diff options
author | Maximilian Bosch <maximilian@mbosch.me> | 2019-06-13 01:01:18 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-06-13 01:01:18 +0200 |
commit | 401360e15b6b48f8e144a0062880b137ef7c532c (patch) | |
tree | 46e4e4081a079ca4c0ffe2b92e432ef4ea70f5e7 | |
parent | 57301d9b2fc8e2f8fad375cb5ae8256e0988b6a7 (diff) | |
parent | 7145cf224c3eb45985d9bfc483c9e13c16fdaa91 (diff) |
Merge pull request #61923 from aanderse/gitea
nixos/gitea: make use of declarative features where applicable
-rw-r--r-- | nixos/modules/services/misc/gitea.nix | 90 | ||||
-rw-r--r-- | nixos/tests/gitea.nix | 16 |
2 files changed, 52 insertions, 54 deletions
diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix index 6fd4183bd6b4..7daa2dd0d4cc 100644 --- a/nixos/modules/services/misc/gitea.nix +++ b/nixos/modules/services/misc/gitea.nix @@ -159,7 +159,8 @@ in socket = mkOption { type = types.nullOr types.path; - default = null; + default = if (cfg.database.createDatabase && usePostgresql) then "/run/postgresql" else if (cfg.database.createDatabase && useMysql) then "/run/mysqld/mysqld.sock" else null; + defaultText = "null"; example = "/run/mysqld/mysqld.sock"; description = "Path to the unix socket file to use for authentication."; }; @@ -173,10 +174,7 @@ in createDatabase = mkOption { type = types.bool; default = true; - description = '' - Whether to create a local postgresql database automatically. - This only applies if database type "postgres" is selected. - ''; + description = "Whether to create a local database automatically."; }; }; @@ -277,7 +275,46 @@ in }; config = mkIf cfg.enable { - services.postgresql.enable = mkIf usePostgresql (mkDefault true); + assertions = [ + { assertion = cfg.database.createDatabase -> cfg.database.user == cfg.user; + message = "services.gitea.database.user must match services.gitea.user if the database is to be automatically provisioned"; + } + ]; + + services.postgresql = optionalAttrs (usePostgresql && cfg.database.createDatabase) { + enable = mkDefault true; + + ensureDatabases = [ cfg.database.name ]; + ensureUsers = [ + { name = cfg.database.user; + ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; }; + } + ]; + }; + + services.mysql = optionalAttrs (useMysql && cfg.database.createDatabase) { + enable = mkDefault true; + package = mkDefault pkgs.mariadb; + + ensureDatabases = [ cfg.database.name ]; + ensureUsers = [ + { name = cfg.database.user; + ensurePermissions = { "${cfg.database.name}.*" = "ALL PRIVILEGES"; }; + } + ]; + }; + + systemd.tmpfiles.rules = [ + "d '${cfg.stateDir}' - ${cfg.user} gitea - -" + "d '${cfg.stateDir}/conf' - ${cfg.user} gitea - -" + "d '${cfg.stateDir}/custom/conf' - ${cfg.user} gitea - -" + "d '${cfg.repositoryRoot}' - ${cfg.user} gitea - -" + "Z '${cfg.stateDir}' - ${cfg.user} gitea - -" + + # If we have a folder or symlink with gitea locales, remove it + # And symlink the current gitea locales in place + "L+ '${cfg.stateDir}/conf/locale' - - - - ${gitea.out}/locale" + ]; systemd.services.gitea = { description = "gitea"; @@ -289,12 +326,8 @@ in runConfig = "${cfg.stateDir}/custom/conf/app.ini"; secretKey = "${cfg.stateDir}/custom/conf/secret_key"; in '' - # Make sure that the stateDir exists, as well as the conf dir in there - mkdir -p ${cfg.stateDir}/conf - # copy custom configuration and generate a random secret key if needed ${optionalString (cfg.useWizard == false) '' - mkdir -p ${cfg.stateDir}/custom/conf cp -f ${configFile} ${runConfig} if [ ! -e ${secretKey} ]; then @@ -309,7 +342,6 @@ in chmod 640 ${runConfig} ${secretKey} ''} - mkdir -p ${cfg.repositoryRoot} # update all hooks' binary paths HOOKS=$(find ${cfg.repositoryRoot} -mindepth 4 -maxdepth 6 -type f -wholename "*git/hooks/*") if [ "$HOOKS" ] @@ -319,43 +351,19 @@ in sed -ri 's,/nix/store/[a-z0-9.-]+/bin/bash,${pkgs.bash}/bin/bash,g' $HOOKS sed -ri 's,/nix/store/[a-z0-9.-]+/bin/perl,${pkgs.perl}/bin/perl,g' $HOOKS fi - # If we have a folder or symlink with gitea locales, remove it - if [ -e ${cfg.stateDir}/conf/locale ] - then - rm -r ${cfg.stateDir}/conf/locale - fi - # And symlink the current gitea locales in place - ln -s ${gitea.out}/locale ${cfg.stateDir}/conf/locale + # update command option in authorized_keys if [ -r ${cfg.stateDir}/.ssh/authorized_keys ] then sed -ri 's,/nix/store/[a-z0-9.-]+/bin/gitea,${gitea.bin}/bin/gitea,g' ${cfg.stateDir}/.ssh/authorized_keys fi - '' + optionalString (usePostgresql && cfg.database.createDatabase) '' - if ! test -e "${cfg.stateDir}/db-created"; then - echo "CREATE ROLE ${cfg.database.user} - WITH ENCRYPTED PASSWORD '$(head -n1 ${cfg.database.passwordFile})' - NOCREATEDB NOCREATEROLE LOGIN" | - ${pkgs.sudo}/bin/sudo -u ${pg.superUser} ${pg.package}/bin/psql - ${pkgs.sudo}/bin/sudo -u ${pg.superUser} \ - ${pg.package}/bin/createdb \ - --owner=${cfg.database.user} \ - --encoding=UTF8 \ - --lc-collate=C \ - --lc-ctype=C \ - --template=template0 \ - ${cfg.database.name} - touch "${cfg.stateDir}/db-created" - fi - '' + '' - chown ${cfg.user} -R ${cfg.stateDir} ''; serviceConfig = { Type = "simple"; User = cfg.user; + Group = "gitea"; WorkingDirectory = cfg.stateDir; - PermissionsStartOnly = true; ExecStart = "${gitea.bin}/bin/gitea web"; Restart = "always"; }; @@ -367,15 +375,17 @@ in }; }; - users = mkIf (cfg.user == "gitea") { - users.gitea = { + users.users = mkIf (cfg.user == "gitea") { + gitea = { description = "Gitea Service"; home = cfg.stateDir; - createHome = true; useDefaultShell = true; + group = "gitea"; }; }; + users.groups.gitea = {}; + warnings = optional (cfg.database.password != "") ''config.services.gitea.database.password will be stored as plaintext in the Nix store. Use database.passwordFile instead.''; diff --git a/nixos/tests/gitea.nix b/nixos/tests/gitea.nix index cccf8c7cd44f..b8ab6dabc8c1 100644 --- a/nixos/tests/gitea.nix +++ b/nixos/tests/gitea.nix @@ -13,18 +13,8 @@ with pkgs.lib; machine = { config, pkgs, ... }: - { services.mysql.enable = true; - services.mysql.package = pkgs.mariadb; - services.mysql.ensureDatabases = [ "gitea" ]; - services.mysql.ensureUsers = [ - { name = "gitea"; - ensurePermissions = { "gitea.*" = "ALL PRIVILEGES"; }; - } - ]; - - services.gitea.enable = true; + { services.gitea.enable = true; services.gitea.database.type = "mysql"; - services.gitea.database.socket = "/run/mysqld/mysqld.sock"; }; testScript = '' @@ -42,10 +32,8 @@ with pkgs.lib; machine = { config, pkgs, ... }: - { - services.gitea.enable = true; + { services.gitea.enable = true; services.gitea.database.type = "postgres"; - services.gitea.database.passwordFile = pkgs.writeText "db-password" "secret"; }; testScript = '' |