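# NixOS module: Forgejo behind Caddy, authenticating users through an external
# OIDC provider (Kanidm). Storage lives on the "forgejo" CIFS mount.
{ config, lib, pkgs, ... }:
let
  inherit (lib) getExe;
  cfg = config.services.forgejo;
in
{
  config = {
    custom.cifs-mounts = [ "forgejo" ];

    services.forgejo = {
      enable = true;
      # Use cutting edge instead of lts
      package = pkgs.forgejo;
      # Both data roots sit on the CIFS mount declared above; the mount has to
      # be up before the service starts (ordering is handled elsewhere — confirm).
      repositoryRoot = "/mnt/storage/forgejo/repositories";
      lfs = {
        enable = true;
        contentDir = "/mnt/storage/forgejo/lfs";
      };
      settings = {
        server = {
          ROOT_URL = "https://git.xinyang.life/";
          # SSH is handled by the system sshd; Forgejo's built-in server stays off.
          START_SSH_SERVER = false;
          # NOTE(review): a separate `git` user is created below but SSH_USER is
          # the forgejo service user — verify that is the intended SSH login.
          SSH_USER = cfg.user;
          SSH_DOMAIN = "ssh.xinyang.life";
          SSH_PORT = 22;
          LFS_MAX_FILE_SIZE = 10737418240; # 10 GiB
          LANDING_PAGE = "/explore/repos";
        };
        repository.ENABLE_PUSH_CREATE_USER = true;
        service = {
          # Local sign-up is off: accounts are only created through the OIDC
          # client configured below (ENABLE_AUTO_REGISTRATION).
          DISABLE_REGISTRATION = true;
          # No password-based HTTP basic auth; API access goes through tokens.
          ENABLE_BASIC_AUTHENTICATION = false;
        };
        # Disable forgejo as oauth2 provider
        oauth2.ENABLED = false;
        oauth2_client = {
          # NOTE(review): "auto" links an OIDC login to an existing local account
          # by matching identity without prompting the user, so it relies on the
          # provider asserting verified emails — confirm that holds for Kanidm.
          ACCOUNT_LINKING = "auto";
          USERNAME = "email";
          ENABLE_AUTO_REGISTRATION = true;
          UPDATE_AVATAR = false;
          OPENID_CONNECT_SCOPES = "openid profile email groups";
        };
        other.SHOW_FOOTER_VERSION = false;
      };
    };

    systemd.services.forgejo.serviceConfig = {
      # Supplies CLIENT_SECRET for the auth-source update below.
      EnvironmentFile = config.sops.secrets."forgejo/env".path;
      # Re-apply the OIDC auth source on every start so the secret Forgejo uses
      # always matches the environment file. Assumes the source already exists
      # with id 1 in Forgejo's database.
      #
      # The secret is referenced with braces so systemd passes it as exactly one
      # argument even when it is empty or contains whitespace; a bare $VAR is
      # word-split and an empty value would vanish, letting `--secret` swallow
      # the following option as its value.
      #
      # The secret is visible in the command's argument list while it runs; the
      # CLI offers no other way to pass it, so keep this in mind when auditing
      # process listings on the host.
      ExecStartPost = ''
        ${getExe cfg.package} admin auth update-oauth \
          --id 1 \
          --name kanidm \
          --provider openidConnect \
          --key forgejo \
          --secret ''${CLIENT_SECRET} \
          --icon-url https://auth.xinyang.life/pkg/img/favicon.png \
          --group-claim-name forgejo_role \
          --admin-group Admin
      '';
    };

    users.users.git = {
      isSystemUser = true;
      useDefaultShell = true;
      group = "git";
      extraGroups = [ "forgejo" ];
    };
    users.groups.git = { };

    services.caddy = {
      enable = true;
      # Proxy to the address/port Forgejo itself is configured with. The
      # previous reference to the gitea module only worked because its defaults
      # happen to coincide with Forgejo's and would drift silently otherwise.
      virtualHosts."https://git.xinyang.life:443".extraConfig = ''
        reverse_proxy http://${cfg.settings.server.DOMAIN}:${toString cfg.settings.server.HTTP_PORT}
      '';
    };
  };
}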