dots/modules/nixos/features/forgejo.nix

{
  config,
  lib,
  ...
}:
let
  port = 5027;
  certloc = "/var/lib/acme/fi33.buzz";
  hostname = "git.fi33.buzz";
  url = "https://git.fi33.buzz";
in
{
  services = {
    forgejo = {
      enable = true;
      dump = {
        enable = true;
        interval = "00:00";
      };
      lfs.enable = true;
      settings = {
        server = {
          # keep-sorted start
          DOMAIN = hostname;
          HTTP_PORT = port;
          ROOT_URL = url;
          SSH_PORT = lib.head config.services.openssh.ports;
          # keep-sorted end
        };
        service.DISABLE_REGISTRATION = true;
      };
      user = "git";
      group = "git";
    };

    openssh.settings.AllowUsers = [ "git" ];

    borgbackup.jobs = {
      onsite.paths = [ "/var/lib/forgejo" ];
      offsite.paths = [ "/var/lib/forgejo" ];
    };

    caddy.virtualHosts.${hostname}.extraConfig = ''
      reverse_proxy localhost:${toString port}
      tls ${certloc}/cert.pem ${certloc}/key.pem {
        protocols tls1.3
      }
    '';
  };

  users = {
    users.git = {
      home = "/var/lib/forgejo";
      useDefaultShell = true;
      group = "git";
      isSystemUser = true;
    };
    groups.git = { };
  };
}