From cb4b3793a3465100e3367a9191b27e3e30ec99f3 Mon Sep 17 00:00:00 2001
From: Fabian Montero
Date: Tue, 28 Jan 2025 15:49:35 -0600
Subject: [PATCH] add forgejo module

---
 nixos/default.nix | 1 +
 nixos/services/default.nix | 10 ++++
 nixos/services/forgejo/default.nix | 91 ++++++++++++++++++++++++++++++
 3 files changed, 102 insertions(+)
 create mode 100644 nixos/services/default.nix
 create mode 100644 nixos/services/forgejo/default.nix

diff --git a/nixos/default.nix b/nixos/default.nix
index 2440c30..e2637ac 100644
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -6,5 +6,6 @@
 }: {
 imports = [
 ./trash
+ ./services
 ];
 }
diff --git a/nixos/services/default.nix b/nixos/services/default.nix
new file mode 100644
index 0000000..36b456a
--- /dev/null
+++ b/nixos/services/default.nix
@@ -0,0 +1,10 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: {
+ imports = [
+ ./forgejo
+ ];
+}
diff --git a/nixos/services/forgejo/default.nix b/nixos/services/forgejo/default.nix
new file mode 100644
index 0000000..b6fd1e7
--- /dev/null
+++ b/nixos/services/forgejo/default.nix
@@ -0,0 +1,91 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.options.trivium.services.forgejo;
+in {
+ options.trivium.services.forgejo = {
+ enable = mkEnableOption "forgejo settings";
+
+ fail2ban = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Enable fail2ban jail for failed authentication attempt, invalid credentials, attempted access of unknown user.";
+ };
+
+ virtualHost = mkOption {
+ type = types.string;
+ description = "Virtualhost to use for nginx's reverse proxy. Usually something likge git..com";
+ };
+
+ appName = mkOption {
+ type = types.string;
+ description = "You guess what this does";
+ };
+
+ disableRegistration = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Turn this off just to create the first admin account.";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ environment.etc."fail2ban/filter.d/gitea.local".text = ''
+ [Definition]
+ failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from
+ ignoreregex =
+ '';
+
+ services = {
+ nginx = {
+ virtualHosts."${cfg.virtualHost}" = {
+ enableACME = true;
+ forceSSL = true;
+ extraConfig = ''
+ proxy_headers_hash_max_size 512;
+ proxy_headers_hash_bucket_size 128;
+ '';
+ locations."/".proxyPass = "http://localhost:9170";
+ };
+ };
+
+ fail2ban.jails.gitea.settings = mkIf cfg.fail2ban {
+ filter = "gitea";
+ logpath = "${config.services.gitea.stateDir}/log/gitea.log";
+ maxretry = "10";
+ findtime = "3600";
+ bantime = "900";
+ action = "iptables-allports";
+ };
+
+ forgejo = {
+ enable = true;
+ lfs.enable = true;
+ useWizard = false;
+ settings = {
+ general.APP_NAME = "${cfg.appName}";
+ ui.DEFAULT_THEME = "forgejo-dark";
+ server = {
+ DOMAIN = "${cfg.virtualHost}";
+ ROOT_URL = "https://${cfg.virtualHost}";
+ HTTP_PORT = 9170;
+ LANDING_PAGE = "explore";
+ };
+
+ service.DISABLE_REGISTRATION = ${cfg.disableRegistration};
+
+ actions = {
+ ENABLED = true;
+ };
+ mailer = {
+ ENABLED = false;
+ };
+ };
+ };
+ };
+ };
+}
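Review bot: The new module cannot be evaluated as written: `service.DISABLE_REGISTRATION = ${cfg.disableRegistration};` uses `${…}` outside a string, which Nix rejects at parse time, and `cfg = config.options.trivium.services.forgejo;` reads through a `config.options` path that does not exist, so even after the parse fix `cfg.enable` would fail — these should read `service.DISABLE_REGISTRATION = cfg.disableRegistration;` and `cfg = config.trivium.services.forgejo;`. The fail2ban jail is also unlikely to protect anything: its `logpath` is built from `config.services.gitea.stateDir` (the gitea module, which this hunk does not enable, and whose default state dir I believe is `/var/lib/gitea`) rather than `config.services.forgejo.stateDir`, the filter's `failregex` ends at `from` with no `<HOST>` group (unless that tag was lost in rendering), and nothing in the hunk sets `services.fail2ban.enable` — please confirm the forgejo module's log file name and whether file logging is on by default before relying on this jail. Since only the local nginx proxy needs to reach port 9170, consider pinning `server.HTTP_ADDR = "127.0.0.1";` next to `HTTP_PORT`, as I believe the module's default binds all interfaces and would otherwise leave the unproxied HTTP listener reachable wherever the firewall allows it. Minor: `types.string` is deprecated in nixpkgs in favour of `types.str` for `virtualHost` and `appName`, and `enableACME = true` assumes `security.acme.acceptTerms` and `security.acme.defaults.email` are set elsewhere in the configuration.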