nixos-configuration/hosts/nidaros/forgejo.nix

{
  config,
  pkgs,
  lib,
  common,
  ...
}:
let
  domain = "beta.code.${common.domain}";
  passwordKey = "forgejo/admin-pass";
  runnerTokenKey = "forgejo/runner-token";
in
{
  services = {
    forgejo = {
      enable = true;
      package = pkgs.forgejo;
      database.type = "postgres";
      # Enable support for Git Large File Storage
      lfs.enable = true;

      settings = {
        server = {
          DOMAIN = domain;
          ROOT_URL = "https://${domain}/";
          HTTP_PORT = 8002;
        };
        service.DISABLE_REGISTRATION = true;
        actions = {
          ENABLED = true;
          DEFAULT_ACTIONS_URL = "github";
        };
        # TODO set up mailer
      };
    };
    gitea-actions-runner = {
      package = pkgs.forgejo-actions-runner;
      instances.default = {
        enable = true;
        name = "monolith";
        url = "https://${domain}";
        hostPackages = with pkgs; [
          bash
          coreutils
          curl
          gawk
          gitMinimal
          gnused
          nodejs
          wget
          podman
          podman-compose
        ];

        # Obtaining the path to the runner token file may differ
        # tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd
        tokenFile = config.sops.secrets.${runnerTokenKey}.path;
        labels = [
          "docker:docker://node:22-bullseye"
          "native:host"
        ];
      };
    };
  };

  sops.secrets =
    let
      user = config.systemd.services.forgejo.serviceConfig.User;
    in
    {
      ${passwordKey}.owner = user;
      ${runnerTokenKey}.owner = user;
    };

  # Create a single admin user / update password if exists
  systemd.services.forgejo.preStart =
    let
      adminCmd = "${lib.getExe config.services.forgejo.package} admin user";
      pwd = config.sops.secrets.${passwordKey};
      user = "martin"; # Note, Forgejo doesn't allow creation of an account named "admin"
      email = "git@${common.domain}";
    in
    ''
      ${adminCmd} create --admin --email "${email}" --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
      ## Alter an existing user. Will prompt new password on login
      # ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
    '';
}