# NixOS module: self-hosted Forgejo (Git forge) plus a Forgejo Actions runner,
# with secrets supplied through sops-nix. `common` is an extra module argument
# that must provide `common.domain`; its definition is not visible here.
{ config, pkgs, lib, common, ... }:
let
  # Public hostname the forge is served under.
  domain = "beta.code.${common.domain}";
  # Names of the sops secrets used below (keys into config.sops.secrets).
  passwordKey = "forgejo/admin-pass";
  runnerTokenKey = "forgejo/runner-token";
in
{
  services = {
    forgejo = {
      enable = true;
      package = pkgs.forgejo;
      database.type = "postgres";
      # Enable support for Git Large File Storage
      lfs.enable = true;
      settings = {
        server = {
          DOMAIN = domain;
          # ROOT_URL is https while Forgejo itself only exposes plain HTTP_PORT;
          # presumably TLS is terminated by a reverse proxy configured elsewhere.
          ROOT_URL = "https://${domain}/";
          HTTP_PORT = 8002;
        };
        # No self-service sign-up: accounts exist only if an administrator
        # creates them (the initial admin is created in preStart below).
        service.DISABLE_REGISTRATION = true;
        actions = {
          ENABLED = true;
          # Actions referenced by short name in workflows are resolved against
          # GitHub, so every workflow implicitly trusts that upstream source.
          DEFAULT_ACTIONS_URL = "github";
        };
        # TODO set up mailer
      };
    };
    gitea-actions-runner = {
      package = pkgs.forgejo-actions-runner;
      instances.default = {
        enable = true;
        name = "monolith";
        url = "https://${domain}";
        # Tools available to jobs that run directly on the host (`native:host`).
        hostPackages = with pkgs; [ bash coreutils curl gawk gitMinimal gnused nodejs wget podman podman-compose ];
        # Obtaining the path to the runner token file may differ
        # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd
        tokenFile = config.sops.secrets.${runnerTokenKey}.path;
        # `docker:` jobs run inside a container; `native:host` jobs run on this
        # host itself, with the runner service's privileges and without container
        # isolation. `node:22-bullseye` is a floating tag, so the container
        # environment can change underneath jobs; a digest pin would fix it.
        labels = [ "docker:docker://node:22-bullseye" "native:host" ];
      };
    };
  };

  # Both secrets are owned by the Forgejo service user. The runner token is
  # read by systemd as an EnvironmentFile (see tokenFile above), so the runner
  # service does not need to own it; as written, the forgejo user can read the
  # runner token too.
  sops.secrets = let user = config.systemd.services.forgejo.serviceConfig.User; in {
    ${passwordKey}.owner = user;
    ${runnerTokenKey}.owner = user;
  };

  # Create a single admin user on first start. The password is applied only at
  # creation time: the change-password step inside the script is commented out,
  # so rotating the sops secret does NOT update an already existing account.
  # NOTE: `|| true` discards every failure of the create command, not only the
  # "user already exists" case, so an unreachable database or an unreadable
  # password file would pass silently here.
  # NOTE(review): the password is handed over as a command-line argument, so it
  # is briefly readable by other local users via the process table while the
  # command runs.
  systemd.services.forgejo.preStart = let
    adminCmd = "${lib.getExe config.services.forgejo.package} admin user";
    pwd = config.sops.secrets.${passwordKey};
    user = "martin"; # Note, Forgejo doesn't allow creation of an account named "admin"
    email = "git@${common.domain}";
  in ''
    ${adminCmd} create --admin --email "${email}" --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
    ## Alter an existing user. Will prompt new password on login
    # ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
  '';
}