# NixOS module: a single-owner Forgejo forge, reverse-proxied by nginx,
# optionally wired into the host's mailserver, with a best-effort admin
# account bootstrap on service start.
{ config, lib, ... }:
let
  owner = config.customOps.owner;
  domain = config.customOps.domain;
  forgejoCfg = config.services.forgejo;
  serverCfg = forgejoCfg.settings.server;
  mailEnabled = config.mailserver.enable;
  # Sender/login identity Forgejo uses on the mailserver (send-only account).
  mailAddress = "forgejo@${domain}";

  # UI locales. Codes and display names are matched positionally, so the
  # two columns must stay in the same order.
  languages = [
    { code = "en-US"; name = "English"; }
    { code = "zh-CN"; name = "简体中文"; }
    { code = "zh-HK"; name = "繁體中文(香港)"; }
    { code = "zh-TW"; name = "繁體中文(台灣)"; }
    { code = "da"; name = "Dansk"; }
    { code = "de-DE"; name = "Deutsch"; }
    { code = "nds"; name = "Plattdüütsch"; }
    { code = "fr-FR"; name = "Français"; }
    { code = "nl-NL"; name = "Nederlands"; }
    { code = "lv-LV"; name = "Latviešu"; }
    { code = "ru-RU"; name = "Русский"; }
    { code = "uk-UA"; name = "Українська"; }
    { code = "ja-JP"; name = "日本語"; }
    { code = "es-ES"; name = "Español"; }
    { code = "pt-BR"; name = "Português do Brasil"; }
    { code = "pt-PT"; name = "Português de Portugal"; }
    { code = "pl-PL"; name = "Polski"; }
    { code = "bg"; name = "Български"; }
    { code = "it-IT"; name = "Italiano"; }
    { code = "fi-FI"; name = "Suomi"; }
    { code = "fil"; name = "Filipino"; }
    { code = "eo"; name = "Esperanto"; }
    { code = "tr-TR"; name = "Türkçe"; }
    { code = "cs-CZ"; name = "Čeština"; }
    { code = "sl"; name = "Slovenščina"; }
    { code = "sv-SE"; name = "Svenska"; }
    { code = "ko-KR"; name = "한국어"; }
    { code = "el-GR"; name = "Ελληνικά"; }
    { code = "fa-IR"; name = "فارسی"; }
    { code = "hu-HU"; name = "Magyar nyelv"; }
    { code = "id-ID"; name = "Bahasa Indonesia"; }
    { code = "ar"; name = "العربية"; }
  ];
  languageCodes = lib.concatMapStringsSep "," (l: l.code) languages;
  languageNames = lib.concatMapStringsSep "," (l: l.name) languages;
in
{
  services.forgejo = {
    enable = true;
    lfs.enable = true;

    settings = {
      DEFAULT = {
        APP_NAME = "git.${domain}";
        APP_SLOGAN = "the git repositories of ${owner}'s projects";
        # "{APP_NAME}" is a Forgejo placeholder, not Nix interpolation.
        APP_DISPLAY_NAME_FORMAT = "${owner}'s forge | {APP_NAME}";
      };

      server = {
        DOMAIN = "git.${domain}";
        ROOT_URL = "https://${serverCfg.DOMAIN}/";
        # Only reachable through the nginx proxy below.
        HTTP_PORT = 3000;
        # Advertise the host's first sshd port for clone URLs.
        SSH_PORT = lib.head config.services.openssh.ports;
        LANDING_PAGE = "/${owner}";
      };

      actions = {
        ENABLED = true;
        # Resolve bare action names against this forge, not an external host.
        DEFAULT_ACTIONS_URL = "https://${serverCfg.DOMAIN}";
      };

      repository.DISABLE_STARS = true;

      ui = {
        DEFAULT_THEME = "forgejo-light";
        THEMES = "forgejo-auto,forgejo-light,forgejo-dark";
        DEFAULT_SHOW_FULL_NAME = true;
        PREFERRED_TIMESTAMP_TENSE = "absolute";
      };

      "ui.meta" = {
        AUTHOR = forgejoCfg.settings.DEFAULT.APP_NAME;
        DESCRIPTION = forgejoCfg.settings.DEFAULT.APP_SLOGAN;
      };

      admin.DISABLE_REGULAR_ORG_CREATION = true;

      # Hardening: no web installer, mandatory 2FA for every account,
      # password policy, and API tokens accepted only in headers
      # (never in the query string, where they would land in logs).
      security = {
        INSTALL_LOCK = true;
        GLOBAL_TWO_FACTOR_REQUIREMENT = "all";
        PASSWORD_COMPLEXITY = "lower,upper,digit,spec";
        DISABLE_QUERY_AUTH_TOKEN = true;
      };

      # Closed forge: accounts are created by the admin, not self-registered.
      service = {
        DISABLE_REGISTRATION = true;
        VALID_SITE_URL_SCHEMES = "https";
      };
      "service.explore".DISABLE_USERS_PAGE = true;

      picture = {
        ENABLE_FEDERATED_AVATAR = true;
        AVATAR_MAX_FILE_SIZE = 10485760; # 10 MiB
        REPOSITORY_AVATAR_FALLBACK = "random";
      };

      federation.ENABLED = true;

      # Outgoing mail only exists when this host also runs the mailserver.
      mailer = lib.mkIf mailEnabled {
        ENABLED = true;
        SMTP_ADDR = config.mailserver.fqdn;
        FROM = mailAddress;
        USER = mailAddress;
      };

      i18n = {
        LANGS = languageCodes;
        NAMES = languageNames;
      };

      other.SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
    };

    # SMTP password comes from sops, never from settings (which are world-readable).
    secrets = lib.mkIf mailEnabled {
      mailer.PASSWD = config.sops.secrets."forgejo/mail".path;
    };
  };

  # Decrypted secret files and the service users that must read them:
  # the mailer password and admin bootstrap password are read by forgejo,
  # the mailserver-side password hash by dovecot.
  sops.secrets = {
    "forgejo/mail".owner = "forgejo";
    "forgejo/admin".owner = "forgejo";
    "mailserver/forgejo".owner = "dovecot2";
  };

  mailserver.loginAccounts.${mailAddress} = lib.mkIf mailEnabled {
    hashedPasswordFile = config.sops.secrets."mailserver/forgejo".path;
    # Forgejo only sends notifications; it never needs a mailbox.
    sendOnly = true;
  };

  services.nginx.virtualHosts.${serverCfg.DOMAIN} = {
    forceSSL = true;
    enableACME = true;
    # Large pushes / LFS uploads go through the proxy.
    extraConfig = ''
      client_max_body_size 512M;
    '';
    locations."/".proxyPass = "http://localhost:${toString serverCfg.HTTP_PORT}";
  };

  # Best-effort admin bootstrap. `create` fails once the user exists, which
  # `|| true` tolerates -- but that also hides every other failure.
  # NOTE(review): the password is handed over as a command-line argument,
  # so it is briefly visible in the process table while the command runs;
  # newlines are stripped from the secret file before use.
  systemd.services.forgejo.preStart =
    let
      forgejoBin = lib.getExe forgejoCfg.package;
      adminPasswordFile = config.sops.secrets."forgejo/admin".path;
      adminEmail = "root@${config.mailserver.fqdn}";
    in
    ''
      ${forgejoBin} admin user create --admin --email "${adminEmail}" --username ${owner} --password "$(tr -d '\n' < ${adminPasswordFile})" || true
    '';
}