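# Forgejo Module
# Provides: Self-hosted Git service (Fork of Gitea)
#
# Usage:
#   myModules.forgejo = {
#     enable = true;
#     domain = "git.example.com";
#   };
#
# Exposure model: the HTTP listener is bound to loopback only and is reached
# through the nginx reverse-proxy module (which is expected to terminate TLS);
# the built-in SSH server listens on every IPv4 interface on `sshPort`, and
# that port is opened in the host firewall.
{ config, lib, pkgs, ... }:

let
  cfg = config.myModules.forgejo;
in
{
  options.myModules.forgejo = {
    enable = lib.mkEnableOption "Forgejo Git service";

    port = lib.mkOption {
      type = lib.types.port;
      default = 3002;
      description = "Internal port to run Forgejo on (loopback only; reached through nginx)";
    };

    # The SSH port used to be hard-coded as 2222 in two places (the Forgejo
    # server settings and the firewall rule), which could silently drift apart.
    # Both now derive from this single option; the default is unchanged.
    sshPort = lib.mkOption {
      type = lib.types.port;
      default = 2222;
      description = "Port for Forgejo's built-in SSH server; this port is opened in the firewall";
    };

    domain = lib.mkOption {
      type = lib.types.str;
      example = "git.example.com";
      description = "Public domain name for Forgejo";
    };

    disableRegistration = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "Disable public user registration";
    };
  };

  config = lib.mkIf cfg.enable {
    services.forgejo = {
      enable = true;
      database.type = "postgres";

      settings = {
        server = {
          DOMAIN = cfg.domain;
          ROOT_URL = "https://${cfg.domain}/";
          # Loopback only: nothing reaches the HTTP listener except the local nginx proxy.
          HTTP_ADDR = "127.0.0.1";
          HTTP_PORT = cfg.port;
          SSH_PORT = cfg.sshPort;
          START_SSH_SERVER = true;
          # The built-in SSH server is the only directly exposed listener; it binds
          # all IPv4 interfaces (no IPv6 wildcard is configured here).
          SSH_LISTEN_ADDR = "0.0.0.0";
          # SSH Hardening: restrict the built-in server to modern algorithms only.
          SSH_SERVER_KEY_EXCHANGES = "sntrup761x25519-sha512,curve25519-sha256,curve25519-sha256@libssh.org";
          SSH_SERVER_CIPHERS = "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com";
          SSH_SERVER_MACS = "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com";
        };

        service = {
          DISABLE_REGISTRATION = cfg.disableRegistration;
        };

        session = {
          # Session cookies carry the Secure flag, so the site must be served over
          # HTTPS end to end (ROOT_URL above is https://; nginx is expected to terminate TLS).
          COOKIE_SECURE = true;
        };

        security = {
          # Local-account password policy; does not apply to externally authenticated users.
          PASSWORD_COMPLEXITY = "lower,upper,digit,spec";
          MIN_PASSWORD_LENGTH = 12;
        };
      };
    };

    # Nginx Reverse Proxy: publishes cfg.domain and forwards to the loopback HTTP port.
    myModules.nginx.domains."${cfg.domain}" = {
      port = cfg.port;
      extraConfig = ''
        client_max_body_size 512M;
      '';
    };

    # Open the Git SSH port in the host firewall (same value as SSH_PORT above).
    networking.firewall.allowedTCPPorts = [ cfg.sshPort ];

    # Backups (Add Forgejo data to restic if backup module is enabled)
    # NOTE(review): this definition is unconditional; if myModules.backup is not
    # imported on a host, evaluation fails with an undefined-option error rather
    # than silently skipping the backup — confirm the backup module is always in scope.
    myModules.backup.paths = [ config.services.forgejo.stateDir ];
  };
}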