# SPDX-FileCopyrightText: 2021-2023 Simon Bruder
#
# SPDX-License-Identifier: AGPL-3.0-or-later

# NixOS module for a Forgejo instance at git.sbruder.de.
# It is served through nginx (TLS via ACME) over a unix socket, with
# PostgreSQL as database, Git LFS, Forgejo's built-in SSH server, and
# an SMTP password supplied through sops-nix.
{ config, lib, pkgs, ... }:
let
  cfg = config.services.forgejo;
in
{
  # SMTP password, decrypted by sops-nix and owned by the Forgejo service user,
  # so that account can read it.
  sops.secrets.forgejo-mail = {
    owner = cfg.user;
    sopsFile = ../secrets.yaml;
  };

  # Adds the "keys" group to the service.
  # NOTE(review): presumably needed to reach the sops-nix secret directory;
  # it also lets the service read any other secret that is readable by group
  # "keys". Confirm the group is actually required.
  systemd.services.forgejo.serviceConfig.SupplementaryGroups = [ "keys" ];

  services.forgejo = {
    enable = true;
    lfs.enable = true;
    database.type = "postgres";
    # The password is referenced by file path; its value does not appear in
    # the settings below.
    mailerPasswordFile = config.sops.secrets.forgejo-mail.path;

    settings = {
      DEFAULT.APP_NAME = "sbrudergit";

      mailer = {
        ENABLED = true;
        PROTOCOL = "smtps"; # SMTP over TLS
        SMTP_ADDR = "vueko.sbruder.de";
        FROM = "forgejo@sbruder.de";
        USER = "forgejo@sbruder.de";
      };

      avatar.DISABLE_GRAVATAR = true;

      server = {
        # http server
        # Forgejo listens on a unix socket only; nginx (below) is the
        # TLS-terminating front end.
        DOMAIN = "git.sbruder.de";
        PROTOCOL = "http+unix";
        ROOT_URL = "https://git.sbruder.de/";

        # privacy
        # NOTE(review): with the router log disabled and LEVEL = "Warn",
        # Forgejo itself keeps little per-request data; if a request-level
        # audit trail is needed for incident response it has to come from
        # elsewhere (e.g. the reverse proxy's logs).
        DISABLE_ROUTER_LOG = true;
        OFFLINE_MODE = true;

        # internal ssh server
        # SSH_PORT is also opened in the firewall at the end of this module,
        # so this listener is reachable from the network.
        BUILTIN_SSH_SERVER_USER = "git";
        START_SSH_SERVER = true;
        SSH_PORT = 2022;
        # NOTE(review): an RSA host key is offered alongside ed25519; confirm
        # it is still required and of adequate size.
        SSH_SERVER_HOST_KEYS = "ssh/forgejo.ed25519,ssh/forgejo.rsa";
      };

      service = {
        DEFAULT_ALLOW_CREATE_ORGANIZATION = false;
        DEFAULT_KEEP_EMAIL_PRIVATE = true;
        ENABLE_NOTIFY_MAIL = true;
        NO_REPLY_ADDRESS = "users.git.sbruder.de";
        # New accounts must be confirmed manually.
        # NOTE(review): DISABLE_REGISTRATION is not set in this module, so the
        # sign-up form presumably stays reachable; confirm this is intended.
        REGISTER_MANUAL_CONFIRM = true;
      };

      session = {
        PROVIDER = "file";
        # Matches the https ROOT_URL: session cookies are marked Secure.
        COOKIE_SECURE = true;
      };

      log.LEVEL = "Warn";
    };
  };

  services.nginx.virtualHosts."git.sbruder.de" = {
    enableACME = true;
    forceSSL = true;
    locations."/".proxyPass = "http://unix:/run/forgejo/forgejo.sock";
    # NOTE(review): the 1G body limit applies to the whole virtual host, not
    # only LFS endpoints. Make sure disk space and quotas tolerate uploads of
    # that size.
    extraConfig = ''
      client_max_body_size 1G; # Git LFS
    '';
  };

  # Exposes the built-in SSH server's port.
  networking.firewall.allowedTCPPorts = [ cfg.settings.server.SSH_PORT ];
}