# NixOS module: a single Gitea instance backed by PostgreSQL and Elasticsearch,
# published through nginx under git.winston.sh.
{ config, lib, pkgs, ... }:
let
  cfg = config.services.gitea;
  es = config.services.elasticsearch;
  dbSecret = "services/gitea/password-database";

  # Both the issue and the repository indexer talk to the same Elasticsearch
  # endpoint, so build the connection string once.
  # NOTE(review): this assumes the Elasticsearch listener accepts unauthenticated
  # HTTP from the gitea service on this host — confirm against the ES options in use.
  indexerBackend = "elasticsearch";
  indexerConn = "http://${es.listenAddress}:${toString es.port}";

  giteaDomain = "git.winston.sh";
in
{
  services.gitea = {
    enable = true;
    package = pkgs.unstable.gitea;
    appName = "winston's gitea";
    lfs.enable = true;

    database = {
      type = "postgres";
      # Password is supplied out-of-band via agenix; never inlined into app.ini at eval time.
      passwordFile = config.age.secrets.${dbSecret}.path;
    };

    settings = {
      actions.ENABLED = true;

      indexer = {
        ISSUE_INDEXER_TYPE = indexerBackend;
        ISSUE_INDEXER_CONN_STR = indexerConn;
        REPO_INDEXER_ENABLED = true;
        REPO_INDEXER_TYPE = indexerBackend;
        REPO_INDEXER_CONN_STR = indexerConn;
      };

      repository.ENABLE_PUSH_CREATE_USER = true;

      # Gitea itself only listens on loopback; nginx (below) is the only public entry point.
      server = {
        DOMAIN = giteaDomain;
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = 12492;
        ROOT_URL = "https://${giteaDomain}/";
      };

      # Closed instance: no self-service sign-up.
      service.DISABLE_REGISTRATION = true;

      # Session cookie hardening: HTTPS-only and strict SameSite.
      session = {
        COOKIE_SECURE = true;
        SAME_SITE = "strict";
      };

      "ui.meta" = {
        AUTHOR = "nekowinston";
        DESCRIPTION = "winston's gitea instance";
      };

      # Hide version/branding from the footer (less fingerprinting surface).
      other = {
        SHOW_FOOTER_VERSION = false;
        SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
        SHOW_FOOTER_BRANDING = false;
      };
    };
  };

  # Runs after the upstream module's own preStart (which lays down app.ini):
  # temporarily unlock the custom dir, overlay ./gitea from the store, lock it again.
  # NOTE(review): `**` only recurses when bash `globstar` is enabled; without it `**`
  # behaves like `*`, so the chmod reaches only entries two levels below custom/ —
  # confirm which shell options the preStart wrapper sets before relying on this.
  systemd.services.gitea.preStart = lib.mkAfter ''
    chmod u+w -R ${cfg.stateDir}/custom/**/*
    # apply customizations
    cp -Rf ${./gitea}/* ${cfg.stateDir}/custom
    chmod u-w -R ${cfg.stateDir}/custom/**/*
  '';

  # Presumably git-over-SSH; HTTP is not opened here, nginx owns that elsewhere.
  networking.firewall.allowedTCPPorts = [ 22 ];

  # The database secret must be readable by the gitea service user.
  age.secrets.${dbSecret}.owner = "gitea";

  services.elasticsearch.enable = true;

  # Reverse proxy; the certificate comes from an ACME host defined elsewhere.
  services.nginx.virtualHosts.${cfg.settings.server.DOMAIN} = {
    forceSSL = true;
    enableACME = false;
    useACMEHost = "winston.sh";
    locations."/" = {
      # Large pushes / LFS uploads need a generous body limit.
      extraConfig = "client_max_body_size 512M;";
      proxyPass = "http://${cfg.settings.server.HTTP_ADDR}:${toString cfg.settings.server.HTTP_PORT}";
    };
  };
}