Personal-use NixOS configuration
# Forgejo host module.
#
# Outer function: takes an optional `hosts` list (the public names Caddy
# should proxy for). Inner function: a regular NixOS module receiving
# `config`, `lib` and the flake-local helper library `flakeLib`.
{
  hosts ? [ ],
}:

{
  config,
  lib,
  flakeLib,
  ...
}:

let
  # One connection string shared by the session, queue and cache backends.
  # All three talk to the dedicated "forgejo" Redis instance over its Unix
  # socket, so Redis is never addressed over TCP from this module.
  redisSocketUrl = "redis+socket://${config.services.redis.servers.forgejo.unixSocket}";
in
{
  imports = [
    ../databases/postgresql.nix
    ../databases/redis.nix
  ];

  # Dedicated Redis instance, running as the forgejo user so the socket is
  # reachable by the service without widening permissions.
  services.redis.servers.forgejo.enable = true;
  services.redis.servers.forgejo.user = "forgejo";

  services.forgejo.enable = true;
  services.forgejo.lfs.enable = true;

  # PostgreSQL over the local Unix socket; the database is created by the
  # NixOS module. How the socket authenticates (peer auth or otherwise) is
  # decided in ../databases/postgresql.nix, not here — confirm there.
  services.forgejo.database = {
    type = "postgres";
    socket = "/run/postgresql/";
    createDatabase = true;
  };

  services.forgejo.settings = {
    service = {
      # Cloudflare Turnstile captcha. The Turnstile keys
      # (CF_TURNSTILE_SITEKEY / CF_TURNSTILE_SECRET) are not set in this
      # file; presumably supplied by another module — verify.
      ENABLE_CAPTCHA = true;
      CAPTCHA_TYPE = "cfturnstile";

      # No self-service sign-up: accounts are created by an admin.
      DISABLE_REGISTRATION = true;

      REGISTER_EMAIL_CONFIRM = true;
      ENABLE_NOTIFY_MAIL = true;

      # New accounts hide their e-mail address by default.
      DEFAULT_KEEP_EMAIL_PRIVATE = true;
    };

    # Commit signatures count as trusted only when the signing key belongs
    # to the committer.
    "repository.signing".DEFAULT_TRUST_MODEL = "committer";

    # Image proxy (camo) intentionally left disabled.
    #camo = {
    #  ENABLED = true;
    #};

    session = {
      PROVIDER = "redis";
      PROVIDER_CONFIG = redisSocketUrl;

      # Session cookie carries the Secure flag, so it is only sent over HTTPS.
      COOKIE_SECURE = true;
    };

    queue = {
      TYPE = "redis";
      CONN_STR = redisSocketUrl;
    };

    cache = {
      ADAPTER = "redis";
      HOST = redisSocketUrl;
    };

    # Outbound mail is enabled, but no SMTP host or credentials appear in
    # this file — presumably configured elsewhere; confirm.
    mailer.ENABLED = true;

    server = {
      # Built-in SSH server is off; clients reach Forgejo only through the
      # reverse proxy below.
      DISABLE_SSH = true;

      # Forgejo speaks FastCGI over a Unix socket (HTTP_ADDR); Caddy
      # consumes it with the fastcgi transport.
      PROTOCOL = "fcgi+unix";
    };

    # No periodic call-home to check for new Forgejo releases.
    "cron.update_checker".enabled = false;
  };

  # Required override for linux-hardened kernel.
  # Note: PrivateDevices=false removes the private /dev view that the unit
  # presumably gets from the NixOS module (hence mkForce), which loosens
  # the service sandbox; keep this paired with the hardened-kernel reason.
  systemd.services.forgejo.serviceConfig.Type = lib.mkForce "exec";
  systemd.services.forgejo.serviceConfig.PrivateDevices = lib.mkForce false;

  # Caddy reverse proxy configuration: every entry in `hosts` proxies to the
  # Forgejo FastCGI socket via flakeLib.mkProxies (defined outside this file).
  services.caddy.virtualHosts = flakeLib.mkProxies hosts ''
    reverse_proxy unix/${config.services.forgejo.settings.server.HTTP_ADDR} {
      transport fastcgi
    }
  '';
}