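{ self, inputs, ... }:
{
  # NixOS module: a Forgejo instance backed by a local PostgreSQL server.
  # Secrets come from sops-nix; HTTPS (optional) reuses the key/certificate
  # exposed by the host's `mtls` module (config.mtls.keyFile / .certFile).
  flake.modules.nixos.forgejo =
    { config, pkgs, lib, ... }:
    let
      cfg = config.forgejo;
      # The decrypted secret files are read by the Forgejo service user, so
      # sops must hand ownership of them to that user.
      secretOwner = config.services.forgejo.user;
    in
    {
      options.forgejo = {
        # mkEnableOption already prefixes "Whether to enable", so the text
        # must not start with "Enable" (the old wording rendered as
        # "Whether to enable Enable Forgejo ...").
        enable = lib.mkEnableOption "Forgejo backed with PostgreSQL";

        port = lib.mkOption {
          type = lib.types.port;
          default = 3000;
          description = "TCP port for the Forgejo web interface.";
        };

        openFirewall = lib.mkOption {
          type = lib.types.bool;
          # Defaults to exposing the web port to the network; set to false
          # when the instance is only reached through a local reverse proxy.
          default = true;
          description = "Open the Forgejo web interface port in the firewall.";
        };

        # Previously carried the firewall option's description (copy-paste
        # error); this option actually switches the built-in server to HTTPS.
        # Enabling it requires config.mtls.keyFile / config.mtls.certFile to
        # be defined by another module, otherwise evaluation fails.
        https = lib.mkEnableOption "HTTPS for the Forgejo web interface, using the key and certificate from config.mtls";

        # The public base URL was hard-coded in ROOT_URL; it is now an option
        # whose default preserves the previous value.
        rootUrl = lib.mkOption {
          type = lib.types.str;
          default = "https://forgejo.john-stream.com";
          description = "Public base URL (ROOT_URL) that Forgejo advertises in links, webhooks and OAuth redirects.";
        };
      };

      config = lib.mkIf cfg.enable {
        networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [ cfg.port ];

        # sops-nix secrets, keyed as they appear in the secrets file.
        sops.secrets = {
          "forgejo/secret_key".owner = secretOwner;
          "forgejo/internal_token".owner = secretOwner;
          "forgejo/jwt_secret".owner = secretOwner;
          "forgejo/lfs_jwt_secret".owner = secretOwner;
        };

        services = {
          forgejo = {
            enable = true;
            lfs.enable = true;

            settings = {
              DEFAULT = {
                # NOTE(review): "dev" is Forgejo's development run mode and is
                # more verbose than "prod" in what it logs and reports to
                # clients; confirm this is intended for a reachable instance.
                RUN_MODE = "dev";
              };

              server = lib.mkMerge [
                {
                  HTTP_PORT = cfg.port;
                  # Only the web port is served; git-over-SSH is not offered.
                  DISABLE_SSH = true;
                  ROOT_URL = cfg.rootUrl;
                }
                # HTTPS block is only merged in when the option is set, so a
                # plain-HTTP deployment never references config.mtls.
                (lib.mkIf cfg.https {
                  PROTOCOL = "https";
                  # Session cookies are marked Secure so they are only sent
                  # over TLS.
                  COOKIE_SECURE = true;
                  KEY_FILE = config.mtls.keyFile;
                  CERT_FILE = config.mtls.certFile;
                })
              ];

              repository = {
                ENABLE_PUSH_CREATE_USER = true;
              };

              # Do not reveal user e-mail addresses in the web UI.
              ui.SHOW_USER_EMAIL = false;

              markup = {
                ENABLED = true;
              };
            };

            # Only the *paths* of the secret files go into the generated
            # config. mkForce overrides the service module's own defaults so
            # the sops-managed values always win.
            secrets = {
              security = {
                SECRET_KEY = lib.mkForce config.sops.secrets."forgejo/secret_key".path;
                INTERNAL_TOKEN = lib.mkForce config.sops.secrets."forgejo/internal_token".path;
              };
              oauth2.JWT_SECRET = lib.mkForce config.sops.secrets."forgejo/jwt_secret".path;
              server.LFS_JWT_SECRET = lib.mkForce config.sops.secrets."forgejo/lfs_jwt_secret".path;
            };

            database = {
              type = "postgres";
              # Follow whatever port the local PostgreSQL module is configured with.
              port = config.services.postgresql.settings.port;
              # createDatabase = false;
            };

            # dump = {
            #   enable = true;
            #   interval = "12h";
            # };
          };

          postgresql = {
            enable = true;
            settings = { };
          };
        };

        # Destructive maintenance helpers, installed system-wide: each stops a
        # service and then deletes its on-disk state (no backup is taken).
        environment.systemPackages =
          let
            systemctl = lib.getExe' pkgs.systemd "systemctl";
            rm = lib.getExe' pkgs.coreutils "rm";
            echo = lib.getExe' pkgs.coreutils "echo";

            # NOTE(review): `systemctl stop` runs unprivileged while `rm` uses
            # sudo; with `set -e` the script exits at the stop step unless the
            # caller is root or polkit allows it — confirm intended.
            # State paths are quoted so a path containing spaces cannot expand
            # into extra `rm` arguments.
            clean-forgejo = pkgs.writeShellScriptBin "clean-forgejo" ''
              set -e
              ${systemctl} stop forgejo.service
              sudo ${rm} -rf "${config.services.forgejo.stateDir}"
              ${echo} "Removed ${config.services.forgejo.stateDir}"
            '';

            clean-postgres = pkgs.writeShellScriptBin "clean-postgres" ''
              set -e
              ${systemctl} stop postgresql.service
              ${echo} Stopped
              sudo ${rm} -rf "${config.services.postgresql.dataDir}"
              ${echo} "Removed ${config.services.postgresql.dataDir}"
            '';

            # Runs both helpers in dependency order: Forgejo first (it is the
            # database client), then PostgreSQL.
            clean-all = pkgs.writeShellScriptBin "clean-all" ''
              set -e
              ${lib.getExe clean-forgejo}
              ${lib.getExe clean-postgres}
              ${echo} "Removed everything related to forgejo"
            '';
          in
          [
            clean-forgejo
            clean-postgres
            clean-all
          ];
      };
    };
}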