140 lines
5.4 KiB
Nix
140 lines
5.4 KiB
Nix
{ config, pkgs, lib, ... }:
|
|
|
|
let
|
|
domain = "git.25120.org";
|
|
giteaCustom = pkgs.callPackage ../packages/directory.nix {
|
|
name = "gitea-custom";
|
|
source = ./gitea-custom;
|
|
};
|
|
in
|
|
{
|
|
services.gitea = {
|
|
enable = true;
|
|
appName = "${domain}";
|
|
database = {
|
|
type = "postgres";
|
|
passwordFile = "/secrets/gitea_db_password";
|
|
createDatabase = false;
|
|
};
|
|
repositoryRoot = "/data/git/repositories";
|
|
lfs = {
|
|
enable = true;
|
|
contentDir = "/data/git/data/lfs";
|
|
};
|
|
settings = let
|
|
docutils =
|
|
pkgs.python310.withPackages (ps: with ps; [
|
|
docutils # Provides rendering of ReStructured Text files
|
|
pygments # Provides syntax highlighting
|
|
]);
|
|
nbconvert = pkgs.python310.withPackages (ps: with ps; [
|
|
jupyter
|
|
ipykernel
|
|
nbconvert
|
|
]);
|
|
max_cached_jupyter_notebooks = 200;
|
|
cached_jupyter_preview = pkgs.writeScript "cache_preview" ''
|
|
#!${pkgs.bash}/bin/bash
|
|
|
|
set -eu
|
|
|
|
input_file="$1"
|
|
|
|
command="${nbconvert}/bin/jupyter nbconvert --stdout --to html --template basic"
|
|
cache_directory="${config.services.gitea.stateDir}/markup_cache/jupyter"
|
|
max_cache_file_count="${toString max_cached_jupyter_notebooks}"
|
|
|
|
cache_file="$cache_directory/$(md5sum "$input_file" | cut -d' ' -f1)"
|
|
|
|
if [ -e "$cache_file" ] ; then
|
|
>&2 echo "Using cached file $cache_file"
|
|
touch "$cache_file"
|
|
else
|
|
(
|
|
if cd "$cache_directory" ; then
|
|
ls -t | tail -n "+$max_cache_file_count" | xargs -r rm
|
|
else
|
|
mkdir -p "$cache_directory"
|
|
fi
|
|
)
|
|
eval "$command \"$input_file\" > \"$cache_file\""
|
|
fi
|
|
|
|
cat "$cache_file"
|
|
'';
|
|
in
|
|
{
|
|
server = {
|
|
SSH_PORT = lib.head config.services.openssh.ports;
|
|
ROOT_URL = "https://${domain}/";
|
|
HTTP_PORT = 3001;
|
|
DOMAIN = "${domain}";
|
|
};
|
|
service.DISABLE_REGISTRATION = true;
|
|
session.COOKIE_SECURE = true;
|
|
"markup.restructuredtext" = {
|
|
ENABLED = true;
|
|
FILE_EXTENSIONS = ".rst";
|
|
RENDER_COMMAND = "${docutils}/bin/rst2html.py";
|
|
IS_INPUT_FILE = false;
|
|
};
|
|
"markup.jupyter" = {
|
|
ENABLED = true;
|
|
FILE_EXTENSIONS = ".ipynb";
|
|
# RENDER_COMMAND = "\"${nbconvert}/bin/jupyter nbconvert --stdout --to html --template basic \"";
|
|
RENDER_COMMAND = "\"${cached_jupyter_preview} \"";
|
|
IS_INPUT_FILE = true;
|
|
# RENDER_CONTENT_MODE = "iframe";
|
|
};
|
|
"markup.sanitizer.jupyter.div" = { ELEMENT = "div"; ALLOW_ATTR = "class"; REGEXP = ""; };
|
|
"markup.sanitizer.jupyter.span" = { ELEMENT = "span"; ALLOW_ATTR = "class"; REGEXP = ""; };
|
|
"markup.sanitizer.jupyter.img" = { ELEMENT = "img"; ALLOW_ATTR = "class"; REGEXP = ""; ALLOW_DATA_URI_IMAGES = "true"; };
|
|
"markup.sanitizer.jupyter.svg.width" = { ELEMENT = "svg"; ALLOW_ATTR = "width"; REGEXP = ""; };
|
|
"markup.sanitizer.jupyter.svg.height" = { ELEMENT = "svg"; ALLOW_ATTR = "height"; REGEXP = ""; };
|
|
"markup.sanitizer.jupyter.svg.viewbox" = { ELEMENT = "svg"; ALLOW_ATTR = "viewbox"; REGEXP = ""; };
|
|
"markup.sanitizer.jupyter.svg.use" = { ELEMENT = "use"; ALLOW_ATTR = "transform"; REGEXP = ""; };
|
|
"markup.sanitizer.jupyter.svg.g" = { ELEMENT = "g"; ALLOW_ATTR = "class"; REGEXP = ""; };
|
|
"markup.sanitizer.jupyter.svg.path.style" = { ELEMENT = "path"; ALLOW_ATTR = "style"; REGEXP = ""; };
|
|
"markup.sanitizer.jupyter.svg.path.d" = { ELEMENT = "path"; ALLOW_ATTR = "d"; REGEXP = ""; };
|
|
"markup.sanitizer.jupyter.svg.path.transform" = { ELEMENT = "path"; ALLOW_ATTR = "transform"; REGEXP = ""; };
|
|
};
|
|
};
|
|
|
|
services.postgresql = {
|
|
enable = true;
|
|
authentication = ''
|
|
local gitea all ident map=gitea-users
|
|
'';
|
|
# Map the gitea user to postgresql
|
|
identMap = ''
|
|
gitea-users gitea gitea
|
|
'';
|
|
};
|
|
|
|
services.nginx = {
|
|
enable = true;
|
|
recommendedGzipSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedProxySettings = true;
|
|
recommendedTlsSettings = true;
|
|
virtualHosts."${domain}" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
locations."/".proxyPass = "http://localhost:3001/";
|
|
};
|
|
};
|
|
|
|
# users.users.gitea.extraGroups = [ "keys" ];
|
|
systemd.services.gitea = {
|
|
serviceConfig = {
|
|
ReadOnlyPaths = [ "/secrets" ];
|
|
};
|
|
preStart = ''
|
|
cp -frT "${giteaCustom}/" "${config.services.gitea.stateDir}/custom/"
|
|
find "${config.services.gitea.stateDir}/custom/" -type d -exec chmod 0750 '{}' + -or -type f -exec chmod 0640 '{}' +
|
|
'';
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
}
|