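{ config, pkgs, inputs, lib, system, ... }:
# Host-side NixOS module: runs Gitea inside a NixOS container, fronts it with
# the shared nginx reverse proxy (../nginx.nix) and feeds it an SMTP password
# decrypted by sops on the host.
let
  # Gitea package *and* NixOS module come from the unstable input instead of
  # the host's nixpkgs; the container below imports the matching module so
  # package and module options stay in sync.
  unstable = inputs.nixpkgs-nixos-unstable;
  package = unstable.legacyPackages."${system}".gitea;

  httpPort = 8083; # reached only via nginx on loopback; not opened in the firewall
  sshPort = 22;    # Gitea's built-in SSH server, opened in the host firewall below
  domain = "git.cyplo.dev";
  emailDomain = "peninsula.industries";
  baseurl = "https://${domain}";
  path = "/var/lib/gitea";

  # The secret is materialised by sops on the host at this path and
  # bind-mounted read-only into the container at the same path.
  mailgunSmtpSecretName = "gitea-mailgun-smtp-password";
  mailgunSmtpPasswordPath = "/run/secrets/${mailgunSmtpSecretName}";

  # Fixed ids so the host (secret owner, bind-mounted state dir) and the
  # container (gitea service user) agree on file ownership.
  uid = 2051;
  gid = 3051;
  systemUserName = "gitea";
  systemGroupName = "gitea";

  # Declared once and applied to both the host and the container (see
  # `inherit users` and the container's `users = users // ...`).
  users = {
    users."${systemUserName}" = {
      inherit uid;
      isSystemUser = true;
      isNormalUser = false;
      group = systemGroupName;
    };
    groups."${systemGroupName}" = {
      inherit gid;
      # NOTE(review): nginx is put in the gitea group, which grants it
      # group-level access to whatever the state directory's mode allows —
      # confirm the proxy actually needs this; the location block below only
      # proxies over TCP.
      members = [ "${systemUserName}" "nginx" ];
    };
  };
in
{
  imports = [ ../nginx.nix ];
  inherit users;

  # NOTE(review): this lets *every* unprivileged process on the host (and in
  # the container, which shares the kernel) bind ports below 1024 —
  # presumably so Gitea's SSH server can listen on port 22 without
  # CAP_NET_BIND_SERVICE. It is a system-wide relaxation; granting the
  # capability to the gitea service alone would be narrower. The sysctl
  # service is force-enabled so the setting is applied at boot.
  boot.kernel.sysctl = { "net.ipv4.ip_unprivileged_port_start" = 0; };
  systemd.services.systemd-sysctl.enable = lib.mkForce true;

  # Only SSH is exposed; HTTP stays on loopback behind nginx.
  # NOTE(review): if the host also runs sshd on 22, the two will compete for
  # the port — verify the host's sshd listens elsewhere.
  networking.firewall.allowedTCPPorts = [ sshPort ];

  services.nginx = {
    virtualHosts."${domain}" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:" + toString httpPort;
      };
    };
  };

  # Decrypted secret is owned by the gitea user/group so only Gitea (and
  # root) can read it on the host.
  sops.secrets."${mailgunSmtpSecretName}" = {
    sopsFile = ./mailgun.sops.yaml;
    path = mailgunSmtpPasswordPath;
    owner = systemUserName;
    group = systemGroupName;
  };

  containers.gitea = {
    autoStart = true;

    # Fix: forwardPorts entries are {hostPort, containerPort, protocol}.
    # The original `inherit httpPort;` produced an attribute named `httpPort`
    # (not an option of the entry) and left `hostPort` unset.
    # NOTE(review): port forwards only apply when the container has its own
    # network namespace (`privateNetwork = true`); without it the container
    # shares the host's network and the ports are reachable directly — confirm
    # which mode is intended.
    forwardPorts = [
      { hostPort = httpPort; containerPort = httpPort; }
      { hostPort = sshPort; containerPort = sshPort; }
    ];

    bindMounts = {
      # Persistent Gitea state lives on the host.
      "${path}" = {
        hostPath = "${path}";
        isReadOnly = false;
      };
      # SMTP password: read-only view of the host's sops output.
      "${mailgunSmtpPasswordPath}" = {
        hostPath = "${mailgunSmtpPasswordPath}";
        isReadOnly = true;
      };
    };

    config = { config, pkgs, lib, ... }: {
      system.stateVersion = "23.11";

      # Same uid/gid as the host; no interactive accounts exist, so a
      # password-less root is tolerated inside the container.
      users = users // {
        mutableUsers = false;
        allowNoPasswordLogin = true;
      };

      # Swap the host-nixpkgs gitea module for the unstable one that matches
      # `package`.
      disabledModules = [ "services/misc/gitea.nix" ];
      imports = [ "${unstable}/nixos/modules/services/misc/gitea.nix" ];

      services.gitea = {
        enable = true;
        inherit package;
        stateDir = path;
        user = systemUserName;
        mailerPasswordFile = mailgunSmtpPasswordPath;
        lfs.enable = true;
        database.type = "sqlite3";

        settings = {
          # Hardening: no self-registration, installer locked, no OAuth2
          # provider endpoints.
          service.DISABLE_REGISTRATION = true;
          security.INSTALL_LOCK = true;
          oauth2.ENABLE = false;
          log.LEVEL = "Info";
          actions.ENABLED = true;

          # Git operation timeouts (seconds); migrations/mirrors get longer.
          "git.timeout" = {
            DEFAULT = 600;
            MIGRATE = 3600;
            MIRROR = 3600;
            CLONE = 600;
            PULL = 600;
            GC = 600;
          };

          # Periodic housekeeping.
          "cron".ENABLED = true;
          "cron.git_gc_repos".ENABLED = true;
          "cron.delete_old_actions".ENABLED = true;
          "cron.delete_old_system_notices".ENABLED = true;
          "cron.gc_lfs".ENABLED = true;

          server = {
            ROOT_URL = baseurl;
            DOMAIN = domain;
            START_SSH_SERVER = true;
            SSH_PORT = sshPort;
            HTTP_PORT = httpPort;
            SSH_LISTEN_PORT = sshPort;
            DISABLE_SSH = false;
          };

          mailer = {
            ENABLED = true;
            # NOTE(review): the trailing space suggests a truncated
            # "Name <address>" value — confirm the intended FROM address.
            FROM = "git.cyplo.dev ";
            PROTOCOL = "smtps"; # implicit TLS on 465
            SMTP_ADDR = "smtp.eu.mailgun.org";
            SMTP_PORT = 465;
            USER = "postmaster@${emailDomain}";
          };
        };
      };
    };
  };
}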