# NixOS module: self-hosted Forgejo as an OCI container, backed by the host's
# PostgreSQL, fronted by nginx on git.stupid.fish and exposing SSH on 2222.
{ abs, pkgs, config, ... }@inputs:
let
  # Fixed uid shared by the host account, the container process and the
  # tmpfiles ownership so bind-mounted data has a consistent owner.
  UID = 1125;
  uidStr = toString UID;
  # Build context (Dockerfile + custom entrypoint) copied into the store.
  context = pkgs.copyPathToStore ./image;
in
{
  users.users.forgejo = {
    isNormalUser = true;
    uid = UID;
  };

  services.postgresql = {
    ensureUsers = [
      {
        name = "forgejo";
        ensureDBOwnership = true;
      }
    ];
    ensureDatabases = [ "forgejo" ];
  };
  # NOTE(review): `desu.postgresql.ensurePasswords` is a non-upstream option;
  # the literal here lands in the world-readable Nix store, so it only protects
  # the database as far as network reachability of PostgreSQL is restricted —
  # confirm listen address / pg_hba, or source the value from a secrets file.
  desu.postgresql.ensurePasswords.forgejo = "forgejo";

  systemd.services.docker-forgejo = {
    # Rebuild the local image from ./image before every (re)start.
    serviceConfig.ExecStartPre = [
      (pkgs.writeShellScript "build-forgejo" ''
        docker build -t local/forgejo ${context}
      '')
    ];
    after = [
      "postgresql.service"
      "gocryptfs.service"
    ];
  };

  virtualisation.oci-containers.containers.forgejo = {
    image = "local/forgejo";
    # A custom entrypoint sets the uid and then drops privileges, because
    # forgejo expects the running user to be named "git" :woozy:
    # (and the upstream root image is too bloated for my taste).
    volumes = [
      "/etc/localtime:/etc/localtime:ro"
      "/etc/timezone:/etc/timezone:ro"
    ];
    user = uidStr;
    extraOptions = [
      "--group-add=${toString config.users.groups.geesefs.gid}"
      "--mount=type=bind,source=/srv/forgejo/data,target=/var/lib/gitea"
    ];
    # NOTE(review): a docker port publish binds on all interfaces and is
    # inserted via docker's own iptables chains, i.e. independently of the
    # NixOS firewall rule below — confirm that external SSH exposure is intended.
    ports = [ "2222:2222" ];
  };

  # Nightly cleanup of Actions logs, run unprivileged as the forgejo user.
  systemd.services.forgejo-clear-actions-logs = {
    serviceConfig = {
      Type = "oneshot";
      User = "forgejo";
      ExecStart = "${pkgs.nodejs_22}/bin/nodejs ${./clear-actions-logs.mjs}";
    };
    startAt = "03:00";
  };

  systemd.tmpfiles.rules = [
    "d /srv/forgejo/repos 0700 ${uidStr} ${uidStr} -"
  ];

  services.nginx.virtualHosts."git.stupid.fish" = {
    forceSSL = true;
    useACMEHost = "stupid.fish";
    locations."/" = {
      # NOTE(review): a variable in proxy_pass makes nginx resolve the upstream
      # host at runtime, which needs a `resolver` configured elsewhere — confirm.
      proxyPass = "http://forgejo.docker:3000$request_uri";
      proxyWebsockets = true;
      extraConfig = ''
        client_max_body_size 1g;
        proxy_read_timeout 120s;
        proxy_send_timeout 120s;
      '';
    };
  };

  networking.firewall.allowedTCPPorts = [ 2222 ];
}