nichts/modules/services/forgejo/module.nix

{
  config,
  lib,
  pkgs,
  ...
}: let
  inherit (lib.modules) mkIf;
  inherit (config.services.forgejo) customDir user group;
  cfg = config.modules.system.services.forgejo;

  port = 3000;
  domain = "copeberg.org";
  img = ./img;
  acmeRoot = "/var/lib/acme/challenges-forgejo";
  dataDir = "/srv/data/forgejo";
in {
  options.modules.system.services.forgejo.enable = lib.mkEnableOption "forgejo";

  config = mkIf cfg.enable {
    modules.system.services = {
      database.postgresql.enable = true;
    };

    networking.firewall.allowedTCPPorts = [
      443
      80
    ];

    services.nginx = {
      enable = true;
      virtualHosts.${domain} = {
        forceSSL = true;
        # enableACME = true;
        useACMEHost = domain;
        inherit acmeRoot;
        extraConfig = ''
          # nginx defaults to a 1MB size limit for uploads, which
          # *definitely* isn't enough for Git LFS.
          # 'client_max_body_size 300m;' would set a limit of 300MB
          # setting it to 0 means "no limit"
          client_max_body_size 512M;
        '';
        locations."/" = {
          recommendedProxySettings = true;
          proxyPass = "http://localhost:${toString port}";
        };
      };
    };

    security.acme = let
      email = "charlie@charlieroot.dev";
    in {
      acceptTerms = true;
      defaults.email = email;
      defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
      certs = {
        ${domain} = {
          webroot = acmeRoot;
          inherit email;
          group = "nginx";
        };
      };
    };

    # create the git user for forgejo
    # NOTE: this is important and it will _not_ work otherwise.
    users.users.git = {
      home = dataDir;
      useDefaultShell = true;
      group = "git";
      isSystemUser = true;
    };
    users.groups.git = {};

    services.forgejo = {
      enable = true;
      package = pkgs.forgejo;
      stateDir = dataDir;

      user = "git";
      group = "git";
      database = {
        createDatabase = true;
        name = "git";
        user = "git";
        type = "postgres";
      };

      # Disable support for Git Large File Storage
      lfs.enable = false;

      settings = {
        server = {
          DOMAIN = domain;
          # You need to specify this to remove the port from URLs in the web UI.
          ROOT_URL = "https://${domain}/";
          HTTP_PORT = port;
        };
        DEFAULT = {
          APP_NAME = "Copeberg.org";
          APP_SLOGAN = "Code and seethe.";
        };
        # disable registration by default.
        service.DISABLE_REGISTRATION = true;

        # Add support for actions, based on act: https://github.com/nektos/act
        actions = {
          ENABLED = false;
          DEFAULT_ACTIONS_URL = "github";
        };

        "repository.signing" = {
          SIGNING_KEY = "none";
        };
      };
    };

    systemd.tmpfiles.rules = let
      # no crawlers, thank you.
      robots = pkgs.writeText "robots-txt" ''
        User-agent: *
        Disallow: /
      '';
    in [
      "d '${customDir}/public' 0750 ${user} ${group} - -"
      "d '${customDir}/public/assets' 0750 ${user} ${group} - -"
      "d '${customDir}/public/assets/img' 0750 ${user} ${group} - -"

      "L+ '${customDir}/public/assets/img/logo.svg' - - - - ${img}/logo.svg"
      "L+ '${customDir}/public/assets/img/logo.png' - - - - ${img}/logo.png"
      "L+ '${customDir}/public/assets/img/apple-touch-icon' - - - - ${img}/logo.png"
      "L+ '${customDir}/public/assets/img/favicon.svg' - - - - ${img}/logo.svg"
      "L+ '${customDir}/public/assets/img/favicon.png' - - - - ${img}/logo.png"

      "L+ ${customDir}/public/robots.txt - - - - ${robots.outPath}"
    ];
  };
}
forgejo/module.nix: update, add sane settings forgejo/module.nix: fix enable option 2025-03-04 20:11:09 +01:00			`{`
			`config,`
			`lib,`
			`pkgs,`
			`...`
			`}: let`
			`inherit (lib.modules) mkIf;`
			`inherit (config.services.forgejo) customDir user group;`
forgejo: update whole module, add new data dir 2025-03-04 21:01:50 +01:00			`cfg = config.modules.system.services.forgejo;`
forgejo/module.nix: update, add sane settings forgejo/module.nix: fix enable option 2025-03-04 20:11:09 +01:00
			`port = 3000;`
			`domain = "copeberg.org";`
			`img = ./img;`
			`acmeRoot = "/var/lib/acme/challenges-forgejo";`
forgejo: update whole module, add new data dir 2025-03-04 21:01:50 +01:00			`dataDir = "/srv/data/forgejo";`
forgejo/module.nix: init 2025-03-02 21:40:06 +01:00			`in {`
forgejo/module.nix: update, add sane settings forgejo/module.nix: fix enable option 2025-03-04 20:11:09 +01:00			`options.modules.system.services.forgejo.enable = lib.mkEnableOption "forgejo";`

			`config = mkIf cfg.enable {`
forgejo: update whole module, add new data dir 2025-03-04 21:01:50 +01:00			`modules.system.services = {`
			`database.postgresql.enable = true;`
			`};`

forgejo/module.nix: update, add sane settings forgejo/module.nix: fix enable option 2025-03-04 20:11:09 +01:00			`networking.firewall.allowedTCPPorts = [`
			`443`
			`80`
			`];`

			`services.nginx = {`
			`enable = true;`
			`virtualHosts.${domain} = {`
			`forceSSL = true;`
			`# enableACME = true;`
			`useACMEHost = domain;`
			`inherit acmeRoot;`
			`extraConfig = ''`
forgejo/module.nix: change user to git 2025-03-05 07:52:53 +01:00			`# nginx defaults to a 1MB size limit for uploads, which`
			`# definitely isn't enough for Git LFS.`
			`# 'client_max_body_size 300m;' would set a limit of 300MB`
			`# setting it to 0 means "no limit"`
forgejo/module.nix: update, add sane settings forgejo/module.nix: fix enable option 2025-03-04 20:11:09 +01:00			`client_max_body_size 512M;`
			`'';`
			`locations."/" = {`
forgejo: update whole module, add new data dir 2025-03-04 21:01:50 +01:00			`recommendedProxySettings = true;`
forgejo/module.nix: update, add sane settings forgejo/module.nix: fix enable option 2025-03-04 20:11:09 +01:00			`proxyPass = "http://localhost:${toString port}";`
			`};`
			`};`
forgejo/module.nix: init 2025-03-02 21:40:06 +01:00			`};`

forgejo/module.nix: update, add sane settings forgejo/module.nix: fix enable option 2025-03-04 20:11:09 +01:00			`security.acme = let`
			`email = "charlie@charlieroot.dev";`
			`in {`
			`acceptTerms = true;`
			`defaults.email = email;`
			`defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";`
			`certs = {`
			`${domain} = {`
			`webroot = acmeRoot;`
			`inherit email;`
			`group = "nginx";`
			`};`
forgejo/module.nix: init 2025-03-02 21:40:06 +01:00			`};`
forgejo/module.nix: update, add sane settings forgejo/module.nix: fix enable option 2025-03-04 20:11:09 +01:00			`};`
forgejo: update whole module, add new data dir 2025-03-04 21:01:50 +01:00
forgejo/module.nix: change user to git 2025-03-05 07:52:53 +01:00			`# create the git user for forgejo`
			`# NOTE: this is important and it will _not_ work otherwise.`
			`users.users.git = {`
			`home = dataDir;`
			`useDefaultShell = true;`
			`group = "git";`
			`isSystemUser = true;`
			`};`
			`users.groups.git = {};`

forgejo/module.nix: update, add sane settings forgejo/module.nix: fix enable option 2025-03-04 20:11:09 +01:00			`services.forgejo = {`
			`enable = true;`
			`package = pkgs.forgejo;`
forgejo: update whole module, add new data dir 2025-03-04 21:01:50 +01:00			`stateDir = dataDir;`
forgejo/module.nix: update, add sane settings forgejo/module.nix: fix enable option 2025-03-04 20:11:09 +01:00
			`user = "git";`
forgejo/module.nix: change user to git 2025-03-05 07:52:53 +01:00			`group = "git";`
forgejo/module.nix: update, add sane settings forgejo/module.nix: fix enable option 2025-03-04 20:11:09 +01:00			`database = {`
forgejo/module.nix: change user to git 2025-03-05 07:52:53 +01:00			`createDatabase = true;`
forgejo: update whole module, add new data dir 2025-03-04 21:01:50 +01:00			`name = "git";`
forgejo/module.nix: update, add sane settings forgejo/module.nix: fix enable option 2025-03-04 20:11:09 +01:00			`user = "git";`
			`type = "postgres";`
forgejo/module.nix: init 2025-03-02 21:40:06 +01:00			`};`
forgejo/module.nix: update, add sane settings forgejo/module.nix: fix enable option 2025-03-04 20:11:09 +01:00
			`# Disable support for Git Large File Storage`
			`lfs.enable = false;`

			`settings = {`
			`server = {`
			`DOMAIN = domain;`
			`# You need to specify this to remove the port from URLs in the web UI.`
			`ROOT_URL = "https://${domain}/";`
			`HTTP_PORT = port;`
			`};`
			`DEFAULT = {`
			`APP_NAME = "Copeberg.org";`
			`APP_SLOGAN = "Code and seethe.";`
			`};`
			`# disable registration by default.`
			`service.DISABLE_REGISTRATION = true;`

			`# Add support for actions, based on act: https://github.com/nektos/act`
			`actions = {`
			`ENABLED = false;`
			`DEFAULT_ACTIONS_URL = "github";`
			`};`
forgejo/module.nix: disable repository signing 2025-03-05 15:24:59 +01:00
			`"repository.signing" = {`
			`SIGNING_KEY = "none";`
			`};`
forgejo/module.nix: init 2025-03-02 21:40:06 +01:00			`};`
			`};`

forgejo/module.nix: update, add sane settings forgejo/module.nix: fix enable option 2025-03-04 20:11:09 +01:00			`systemd.tmpfiles.rules = let`
			`# no crawlers, thank you.`
			`robots = pkgs.writeText "robots-txt" ''`
			`User-agent: *`
			`Disallow: /`
			`'';`
			`in [`
			`"d '${customDir}/public' 0750 ${user} ${group} - -"`
			`"d '${customDir}/public/assets' 0750 ${user} ${group} - -"`
			`"d '${customDir}/public/assets/img' 0750 ${user} ${group} - -"`

			`"L+ '${customDir}/public/assets/img/logo.svg' - - - - ${img}/logo.svg"`
			`"L+ '${customDir}/public/assets/img/logo.png' - - - - ${img}/logo.png"`
			`"L+ '${customDir}/public/assets/img/apple-touch-icon' - - - - ${img}/logo.png"`
			`"L+ '${customDir}/public/assets/img/favicon.svg' - - - - ${img}/logo.svg"`
			`"L+ '${customDir}/public/assets/img/favicon.png' - - - - ${img}/logo.png"`

			`"L+ ${customDir}/public/robots.txt - - - - ${robots.outPath}"`
			`];`
			`};`
forgejo/module.nix: init 2025-03-02 21:40:06 +01:00			`}`