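# NixOS module for a self-hosted Forgejo instance: PostgreSQL-backed, fronted
# by Caddy, with a Podman-based actions runner. Enabled through
# `<namespace>.services.development.forgejo.enable`.
{ config, lib, pkgs, namespace, ... }:
let
  inherit (lib) mkIf mkEnableOption;
  cfg = config.${namespace}.services.development.forgejo;
  # Public hostname; reused for ROOT_URL, the runner URL and the Caddy vhost.
  domain = "git.amarth.cloud";

  # PLACEHOLDER paths -- replace with files provided by the host's secret
  # manager (e.g. sops-nix, or `config.age.secrets.<name>.path` with agenix).
  # Secrets are referenced by path on purpose: anything written into a Nix
  # string literal ends up world-readable in /nix/store and in version control.
  runnerTokenFile = "/CHANGE-ME/forgejo-runner-token.env";
  mailerPasswordFile = "/CHANGE-ME/forgejo-mailer-passwd";
in
{
  options.${namespace}.services.development.forgejo = {
    enable = mkEnableOption "Forgejo";
  };

  config = mkIf cfg.enable {
    ${namespace}.services = {
      persistance.postgresql.enable = true;
      virtualisation.podman.enable = true;
    };

    environment.systemPackages = with pkgs; [ forgejo ];

    services = {
      forgejo = {
        enable = true;
        useWizard = false;
        database.type = "postgres";

        # Runtime-loaded secrets. The module injects the file contents into the
        # generated app.ini at service start instead of storing them in the
        # Nix store; the key must therefore NOT also appear under `settings`.
        secrets.mailer.PASSWD = mailerPasswordFile;

        settings = {
          DEFAULT = {
            APP_NAME = "Tamin Amarth";
            APP_SLOGAN = "Where code is forged";
          };

          server = {
            DOMAIN = domain;
            ROOT_URL = "https://${domain}/";
            # Caddy is the only intended client of this port (it proxies to
            # 127.0.0.1:5002 below), so do not expose it on other interfaces.
            HTTP_ADDR = "127.0.0.1";
            HTTP_PORT = 5002;
            LANDING_PAGE = "explore";
          };

          cors = {
            ENABLED = true;
            ALLOW_DOMAIN = "https://*.amarth.cloud";
          };

          security = {
            INSTALL_LOCK = true;
            PASSWORD_HASH_ALGO = "argon2";
            DISABLE_WEBHOOKS = true;
          };

          ui = {
            EXPLORE_PAGING_NUM = 50;
            ISSUE_PAGING_NUM = 50;
            MEMBERS_PAGING_NUM = 50;
          };

          "ui.meta" = {
            AUTHOR = "Where code is forged!";
            DESCRIPTION = "Self-hosted solution for git, because FOSS is the anvil of the future";
          };

          admin = {
            USER_DISABLED_FEATURES = "manage_gpg_keys";
            EXTERNAL_USER_DISABLE_FEATURES = "manage_gpg_keys";
          };

          service = {
            # Auth: accounts come only from the external (OpenID/OAuth2)
            # provider; no self-service local registration.
            ENABLE_BASIC_AUTHENTICATION = false;
            DISABLE_REGISTRATION = false;
            ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
            SHOW_REGISTRATION_BUTTON = false;

            # Privacy
            DEFAULT_KEEP_EMAIL_PRIVATE = true;
            DEFAULT_USER_VISIBILITY = "private";
            DEFAULT_ORG_VISIBILITY = "private";

            # Common sense
            VALID_SITE_URL_SCHEMES = "https";
          };

          openid = {
            ENABLE_OPENID_SIGNIN = true;
            ENABLE_OPENID_SIGNUP = true;
            WHITELISTED_URIS = "https://auth.amarth.cloud";
          };

          oauth2_client = {
            ENABLE_AUTO_REGISTRATION = true;
            UPDATE_AVATAR = true;
            ACCOUNT_LINKING = "auto";
          };

          actions = {
            ENABLED = true;
            # DEFAULT_ACTIONS_URL = "https://data.forgejo.org";
          };

          other = {
            SHOW_FOOTER_VERSION = false;
            SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
          };

          api = {
            ENABLE_SWAGGER = false;
          };

          mirror = {
            ENABLED = false;
          };

          session = {
            PROVIDER = "db";
            COOKIE_SECURE = true;
          };

          mailer = {
            ENABLED = true;
            PROTOCOL = "smtp+starttls";
            SMTP_ADDR = "black-mail.nl";
            SMTP_PORT = 587;
            FROM = "info@amarth.cloud";
            USER = "info@amarth.cloud";
            # PASSWD is supplied via `services.forgejo.secrets.mailer.PASSWD`.
          };
        };
      };

      openssh.settings.AllowUsers = [ "forgejo" ];

      gitea-actions-runner = {
        package = pkgs.forgejo-actions-runner;
        instances.default = {
          enable = true;
          name = "default";
          url = "https://${domain}";
          # tokenFile is handed to systemd as an EnvironmentFile, so the file
          # must contain a single line of the form `TOKEN=<registration token>`.
          # A registration token that was ever committed here in plain text
          # should be considered exposed and regenerated in the Forgejo admin UI.
          tokenFile = runnerTokenFile;
          labels = [
            "default:docker://nixos/nix:latest"
            "ubuntu:docker://ubuntu:24-bookworm"
            "nix:docker://git.amarth.cloud/amarth/runners/default:latest"
          ];
          settings = {
            log.level = "info";
          };
        };
      };

      caddy = {
        enable = true;
        virtualHosts = {
          # TLS termination and the public entry point; Forgejo itself only
          # listens on loopback. The login rewrite is still commented out, so
          # the local login form remains reachable (see the author's note).
          ${domain}.extraConfig = ''
            # import auth-z
            # stupid dumb way to prevent the login page and go to zitadel instead
            # be aware that this does not disable local login at all!
            # rewrite /user/login /user/oauth2/Zitadel
            reverse_proxy http://127.0.0.1:5002
          '';
        };
      };
    };
  };
}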