{ pkgs, config, lib, ... }: let domain = "gitea.${config.services.nginx.domain}"; in { services.forgejo = { enable = true; database.type = "postgres"; settings = { server = { DOMAIN = domain; HTTP_ADDR = "127.0.0.1"; ROOT_URL = "https://${domain}/"; SSH_PORT = 2222; }; metrics = { ENABLED = true; TOKEN = "#metricstoken#"; }; service.DISABLE_REGISTRATION = true; session.COOKIE_SECURE = true; }; }; systemd.services.forgejo.serviceConfig.ExecStartPre = let replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret"; secretPath = config.sops.secrets."forgejo/metrics-token".path; runConfig = "${config.services.forgejo.customDir}/conf/app.ini"; in [ "+${replaceSecretBin} '#metricstoken#' '${secretPath}' '${runConfig}'" ]; # Set up SSL services.nginx.virtualHosts."${domain}" = let httpAddress = config.services.forgejo.settings.server.HTTP_ADDR; httpPort = config.services.forgejo.settings.server.HTTP_PORT; in { forceSSL = true; useACMEHost = "tlater.net"; enableHSTS = true; locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}"; locations."/metrics" = { extraConfig = '' access_log off; allow 127.0.0.1; ${lib.optionalString config.networking.enableIPv6 "allow ::1;"} deny all; ''; }; }; services.backups.forgejo = { user = "forgejo"; paths = [ "/var/lib/forgejo/forgejo-db.sql" "/var/lib/forgejo/repositories/" "/var/lib/forgejo/data/" "/var/lib/forgejo/custom/" # Conf is backed up via nix ]; preparation = { packages = [ config.services.postgresql.package ]; text = "pg_dump ${config.services.forgejo.database.name} --file=/var/lib/forgejo/forgejo-db.sql"; }; cleanup = { packages = [ pkgs.coreutils ]; text = "rm /var/lib/forgejo/forgejo-db.sql"; }; pauseServices = [ "forgejo.service" ]; }; }