nixos-config/modules/sv2/services/gitea.nix


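{
  lib,
  config,
  ...
}: let
  # Gitea is served on a subdomain of rootDomain; the ACME certificate is
  # issued for hostDomain with the gitea subdomain added as an extra name.
  rootDomain = "gumpling.net";
  hostDomain = rootDomain;
  # Bootstrap admin account created by the postStart hook below. These two
  # values are the single source of truth for the hook (they were previously
  # duplicated as literals inside the script).
  adminUsername = "Bladesy";
  adminEmail = "gitea@dylanblades.net";
  # Gitea only needs to be reachable by the local nginx reverse proxy, so it
  # binds to loopback; nginx proxies to the same literal address below.
  giteaListenAddr = "127.0.0.1";
  giteaPort = 3000;
in {
  imports = with lib.nixosModules; [secrets];

  # The admin password is decrypted by sops at activation time and is readable
  # only by the gitea service user, which is what runs the postStart hook.
  sops.secrets.gitea-admin-password = {
    sopsFile = lib.secrets.gitea;
    owner = config.users.users.gitea.name;
    group = config.users.users.gitea.group;
  };

  # Only the nginx front end is exposed. Gitea's own HTTP port is not opened
  # here and is bound to loopback (settings.server.HTTP_ADDR) as well.
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];

  security.acme = {
    acceptTerms = true;
    defaults.email = "acme.evict519@simplelogin.com";
    certs.${hostDomain}.extraDomainNames = ["gitea.${rootDomain}"];
  };

  # Workaround for useWizard: create the initial admin account once.
  # The hook runs after every (re)start; the guard on the admin count keeps
  # it idempotent. A failed `admin user create` is reported and fails the
  # hook instead of being masked by the "already present" message (the old
  # `a && b && echo ok || echo present` chain printed "present" on failure).
  systemd.services.gitea.postStart = let
    exe = lib.getExe config.services.gitea.package;
    adminPasswordFile = config.sops.secrets.gitea-admin-password.path;
  in ''
    # `admin user list --admin` is assumed to print a header line, so a
    # single line means no admin exists yet -- TODO confirm against the
    # gitea version in use.
    if [ "$(${exe} admin user list --admin | wc -l)" -eq 1 ]; then
      # NOTE: the password is handed over as a command-line argument, so it
      # is briefly visible in the process list to other local users while
      # the command runs; the secret file itself stays owner-readable only.
      if ${exe} admin user create \
        --admin \
        --username "${adminUsername}" \
        --email "${adminEmail}" \
        --password "$(cat ${adminPasswordFile})"; then
        echo "admin created"
      else
        echo "admin creation failed" >&2
        exit 1
      fi
    else
      echo "admin already present"
    fi
  '';

  services = {
    gitea = {
      enable = true;
      /*
      Option useWizard does not work.
      useWizard = true;
      */
      appName = "Gitea";
      settings = {
        # Self-registration is off; the only account is the bootstrapped
        # admin, who creates further users.
        service.DISABLE_REGISTRATION = true;
        server = {
          DOMAIN = "gitea.${rootDomain}";
          ROOT_URL = "https://gitea.${rootDomain}/";
          # Listen on loopback only: all external traffic arrives through the
          # TLS-terminating nginx vhost below.
          HTTP_ADDR = giteaListenAddr;
          HTTP_PORT = giteaPort;
        };
        ui.DEFAULT_THEME = "gitea-dark";
      };
    };

    nginx = {
      enable = true;
      virtualHosts = {
        ${hostDomain}.enableACME = true;
        "gitea.${rootDomain}" = {
          forceSSL = true;
          useACMEHost = hostDomain;
          locations."/" = {
            # Same literal address Gitea binds to, avoiding any dependence on
            # how "localhost" resolves (IPv4 vs IPv6).
            proxyPass = "http://${giteaListenAddr}:${toString giteaPort}";
            extraConfig = ''
              client_max_body_size 512M;
              proxy_set_header Connection $http_connection;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
            '';
          };
        };
      };
    };
  };

  # Gitea state survives reboots on the impermanent root; directory is owned
  # by the service user and not world-readable.
  environment.persistence."/persist" = {
    hideMounts = true;
    directories = [
      {
        directory = "/var/lib/gitea";
        user = "gitea";
        group = "gitea";
        mode = "u=rwx,g=rx,o=";
      }
    ];
  };
}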