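# Forgejo host: nginx terminates TLS (ACME via Cloudflare DNS-01), secrets come
# from sops, and the Forgejo state directory is shipped off-site with restic.
{ config, ... }:
let
  cfg = config.services.forgejo;
  srv = cfg.settings.server;
in
{
  sops = {
    # Everything except the ACME environment lives in restic.yaml.
    defaultSopsFile = ../../secrets/restic.yaml;
    secrets = {
      # Cloudflare credentials used by lego for the DNS-01 challenge; kept in
      # a separate sops file from the backup secrets.
      "env" = { sopsFile = ../../secrets/cf-acme.yaml; };
      "b2-forgejo/env" = { };
      "b2-forgejo/repo" = { };
      "b2-forgejo/password" = { };
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "acme@10110110.xyz";
      dnsProvider = "cloudflare";
      # Provider token is only ever read from the sops-decrypted path, never
      # written into the Nix store.
      environmentFile = config.sops.secrets."env".path;
    };
  };

  services.nginx = {
    enable = true;
    virtualHosts.${srv.DOMAIN} = {
      forceSSL = true;
      enableACME = true;
      acmeRoot = null; # DNS-01 challenge, so no HTTP webroot is served
      locations."/" = {
        recommendedProxySettings = true;
        # Upstream is the Forgejo HTTP listener on this same host.
        proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
        extraConfig = ''
          client_max_body_size 512M;
        '';
      };
    };
  };

  services.forgejo = {
    enable = true;
    database.type = "sqlite3";
    # Periodic `forgejo dump`; the dump is the consistent copy of the sqlite
    # database for restores, since the live .db file below may be mid-write
    # when the restic snapshot is taken. NOTE(review): dump output is assumed
    # to land under /var/lib/forgejo (default backupDir) so it is included in
    # the backup — confirm, and watch that old dumps are pruned so snapshots
    # do not grow unbounded.
    dump.enable = true;
    settings = {
      DEFAULT = {
        APP_NAME = "git.10110110.xyz";
        APP_SLOGAN = "No rice, no life.";
      };
      server = {
        DOMAIN = "git.10110110.xyz";
        # Needed so the web UI builds URLs without the internal port.
        ROOT_URL = "https://${srv.DOMAIN}/";
        # nginx on this host is the only client of the plain-HTTP listener, so
        # bind it to loopback rather than every interface; this keeps the
        # unencrypted port from being reachable if the firewall is relaxed.
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = 3000;
      };
      # Local sign-up is closed; accounts are created only through the
      # configured OAuth2 provider(s).
      service.DISABLE_REGISTRATION = true;
      oauth2_client = {
        ENABLE_AUTO_REGISTRATION = true;
        UPDATE_AVATAR = true;
      };
      # Session cookie is only sent over HTTPS (nginx forces SSL above).
      session.COOKIE_SECURE = true;
      actions = {
        ENABLED = true;
        DEFAULT_ACTIONS_URL = "github";
      };
    };
  };

  services.restic.backups = {
    b2-forgejo = {
      initialize = true;
      # Repository location, credentials and encryption password all come
      # from sops so none of them appear in the store.
      environmentFile = config.sops.secrets."b2-forgejo/env".path;
      repositoryFile = config.sops.secrets."b2-forgejo/repo".path;
      passwordFile = config.sops.secrets."b2-forgejo/password".path;
      paths = [ "/var/lib/forgejo" ];
      # Snapshot every six hours.
      timerConfig = {
        OnCalendar = "*-*-* */6:00:00";
      };
      pruneOpts = [
        "--keep-daily 31"
        "--keep-monthly 6"
        "--keep-yearly 2"
      ];
    };
  };
}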