From 8ee11574f6917805da831fae1ed1d0a6824ab1ae Mon Sep 17 00:00:00 2001 From: Erwin Boskma Date: Wed, 26 Oct 2022 17:12:39 +0200 Subject: [PATCH] Tweak gitea config --- machines/gitea/configuration.nix | 3 +++ modules/gitea/default.nix | 6 +++--- modules/nix-common/default.nix | 2 +- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/machines/gitea/configuration.nix b/machines/gitea/configuration.nix index 4bf16b7..c78ffea 100644 --- a/machines/gitea/configuration.nix +++ b/machines/gitea/configuration.nix @@ -41,6 +41,9 @@ environment.noXlibs = true; + security.sudo.execWheelOnly = true; + security.pam.enableSSHAgentAuth = true; + # services.openssh.enable = true; sops.defaultSopsFile = ./secrets.yaml; diff --git a/modules/gitea/default.nix b/modules/gitea/default.nix index e61641d..abc2a29 100644 --- a/modules/gitea/default.nix +++ b/modules/gitea/default.nix @@ -36,9 +36,7 @@ in }; log.LEVEL = "Warn"; - DISABLE_REGISTRATION = true; - COOKIE_SECURE = true; - + database = { LOG_SQL = false; }; @@ -50,6 +48,7 @@ in service = { DEFAULT_KEEP_EMAIL_PRIVATE = true; + DISABLE_REGISTRATION = true; }; picture = { @@ -59,6 +58,7 @@ in session = { PROVIDER = "db"; SAME_SITE = "strict"; + COOKIE_SECURE = true; }; webhook = { diff --git a/modules/nix-common/default.nix b/modules/nix-common/default.nix index 76a3f8a..5dab9ac 100644 --- a/modules/nix-common/default.nix +++ b/modules/nix-common/default.nix @@ -47,7 +47,7 @@ in settings = { auto-optimise-store = true; allowed-users = [ "root" ]; - trusted-users = [ "root" ]; + trusted-users = [ "root" "@wheel" ]; substituters = [ "https://nix-community.cachix.org" "https://marcus7070.cachix.org"
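Review bot: `security.pam.enableSSHAgentAuth = true;` lets sudo accept a signature from a forwarded SSH agent in place of a password, and nothing in this hunk pins which key files are trusted for that. Depending on the nixpkgs revision, the module may consult the user-writable `~/.ssh/authorized_keys`, in which case any process running as a wheel user could add its own key and pass sudo authentication. On releases that expose `security.pam.sshAgentAuth.authorizedKeysFiles`, restrict it to root-owned paths; otherwise keep keys only in `users.users.<name>.openssh.authorizedKeys.keys`, and record the constraint with a comment such as `# sudo via forwarded agent: trusted keys must come from root-owned files only`. `services.openssh.enable` is still commented out in the context shown, so confirm sshd is enabled elsewhere; the enclosing attribute set starts and ends outside the hunk.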
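Review bot: `DISABLE_REGISTRATION` and `COOKIE_SECURE` move from the top level of the settings into `service` (hunk at -50) and `session` (hunk at -59), and neither the commit message nor a comment records that this changes what Gitea actually enforces. Gitea reads these keys from the `[service]` and `[session]` sections, so the old top-level placement was probably ignored and self-registration may have been open until now; it is worth reviewing the user list for accounts created in that window. A short comment such as `# must stay under service: ignored at top level` on the moved line would keep a later tidy-up from undoing it. The replacement line added in the -36 hunk appears to contain only whitespace and could be dropped.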
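Review bot: `trusted-users = [ "root" "@wheel" ];` makes every wheel account root-equivalent towards the Nix daemon without any sudo authentication, since trusted users may pass arbitrary substituters and import unsigned store paths. It also widens the `allowed-users = [ "root" ];` line directly above, because trusted users are always allowed to connect. As this sits in `nix-common` it presumably applies to every machine importing the module, not only the gitea host. If the goal is remote deployment, I would keep `trusted-users = [ "root" ];` here and add a single named deploy user on the machines that need it, or at least add `# @wheel is root-equivalent to the daemon; needed for <reason>` next to the change. The settings block starts and ends outside the hunk.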