diff --git a/services/acme-cert-store.nix b/services/acme-cert-store.nix
index b53f1e6..9f758a8 100644
--- a/services/acme-cert-store.nix
+++ b/services/acme-cert-store.nix
@@ -5,7 +5,6 @@
       description = "Read-only access to certs";
       openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHj2PK6LHsanSqaz8Gf/VqHaurd5e6Y7KnZNBiHb9adT nextcloud"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDiJZWlmiEkVzlf5/KV/jKkCGlgp8mnEeCnwk/dhdctJ gitea"
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgIXTr7HxC13UNZP0UCALBRJuiDh4U0Nnd4GPIE4RQR vaultwarden"
       ];
     };
diff --git a/services/gitea.nix b/services/gitea.nix
index d805bbc..e76a21e 100644
--- a/services/gitea.nix
+++ b/services/gitea.nix
@@ -1,16 +1,21 @@
 { config, ... }:
 {
-  imports = [ ./cert-store-client.nix ];
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
-  networking.firewall.allowedTCPPorts = [ 443 ];
-  networking.firewall.allowedUDPPorts = [ 443 ];
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "vili.m.sinerva@gmail.com";
+  };
   services = {
     gitea = {
       enable = true;
       lfs.enable = true;
       appName = "Gitea for Vili Sinervä";
-      mailerPasswordFile = "${config.services.gitea.stateDir}/smtp_pass"; # TODO
+      mailerPasswordFile = "${config.services.gitea.stateDir}/smtp_pass";
       settings = {
         repository = {
@@ -19,7 +24,7 @@
         ui.DEFAULT_SHOW_FULL_NAME = true;
         "ui.meta".AUTHOR = "Gitea, hosted by Vili Sinervä";
         server = {
-          DOMAIN = "gitea.vsinerva.fi";
+          DOMAIN = "gitea.sinerva.eu";
           HTTP_PORT = 8000;
           ROOT_URL = "https://${config.services.gitea.settings.server.DOMAIN}";
         };
@@ -30,7 +35,7 @@
           SMTP_ADDR = "smtp.gmail.com";
           SMTP_PORT = 587;
           USER = "vmsskv12@gmail.com"; # Password set in file
-          FROM = "gitea@vsinerva.fi";
+          FROM = "gitea@sinerva.eu";
         };
         cron = {
           ENABLED = true;
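Review bot: Opening TCP 80 in the new `allowedTCPPorts` list is what makes the ACME HTTP-01 challenge and the `forceSSL` redirect reachable, but nothing in the hunk says so, and the parallel removal of UDP 443 is silent too; a short comment would keep the next edit from closing 80 again: `80 # ACME HTTP-01 challenge + HTTP->HTTPS redirect; TLS is terminated by nginx`. Dropping UDP 443 is the right tightening unless HTTP/3 is enabled on the nginx vhost, which is not visible here. The `# TODO` on `mailerPasswordFile` is removed without documenting how `${stateDir}/smtp_pass` gets there; since this config does not create it, I would keep a note such as `# provisioned out-of-band; must be owned by gitea, mode 0600` so the handling of the plaintext SMTP credential stays explicit. The `services` attribute set continues past the hunk.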
@@ -48,10 +53,9 @@
       recommendedProxySettings = true;
       virtualHosts.${config.services.gitea.settings.server.DOMAIN} = {
+        enableACME = true;
         forceSSL = true;
         kTLS = true;
-        sslCertificate = "/mnt/acme/fullchain.pem";
-        sslCertificateKey = "/mnt/acme/key.pem";
         locations."/" = {
           proxyPass = "http://localhost:8000";
         };
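Review bot: Now that `enableACME = true` makes this nginx vhost the TLS terminator and it proxies to `http://localhost:8000` in plaintext, Gitea's own listener should be bound to loopback; the `server` block earlier in the diff sets `HTTP_PORT = 8000` without an `HTTP_ADDR`, and if the module default is in effect the backend listens on all interfaces with only the firewall keeping it off the network. Adding `HTTP_ADDR = "127.0.0.1";` next to `HTTP_PORT` makes the proxy the only path in. With the `/mnt/acme` cert paths gone, it is worth confirming that the `/mnt/acme` mount and the removed `cert-store-client.nix` import are not still referenced elsewhere on this host. The enclosing `nginx` attribute set starts before the hunk.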