{ lib, config, ... }: { sops.secrets.forgejo_mail_password = { sopsFile = ../secrets.yaml; owner = config.services.forgejo.user; group = config.services.forgejo.group; }; satellite.cloudflared.at.git.port = config.satellite.ports.forgejo; satellite.cloudflared.at."ssh.git" = { protocol = "ssh"; port = 22; # default ssh port }; services.forgejo = { enable = true; stateDir = "/persist/state/var/lib/forgejo"; mailerPasswordFile = config.sops.secrets.forgejo_mail_password.path; dump.enable = false; # We already backup via rsync + have zfs snapshots to rollback to lfs.enable = true; # See [the cheatsheet](https://docs.gitea.com/next/administration/config-cheat-sheet) settings = { default.APP_NAME = "moonforge"; server = { DOMAIN = config.satellite.cloudflared.at.git.host; HTTP_PORT = config.satellite.cloudflared.at.git.port; ROOT_URL = config.satellite.cloudflared.at.git.url; LANDING_PAGE = "prescientmoon"; # Make my profile the landing page # START_SSH_SERVER = true; # BUILTIN_SSH_SERVER_USER = "git"; # SSH_LISTEN_PORT = config.satellite.ports.forgejo-ssh; SSH_DOMAIN = config.satellite.cloudflared.at."ssh.git".host; }; cron.ENABLED = true; service.DISABLE_REGISTRATION = true; session.COOKIE_SECURE = true; mailer = { ENABLED = true; SMTP_PORT = 465; SMTP_ADDR = "smtp.migadu.com"; USER = "git@orbit.moonythm.dev"; }; repository = { DISABLE_STARS = true; DEFAULT_REPO_UNITS = lib.strings.concatStringsSep "," [ "repo.code" ]; ENABLE_PUSH_CREATE_USER = true; ENABLE_PUSH_CREATE_ORG = true; }; }; }; # Clean up dumps older than a week. # The data is also saved in zfs snapshots and rsync backups, # so this is just an extra layer of safety. systemd.tmpfiles.rules = [ "d ${config.services.forgejo.stateDir}/dump - - - 7d" ]; }