# NixOS module: a Forgejo instance (wired through `services.gitea`) backed by
# a local PostgreSQL 14 server reached over its unix socket. Enabled with
# `eboskma.gitea.enable = true;`.
{ pkgs, config, lib, ... }:
let
  inherit (lib) mkEnableOption mkIf;

  # Options of this module and the upstream gitea service it configures.
  self = config.eboskma.gitea;
  giteaService = config.services.gitea;
in
{
  options.eboskma.gitea.enable = mkEnableOption "gitea";

  config = mkIf self.enable {
    services.gitea = {
      enable = true;
      package = pkgs.forgejo;
      appName = "Datarift Git";
      user = "git";
      lfs.enable = true;

      # Database is provisioned by the `services.postgresql` block below, so
      # the gitea module must not try to create it itself.
      database = {
        type = "postgres";
        user = "git";
        socket = "/run/postgresql";
        # Credential is read from a file at runtime, not stored in the Nix store.
        passwordFile = "/run/secrets/gitea_db_password";
        createDatabase = false;
      };

      settings = {
        security = {
          PASSWORD_HASH_ALGO = "argon2";
          # NOTE(review): `false` keeps server-side git hooks enabled; such hooks
          # execute on this host for anyone permitted to edit them — confirm that
          # trust level is intended.
          DISABLE_GIT_HOOKS = false;
        };

        log.LEVEL = "Warn";
        database.LOG_SQL = false;

        repository = {
          ENABLE_PUSH_CREATE_USER = true;
          ENABLE_PUSH_CREATE_ORG = true;
        };

        server = {
          DOMAIN = "git.datarift.nl";
          ROOT_URL = "https://git.datarift.nl/";
        };

        service = {
          DEFAULT_KEEP_EMAIL_PRIVATE = true;
          # No self-service sign-up; accounts are created by an admin.
          DISABLE_REGISTRATION = true;
        };

        picture.ENABLE_FEDERATED_AVATAR = true;

        # Sessions live in the database; cookies are HTTPS-only and strict same-site.
        session = {
          PROVIDER = "db";
          SAME_SITE = "strict";
          COOKIE_SECURE = true;
        };

        # Restricts where webhooks may deliver to: external addresses plus the
        # listed CI host/address (limits webhook-driven requests into the LAN).
        webhook.ALLOWED_HOST_LIST = "external,10.0.0.202/32,ci.datarift.nl";

        # Experimental Gitea Actions
        actions.ENABLED = true;
      };
    };

    # Opens TCP 3000 on the host firewall. ROOT_URL above is https, so a
    # TLS-terminating proxy is presumably in front of this port — NOTE(review):
    # confirm, and consider whether 3000 needs to be reachable beyond that proxy.
    networking.firewall.allowedTCPPorts = [ 3000 ];

    users.users.git = {
      isSystemUser = true;
      description = "Gitea service user";
      group = "gitea";
      home = giteaService.stateDir;
      useDefaultShell = true;
    };

    services.postgresql = {
      enable = true;
      # Explicitly specify version here, because upgrading is a manual process
      # that involves dumping and restoring databases:
      # https://nixos.org/manual/nixos/unstable/index.html#module-services-postgres-upgrading
      package = pkgs.postgresql_14;
      ensureDatabases = [ "gitea" ];
      ensureUsers = [
        {
          name = "git";
          # NOTE(review): `ensurePermissions` is deprecated in newer NixOS
          # releases; kept as written because the db and role names differ.
          ensurePermissions."DATABASE gitea" = "ALL PRIVILEGES";
        }
      ];
    };
  };
}