From 41ee11094fabb788d375f48db2ced6191ace7822 Mon Sep 17 00:00:00 2001
From: Jean-Marie 'Histausse' Mineau
Date: Sat, 10 Feb 2024 18:31:53 +0100
Subject: [PATCH] add config for forgejo
---
pp-forgejo.nix | 114 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 114 insertions(+)
create mode 100644 pp-forgejo.nix
diff --git a/pp-forgejo.nix b/pp-forgejo.nix
new file mode 100644
index 0000000..8218871
--- /dev/null
+++ b/pp-forgejo.nix
@@ -0,0 +1,114 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+ cfgBase = config.base;
+ cfg = config.services.ppForgejo;
+in
+{
+ options.services.ppForgejo = {
+ domain = mkOption {
+ type = types.str;
+ default = "git.${cfgBase.domainName}";
+ example = "git.example.com";
+ description = "The domain of the server";
+ };
+ openIdEnable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "If OpenId provider is setup and should be used exclusively.";
+ };
+ openIdClientName = mkOption {
+ type = types.str;
+ default = "";
+ description = "The name (id) of the openId client to use exclusively.";
+ };
+ customPackage = mkOption {
+ type = types.package;
+ default = pkgs.fetchgit {
+ url = "https://git.mineau.eu/histausse/gitea_custom";
+ sha256 = "0r1kjkn0mkfyp2lb8j59frh1vnd1m54swpqwiasvg77r04ibfmn5";
+ };
+ description= "The package for custom configs like theme.";
+ };
+ dbPasswordFile = mkOption {
+ type = types.str;
+ default = "/etc/forgejo_db_pwd";
+ description = "The file containing the database password. Be sure to secure it.";
+ };
+ };
+
+ config = {
+
+ services.forgejo.appName = "git";
+ services.forgejo.stateDir = "/var/lib/forgejo"; # default value, /var/lib/gitea in gitea, move it before migration!
+ services.forgejo.enable = true;
+ services.forgejo.rootUrl = "https://${cfg.domain}/";
+ services.forgejo.settings.session.COOKIE_SECURE = lib.mkForce true; # Why do I need to override this???
+
+ # If true, openid users cannot create new account
+ #services.forgejo.settings.service.DISABLE_REGISTRATION = lib.mkForce (!cfg.openIdEnable);
+ services.forgejo.settings.service.DISABLE_REGISTRATION = lib.mkForce false;
+ services.forgejo.settings.service.ALLOW_ONLY_EXTERNAL_REGISTRATION = cfg.openIdEnable;
+
+ services.forgejo.lfs.enable = true;
+ services.forgejo.domain = cfg.domain;
+ # services.forgejo.database.type = "postgres"; # Default is sqlite3, probably better for a small instance
+ services.forgejo.database.passwordFile = cfg.dbPasswordFile;
+ # Set the permittions for the db file
+ system.activationScripts = {
+ forgejoDbFilePermission.text =
+ ''
+ chmod 400 ${cfg.dbPasswordFile}
+ chown ${config.services.forgejo.user} ${cfg.dbPasswordFile}
+ '';
+ };
+ environment.systemPackages = with pkgs; [
+ forgejo
+ ];
+ systemd.services.forgejo.environment.FORGEJO_CUSTOM = "${config.services.forgejo.stateDir}/custom";
+ systemd.services.forgejo.preStart = lib.mkAfter ''
+ find ${config.services.forgejo.stateDir}/ -type d -exec chmod u+w {} \;
+ cp -f -s -r ${cfg.customPackage}/* ${config.services.forgejo.stateDir}/custom/
+ '';
+ services.forgejo.settings = {
+ ui = {
+ THEMES = "forgejo-auto,forgejo-light,forgejo-dark,auto,gitea,arc-green,plex,aquamarine,dark,dracula,hotline,organizr,space-gray,hotpink,onedark,overseerr,nord";
+ DEFAULT_THEME = "forgejo-auto";
+ };
+ "ui.meta" = {
+ DESCRIPTION = "Code everywhere";
+ };
+ };
+
+
+ # NGINX
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = cfgBase.adminEmail;
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "${cfg.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:3000";
+ extraConfig = ''
+ client_max_body_size 0;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+ proxy_pass_request_headers on;
+ '';
+ };
+ locations."/user/login" = lib.mkIf (cfg.openIdEnable) {
+ return = "301 https://$host/user/oauth2/${cfg.openIdClientName}";
+ };
+ };
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ };
+}
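Review bot: The `locations."/user/login"` redirect is built from `cfg.openIdClientName`, whose default is `""`, so enabling `openIdEnable` without setting the client name silently sends every login to `/user/oauth2/` and nothing in the module rejects that combination; add under `config` an assertion such as `assertions = [ { assertion = !cfg.openIdEnable || cfg.openIdClientName != ""; message = "services.ppForgejo.openIdClientName must be set when openIdEnable is true"; } ];`. Note also that with `openIdEnable = false` the pair `DISABLE_REGISTRATION = lib.mkForce false` / `ALLOW_ONLY_EXTERNAL_REGISTRATION = false` leaves self-registration open to anyone who can reach the host, which is worth stating in the `openIdEnable` option description so the default posture is explicit. The `dbPasswordFile` activation script only tightens permissions on a file that already exists; if the file is absent at activation the `chmod` presumably just errors, so the description should say the operator must create it before switching. Finally, `customPackage`'s `fetchgit` gives a `sha256` but no `rev`, so it fetches the remote HEAD and will fail the hash check as soon as upstream moves; pinning `rev = "<commit>"` keeps the default reproducible.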