nixos/services: add gitea server

nixos/common.nix

@@ -4,6 +4,7 @@
   lib,
   pkgs,
   self,
+  config,
   ...
 }:
 let
@@ -92,11 +93,29 @@ in
   networking = {
     networkmanager.enable = true;
 
+    extraHosts =
+      let
+        subdomains = [ "" ".git" ];
+      in
+      builtins.foldl' (
+        hosts-acc: domain-prefix:
+        let
+          host = "${domain-prefix}${config.networking.fqdn}";
+        in
+        hosts-acc
+        + ''
+          127.0.0.1 ${host}
+          ::1 ${host}
+        ''
+      ) "" subdomains;
+
     firewall = {
       enable = true;
 
       allowedTCPPorts = [
         22
+        80
+        443
       ];
     };
   };

nixos/default.nix

@@ -31,5 +31,7 @@ in
 {
   flake.nixosConfigurations = {
     tuxcord-ca = mkSystem "tuxcord-ca" "x86_64-linux";
+
+    tuxcord-test = mkSystem "tuxcord-test" "x86_64-linux";
   };
 }

nixos/hosts/tuxcord-ca/default.nix

@@ -5,4 +5,5 @@
   ];
 
   time.timeZone = "Canada/Eastern";
+  networking.fqdn = "tuxcord.net";
 }

nixos/hosts/tuxcord-test/default.nix

@@ -0,0 +1,3 @@
+{
+  networking.fqdn = "tuxcord.test";
+}

nixos/modules/default.nix

@@ -1,9 +1,11 @@
 {
   imports = [
     ./fail2ban.nix
-    ./sysctl.nix
+    ./gitea.nix
     ./host.nix
+    ./nginx.nix
     ./snapper.nix
     ./substituters.nix
+    ./sysctl.nix
   ];
 }

nixos/modules/gitea.nix

@@ -0,0 +1,27 @@
+{ config, lib, ... }:
+{
+  services.gitea = {
+    enable = true;
+
+    appName = "Tuxcord's Gitea";
+    database.type = "mysql";
+
+    lfs.enable = true;
+
+    settings.server.DOMAIN = config.networking.fqdn;
+    # settings.server.ROOT_URL = "https://git.tuxcord.net/"; ? would also depend on ssl status
+    settings.server.HTTP_PORT = 3000;
+
+    settings.service.DISABLE_REGISTRATION = true;
+    settings.service.REQUIRE_SIGNIN_VIEW = false;
+
+    settings.repository.ENABLE_PUSH_CREATE_USER = true;
+    settings.repository.ENABLE_PUSH_CREATE_ORG = true;
+    settings.repository.DEFAULT_BRANCH = "main";
+
+    # settings.ui.DEFAULT_THEME = "...";
+
+    # TODO: once we have email setup this would be nice
+    settings.mailer.ENABLED = true;
+  };
+}

nixos/modules/nginx.nix

@@ -0,0 +1,36 @@
+{ config, lib, ... }:
+let
+  fqdn = config.networking.fqdn;
+
+  mkVhost =
+    attrs:
+    {
+      forceSSL = false; # TODO: tweak per host
+    }
+    // attrs;
+
+  mkProxy = port: {
+    proxyPass = "http://127.0.0.1:${toString port}/";
+  };
+in
+{
+  services.nginx = {
+    enable = true;
+
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+
+    # services.nginx.virtualHosts."${fqdn}" = {
+    #   addSSL = true;
+    #   root = "/var/www/myhost.org";
+    #   default = true;
+    # };
+
+    virtualHosts."git.${fqdn}" = mkVhost {
+      locations."/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
+    };
+  };
+}

nixos/vm.nix

@@ -1,8 +1,14 @@
+{ lib, ... }:
 {
   virtualisation.vmVariant.virtualisation = {
     cores = 2;
     diskSize = 8192;
     graphics = false;
     memorySize = 4096;
+
+    qemu.networkingOptions = lib.mkForce [
+      "-nic bridge,br=virbr0,id=hn0,model=virt-net-pci,helper=/run/wrappers/bin/qemu-bridge-helper"
+      "-device virtio-net-pci,netdev=hn0,id=nic1"
+    ];
   };
 }