{ pkgs, config, lib, ... }:
let
  # Public hostname of this Forgejo instance, derived from the host's nginx domain.
  domain = "gitea.${config.services.nginx.domain}";

  forgejoCfg = config.services.forgejo;
  serverCfg = forgejoCfg.settings.server;

  # Upstream the reverse proxy forwards to. HTTP_ADDR is pinned to loopback
  # below; HTTP_PORT is not set in this file, so it is whatever the forgejo
  # module (or another module in this configuration) provides.
  backend = "http://${serverCfg.HTTP_ADDR}:${toString serverCfg.HTTP_PORT}";

  # Literal placeholder that ends up in the Nix-store copy of app.ini; it is
  # swapped for the real token at service start (see ExecStartPre below), so
  # the secret itself never enters the store.
  metricsTokenPlaceholder = "#metricstoken#";

  # Temporary location of the database dump taken for backups.
  dbDump = "/var/lib/forgejo/forgejo-db.sql";
in
{
  services.forgejo = {
    enable = true;
    database.type = "postgres";

    settings = {
      server = {
        DOMAIN = domain;
        # Bind to loopback only: the service is reached through the nginx
        # reverse proxy, never directly from the network.
        HTTP_ADDR = "127.0.0.1";
        ROOT_URL = "https://${domain}/";
        # Port advertised in SSH clone URLs. Whatever listens on 2222 (system
        # sshd or Forgejo's built-in server) is configured outside this file — confirm.
        SSH_PORT = 2222;
      };
      metrics = {
        ENABLED = true;
        TOKEN = metricsTokenPlaceholder;
      };
      # No self-service account creation.
      service.DISABLE_REGISTRATION = true;
      # Session cookie is only sent over TLS.
      session.COOKIE_SECURE = true;
    };
  };

  # Substitute the metrics token placeholder in the generated app.ini with the
  # sops-managed secret before Forgejo starts. The systemd "+" prefix runs this
  # step with full privileges so it can read the secret file and write the
  # runtime config regardless of the service's own user.
  systemd.services.forgejo.serviceConfig.ExecStartPre =
    let
      replaceSecret = "${pkgs.replace-secret}/bin/replace-secret";
      secretFile = config.sops.secrets."forgejo/metrics-token".path;
      appIni = "${forgejoCfg.customDir}/conf/app.ini";
    in
    lib.singleton "+${replaceSecret} '${metricsTokenPlaceholder}' '${secretFile}' '${appIni}'";

  # Set up SSL
  services.nginx.virtualHosts.${domain} = {
    forceSSL = true;
    enableACME = true;
    enableHSTS = true;

    locations = {
      "/".proxyPass = backend;

      # Prometheus endpoint: loopback clients only, everyone else gets
      # `deny all`. Note there is no proxyPass in this block, so nginx does not
      # forward /metrics to Forgejo; it effectively closes the path from
      # outside — presumably the scraper reads the backend port directly; confirm.
      "/metrics".extraConfig = ''
        access_log off;
        allow 127.0.0.1;
        ${lib.optionalString config.networking.enableIPv6 "allow ::1;"}
        deny all;
      '';
    };
  };

  # Block repeated failed login attempts
  #
  # TODO(tlater): Update this - we switched to forgejo, who knows what
  # the new matches are.
  # environment.etc = {
  #   "fail2ban/filter.d/gitea.conf".text = ''
  #     [Definition]
  #     failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from
  #     journalmatch = _SYSTEMD_UNIT=forgejo.service + _COMM=forgejo + SYSLOG_IDENTIFIER=forgejo
  #   '';
  # };
  # services.fail2ban.jails = {
  #   gitea = ''
  #     enabled = true
  #   '';
  # };

  # Backup job: the service is paused for the duration so the database dump
  # and the on-disk state are consistent with each other. The dump is a
  # plaintext SQL file under the state directory for the length of the run
  # and is removed again by `cleanup`.
  services.backups.forgejo = {
    user = "forgejo";
    paths = [
      dbDump
      "/var/lib/forgejo/repositories/"
      "/var/lib/forgejo/data/"
      "/var/lib/forgejo/custom/"
      # Conf is backed up via nix
    ];
    preparation = {
      packages = [ config.services.postgresql.package ];
      text = "pg_dump ${forgejoCfg.database.name} --file=${dbDump}";
    };
    cleanup = {
      packages = [ pkgs.coreutils ];
      text = "rm ${dbDump}";
    };
    pauseServices = [ "forgejo.service" ];
  };
}