nixos-config/services/forgejo.nix

{ config, lib, my, pkgs, secrets, ... }:

let
  cfg = config.services.forgejo;
  fqdn = "git.${my.domain}";
  dataDir = "/mnt/data/forgejo";
in {
  sops.secrets = {
    "forgejo/mail/host" = {
      sopsFile = ../secrets/sops/forgejo.yaml;
      restartUnits = [ "forgejo.service" ];
    };
    "forgejo/mail/password" = {
      sopsFile = ../secrets/sops/forgejo.yaml;
      restartUnits = [ "forgejo.service" ];
    };
    "forgejo/secret-key" = {
      sopsFile = ../secrets/sops/forgejo.yaml;
      restartUnits = [ "forgejo.service" ];
    };
  };

  services.forgejo = {
    enable = true;
    user = "git";
    group = "git";
    lfs.enable = true;
    repositoryRoot = "${dataDir}/repositories";
    database = {
      type = "sqlite3";
      createDatabase = true;
    };
    # https://forgejo.org/docs/latest/admin/config-cheat-sheet/
    settings = {
      DEFAULT.APP_NAME = fqdn;
      admin.USER_DISABLED_FEATURES = "deletion";
      api.ENABLE_SWAGGER = false;
      cron = {
        ENABLE = true;
        RUN_AT_START = true;
      };
      "cron.repo_health_check".TIMEOUT = "600s"; # 10 min
      "cron.git_gc_repos" = {
        ENABLED = true;
        RUN_AT_START = true;
        SCHEDULE = "@every 48h";
        TIMEOUT = "1h";
      };
      "cron.delete_old_actions" = {
        ENABLED = true;
        RUN_AT_START = true;
        SCHEDULE = "@every 168h"; # 1 week
        OLDER_THAN = "4380h"; # half a year
      };
      "cron.archive_cleanup" = {
        SCHEDULE = "@every 2h";
        OLDER_THAN = "6h";
      };
      git = {
        GC_ARGS = "--prune=1.week.ago";
        HOME_PATH = "${config.services.forgejo.stateDir}/data/home";
      };
      cache = {
        ADAPTER = "twoqueue";
        HOST = ''{"size":100, "recent_ratio":0.25, "ghost_ratio":0.5}'';
      };
      cors = {
        ENABLED = true;
        ALLOW_DOMAIN = fqdn;
      };
      mailer = {
        ENABLED = true;
        FROM = "noreply@${my.domain}";
        PROTOCOL = "smtps";
        SMTP_PORT = 465;
        USER = "noreply@${my.domain}";
      };
      service = {
        ENABLE_CAPTCHA = false;
        ENABLE_BASIC_AUTHENTICATION = false;
        ENABLE_NOTIFY_MAIL = true;
        DISABLE_REGISTRATION = true;
        DEFAULT_ALLOW_CREATE_ORGANIZATION = true;
        VALID_SITE_URL_SCHEMES = "https";
      };
      server = {
        PROTOCOL = "http";
        DOMAIN = fqdn;
        ROOT_URL = "https://${fqdn}";
        HTTP_ADDR = "::1";
        HTTP_PORT = 3110;
        SSH_USER = cfg.user;
        APP_DATA_PATH = "${dataDir}/data";
      };
      repository = {
        ENABLE_PUSH_CREATE_USER = true;
        ENABLE_PUSH_CREATE_ORG = false;
        PREFERRED_LICENSES = "MIT,GPL-3.0,LGPL-3.0";
      };
      security.INSTALL_LOCK = true;
      indexer.REPO_INDEXER_ENABLED = true;
      session = {
        PROVIDER = "db";
        COOKIE_SECURE = true;
      };
      storage = {
        STORAGE_TYPE = "local";
        PATH = "${dataDir}/data";
      };
      actions = {
        ENABLED = true;
        DEFAULT_ACTIONS_URL = "https://code.forgejo.org";
      };
      "ssh.minimum_key_sizes" = {
        RSA = -1;
        DSA = -1;
      };
      "repository.pull-request".DEFAULT_MERGE_STYLE = "rebase";
      "ui.meta" = {
        AUTHOR = "Christoph Heiss";
        DESCRIPTION = "Christoph Heiss' git forge, powered by Forgejo.";
        KEYWORDS = "git,forge,forgejo,c8h4,christoph,heiss";
      };
      other = {
        SHOW_FOOTER_VERSION = false;
        SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
      };
    };
    secrets = {
      mailer = {
        SMTP_ADDR = secrets."forgejo/mail/host".path;
        PASSWD = secrets."forgejo/mail/password".path;
      };
      security.SECRET_KEY = lib.mkForce secrets."forgejo/secret-key".path;
    };
    dump = {
      enable = true;
      backupDir = "/var/backup/forgejo";
      interval = "04:15";
      type = "tar.zst";
      file = "forgejo-dump"; # by default, timestamp is included
    };
  };

  systemd.services.forgejo.serviceConfig.BindPaths = [ dataDir ];

  systemd.tmpfiles.settings."75-forgejo" = {
    ${dataDir}.d = {
      inherit (cfg) user group;
      mode = "0750";
    };
  };

  services.nginx.virtualHosts.${fqdn} =
    let inherit (config.services.forgejo.settings.server) HTTP_ADDR HTTP_PORT;
    in {
      forceSSL = true;
      useACMEHost = my.domain;
      kTLS = true;
      locations."/" = {
        proxyPass = "http://[${HTTP_ADDR}]:${toString HTTP_PORT}";
        proxyWebsockets = true;
        extraConfig = ''
          client_max_body_size 256M;
        '';
      };
    };

  users.groups.${cfg.group} = { };
  users.users.${cfg.user} = {
    inherit (cfg) group;
    createHome = false;
    home = config.services.forgejo.stateDir;
    isSystemUser = true;
    shell = pkgs.bash;
    packages = with pkgs; [ forgejo ];
    extraGroups = [ "restic-backup" ];
  };

  services.openssh.settings.AllowUsers = [ cfg.user ];

  services.restic.backups.forgejo = {
    environmentFile = secrets."restic/rest-env".path;
    initialize = true;
    repository =
      "${my.homelab.services.restic.repositoryBase}/${config.networking.hostName}";
    passwordFile = secrets."restic/repo-password".path;
    inherit (config.services.forgejo) user;
    paths = [ "/var/backup/forgejo" ];
    timerConfig.OnCalendar = "*-*-* 5:30:00"; # daily at 05:30
    backupCleanupCommand = my.mkResticBackupNotificationCmd {
      name = "forgejo";
      inherit pkgs secrets;
    };
  };
}