Runs by default at 04:31 every day.
183 The format is described in
184 {manpage}`systemd.time(7)`.
185 '';
186 };
188 backupDir = mkOption {
189 type = types.str;
190 default = "${cfg.stateDir}/dump";
191 defaultText = literalExpression ''"''${config.${opt.stateDir}}/dump"'';
192 description = "Path to the dump files.";
193 };
195 type = mkOption {
196 type = types.enum [ "zip" "rar" "tar" "sz" "tar.gz" "tar.xz" "tar.bz2" "tar.br" "tar.lz4" "tar.zst" ];
197 default = "zip";
198 description = "Archive format used to store the dump file.";
199 };
201 file = mkOption {
202 type = types.nullOr types.str;
203 default = null;
204 description = "Filename to be used for the dump. If `null` a default name is chosen by gitea.";
205 example = "gitea-dump";
206 };
207 };
209 lfs = {
210 enable = mkOption {
211 type = types.bool;
212 default = false;
213 description = "Enables git-lfs support.";
214 };
216 contentDir = mkOption {
217 type = types.str;
218 default = "${cfg.stateDir}/data/lfs";
219 defaultText = literalExpression ''"''${config.${opt.stateDir}}/data/lfs"'';
220 description = "Where to store LFS files.";
221 };
222 };
224 appName = mkOption {
225 type = types.str;
226 default = "gitea: Gitea Service";
227 description = "Application name.";
228 };
230 repositoryRoot = mkOption {
231 type = types.str;
232 default = "${cfg.stateDir}/repositories";
233 defaultText = literalExpression ''"''${config.${opt.stateDir}}/repositories"'';
234 description = "Path to the git repositories.";
235 };
237 camoHmacKeyFile = mkOption {
238 type = types.nullOr types.str;
239 default = null;
240 example = "/var/lib/secrets/gitea/camoHmacKey";
241 description = "Path to a file containing the camo HMAC key.";
242 };
244 mailerPasswordFile = mkOption {
245 type = types.nullOr types.str;
246 default = null;
247 example = "/var/lib/secrets/gitea/mailpw";
248 description = "Path to a file containing the SMTP password.";
249 };
251 metricsTokenFile = mkOption {
252 type = types.nullOr types.str;
253 default = null;
254 example = "/var/lib/secrets/gitea/metrics_token";
255 description = "Path to a file containing the metrics authentication token.";
256 };
258 settings = mkOption {
259 default = {};
260 description = ''
261 Gitea configuration. Refer to <https://docs.gitea.io/en-us/config-cheat-sheet/>
262 for details on supported values.
263 '';
264 example = literalExpression ''
265 {
266 "cron.sync_external_users" = {
267 RUN_AT_START = true;
268 SCHEDULE = "@every 24h";
269 UPDATE_EXISTING = true;
270 };
271 mailer = {
272 ENABLED = true;
273 MAILER_TYPE = "sendmail";
274 FROM = "do-not-reply@example.org";
275 SENDMAIL_PATH = "''${pkgs.system-sendmail}/bin/sendmail";
276 };
277 other = {
278 SHOW_FOOTER_VERSION = false;
279 };
280 }
281 '';
282 type = types.submodule {
283 freeformType = format.type;
284 options = {
285 log = {
286 ROOT_PATH = mkOption {
287 default = "${cfg.stateDir}/log";
288 defaultText = literalExpression ''"''${config.${opt.stateDir}}/log"'';
289 type = types.str;
290 description = "Root path for log files.";
291 };
292 LEVEL = mkOption {
293 default = "Info";
294 type = types.enum [ "Trace" "Debug" "Info" "Warn" "Error" "Critical" ];
295 description = "General log level.";
296 };
297 };
299 server = {
300 PROTOCOL = mkOption {
301 type = types.enum [ "http" "https" "fcgi" "http+unix" "fcgi+unix" ];
302 default = "http";
303 description = ''Listen protocol. `+unix` means "over unix", not "in addition to."'';
304 };
306 HTTP_ADDR = mkOption {
307 type = types.either types.str types.path;
308 default = if lib.hasSuffix "+unix" cfg.settings.server.PROTOCOL then "/run/gitea/gitea.sock" else "0.0.0.0";
309 defaultText = literalExpression ''if lib.hasSuffix "+unix" cfg.settings.server.PROTOCOL then "/run/gitea/gitea.sock" else "0.0.0.0"'';
310 description = "Listen address. Must be a path when using a unix socket.";
311 };
313 HTTP_PORT = mkOption {
314 type = types.port;
315 default = 3000;
316 description = "Listen port. Ignored when using a unix socket.";
317 };
319 DOMAIN = mkOption {
320 type = types.str;
321 default = "localhost";
322 description = "Domain name of your server.";
323 };
325 ROOT_URL = mkOption {
326 type = types.str;
327 default = "http://${cfg.settings.server.DOMAIN}:${toString cfg.settings.server.HTTP_PORT}/";
328 defaultText = literalExpression ''"http://''${config.services.gitea.settings.server.DOMAIN}:''${toString config.services.gitea.settings.server.HTTP_PORT}/"'';
329 description = "Full public URL of gitea server.";
330 };
332 STATIC_ROOT_PATH = mkOption {
333 type = types.either types.str types.path;
334 default = cfg.package.data;
335 defaultText = literalExpression "config.${opt.package}.data";
336 example = "/var/lib/gitea/data";
337 description = "Upper level of template and static files path.";
338 };
340 DISABLE_SSH = mkOption {
341 type = types.bool;
342 default = false;
343 description = "Disable external SSH feature.";
344 };
346 SSH_PORT = mkOption {
347 type = types.port;
348 default = 22;
349 example = 2222;
350 description = ''
351 SSH port displayed in clone URL.
352 The option is required to configure a service when the external visible port
353 differs from the local listening port i.e. if port forwarding is used.
354 '';
355 };
356 };
358 service = {
359 DISABLE_REGISTRATION = mkEnableOption "the registration lock" // {
360 description = ''
361 By default any user can create an account on this `gitea` instance.
362 This can be disabled by using this option.
364 *Note:* please keep in mind that this should be added after the initial
365 deploy unless [](#opt-services.gitea.useWizard)
366 is `true` as the first registered user will be the administrator if
367 no install wizard is used.
368 '';
369 };
370 };
372 session = {
373 COOKIE_SECURE = mkOption {
374 type = types.bool;
375 default = false;
376 description = ''
377 Marks session cookies as "secure" as a hint for browsers to only send
378 them via HTTPS. This option is recommend, if gitea is being served over HTTPS.
379 '';
380 };
381 };
382 };
383 };
384 };
386 extraConfig = mkOption {
387 type = with types; nullOr str;
388 default = null;
389 description = "Configuration lines appended to the generated gitea configuration file.";
390 };
391 };
392 };
394 config = mkIf cfg.enable {
395 assertions = [
396 { assertion = cfg.database.createDatabase -> useSqlite || cfg.database.user == cfg.user;
397 message = "services.gitea.database.user must match services.gitea.user if the database is to be automatically provisioned";
398 }
399 { assertion = cfg.database.createDatabase && usePostgresql -> cfg.database.user == cfg.database.name;
400 message = ''
401 When creating a database via NixOS, the db user and db name must be equal!
402 If you already have an existing DB+user and this assertion is new, you can safely set
403 `services.gitea.createDatabase` to `false` because removal of `ensureUsers`
404 and `ensureDatabases` doesn't have any effect.
405 '';
406 }
407 ];
409 services.gitea.settings = {
410 "cron.update_checker".ENABLED = lib.mkDefault false;
412 database = mkMerge [
413 {
414 DB_TYPE = cfg.database.type;
415 }
416 (mkIf (useMysql || usePostgresql) {
417 HOST = if cfg.database.socket != null then cfg.database.socket else cfg.database.host + ":" + toString cfg.database.port;
418 NAME = cfg.database.name;
419 USER = cfg.database.user;
420 PASSWD = "#dbpass#";
421 })
422 (mkIf useSqlite {
423 PATH = cfg.database.path;
424 })
425 (mkIf usePostgresql {
426 SSL_MODE = "disable";
427 })
428 ];
430 repository = {
431 ROOT = cfg.repositoryRoot;
432 };
434 server = mkIf cfg.lfs.enable {
435 LFS_START_SERVER = true;
436 LFS_JWT_SECRET = "#lfsjwtsecret#";
437 };
439 camo = mkIf (cfg.camoHmacKeyFile != null) {
440 HMAC_KEY = "#hmackey#";
441 };
443 session = {
444 COOKIE_NAME = lib.mkDefault "session";
445 };
447 security = {
448 SECRET_KEY = "#secretkey#";
449 INTERNAL_TOKEN = "#internaltoken#";
450 INSTALL_LOCK = true;
451 };
453 mailer = mkIf (cfg.mailerPasswordFile != null) {
454 PASSWD = "#mailerpass#";
455 };
457 metrics = mkIf (cfg.metricsTokenFile != null) {
458 TOKEN = "#metricstoken#";
459 };
461 oauth2 = {
462 JWT_SECRET = "#oauth2jwtsecret#";
463 };
465 lfs = mkIf cfg.lfs.enable {
466 PATH = cfg.lfs.contentDir;
467 };
469 packages.CHUNKED_UPLOAD_PATH = "${cfg.stateDir}/tmp/package-upload";
470 };
472 services.postgresql = optionalAttrs (usePostgresql && cfg.database.createDatabase) {
473 enable = mkDefault true;
475 ensureDatabases = [ cfg.database.name ];
476 ensureUsers = [
477 { name = cfg.database.user;
478 ensureDBOwnership = true;
479 }
480 ];
481 };
483 services.mysql = optionalAttrs (useMysql && cfg.database.createDatabase) {
484 enable = mkDefault true;
485 package = mkDefault pkgs.mariadb;
487 ensureDatabases = [ cfg.database.name ];
488 ensureUsers = [
489 { name = cfg.database.user;
490 ensurePermissions = { "${cfg.database.name}.*" = "ALL PRIVILEGES"; };
491 }
492 ];
493 };
495 systemd.tmpfiles.rules = [
496 "d '${cfg.dump.backupDir}' 0750 ${cfg.user} ${cfg.group} - -"
497 "z '${cfg.dump.backupDir}' 0750 ${cfg.user} ${cfg.group} - -"
498 "d '${cfg.repositoryRoot}' 0750 ${cfg.user} ${cfg.group} - -"
499 "z '${cfg.repositoryRoot}' 0750 ${cfg.user} ${cfg.group} - -"
500 "d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -"
501 "d '${cfg.stateDir}/conf' 0750 ${cfg.user} ${cfg.group} - -"
502 "d '${cfg.customDir}' 0750 ${cfg.user} ${cfg.group} - -"
503 "d '${cfg.customDir}/conf' 0750 ${cfg.user} ${cfg.group} - -"
504 "d '${cfg.stateDir}/data' 0750 ${cfg.user} ${cfg.group} - -"
505 "d '${cfg.stateDir}/log' 0750 ${cfg.user} ${cfg.group} - -"
506 "z '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -"
507 "z '${cfg.stateDir}/.ssh' 0700 ${cfg.user} ${cfg.group} - -"
508 "z '${cfg.stateDir}/conf' 0750 ${cfg.user} ${cfg.group} - -"
509 "z '${cfg.customDir}' 0750 ${cfg.user} ${cfg.group} - -"
510 "z '${cfg.customDir}/conf' 0750 ${cfg.user} ${cfg.group} - -"
511 "z '${cfg.stateDir}/data' 0750 ${cfg.user} ${cfg.group} - -"
512 "z '${cfg.stateDir}/log' 0750 ${cfg.user} ${cfg.group} - -"
514 # If we have a folder or symlink with gitea locales, remove it
515 # And symlink the current gitea locales in place
516 "L+ '${cfg.stateDir}/conf/locale' - - - - ${cfg.package.out}/locale"
518 ] ++ lib.optionals cfg.lfs.enable [
519 "d '${cfg.lfs.contentDir}' 0750 ${cfg.user} ${cfg.group} - -"
520 "z '${cfg.lfs.contentDir}' 0750 ${cfg.user} ${cfg.group} - -"
521 ];
523 systemd.services.gitea = {
524 description = "gitea";
525 after = [ "network.target" ] ++ optional usePostgresql "postgresql.service" ++ optional useMysql "mysql.service";
526 requires = optional (cfg.database.createDatabase && usePostgresql) "postgresql.service" ++ optional (cfg.database.createDatabase && useMysql) "mysql.service";
527 wantedBy = [ "multi-user.target" ];
528 path = [ cfg.package pkgs.git pkgs.gnupg ];
530 # In older versions the secret naming for JWT was kind of confusing.
531 # The file jwt_secret hold the value for LFS_JWT_SECRET and JWT_SECRET
532 # wasn't persistent at all.
533 # To fix that, there is now the file oauth2_jwt_secret containing the
534 # values for JWT_SECRET and the file jwt_secret gets renamed to
535 # lfs_jwt_secret.
536 # We have to consider this to stay compatible with older installations.
537 preStart = let
538 runConfig = "${cfg.customDir}/conf/app.ini";
539 secretKey = "${cfg.customDir}/conf/secret_key";
540 oauth2JwtSecret = "${cfg.customDir}/conf/oauth2_jwt_secret";
541 oldLfsJwtSecret = "${cfg.customDir}/conf/jwt_secret"; # old file for LFS_JWT_SECRET
542 lfsJwtSecret = "${cfg.customDir}/conf/lfs_jwt_secret"; # new file for LFS_JWT_SECRET
543 internalToken = "${cfg.customDir}/conf/internal_token";
544 replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
545 in ''
546 # copy custom configuration and generate random secrets if needed
547 ${optionalString (!cfg.useWizard) ''
548 function gitea_setup {
549 cp -f '${configFile}' '${runConfig}'
551 if [ ! -s '${secretKey}' ]; then
552 ${exe} generate secret SECRET_KEY > '${secretKey}'
553 fi
555 # Migrate LFS_JWT_SECRET filename
556 if [[ -s '${oldLfsJwtSecret}' && ! -s '${lfsJwtSecret}' ]]; then
557 mv '${oldLfsJwtSecret}' '${lfsJwtSecret}'
558 fi
560 if [ ! -s '${oauth2JwtSecret}' ]; then
561 ${exe} generate secret JWT_SECRET > '${oauth2JwtSecret}'
562 fi
564 ${lib.optionalString cfg.lfs.enable ''
565 if [ ! -s '${lfsJwtSecret}' ]; then
566 ${exe} generate secret LFS_JWT_SECRET > '${lfsJwtSecret}'
567 fi
568 ''}
570 if [ ! -s '${internalToken}' ]; then
571 ${exe} generate secret INTERNAL_TOKEN > '${internalToken}'
572 fi
574 chmod u+w '${runConfig}'
575 ${replaceSecretBin} '#secretkey#' '${secretKey}' '${runConfig}'
576 ${replaceSecretBin} '#dbpass#' '${cfg.database.passwordFile}' '${runConfig}'
577 ${replaceSecretBin} '#oauth2jwtsecret#' '${oauth2JwtSecret}' '${runConfig}'
578 ${replaceSecretBin} '#internaltoken#' '${internalToken}' '${runConfig}'
580 ${lib.optionalString cfg.lfs.enable ''
581 ${replaceSecretBin} '#lfsjwtsecret#' '${lfsJwtSecret}' '${runConfig}'
582 ''}
584 ${lib.optionalString (cfg.camoHmacKeyFile != null) ''
585 ${replaceSecretBin} '#hmackey#' '${cfg.camoHmacKeyFile}' '${runConfig}'
586 ''}
588 ${lib.optionalString (cfg.mailerPasswordFile != null) ''
589 ${replaceSecretBin} '#mailerpass#' '${cfg.mailerPasswordFile}' '${runConfig}'
590 ''}
592 ${lib.optionalString (cfg.metricsTokenFile != null) ''
593 ${replaceSecretBin} '#metricstoken#' '${cfg.metricsTokenFile}' '${runConfig}'
594 ''}
595 chmod u-w '${runConfig}'
596 }
597 (umask 027; gitea_setup)
598 ''}
600 # run migrations/init the database
601 ${exe} migrate
603 # update all hooks' binary paths
604 ${exe} admin regenerate hooks
606 # update command option in authorized_keys
607 if [ -r ${cfg.stateDir}/.ssh/authorized_keys ]
608 then
609 ${exe} admin regenerate keys
610 fi
611 '';
613 serviceConfig = {
614 Type = "simple";
615 User = cfg.user;
616 Group = cfg.group;
617 WorkingDirectory = cfg.stateDir;
618 ExecStart = "${exe} web --pid /run/gitea/gitea.pid";
619 Restart = "always";
620 # Runtime directory and mode
621 RuntimeDirectory = "gitea";
622 RuntimeDirectoryMode = "0755";
623 # Proc filesystem
624 ProcSubset = "pid";
625 ProtectProc = "invisible";
626 # Access write directories
627 ReadWritePaths = [ cfg.customDir cfg.dump.backupDir cfg.repositoryRoot cfg.stateDir cfg.lfs.contentDir ];
628 UMask = "0027";
629 # Capabilities
630 CapabilityBoundingSet = "";
631 # Security
632 NoNewPrivileges = true;
633 # Sandboxing
634 ProtectSystem = "strict";
635 ProtectHome = true;
636 PrivateTmp = true;
637 PrivateDevices = true;
638 PrivateUsers = true;
639 ProtectHostname = true;
640 ProtectClock = true;
641 ProtectKernelTunables = true;
642 ProtectKernelModules = true;
643 ProtectKernelLogs = true;
644 ProtectControlGroups = true;
645 RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
646 RestrictNamespaces = true;
647 LockPersonality = true;
648 MemoryDenyWriteExecute = true;
649 RestrictRealtime = true;
650 RestrictSUIDSGID = true;
651 RemoveIPC = true;
652 PrivateMounts = true;
653 # System Call Filtering
654 SystemCallArchitectures = "native";
655 SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" "setrlimit" ];
656 };
658 environment = {
659 USER = cfg.user;
660 HOME = cfg.stateDir;
661 GITEA_WORK_DIR = cfg.stateDir;
662 GITEA_CUSTOM = cfg.customDir;
663 };
664 };
666 users.users = mkIf (cfg.user == "gitea") {
667 gitea = {
668 description = "Gitea Service";
669 home = cfg.stateDir;
670 useDefaultShell = true;
671 group = cfg.group;
672 isSystemUser = true;
673 };
674 };
676 users.groups = mkIf (cfg.group == "gitea") {
677 gitea = {};
678 };
680 warnings =
681 optional (cfg.database.password != "") "config.services.gitea.database.password will be stored as plaintext in the Nix store. Use database.passwordFile instead." ++
682 optional (cfg.extraConfig != null) ''
683 services.gitea.`extraConfig` is deprecated, please use services.gitea.`settings`.
684 '' ++
685 optional (lib.getName cfg.package == "forgejo") ''
686 Running forgejo via services.gitea.package is no longer supported.
687 Please use services.forgejo instead.
688 See https://nixos.org/manual/nixos/unstable/#module-forgejo for migration instructions.
689 '';
691 # Create database passwordFile default when password is configured.
692 services.gitea.database.passwordFile =
693 mkDefault (toString (pkgs.writeTextFile {
694 name = "gitea-database-password";
695 text = cfg.database.password;
696 }));
698 systemd.services.gitea-dump = mkIf cfg.dump.enable {
699 description = "gitea dump";
700 after = [ "gitea.service" ];
701 path = [ cfg.package ];
703 environment = {
704 USER = cfg.user;
705 HOME = cfg.stateDir;
706 GITEA_WORK_DIR = cfg.stateDir;
707 GITEA_CUSTOM = cfg.customDir;
708 };
710 serviceConfig = {
711 Type = "oneshot";
712 User = cfg.user;
713 ExecStart = "${exe} dump --type ${cfg.dump.type}" + optionalString (cfg.dump.file != null) " --file ${cfg.dump.file}";
714 WorkingDirectory = cfg.dump.backupDir;
715 };
716 };
718 systemd.timers.gitea-dump = mkIf cfg.dump.enable {
719 description = "Update timer for gitea-dump";
720 partOf = [ "gitea-dump.service" ];
721 wantedBy = [ "timers.target" ];
722 timerConfig.OnCalendar = cfg.dump.interval;
723 };
724 };
725 meta.maintainers = with lib.maintainers; [ ma27 techknowlogick SuperSandro2000 ];
726 }