nixos/hosts/fw.cloonar.com/modules/gitea.nix

{ config, ... }:
let
  domain = "git.cloonar.com";
  ip = "10.42.97.3";
in
{

  users.users.gitea = {
    isSystemUser = true;
    uid = 990;
    group = "gitea";
    home = "/var/lib/gitea";
    createHome = true;
  };
  users.groups.gitea = {
    gid = 989;
  };

  security.acme.certs."${domain}" = {
    domain = "${domain}";
  };

  containers.gitea = {
    autoStart = true;
    ephemeral = true;
    macvlans = [ "vserver" ];
    bindMounts = {
      "/var/lib/gitea" = {
        hostPath = "/var/lib/gitea/";
        isReadOnly = false;
      };
    };
    bindMounts = {
      "/var/lib/acme/gitea/" = {
        hostPath = "${config.security.acme.certs.${domain}.directory}";
        isReadOnly = true;
      };
    };
    config = { lib, config, pkgs, ... }: {
      networking = {
        hostName = "gitea";
        interfaces.mv-vserver = {
          useDHCP = true;
        };
        firewall = {
          enable = true;
          allowedTCPPorts = [ 22 80 443 ];
        };
      };
      # services.nginx.enable = true;
      # services.nginx.virtualHosts."${domain}" = {
      #   sslCertificate = "/var/lib/acme/gitea/fullchain.pem";
      #   sslCertificateKey = "/var/lib/acme/gitea/key.pem";
      #   sslTrustedCertificate = "/var/lib/acme/gitea/chain.pem";
      #   forceSSL = true;
      #   locations."/" = {
      #     proxyPass = "http://localhost:3001/";
      #   };
      # };
      #
      # nixpkgs.config.permittedInsecurePackages = [
      #   "gitea-1.19.4"
      # ];
      #
      # services.gitea = {
      #   enable = true;
      #   appName = "Cloonar Gitea server"; # Give the site a name
      #   settings = {
      #     server = {
      #       ROOT_URL = "https://${domain}/";
      #       HTTP_PORT = 3001;
      #       DOMAIN = domain;
      #     };
      #     openid = {
      #       ENABLE_OPENID_SIGNIN = false;
      #       ENABLE_OPENID_SIGNUP = true;
      #       WHITELISTED_URIS     = "auth.example.com";
      #     };
      #     service = {
      #       DISABLE_REGISTRATION                          = false;
      #       ALLOW_ONLY_EXTERNAL_REGISTRATION              = true;
      #       SHOW_REGISTRATION_BUTTON                      = false;
      #     };
      #     webhook.ALLOWED_HOST_LIST = "drone.cloonar.com";
      #   };
      # };
      #
      system.stateVersion = "23.05";
    };
  };
}