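# NixOS container definition for a Forgejo instance that runs next to the
# existing gitea.nix host during migration.  The container stays stopped
# (autoStart = false) until the migration is complete.
{ config, pkgs, ... }:
let
  cids = import ../modules/staticids.nix;

  # Public hostname served by the nginx vhost inside the container.
  domain = "git.cloonar.com";

  # Hostname of the ACME certificate that is bind-mounted into the container.
  # NOTE(review): this differs from `domain` above, so the nginx vhost for
  # git.cloonar.com is served with the forgejo.cloonar.com certificate and
  # clients will see a certificate-name mismatch unless that certificate also
  # covers git.cloonar.com.  Confirm which hostname is intended and make the
  # two agree (the earlier, now commented-out hostPath used `${domain}`).
  certDomain = "forgejo.cloonar.com";

  # Host-side directory of that certificate; mounted read-only below.
  certDirectory = config.security.acme.certs."${certDomain}".directory;

  networkPrefix = config.networkPrefix;

  # Same uid/gid on the host and in the container (staticids.nix), so the
  # bind-mounted state directory and the sops secret keep correct ownership.
  user = {
    isSystemUser = true;
    uid = cids.uids.forgejo;
    group = "forgejo";
    home = "/var/lib/forgejo";
    createHome = true;
  };
  group = { gid = cids.gids.forgejo; };

  # Path (inside the container) of the sops-managed mailer password, used as
  # a systemd EnvironmentFile for the forgejo service.
  mailerSecretPath = "/run/secrets/forgejo-mailer-password";
in
{
  users.users.forgejo = user;
  users.groups.forgejo = group;

  # Let the nginx group read the certificate directory that is bind-mounted
  # into the container.
  security.acme.certs."${certDomain}" = { group = "nginx"; };

  containers.forgejo = {
    autoStart = false; # Don't start until migration is complete
    ephemeral = false; # because of ssh key
    privateNetwork = true;
    hostBridge = "server";
    hostAddress = "${networkPrefix}.97.1";
    localAddress = "${networkPrefix}.97.55/24"; # Different from gitea's .50

    bindMounts = {
      # Persistent state (repositories, database, ssh host key).
      "/var/lib/forgejo" = {
        hostPath = "/var/lib/forgejo/";
        isReadOnly = false;
      };
      # TLS material; the container never needs to write it.
      "/var/lib/acme/forgejo/" = {
        hostPath = certDirectory;
        isReadOnly = true;
      };
      # Mailer password decrypted by sops on the host.  Explicitly read-only:
      # the container only ever loads it as an EnvironmentFile.
      "${mailerSecretPath}" = {
        hostPath = config.sops.secrets.forgejo-mailer-password.path;
        isReadOnly = true;
      };
    };

    config = { lib, config, pkgs, ... }: {
      imports = [
        ../fleet.nix
        ../modules/cloonar-assistant-config-server.nix
      ];

      environment.systemPackages = with pkgs; [
        vim # my preferred editor
      ];

      networking = {
        hostName = "forgejo";
        useHostResolvConf = false;
        # NOTE(review): the gateway is on .96.x while localAddress is in a
        # .97.0/24 — presumably the bridge network is wider than /24; confirm
        # the gateway is actually reachable from the container.
        defaultGateway = {
          address = "${networkPrefix}.96.1";
          interface = "eth0";
        };
        # No firewall inside the container: every listener bound to the
        # container address is reachable from the bridge.  That is why
        # Forgejo's own HTTP listener is pinned to loopback below.
        firewall.enable = false;
        nameservers = [ "${networkPrefix}.97.1" ];
      };

      services.nginx.enable = true;
      services.nginx.virtualHosts."${domain}" = {
        sslCertificate = "/var/lib/acme/forgejo/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/forgejo/key.pem";
        sslTrustedCertificate = "/var/lib/acme/forgejo/chain.pem";
        forceSSL = true;
        # Must be at least attachment.MAX_SIZE below, otherwise large uploads
        # are rejected by nginx before Forgejo ever sees them.
        extraConfig = ''
          client_max_body_size 2048M;
        '';
        locations."/" = {
          proxyPass = "http://localhost:3001/";
        };
      };

      services.forgejo = {
        enable = true;
        stateDir = "/var/lib/forgejo";
        settings = {
          DEFAULT = { APP_NAME = "Cloonar Forgejo server"; };
          server = {
            ROOT_URL = "https://${domain}/";
            # Only nginx (same container) talks to Forgejo directly.  Binding
            # to loopback keeps the plaintext port off the bridge network,
            # which the disabled firewall would otherwise expose.
            HTTP_ADDR = "127.0.0.1";
            HTTP_PORT = 3001;
            DOMAIN = domain;
          };
          repository = { DEFAULT_BRANCH = "main"; };
          openid = {
            ENABLE_OPENID_SIGNIN = false;
            ENABLE_OPENID_SIGNUP = true;
            WHITELISTED_URIS = "auth.cloonar.com";
          };
          service = {
            # Accounts are created only through the external (OpenID) provider
            # above; the local registration form is hidden.
            DISABLE_REGISTRATION = false;
            ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
            SHOW_REGISTRATION_BUTTON = false;
            ENABLE_NOTIFY_MAIL = true;
            REQUIRE_SIGNIN_VIEW = false;
          };
          mailer = {
            ENABLED = true;
            # NOTE(review): the address part of FROM appears to be missing
            # (only a display name with a trailing space survives) — confirm
            # the intended "Name <address>" value.
            FROM = "Forgejo Cloonar ";
            PROTOCOL = "smtp+starttls";
            SMTP_ADDR = "mail.cloonar.com";
            SMTP_PORT = 587;
            USER = "gitea@cloonar.com";
            # The password is supplied through the EnvironmentFile below and
            # therefore never lands in the Nix store.
          };
          actions.ENABLED = true;
          attachment = {
            MAX_SIZE = 2048; # 2GB in MB for general attachments
          };
          packages = { ENABLED = true; };
        };
      };

      # Configure mailer password: the sops secret is loaded as an
      # EnvironmentFile, presumably in Forgejo's FORGEJO__mailer__PASSWD=…
      # environment-to-ini form — verify against the secret's contents.
      systemd.services.forgejo.serviceConfig.EnvironmentFile = mailerSecretPath;

      services.openssh.enable = true;
      users.users.root.openssh.authorizedKeys.keys = [
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
      ];

      users.users.forgejo = user;
      users.groups.forgejo = group;
      system.stateVersion = "23.05";
    };
  };

  sops.secrets.forgejo-mailer-password = {
    owner = "forgejo";
    # restartUnits removed - would start the container even with autoStart=false
    # Re-add after migration: restartUnits = [ "container@forgejo.service" ];
  };
}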