nixos-modules/pp-gitea.nix

{ config, pkgs, lib, ... }:
with lib;
let
  cfgBase = config.base;
  cfg = config.services.ppGitea;
in
{
  options.services.ppGitea = {
    domain = mkOption {
      type = types.str;
      default = "git.${cfgBase.domainName}";
      example = "git.example.com";
      description = "The domain of the server";
    };
    openIdEnable = mkOption {
      type = types.bool;
      default = false;
      description = "If OpenId provider is setup and should be used exclusively.";
    };
    openIdClientName = mkOption {
      type = types.str;
      default = "";
      description = "The name (id) of the openId client to use exclusively.";
    };
    customPackage = mkOption {
      type = types.package;
      default = pkgs.fetchgit {
        url = "https://git.mineau.eu/histausse/gitea_custom";
        sha256 = "0r1kjkn0mkfyp2lb8j59frh1vnd1m54swpqwiasvg77r04ibfmn5";
      };
      description= "The package for custom configs like theme.";
    };
    dbPasswordFile = mkOption {
      type = types.str;
      default = "/etc/gitea_db_pwd";
      description = "The file containing the database password. Be sure to secure it.";
    };
  };

  config = {

    services.gitea.appName = "git";
    services.gitea.stateDir = "/var/lib/gitea"; # default value
    services.gitea.enable = true;
    services.gitea.rootUrl = "https://${cfg.domain}/";
    services.gitea.settings.session.COOKIE_SECURE = lib.mkForce true;        # Why do I need to override this???
    services.gitea.settings.service.DISABLE_REGISTRATION = lib.mkForce (!cfg.openIdEnable);
    services.gitea.settings.service.ALLOW_ONLY_EXTERNAL_REGISTRATION = cfg.openIdEnable;
    services.gitea.settings.openid.ENABLE_OPENID_SIGNUP = cfg.openIdEnable;
    services.gitea.lfs.enable = true;
    services.gitea.domain = cfg.domain;
    # services.gitea.database.type = "postgres"; # Default is sqlite3, probably better for a small instance
    services.gitea.database.passwordFile = cfg.dbPasswordFile;
    # Set the permittions for the db file
    system.activationScripts = {
      giteaDbFilePermission.text = 
      ''
        chmod 400 ${cfg.dbPasswordFile}
        chown ${config.services.gitea.user} ${cfg.dbPasswordFile}
      '';
    };
    environment.systemPackages = with pkgs; [
      gitea
    ];
    systemd.services.gitea.environment.GITEA_CUSTOM = "${config.services.gitea.stateDir}/custom";
    systemd.services.gitea.preStart = lib.mkAfter ''
      find ${config.services.gitea.stateDir}/ -type d -exec chmod u+w {} \;
      cp -f -s -r ${cfg.customPackage}/* ${config.services.gitea.stateDir}/custom/
    '';
    services.gitea.settings = {
      ui = {
        THEMES = "gitea,arc-green,plex,aquamarine,dark,dracula,hotline,organizr,space-gray,hotpink,onedark,overseerr,nord";
        DEFAULT_THEME = "dark";
      };
      "ui.meta" = {
        DESCRIPTION = "Code everywhere";
      };
    };
  

    # NGINX
    security.acme.acceptTerms = true;
    security.acme.defaults.email = cfgBase.adminEmail;
    services.nginx = {
        enable = true;
        virtualHosts = {
          "${cfg.domain}" = {
            forceSSL = true;
            enableACME = true;
            locations."/" = {
              proxyPass = "http://127.0.0.1:3000";
              extraConfig = ''
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-Server $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header Host $host;
                proxy_pass_request_headers on;
              '';
            };
            pkgs.lib.mkIf cfg.openIdEnable {
              locations."/user/login".globalRedirect = "$host/${cfg.openIdClientName}";
            };
          };
        };
      };
    networking.firewall.allowedTCPPorts = [ 80 443 ];
  };
}