{ pkgs, config, lib, ... }:

# NixOS module that wraps a Gitea instance (backed by a local PostgreSQL) behind
# a single `eboskma.gitea.enable` switch.  Every setting below is applied only
# when that option is set (mkIf).
let
  inherit (lib) mkEnableOption mkIf;

  cfg = config.eboskma.gitea;
  giteaCfg = config.services.gitea;
in
{
  options.eboskma.gitea.enable = mkEnableOption "gitea";

  config = mkIf cfg.enable {
    services.gitea = {
      enable = true;
      user = "git";

      appName = "Gitea Datarift";
      domain = "git.datarift.nl";
      rootUrl = "https://git.datarift.nl/";
      log.level = "Warn";
      lfs.enable = true;

      # Closed instance: no self-service sign-up, and the session cookie is
      # only sent over TLS.
      disableRegistration = true;
      cookieSecure = true;

      database = {
        type = "postgres";
        # Local UNIX socket, so no network listener is needed for the DB.
        socket = "/run/postgresql";
        user = "git";
        # Secret is provisioned out of band (sops/agenix or similar — not
        # visible here); keeping it in a file keeps it out of the Nix store.
        passwordFile = "/run/secrets/gitea_db_password";
        # Database and role are created by services.postgresql.ensure* below
        # instead of by the Gitea module.
        createDatabase = false;
      };

      settings = {
        security = {
          PASSWORD_HASH_ALGO = "argon2";
          # NOTE(review): custom git hooks remain enabled.  Hooks run arbitrary
          # code under the `git` service user for anyone allowed to configure
          # them, so flip this to true unless hooks are actually relied on.
          DISABLE_GIT_HOOKS = false;
        };

        database.LOG_SQL = false;

        # Pushing to a non-existent repository creates it (user and org scope).
        repository = {
          ENABLE_PUSH_CREATE_USER = true;
          ENABLE_PUSH_CREATE_ORG = true;
        };

        service.DEFAULT_KEEP_EMAIL_PRIVATE = true;

        picture.ENABLE_FEDERATED_AVATAR = true;

        # Sessions live in the database rather than on disk; strict SameSite
        # keeps the session cookie off cross-site requests.
        session = {
          PROVIDER = "db";
          SAME_SITE = "strict";
        };

        # Allow-list of hosts webhooks may call, limiting outbound requests
        # from the server to the listed CI host and public ("external") hosts.
        webhook.ALLOWED_HOST_LIST = "external,10.0.0.202/32,drone.datarift.nl";
      };
    };

    # Gitea's default HTTP port is opened directly.  rootUrl is https, so TLS
    # is presumably terminated elsewhere (reverse proxy) — if that proxy runs
    # on this host, this rule can be dropped; confirm before changing.
    networking.firewall.allowedTCPPorts = [ 3000 ];

    # Dedicated, shell-less-by-default system account that owns the Gitea
    # state directory and the repositories.
    users.users.git = {
      description = "Gitea service user";
      home = giteaCfg.stateDir;
      useDefaultShell = true;
      group = "gitea";
      isSystemUser = true;
    };

    services.postgresql = {
      enable = true;
      # Explicitly specify version here, because upgrading is a manual process that involves dumping and restoring databases:
      # https://nixos.org/manual/nixos/unstable/index.html#module-services-postgres-upgrading
      package = pkgs.postgresql_14;
      ensureDatabases = [ "gitea" ];
      ensureUsers = [
        {
          name = "git";
          ensurePermissions."DATABASE gitea" = "ALL PRIVILEGES";
        }
      ];
    };
  };
}