forgejo: init service

services/forgejo/default.nix

@@ -0,0 +1,97 @@
+{ pkgs, lib, config, ... }:
+
+
+let
+  cfg = config.bagel.services.forgejo;
+  inherit (lib) mkIf mkEnableOption;
+
+  domain = "git.forkos.org";
+in
+{
+  options.bagel.services.ofborg = {
+    enable = mkEnableOption "Forgejo";
+  };
+
+  config = mkIf cfg.enable {
+    services.forgejo = {
+      enable = true;
+
+      package = pkgs.callPackage ../../pkgs/forgejo { };
+
+      database = {
+        type = "postgres";
+        createDatabase = true;
+      };
+
+      lfs.enable = true;
+
+      settings = {
+        DEFAULT = {
+          APP_NAME = "ForkOS";
+        };
+
+        server = {
+          PROTOCOL = "http+unix";
+          ROOT_URL = "https://${domain}/";
+          DOMAIN = "${domain}";
+
+          BUILTIN_SSH_SERVER_USER = "git";
+          # TODO: collides with services.openssh.ports
+          SSH_PORT = 22;
+          START_SSH_SERVER = true;
+        };
+
+        session = {
+          PROVIDER = "db";
+          COOKIE_NAME = "session";
+        };
+
+        # TODO: SSO, disable registrations
+        # TODO: transactional mails
+        # TODO: redis cache instead of default in-memory
+
+        ui = {
+          SHOW_USER_EMAIL = false;
+        };
+
+        repository = {
+          # Forks in forgejo are suprisingly expensive because they are full git clones.
+          # If we do want to enable forks, we can write a small patch that disables
+          # only for repositories that are as large as nixpkgs.
+          DISABLE_FORKS = true;
+        };
+
+        packages = {
+          # Forgejo's various package registries can easily take up a lot of space.
+          # We could either store the blobs on some slower disks but larger, or even
+          # better, use an s3 bucket for it. But until we actually have a use-case for
+          # this feature, we will simply keep it disabled for now.
+          ENABLED = false;
+        };
+
+        indexer = {
+          REPO_INDEXER_REPO_TYPES = "sources,mirrors,templates"; # skip forks
+          REPO_INDEXER_ENABLED = true;
+          ISSUE_INDEXER_TYPE = "bleve";
+        };
+
+        "git.timeout" = {
+          MIGRATE = 3600; # increase from default 600 (seconds) for something as large as nixpkgs on a slow uplink
+        };
+
+        log = {
+          LEVEL = "Warn";
+        };
+      };
+    };
+
+    services.nginx = {
+      enable = true;
+      virtualHosts.${domain} = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/".proxyPass = "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}";
+      };
+    };
+  };
+}