nixos-config/modules/system/forgejo.nix

{ config, lib, pkgs, ... }:
let
  port = 12345;
in
{
  services = {
    forgejo = {
      enable = true;
      package = pkgs.forgejo;
      lfs = {
        enable = true;
      };
      stateDir = "/mnt/git-storage";
      settings = {
        default = {
          APP_NAME = "safe harbour";
        };
        server = {
          DOMAIN = "gt.emenel.ca";
          ROOT_URL = "https://gt.emenel.ca/";
          HTTP_PORT = port;
        };
        repository = {
          DEFAULT_BRANCH = "main";
        };
        service.DISABLE_REGISTRATION = true;
        actions = {
          ENABLED = true;
          DEFAULT_ACTIONS_URL = "github";
        };
        mailer = {
          ENABLED = true;
          SMTP_ADDR = "smtp.mailgun.org";
          SMTP_PORT = 587;
          FROM = "git@gt.emenel.ca";
          USER = "git@gt.emenel.ca";
        };
      };
      secrets = {
        mailer.PASSWD =  config.sops.secrets.forgejo-smtp.path;
      };
    };

    caddy.virtualHosts."gt.emenel.ca" = {
      extraConfig = ''
        reverse_proxy http://localhost:12345 {
          header_down X-Real-IP {http.request.remote}
          header_down X-Forwarded-For {http.request.remote}
        }
        '';
    };

    # gitea-actions-runner = {
    #   package = pkgs.forgejo-actions-runner;
    #   instances.default = {
    #     enable = true;
    #     name = "monolith";
    #     url = "https://git.example.com";
    #     # Obtaining the path to the runner token file may differ
    #     # tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd
    #     tokenFile = config.age.secrets.forgejo-runner-token.path;
    #     labels = [
    #       "ubuntu-latest:docker://node:16-bullseye"
    #       "ubuntu-22.04:docker://node:16-bullseye"
    #       "ubuntu-20.04:docker://node:16-bullseye"
    #       "ubuntu-18.04:docker://node:16-buster"
    #       ## optionally provide native execution on the host:
    #       # "native:host"
    #     ];
    #   };
    # };
  };

  environment.systemPackages = let
    cfg = config.services.forgejo;
    forgejo-cli = pkgs.writeScriptBin "forgejo-cli" ''
      #!${pkgs.runtimeShell}
      cd ${cfg.stateDir}
      sudo=exec
      if [[ "$USER" != forgejo ]]; then
        sudo='exec /run/wrappers/bin/sudo -u ${cfg.user} -g ${cfg.group} --preserve-env=GITEA_WORK_DIR --preserve-env=GITEA_CUSTOM'
      fi
      # Note that these variable names will change
      export GITEA_WORK_DIR=${cfg.stateDir}
      export GITEA_CUSTOM=${cfg.customDir}
      $sudo ${lib.getExe cfg.package} "$@"
  '';
  in [
    forgejo-cli
  ];

  #   sops.secrets.forgejo-emenel.owner = "forgejo";
  #   systemd.services.forgejo.preStart = let
  #     adminCmd = "${lib.getExe pkgs.forgejo} admin user";
  #     pwd = config.sops.secrets.forgejo-emenel;
  #     user = "emenel"; # Note, Forgejo doesn't allow creation of an account named "admin"
  #   in ''
  #   ${adminCmd} create --admin --email "matt@emenel.ca" --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
  #   ## uncomment this line to change an admin user which was already created
  #   # ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
  # '';

}