nixos-config/modules/services/server/gitea.nix


#
# Gitea git hosting service, served through an nginx TLS reverse proxy
#
{ config, lib, pkgs, ... }:
{
# Gitea instance. It listens on loopback only; the nginx virtual host in this
# file terminates TLS and forwards requests to it.
services.gitea = {
  enable = true;
  appName = "Kabtop Git";

  lfs = {
    enable = true;
  };

  # The module's built-in dump job is switched off; the archive type only
  # takes effect if it is enabled again.
  # NOTE(review): no other backup is visible in this file — confirm one exists elsewhere.
  dump = {
    enable = false;
    type = "tar.xz";
  };

  # PostgreSQL over loopback TCP. With createDatabase = false this module does
  # not provision the role or database, so both must already exist.
  database = {
    type = "postgres";
    host = "127.0.0.1";
    name = "giteadb";
    user = "gitea";
    createDatabase = false;
    # Read from the agenix-decrypted file at runtime, which keeps the plaintext
    # out of the world-readable Nix store.
    passwordFile = config.age.secrets."services/gitea/databasePassword".path;
  };

  # NOTE(review): no [mailer] settings are set in this file; presumably they
  # are defined elsewhere, otherwise this password is unused — confirm.
  mailerPasswordFile = config.age.secrets."services/gitea/mailerPassword".path;

  # Everything under `settings` is rendered into app.ini from the Nix store,
  # which every local user can read. Secrets therefore must not be written
  # here as literals; use the module's *File options instead.
  settings = {
    server = {
      DOMAIN = "git.kabtop.de";
      ROOT_URL = "https://git.kabtop.de";
      # Bind to loopback so the plain-HTTP listener is reachable only through nginx.
      HTTP_ADDR = "localhost";
      # Port used in the SSH clone URLs; the SSH listener itself is not configured here.
      SSH_PORT = 2220;
      ENABLE_GZIP = true;
    };

    security = {
      # 8 is the commonly cited floor for user-chosen passwords; the breach
      # check below is what rejects known-compromised ones.
      MIN_PASSWORD_LENGTH = 8;
      # Checks new passwords against Have I Been Pwned, so the host needs
      # outbound HTTPS access for this to work.
      PASSWORD_CHECK_PWN = true;
      PASSWORD_HASH_ALGO = "argon2";
    };

    # Disabled OAuth2 provider block. If it is re-enabled, do not set
    # JWT_SECRET inline: the value would land in the Nix store in plaintext.
    #    oauth2 = {
    #      ENABLE = true;
    #      #JWT_SECRET = "secret123";
    #    };

    repository = {
      MAX_CREATION_LIMIT = 100;
    };

    ui = {
      # Do not show account e-mail addresses in the UI.
      SHOW_USER_EMAIL = false;
      DEFAULT_THEME = "arc-green";
    };

    #    openid = {
    #      ENABLE_OPENID_SIGNIN = true;
    #      WHITELISTED_URIS = "https://auth.kabtop.de";
    #    };
    #    oauth2_client = {
    #      ENABLE_AUTO_REGISTRATION = true;
    #    };

    time = {
      DEFAULT_UI_LOCATION = "Europe/Berlin";
    };

    other = {
      # Hides the version string in the page footer. This only reduces casual
      # fingerprinting; it is no substitute for keeping Gitea patched.
      SHOW_FOOTER_VERSION = false;
    };

    session = {
      # Session cookie is sent over HTTPS only, matching forceSSL on the nginx vhost.
      COOKIE_SECURE = true;
    };

    service = {
      # Self-service sign-up is closed; the e-mail confirmation setting only
      # matters if registration is opened again.
      DISABLE_REGISTRATION = true;
      REGISTER_EMAIL_CONFIRM = true;
    };

    actions = {
      # Actions jobs execute workflow code supplied by repositories on whatever
      # runners are registered. Runner registration and isolation are not
      # configured in this file and should be reviewed where they are.
      ENABLED = true;
    };
  };
};
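# nginx terminates TLS for the Gitea domain (ACME certificate, HTTP redirected
# to HTTPS) and forwards requests to Gitea's loopback HTTP listener.
services.nginx =
  let
    # Take domain, address and port from Gitea's own settings so the proxy
    # target cannot drift from what Gitea actually binds. HTTP_PORT falls back
    # to the module default when it is not set explicitly.
    giteaServer = config.services.gitea.settings.server;
  in
  {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    virtualHosts = {
      "${giteaServer.DOMAIN}" = {
        enableACME = true;
        forceSSL = true;
        # Plain HTTP is acceptable here only because the upstream is on loopback.
        # NOTE(review): LFS is enabled on the Gitea side; nginx's request-body
        # limit (services.nginx.clientMaxBodySize) applies to uploads through
        # this vhost — confirm it is sized for the expected objects.
        locations."/".proxyPass =
          "http://${giteaServer.HTTP_ADDR}:${toString giteaServer.HTTP_PORT}";
      };
    };
  };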
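# agenix secrets consumed by services.gitea through its *PasswordFile options.
# The owner is taken from the Gitea module's service account rather than a
# literal, so the decrypted files stay readable by the service if that account
# is ever renamed. With agenix's default file mode (0400 unless overridden),
# only the owner can read them.
age.secrets = {
  "services/gitea/mailerPassword" = {
    file = ../../../secrets/services/gitea/mailerPassword.age;
    owner = config.services.gitea.user;
  };
  "services/gitea/databasePassword" = {
    file = ../../../secrets/services/gitea/databasePassword.age;
    owner = config.services.gitea.user;
  };
};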
}