 1{lib, ...}: {
 2  flake.modules.nixos."services/forgejo" = {
 3    config,
 4    pkgs,
 5    ...
 6  }: {
 7    services.forgejo = {
 8      enable = true;
 9      package = pkgs.forgejo;
10      user = "git";
11      group = "forgejo";
12      database = {
13        type = "sqlite3";
14      };
15      settings = {
16        default = {
17          APP_NAME = "Forgejo"; # TODO: A new name for my forgejo instance.
18          APP_SLOGAN = "Beyond coding. We Forge."; # TODO: A new slogan.
19        };
20        server = {
21          DOMAIN = "repo.hpcesia.com";
22          HTTP_ADDR = "127.0.0.1";
23          HTTP_PORT = 3125;
24          PROTOCOL = "http";
25          START_SSH_SERVER = true;
26          SSH_PORT = 2233;
27          ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}/";
28        };
29        service = {
30          DISABLE_REGISTRATION = true;
31          ENABLE_NOTIFY_MAIL = true;
32          ENABLE_BASIC_AUTHENTICATION = false;
33        };
34        repository = {
35          DEFAULT_REPO_UNITS = "repo.code,repo.releases";
36        };
37        mailer = {
38          ENABLED = true;
39          PROTOCOL = "smtps";
40          SMTP_ADDR = "glacier.mxrouting.net";
41          SMTP_PORT = 465;
42          USER = "info@hpcesia.com";
43          FROM = "Forgejo Infomation <info@hpcesia.com>";
44          SUBJECT_PREFIX = "[repo.hpcesia.com] ";
45        };
46        # TODO: Enable federation after I finalize a suitable instance name and switch to an independent domain.
47        federation.ENABLED = false;
48        session.COOKIE_SECURE = true;
49        log = {
50          LEVEL = "Info";
51          ENABLE_SSH_LOG = true; # Enable ssh log for fail2ban.
52          "logger.router.MODE" = "Error";
53        };
54        actions = {
55          ENABLED = true;
56        };
57      };
58      secrets = {
59        mailer.PASSWD = config.vaultix.secrets.forgejo-mailer-password.path;
60      };
61    };
62
63    users.users."git" = {
64      isSystemUser = true;
65      useDefaultShell = true;
66      group = config.services.forgejo.group;
67      home = config.services.forgejo.stateDir;
68    };
69
70    networking.firewall.allowedTCPPorts = [
71      config.services.forgejo.settings.server.SSH_PORT
72    ];
73
74    services.caddy.virtualHosts."repo.hpcesia.com".extraConfig =
75      lib.mkIf config.services.caddy.enable
76      (let
77        localAddress = "http://localhost:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}";
78      in ''
79        encode zstd gzip
80        reverse_proxy ${localAddress}
81      '');
82
83    vaultix.secrets.forgejo-mailer-password = {
84      file = ./mailer-password.age;
85      owner = "root";
86      group = "forgejo";
87      mode = "0440";
88    };
89  };
90}