nixos-config/machines/gitea/forgejo/default.nix


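# NixOS module for the Forgejo instance at git.datarift.nl: the service
# itself, its PostgreSQL backend and the dedicated `git` service account.
#
# `with lib;` was dropped: nothing from `lib` is referenced in this module.
# The `lib` argument stays in the pattern so callers are unaffected.
{
  pkgs,
  config,
  lib,
  ...
}:
let
  # Evaluated Forgejo options; used to point the `git` user's home at the
  # service's state directory.
  forgejoCfg = config.services.forgejo;
in
{
  services.forgejo = {
    enable = true;
    package = pkgs.forgejo;
    # Run as `git`; the account is declared under users.users.git below.
    user = "git";
    lfs.enable = true;

    database = {
      type = "postgres";
      # Local connection over the PostgreSQL unix socket.
      socket = "/run/postgresql";
      # Credential is supplied by sops at runtime, not from the Nix store.
      passwordFile = config.sops.secrets.gitea_db_password.path;
      # Database and role are provisioned by services.postgresql below
      # (ensureDatabases / ensureUsers), so the Forgejo module must not
      # create them itself. The names here must match those entries.
      createDatabase = false;
      name = "git";
      user = "git";
    };

    # Scheduled dump at 02:00 and 14:00 every day.
    dump = {
      enable = true;
      interval = "*-*-* 2,14:00:00";
      type = "tar.zst";
    };

    settings = {
      DEFAULT.APP_NAME = "Datarift Git";

      security = {
        PASSWORD_HASH_ALGO = "argon2";
        # Git hooks execute as the service user; leaving them enabled means
        # repository admins are fully trusted on this host.
        DISABLE_GIT_HOOKS = false;
      };

      log.LEVEL = "Warn";
      database.LOG_SQL = false;

      # Pushing to a repository that does not yet exist creates it.
      repository = {
        ENABLE_PUSH_CREATE_USER = true;
        ENABLE_PUSH_CREATE_ORG = true;
      };

      server = {
        DOMAIN = "git.datarift.nl";
        ROOT_URL = "https://git.datarift.nl/";
      };

      # Closed instance: accounts are created by an admin, not via sign-up.
      service = {
        DEFAULT_KEEP_EMAIL_PRIVATE = true;
        DISABLE_REGISTRATION = true;
      };

      picture.ENABLE_FEDERATED_AVATAR = true;

      # Server-side sessions with hardened cookie attributes. COOKIE_SECURE
      # assumes every browser reaches the instance through the https
      # ROOT_URL above.
      session = {
        PROVIDER = "db";
        SAME_SITE = "strict";
        COOKIE_SECURE = true;
      };

      # Limits which hosts outbound webhooks may reach: public addresses
      # ("external") plus the two listed internal endpoints.
      webhook.ALLOWED_HOST_LIST = "external,10.0.0.202/32,ci.datarift.nl,10.0.0.210/32";

      cron = {
        ENABLED = true;
        RUN_AT_START = true;
      };

      actions.ENABLED = true;
    };
  };

  # Forgejo's plain-HTTP listener. No HTTP_ADDR is set in settings.server
  # above, so the bind address is the upstream default.
  # NOTE(review): presumably a TLS-terminating proxy fronts this port; if
  # that proxy runs on this host, binding to loopback and dropping this
  # rule would reduce exposure — confirm against the proxy config.
  networking.firewall.allowedTCPPorts = [ 3000 ];

  # Service account for Forgejo (services.forgejo.user = "git" above).
  users.users.git = {
    description = "Forgejo service user";
    home = forgejoCfg.stateDir;
    useDefaultShell = true;
    group = "forgejo";
    isSystemUser = true;
  };

  services.postgresql = {
    enable = true;
    # Explicitly specify version here, because upgrading is a manual process that involves dumping and restoring databases:
    # https://nixos.org/manual/nixos/unstable/index.html#module-services-postgres-upgrading
    package = pkgs.postgresql_14;
    # Must agree with services.forgejo.database.{name,user} above.
    ensureDatabases = [ "git" ];
    ensureUsers = [
      {
        name = "git";
        ensureDBOwnership = true;
      }
    ];
  };
}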