diff options
Diffstat (limited to 'nixos/modules/services/misc/gitea.nix')
-rw-r--r-- | nixos/modules/services/misc/gitea.nix | 97 |
1 files changed, 65 insertions, 32 deletions
diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix index af80e99746b..b6c1ca3e61a 100644 --- a/nixos/modules/services/misc/gitea.nix +++ b/nixos/modules/services/misc/gitea.nix @@ -82,7 +82,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = (if !usePostgresql then 3306 else pg.port); description = "Database host port."; }; @@ -349,7 +349,7 @@ in { DOMAIN = cfg.domain; STATIC_ROOT_PATH = cfg.staticRootPath; - LFS_JWT_SECRET = "#jwtsecret#"; + LFS_JWT_SECRET = "#lfsjwtsecret#"; ROOT_URL = cfg.rootUrl; } (mkIf cfg.enableUnixSocket { @@ -381,6 +381,7 @@ in security = { SECRET_KEY = "#secretkey#"; + INTERNAL_TOKEN = "#internaltoken#"; INSTALL_LOCK = true; }; @@ -396,6 +397,10 @@ in mailer = mkIf (cfg.mailerPasswordFile != null) { PASSWD = "#mailerpass#"; }; + + oauth2 = { + JWT_SECRET = "#oauth2jwtsecret#"; + }; }; services.postgresql = optionalAttrs (usePostgresql && cfg.database.createDatabase) { @@ -453,39 +458,68 @@ in description = "gitea"; after = [ "network.target" ] ++ lib.optional usePostgresql "postgresql.service" ++ lib.optional useMysql "mysql.service"; wantedBy = [ "multi-user.target" ]; - path = [ gitea pkgs.gitAndTools.git ]; - + path = [ gitea pkgs.git ]; + + # In older versions the secret naming for JWT was kind of confusing. + # The file jwt_secret hold the value for LFS_JWT_SECRET and JWT_SECRET + # wasn't persistant at all. + # To fix that, there is now the file oauth2_jwt_secret containing the + # values for JWT_SECRET and the file jwt_secret gets renamed to + # lfs_jwt_secret. + # We have to consider this to stay compatible with older installations. preStart = let runConfig = "${cfg.stateDir}/custom/conf/app.ini"; secretKey = "${cfg.stateDir}/custom/conf/secret_key"; - jwtSecret = "${cfg.stateDir}/custom/conf/jwt_secret"; + oauth2JwtSecret = "${cfg.stateDir}/custom/conf/oauth2_jwt_secret"; + oldLfsJwtSecret = "${cfg.stateDir}/custom/conf/jwt_secret"; # old file for LFS_JWT_SECRET + lfsJwtSecret = "${cfg.stateDir}/custom/conf/lfs_jwt_secret"; # new file for LFS_JWT_SECRET + internalToken = "${cfg.stateDir}/custom/conf/internal_token"; in '' # copy custom configuration and generate a random secret key if needed ${optionalString (cfg.useWizard == false) '' - cp -f ${configFile} ${runConfig} - - if [ ! -e ${secretKey} ]; then - ${gitea}/bin/gitea generate secret SECRET_KEY > ${secretKey} - fi - - if [ ! -e ${jwtSecret} ]; then - ${gitea}/bin/gitea generate secret LFS_JWT_SECRET > ${jwtSecret} - fi - - KEY="$(head -n1 ${secretKey})" - DBPASS="$(head -n1 ${cfg.database.passwordFile})" - JWTSECRET="$(head -n1 ${jwtSecret})" - ${if (cfg.mailerPasswordFile == null) then '' - MAILERPASSWORD="#mailerpass#" - '' else '' - MAILERPASSWORD="$(head -n1 ${cfg.mailerPasswordFile} || :)" - ''} - sed -e "s,#secretkey#,$KEY,g" \ - -e "s,#dbpass#,$DBPASS,g" \ - -e "s,#jwtsecret#,$JWTSECRET,g" \ - -e "s,#mailerpass#,$MAILERPASSWORD,g" \ - -i ${runConfig} - chmod 640 ${runConfig} ${secretKey} ${jwtSecret} + function gitea_setup { + cp -f ${configFile} ${runConfig} + + if [ ! -e ${secretKey} ]; then + ${gitea}/bin/gitea generate secret SECRET_KEY > ${secretKey} + fi + + # Migrate LFS_JWT_SECRET filename + if [[ -e ${oldLfsJwtSecret} && ! -e ${lfsJwtSecret} ]]; then + mv ${oldLfsJwtSecret} ${lfsJwtSecret} + fi + + if [ ! -e ${oauth2JwtSecret} ]; then + ${gitea}/bin/gitea generate secret JWT_SECRET > ${oauth2JwtSecret} + fi + + if [ ! -e ${lfsJwtSecret} ]; then + ${gitea}/bin/gitea generate secret LFS_JWT_SECRET > ${lfsJwtSecret} + fi + + if [ ! -e ${internalToken} ]; then + ${gitea}/bin/gitea generate secret INTERNAL_TOKEN > ${internalToken} + fi + + SECRETKEY="$(head -n1 ${secretKey})" + DBPASS="$(head -n1 ${cfg.database.passwordFile})" + OAUTH2JWTSECRET="$(head -n1 ${oauth2JwtSecret})" + LFSJWTSECRET="$(head -n1 ${lfsJwtSecret})" + INTERNALTOKEN="$(head -n1 ${internalToken})" + ${if (cfg.mailerPasswordFile == null) then '' + MAILERPASSWORD="#mailerpass#" + '' else '' + MAILERPASSWORD="$(head -n1 ${cfg.mailerPasswordFile} || :)" + ''} + sed -e "s,#secretkey#,$SECRETKEY,g" \ + -e "s,#dbpass#,$DBPASS,g" \ + -e "s,#oauth2jwtsecret#,$OAUTH2JWTSECRET,g" \ + -e "s,#lfsjwtsecret#,$LFSJWTSECRET,g" \ + -e "s,#internaltoken#,$INTERNALTOKEN,g" \ + -e "s,#mailerpass#,$MAILERPASSWORD,g" \ + -i ${runConfig} + } + (umask 027; gitea_setup) ''} # update all hooks' binary paths @@ -565,8 +599,7 @@ in users.groups.gitea = {}; warnings = - optional (cfg.database.password != "") '' - config.services.gitea.database.password will be stored as plaintext in the Nix store. Use database.passwordFile instead.'' ++ + optional (cfg.database.password != "") "config.services.gitea.database.password will be stored as plaintext in the Nix store. Use database.passwordFile instead." ++ optional (cfg.extraConfig != null) '' services.gitea.`extraConfig` is deprecated, please use services.gitea.`settings`. ''; @@ -605,5 +638,5 @@ in timerConfig.OnCalendar = cfg.dump.interval; }; }; - meta.maintainers = with lib.maintainers; [ srhb ]; + meta.maintainers = with lib.maintainers; [ srhb ma27 ]; } |