{ config, lib, pkgs, flake, ... }: { age.secrets.forgejo-database-password = { file = "${flake.self}/secrets/forgejo-database-password.age"; mode = "600"; owner = "gitea"; }; age.secrets.forgejo-mailer-password = { file = "${flake.self}/secrets/forgejo-mailer-password.age"; mode = "600"; owner = "gitea"; }; services.nginx.virtualHosts."git.pub.solar" = { enableACME = true; forceSSL = true; locations."/user/login".extraConfig = '' return 302 /user/oauth2/keycloak; ''; locations."/" = { proxyPass = "http://127.0.0.1:3000"; extraConfig = '' client_max_body_size 1G; ''; }; }; services.gitea = { enable = true; package = pkgs.forgejo; appName = "pub.solar git server"; database = { type = "postgres"; passwordFile = config.age.secrets.forgejo-database-password.path; }; stateDir = "/var/lib/forgejo"; lfs.enable = true; mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path; settings = { server = { ROOT_URL = "https://git.pub.solar"; DOMAIN = "git.pub.solar"; HTTP_ADDR = "127.0.0.1"; HTTP_PORT = 3000; }; log.LEVEL = "Warn"; mailer = { ENABLED = true; PROTOCOL = "smtps"; SMTP_ADDR = "mx2.greenbaum.cloud"; SMTP_PORT = 465; FROM = ''"pub.solar git server" ''; USER = "admins@pub.solar"; }; "repository.signing" = { SIGNING_KEY = "default"; MERGES = "always"; }; openid = { ENABLE_OPENID_SIGNIN = true; ENABLE_OPENID_SIGNUP = true; }; service = { # uncomment after initial deployment, first user is admin user # required to setup SSO (oauth openid-connect, keycloak auth provider) ALLOW_ONLY_EXTERNAL_REGISTRATION = true; ENABLE_NOTIFY_MAIL = true; DEFAULT_KEEP_EMAIL_PRIVATE = true; }; session = { COOKIE_SECURE = lib.mkForce true; }; # See https://forgejo.org/docs/latest/admin/actions/ actions.ENABLED = true; # In an actions workflow, when uses: does not specify an absolute URL, # the value of DEFAULT_ACTIONS_URL is prepended to it. actions.DEFAULT_ACTIONS_URL = "https://code.forgejo.org"; }; }; # See: https://docs.gitea.io/en-us/signing/#installing-and-generating-a-gpg-key-for-gitea # Required for gitea server side gpg signatures # configured/setup manually in: # /var/lib/gitea/data/home/.gitconfig # /var/lib/gitea/data/home/.gnupg/ # sudo su gitea # export GNUPGHOME=/var/lib/gitea/data/home/.gnupg # gpg --quick-gen-key 'pub.solar gitea ' ed25519 # TODO: implement declarative GPG key generation and # gitea gitconfig programs.gnupg.agent = { enable = true; pinentryFlavor = "curses"; }; # Required to make gpg work without a graphical environment? # otherwise generating a new gpg key fails with this error: # gpg: agent_genkey failed: No pinentry # see: https://github.com/NixOS/nixpkgs/issues/97861#issuecomment-827951675 environment.variables = { GPG_TTY = "$(tty)"; }; services.restic.backups.forgejo = { paths = [ "/var/lib/forgejo" "/tmp/forgejo-backup.sql" ]; timerConfig = { OnCalendar = "*-*-* 02:00:00 Etc/UTC"; # droppie will be offline if nachtigall misses the timer Persistent = false; }; initialize = true; passwordFile = config.age.secrets."restic-repo-droppie".path; repository = "yule@droppie.b12f.io:/media/internal/backups-pub-solar"; backupPrepareCommand = '' ${pkgs.sudo}/bin/sudo -iu postgres ${pkgs.postgresql}/bin/pg_dump -d gitea > /tmp/forgejo-backup.sql ''; backupCleanupCommand = '' rm /tmp/forgejo-backup.sql ''; }; }