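# NixOS module: a Forgejo instance fronted by nginx (ACME/TLS), with optional
# exclusive OpenID login and optional Forgejo Actions.
#
# Exposed options live under `services.ppForgejo`; everything else here is the
# opinionated wiring of `services.forgejo`, `services.nginx`, ACME and the
# firewall that those options feed into.
{ config, pkgs, lib, ... }:

with lib;

let
  cfgBase = config.base;
  cfg = config.services.ppForgejo;
in
{
  options.services.ppForgejo = {
    domain = mkOption {
      type = types.str;
      default = "git.${cfgBase.domainName}";
      example = "git.example.com";
      description = "The domain of the server";
    };

    openIdEnabled = mkOption {
      type = types.bool;
      default = false;
      description = "If OpenId provider is setup and should be used exclusively.";
    };

    openIdClientName = mkOption {
      type = types.str;
      default = "";
      description = "The name (id) of the openId client to use exclusively.";
    };

    dbPasswordFile = mkOption {
      type = types.path;
      default = "/etc/forgejo_db_pwd";
      description = "The file containing the database password. Be sure to secure it.";
    };

    actionsEnabled = mkOption {
      type = types.bool;
      default = false;
      description = "Enable the use of actions";
    };
  };

  config = {
    # The /user/login redirect below interpolates openIdClientName into a URL;
    # an empty name would silently produce a broken login redirect, so refuse
    # to evaluate that configuration.
    assertions = [
      {
        assertion = cfg.openIdEnabled -> cfg.openIdClientName != "";
        message = "services.ppForgejo.openIdClientName must be set when services.ppForgejo.openIdEnabled is true.";
      }
    ];

    services.forgejo.enable = true;
    services.forgejo.settings.DEFAULT.APP_NAME = "git";

    # Default value; /var/lib/gitea in gitea. Move it before migration!
    # Careful to change ownership from gitea to forgejo
    # and to move /var/lib/forgejo/data/gitea.db to /var/lib/forgejo/data/forgejo.db
    services.forgejo.stateDir = "/var/lib/forgejo";

    services.forgejo.settings.server.ROOT_URL = "https://${cfg.domain}/";
    services.forgejo.settings.server.DOMAIN = cfg.domain;
    # nginx below proxies to 127.0.0.1:3000; bind Forgejo's own HTTP listener to
    # loopback so the unencrypted port is not reachable from other interfaces
    # even if the firewall rules change. (The nixpkgs default is believed to be
    # 0.0.0.0 - verify against the module if this matters.)
    services.forgejo.settings.server.HTTP_ADDR = "127.0.0.1";
    # Why do I need to override this???
    services.forgejo.settings.session.COOKIE_SECURE = lib.mkForce true;

    # Run as the conventional "git" user so SSH clone URLs read git@<domain>.
    services.forgejo.user = "git";
    users.users.git = {
      home = config.services.forgejo.stateDir;
      useDefaultShell = true;
      isSystemUser = true;
      group = "git";
    };
    users.groups.git = { };

    # Registration policy. With openIdEnabled, only accounts created through the
    # external provider are allowed; without it, self-registration stays open.
    # If true, openid users cannot create new account
    #services.forgejo.settings.service.DISABLE_REGISTRATION = lib.mkForce (!cfg.openIdEnabled);
    services.forgejo.settings.service.DISABLE_REGISTRATION = lib.mkForce false;
    services.forgejo.settings.service.ALLOW_ONLY_EXTERNAL_REGISTRATION = cfg.openIdEnabled;

    services.forgejo.lfs.enable = true;

    # services.forgejo.database.type = "postgres"; # Default is sqlite3, probably better for a small instance
    services.forgejo.database.passwordFile = cfg.dbPasswordFile;

    services.forgejo.settings.repository = {
      ENABLE_PUSH_CREATE_USER = true;
      ENABLE_PUSH_CREATE_ORG = true;
      DEFAULT_REPO_UNITS = "repo.code,repo.releases,repo.issues,repo.pulls,repo.wiki,repo.projects,repo.packages,repo.actions";
    };

    # Set the permissions for the db password file: owner-readable only, owned
    # by the Forgejo service user. Depends on "users" so the chown target exists
    # on first activation (otherwise alphabetical ordering would run this first).
    system.activationScripts.forgejoDbFilePermission = {
      deps = [ "users" ];
      text = ''
        chmod 400 ${cfg.dbPasswordFile}
        chown ${config.services.forgejo.user} ${cfg.dbPasswordFile}
      '';
    };

    environment.systemPackages = with pkgs; [ forgejo ];

    systemd.services.forgejo.environment.FORGEJO_CUSTOM = "${config.services.forgejo.stateDir}/custom";

    services.forgejo.settings = {
      ui = {
        THEMES = "forgejo-auto,forgejo-light,forgejo-dark,auto,gitea,arc-green";
        DEFAULT_THEME = "forgejo-auto";
      };
      "ui.meta" = {
        DESCRIPTION = "Code everywhere";
      };
    };

    # Forgejo's app.ini key is DEFAULT_ACTIONS_URL (plural); the singular
    # spelling is not a recognised key and would be ignored, leaving the
    # upstream default in effect.
    services.forgejo.settings.actions = lib.mkIf cfg.actionsEnabled {
      ENABLED = true;
      DEFAULT_ACTIONS_URL = "https://${cfg.domain}";
    };

    # NGINX
    security.acme.acceptTerms = true;
    security.acme.defaults.email = cfgBase.adminEmail;

    services.nginx = {
      enable = true;
      virtualHosts."${cfg.domain}" = {
        forceSSL = true;
        enableACME = true;

        locations."/" = {
          proxyPass = "http://127.0.0.1:3000";
          # client_max_body_size 0 removes nginx's upload limit (large LFS pushes);
          # any bound on request size must then come from Forgejo itself.
          extraConfig = ''
            client_max_body_size 0;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $host;
            proxy_pass_request_headers on;
          '';
        };

        # With an exclusive OpenID provider, skip the local login form and send
        # users straight to the provider's OAuth2 entry point.
        locations."/user/login" = lib.mkIf cfg.openIdEnabled {
          return = "301 https://$host/user/oauth2/${cfg.openIdClientName}";
        };
      };
    };

    # Only the TLS-terminating proxy is exposed; Forgejo's port 3000 stays local.
    networking.firewall.allowedTCPPorts = [ 80 443 ];
  };
}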