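# NixOS module: Forgejo (Git forge) backed by a local PostgreSQL instance.
# Wires up the database, the service user and the firewall; the reverse proxy
# that serves git.datarift.nl over TLS is not part of this file.
# `with lib;` was dropped: nothing from lib is referenced here, and the
# implicit scope it opens makes it harder to tell where names come from.
{ pkgs, config, lib, ... }:

let
  forgejoCfg = config.services.forgejo;
in
{
  services.forgejo = {
    enable = true;
    user = "git";

    lfs = {
      enable = true;
    };

    database = {
      type = "postgres";
      # Local Unix socket; the role and database are provisioned below through
      # services.postgresql.ensureUsers/ensureDatabases, hence createDatabase = false.
      socket = "/run/postgresql";
      # The sops secret itself is declared elsewhere in the configuration — not visible here.
      passwordFile = config.sops.secrets.gitea_db_password.path;
      createDatabase = false;
      name = "git";
      user = "git";
    };

    # Twice-daily dumps (02:00 and 14:00). A `forgejo dump` archive holds the
    # repository data and the database, so its output directory needs the same
    # access protection as stateDir.
    dump = {
      enable = true;
      interval = "*-*-* 2,14:00:00";
      type = "tar.zst";
    };

    settings = {
      DEFAULT = {
        APP_NAME = "Datarift Git";
      };

      security = {
        PASSWORD_HASH_ALGO = "argon2";
        # false = users holding the "git hook" permission may install custom
        # server-side hooks, which execute as the service user on push. This
        # deliberately overrides the upstream default (true); keep that
        # permission limited to trusted administrators.
        DISABLE_GIT_HOOKS = false;
      };

      log.LEVEL = "Warn";

      database = {
        LOG_SQL = false;
      };

      repository = {
        ENABLE_PUSH_CREATE_USER = true;
        ENABLE_PUSH_CREATE_ORG = true;
      };

      server = {
        DOMAIN = "git.datarift.nl";
        ROOT_URL = "https://git.datarift.nl/";
      };

      service = {
        DEFAULT_KEEP_EMAIL_PRIVATE = true;
        # No self-service sign-up; accounts are created by administrators.
        DISABLE_REGISTRATION = true;
      };

      picture = {
        ENABLE_FEDERATED_AVATAR = true;
      };

      session = {
        PROVIDER = "db";
        SAME_SITE = "strict";
        # Requires the browser-facing connection to be HTTPS (matches ROOT_URL).
        COOKIE_SECURE = true;
      };

      webhook = {
        # Outbound webhook deliveries are limited to these hosts/networks,
        # constraining what a repository webhook can be pointed at.
        ALLOWED_HOST_LIST = "external,10.0.0.202/32,ci.datarift.nl,10.0.0.210/32";
      };

      cron = {
        ENABLED = true;
        RUN_AT_START = true;
      };

      actions = {
        ENABLED = true;
      };
    };
  };

  # Opens Forgejo's plain-HTTP listener (default port 3000) on every interface.
  # ROOT_URL is https, so TLS is presumably terminated by a reverse proxy on
  # another host; if that proxy is the only intended client, scoping this via
  # networking.firewall.interfaces.<name>.allowedTCPPorts would narrow the
  # exposure — TODO confirm the network layout.
  networking.firewall.allowedTCPPorts = [ 3000 ];

  users.users.git = {
    description = "Forgejo service user";
    home = forgejoCfg.stateDir;
    useDefaultShell = true;
    group = "forgejo";
    isSystemUser = true;
  };

  services.postgresql = {
    enable = true;
    # Explicitly specify version here, because upgrading is a manual process that involves dumping and restoring databases:
    # https://nixos.org/manual/nixos/unstable/index.html#module-services-postgres-upgrading
    package = pkgs.postgresql_14;
    ensureDatabases = [ "git" ];
    ensureUsers = [
      {
        name = "git";
        ensureDBOwnership = true;
      }
    ];
  };
}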