{ config, lib, self, ... }: let unit = "gitea"; cfg = config.server.services.${unit}; domain = "${cfg.subdomain}.${config.server.infra.www.url}"; in { config = lib.mkIf cfg.enable { age.secrets.giteaCloudflared.file = "${self}/secrets/giteaCloudflared.age"; server.infra = { fail2ban.jails.unit = { serviceName = "${unit}"; failRegex = '' .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from ''; }; postgresql.databases = [ {database = unit;} ]; }; services = { cloudflared = { enable = true; tunnels.${cfg.cloudflared.tunnelId} = { credentialsFile = cfg.cloudflared.credentialsFile; default = "http_status:404"; ingress."${domain}".service = "http://localhost:${toString cfg.port}"; }; }; gitea = { enable = true; appName = "cnix code forge"; database = { type = "postgres"; socket = "/run/postgresql"; name = "gitea"; user = "gitea"; createDatabase = false; }; lfs.enable = true; settings = { cors = { ENABLED = true; SCHEME = "https"; ALLOW_DOMAIN = domain; }; log.MODE = "console"; mailer = { ENABLED = false; MAILER_TYPE = "sendmail"; FROM = "noreply+adam@cnst.dev"; SENDMAIL_PATH = "/run/wrappers/bin/sendmail"; }; picture.DISABLE_GRAVATAR = true; repository = { DEFAULT_BRANCH = "main"; DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls"; DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true; }; indexer.REPO_INDEXER_ENABLED = true; oauth2_client = { ENABLE_AUTO_REGISTRATION = true; ACCOUNT_LINKING = "auto"; }; server = { DOMAIN = domain; LANDING_PAGE = "explore"; HTTP_PORT = cfg.port; ROOT_URL = "https://${domain}/"; }; security.DISABLE_GIT_HOOKS = false; service.DISABLE_REGISTRATION = true; session.COOKIE_SECURE = true; }; }; }; }; }