os/hosts/flora-6/gitea.nix

{
  config,
  lib,
  pkgs,
  self,
  ...
}: {
  age.secrets.gitea-database-password = {
    file = "${self}/secrets/gitea-database-password.age";
    mode = "600";
    owner = "gitea";
  };
  age.secrets.gitea-mailer-password = {
    file = "${self}/secrets/gitea-mailer-password.age";
    mode = "600";
    owner = "gitea";
  };

  users.users.git = {
    description = "Gitea SSH Service";
    home = "/var/lib/gitea/git";
    useDefaultShell = false;
    uid = 995;
    isSystemUser = true;
  };

  virtualisation = {
    docker = {
      enable = true; # sadly podman is not supported rightnow
    };

    oci-containers = {
      backend = "docker";
      containers."gitea" = {
        image = "gitea:gitea:1.18.3";
        autoStart = true;
        user = "995";
        ports = [
          "127.0.0.1:3000:3000"
          "127.0.0.1:2222:22"
        ];
        volumes = [
          "/var/lib/gitea:/data"
          # Secrets go in the app.ini file, the rest wil be done in nix via environment variables
          "/var/lib/gitea/custom/conf/app.ini:/${config.age.secrets.gitea-secrets-app-ini.path}"
          "/etc/timezone:/etc/timezone:ro"
          "/etc/localtime:/etc/localtime:ro"
        ];
        extraOptions = [
          "--network=gitea"
        ];
        environment = {
          USER_UID = "postgres";
          USER_GID = "postgres";
          RUN_MODE = "prod";
          SSH_DOMAIN = "git.pub.solar";
          ROOT_URL = "git.pub.solar";
          DB_TYPE = "postgres";
          DB_HOST = "gitea-db";
          DISABLE_REGISTRATION = "true";
        };
      };

      containers."gitea-db" = {
        image = "postgres:14";
        autoStart = true;
        volumes = [
          "/var/lib/gitea-db:/var/lib/postgresql/data"
        ];
        extraOptions = [
          "--network=gitea"
        ];
        environmentFiles = [
          config.age.secrets.gitea-db-secrets.path
        ];
      };
    };
  };

  # gitea
  services.gitea = {
    enable = true;
    appName = "pub.solar git server";
    database = {
      type = "postgres";
      passwordFile = config.age.secrets.gitea-database-password.path;
    };
    domain = "git.pub.solar";
    httpAddress = "127.0.0.1";
    httpPort = 3000;
    lfs.enable = true;
    mailerPasswordFile = config.age.secrets.gitea-mailer-password.path;
    rootUrl = "https://git.pub.solar";
    settings = {
      mailer = {
        ENABLED = true;
        MAILER_TYPE = "smtp";
        HOST = "mx2.greenbaum.cloud:465";
        FROM = ''"pub.solar git server" <gitea@pub.solar>'';
        USER = "admins@pub.solar";
      };
      # currently broken, gpg core dumps
      #"repository.signing" = {
      #  SIGNING_KEY = "default";
      #  MERGES = "always";
      #};
      openid = {
        ENABLE_OPENID_SIGNIN = true;
        ENABLE_OPENID_SIGNUP = true;
      };
      # uncomment after initial deployment, first user is admin user
      # required to setup SSO (oauth openid-connect, keycloak auth provider)
      service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
      session.COOKIE_SECURE = lib.mkForce true;
    };
  };

  # Required for gitea server side gpg signatures
  # configured / setup manually in
  # /var/lib/gitea/data/home/.gitconfig and
  # /var/lib/gitea/data/home/.gnupg/
  programs.gnupg.agent = {
    enable = true;
    pinentryFlavor = "curses";
  };
  # Required to make gpg work without a graphical environment?
  # otherwise generating a new gpg key fails with this error:
  # gpg: agent_genkey failed: No pinentry
  # see: https://github.com/NixOS/nixpkgs/issues/97861#issuecomment-827951675
  environment.variables = {
    GPG_TTY = "$(tty)";
  };
}