{ config, lib, pkgs, self', self, ... }:
# Forgejo host module: the service itself, its agenix-managed secrets, an
# Anubis front-proxy instance, a local actions runner and a Prometheus scrape job.
let
  forgejoEnabled = config.services.forgejo.enable;
  forgejoSettings = config.services.forgejo.settings;

  # Decrypted path of an age secret, looked up by option name.
  secretPath = name: config.age.secrets.${name}.path;

  # Every forgejo secret is owned by (and only readable as) the service user.
  secretOwner = { owner = "forgejo"; group = "forgejo"; };

  # Encrypted files keyed by short name; the age option becomes "forgejo-<name>".
  secretFiles = {
    db-pw = ./secrets/forgejo/db-pw.age;
    mail-pw = ./secrets/forgejo/mail-pw.age;
    aux-docs-runner-token = ./secrets/forgejo/aux-docs-runner-token.age;
    default-runner-token = ./secrets/forgejo/default-runner-token.age;
    gitgay-runner-token = ./secrets/forgejo/gitgay-runner-token.age;
    internal-token = ./secrets/forgejo/internal-token.age;
    oauth2-jwt-secret = ./secrets/forgejo/oauth2-jwt-secret.age;
    lfs-jwt-secret = ./secrets/forgejo/lfs-jwt-secret.age;
    secret-key = ./secrets/forgejo/secret-key.age;
  };

  # Shared service data (external hostname, listen ports).
  git = self.lib.data.services.git;

  oneWeek = 86400 * 7;
in
{
  catppuccin.forgejo.enable = true;

  py.services.forgejo-runner = {
    enable = true;
    tokenFile = secretPath "forgejo-default-runner-token";
  };

  services.forgejo = {
    enable = true;
    package = pkgs.forgejo;
    lfs.enable = true;

    database = {
      type = "postgres";
      createDatabase = true;
      passwordFile = secretPath "forgejo-db-pw";
    };

    # NOTE(review): mkForce presumably overrides values the NixOS module would
    # otherwise generate itself, so the age-managed material is authoritative
    # across rebuilds — confirm against the module's defaults.
    secrets = {
      mailer = {
        PASSWD = secretPath "forgejo-mail-pw";
      };
      security = {
        SECRET_KEY = lib.mkForce (secretPath "forgejo-secret-key");
        INTERNAL_TOKEN = lib.mkForce (secretPath "forgejo-internal-token");
      };
      oauth2 = {
        JWT_SECRET = lib.mkForce (secretPath "forgejo-oauth2-jwt-secret");
      };
      server = {
        LFS_JWT_SECRET = lib.mkForce (secretPath "forgejo-lfs-jwt-secret");
      };
    };

    settings = {
      DEFAULT = {
        APP_NAME = "PyroNet Git";
        RUN_MODE = "prod";
      };

      attachment.MAX_SIZE = 200;

      # Router (per-request) logging is switched off here, so the request-level
      # audit trail has to come from the proxy in front of the service.
      log."logger.router.MODE" = "";

      mailer = {
        ENABLED = true;
        # NOTE(review): this value ends in a trailing space and carries no
        # address — looks truncated; confirm the intended sender is configured.
        FROM = "PyroNet Git ";
        PROTOCOL = "smtps";
        SMTP_ADDR = "mail.pyrox.dev";
        SMTP_PORT = 465;
        USER = "git@pyrox.dev";
      };

      picture.ENABLE_FEDERATED_AVATAR = true;

      ui = {
        DEFAULT_SHOW_FULL_NAME = true;
        USE_SERVICE_WORKER = true;
        SHOW_USER_EMAIL = false;
      };

      "ui.meta" = {
        AUTHOR = "dish";
        DESCRIPTION = "PyroNet Git Services";
      };

      # NOTE(review): no metrics.TOKEN is set, so /metrics answers without
      # authentication to anything that can reach the HTTP port (including
      # via the proxy unless it filters that path) — confirm that is intended.
      metrics.ENABLED = true;

      server = {
        # Git access is HTTPS only; no SSH listener.
        DISABLE_SSH = true;
        DOMAIN = git.extUrl;
        HTTP_PORT = git.port;
        # Derived from the final DOMAIN value so an override elsewhere follows through.
        ROOT_URL = "https://${forgejoSettings.server.DOMAIN}";
        LFS_START_SERVER = true;
      };

      # indexer = {
      #   # Enable issue indexing
      #   ISSUE_INDEXER_TYPE = "bleve";
      #   ISSUE_INDEXER_PATH = "indexers/issues.bleve";
      #   # Enable repo indexing
      #   REPO_INDEXER_ENABLED = true;
      #   REPO_INDEXER_REPO_TYPES = "sources,forks,templates,mirrors";
      #   REPO_INDEXER_TYPE = "bleve";
      #   REPO_INDEXER_PATH = "indexers/repos.bleve";
      # };

      session = {
        PROVIDER = "db";
        COOKIE_SECURE = true;
        COOKIE_NAME = "pyrogit-session";
        DOMAIN = git.extUrl;
        # Sessions last for 1 week; expired rows are also swept on that cadence.
        GC_INTERVAL_TIME = oneWeek;
        SESSION_LIFE_TIME = oneWeek;
      };

      service = {
        DISABLE_REGISTRATION = true;
        AUTO_WATCH_NEW_REPOS = false;
      };

      security = {
        # Keeps the web installer unreachable once deployed.
        INSTALL_LOCK = true;
        COOKIE_USERNAME = "pyrogit-user";
        COOKIE_REMEMBER_NAME = "pyrogit-auth";
        MIN_PASSWORD_LENGTH = 10;
        PASSWORD_COMPLEXITY = "lower,upper,digit,spec";
        PASSWORD_HASH_ALGO = "argon2";
        PASSWORD_CHECK_PWN = true;
        ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET = true;
        # Only allow reverse proxies from Tailscale tailnet
        # NOTE(review): Tailscale's IPv4 range is 100.64.0.0/10, not 10.64.0.0/10,
        # and the Anubis instance below connects from localhost, which this
        # setting does not cover (it replaces Forgejo's default of
        # 127.0.0.0/8,::1/128). Forwarded client-IP headers from sources outside
        # the list are ignored, so logged/rate-limited addresses would be the
        # proxy's own — confirm the intended trust list.
        REVERSE_PROXY_TRUSTED_PROXIES = "10.64.0.0/10";
      };

      actions.ENABLED = true;
    };
  };

  # Register every secret under the "forgejo-" prefix, all owned by the service user.
  age.secrets = lib.mkIf forgejoEnabled (lib.mapAttrs'
    (name: file: lib.nameValuePair "forgejo-${name}" (secretOwner // { inherit file; }))
    secretFiles);

  # Anubis challenge proxy in front of Forgejo; it forwards to the local HTTP port.
  services.anubis.instances.forgejo = lib.mkIf forgejoEnabled {
    settings = {
      BIND = ":${toString git.anubis}";
      POLICY_FNAME = "${self'.packages.anubis-files}/policies/forgejo.yaml";
      TARGET = "http://localhost:${toString git.port}";
    };
  };

  # Scrape the metrics endpoint over loopback only.
  services.prometheus.scrapeConfigs = lib.mkIf forgejoEnabled [
    {
      job_name = "forgejo";
      static_configs = [
        {
          targets = [ "127.0.0.1:${toString forgejoSettings.server.HTTP_PORT}" ];
        }
      ];
    }
  ];
}