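{ config, pkgs, lib, ... }:
with lib;
let
  cfgBase = config.base;
  cfg = config.services.ppForgejo;
in
{
  # Forgejo behind a TLS-terminating nginx reverse proxy, with an optional
  # OpenID-only login flow and a custom theme package linked into the state dir.
  options.services.ppForgejo = {
    domain = mkOption {
      type = types.str;
      default = "git.${cfgBase.domainName}";
      example = "git.example.com";
      description = "The domain of the server";
    };
    openIdEnable = mkOption {
      type = types.bool;
      default = false;
      description = "If OpenId provider is setup and should be used exclusively.";
    };
    openIdClientName = mkOption {
      type = types.str;
      default = "";
      description = "The name (id) of the openId client to use exclusively.";
    };
    customPackage = mkOption {
      type = types.package;
      # Pinned by hash, so the fetched theme cannot change under us.
      default = pkgs.fetchgit {
        url = "https://git.mineau.eu/histausse/gitea_custom";
        sha256 = "0r1kjkn0mkfyp2lb8j59frh1vnd1m54swpqwiasvg77r04ibfmn5";
      };
      description = "The package for custom configs like theme.";
    };
    dbPasswordFile = mkOption {
      type = types.str;
      default = "/etc/forgejo_db_pwd";
      description = "The file containing the database password. Be sure to secure it.";
    };
  };

  config = {
    # The /user/login redirect below interpolates openIdClientName into the
    # OAuth2 URL; with the default empty name it would point at /user/oauth2/
    # and every login would break. Fail at evaluation time instead.
    assertions = [
      {
        assertion = cfg.openIdEnable -> cfg.openIdClientName != "";
        message = "services.ppForgejo.openIdClientName must be set when services.ppForgejo.openIdEnable is true.";
      }
    ];

    services.forgejo.enable = true;
    services.forgejo.appName = "git";
    # Default value; gitea used /var/lib/gitea — move it before migration!
    services.forgejo.stateDir = "/var/lib/forgejo";
    services.forgejo.rootUrl = "https://${cfg.domain}/";
    services.forgejo.domain = cfg.domain;
    services.forgejo.lfs.enable = true;
    # nginx below forces HTTPS, so the session cookie must only be sent over TLS.
    # mkForce overrides whatever the upstream forgejo module sets here
    # (original author's note: "Why do I need to override this???").
    services.forgejo.settings.session.COOKIE_SECURE = lib.mkForce true;

    # If true, openid users cannot create new account
    #services.forgejo.settings.service.DISABLE_REGISTRATION = lib.mkForce (!cfg.openIdEnable);
    services.forgejo.settings.service.DISABLE_REGISTRATION = lib.mkForce false;
    # With OpenID enabled, only externally authenticated users may register.
    services.forgejo.settings.service.ALLOW_ONLY_EXTERNAL_REGISTRATION = cfg.openIdEnable;

    # services.forgejo.database.type = "postgres"; # Default is sqlite3, probably better for a small instance
    services.forgejo.database.passwordFile = cfg.dbPasswordFile;
    services.forgejo.settings.repository.ENABLE_PUSH_CREATE_USER = true;
    services.forgejo.settings.repository.ENABLE_PUSH_CREATE_ORG = true;

    # Set the permissions for the db password file: readable only by the
    # forgejo service user.
    system.activationScripts = {
      forgejoDbFilePermission.text = ''
        chmod 400 ${cfg.dbPasswordFile}
        chown ${config.services.forgejo.user} ${cfg.dbPasswordFile}
      '';
    };

    environment.systemPackages = with pkgs; [ forgejo ];

    # Forgejo reads custom templates/themes from this directory.
    systemd.services.forgejo.environment.FORGEJO_CUSTOM = "${config.services.forgejo.stateDir}/custom";
    # Runs after the upstream preStart (mkAfter): make every directory under
    # stateDir owner-writable, then (re)create symlinks (-s) to the custom
    # package's files inside custom/, overwriting stale ones (-f).
    systemd.services.forgejo.preStart = lib.mkAfter ''
      find ${config.services.forgejo.stateDir}/ -type d -exec chmod u+w {} \;
      cp -f -s -r ${cfg.customPackage}/* ${config.services.forgejo.stateDir}/custom/
    '';

    services.forgejo.settings = {
      ui = {
        THEMES = "forgejo-auto,forgejo-light,forgejo-dark,auto,gitea,arc-green,plex,aquamarine,dark,dracula,hotline,organizr,space-gray,hotpink,onedark,overseerr,nord";
        DEFAULT_THEME = "forgejo-auto";
      };
      "ui.meta" = {
        DESCRIPTION = "Code everywhere";
      };
    };

    # NGINX
    security.acme.acceptTerms = true;
    security.acme.defaults.email = cfgBase.adminEmail;
    services.nginx = {
      enable = true;
      virtualHosts = {
        "${cfg.domain}" = {
          forceSSL = true;
          enableACME = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:3000";
            extraConfig = ''
              client_max_body_size 0;
              proxy_set_header X-Forwarded-Host $host;
              proxy_set_header X-Forwarded-Server $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
              proxy_set_header Host $host;
              proxy_pass_request_headers on;
            '';
          };
          # With OpenID enabled, bypass the local login form and go straight
          # to the configured OAuth2 client.
          locations."/user/login" = lib.mkIf (cfg.openIdEnable) {
            return = "301 https://$host/user/oauth2/${cfg.openIdClientName}";
          };
        };
      };
    };
    networking.firewall.allowedTCPPorts = [ 80 443 ];
  };
}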