{ lib, config, ... }: let sshPort = 2222; dbHost = "192.168.1.211"; dbLogin = "forgejo"; in { sops.secrets.smtp2go-pwd = {owner = "forgejo";}; networking.firewall.allowedTCPPorts = [2222]; services.forgejo = { enable = true; stateDir = "/var/lib/forgejo"; settings = { service.DISABLE_REGISTRATION = true; DEFAULT.APP_NAME = "forgejo"; log.LEVEL = "Debug"; ui = { DEFAULT_THEME = "forgejo-dark"; SHOW_USER_EMAIL = true; }; actions = { ENABLED = false; DEFAULT_ACTIONS_URL = "https://code.forgejo.org"; }; server = { HTTP_PORT = 3200; DOMAIN = "git.flake.sh"; ROOT_URL = "https://git.flake.sh"; LANDING_PAGE = "/explore/repos"; START_SSH_SERVER = true; SSH_DOMAIN = "git.flake.sh"; SSH_PORT = sshPort; SSH_LISTEN_PORT = sshPort; SSH_LISTEN_HOST = "100.121.201.47"; }; "git.timeout" = { DEFAULT = 3600; MIGRATE = 3600; MIRROR = 3600; CLONE = 3600; }; session = { COOKIE_SECURE = true; }; security = { LOGIN_REMEMBER_DAYS = 14; }; database = { DB_TYPE = lib.mkForce "postgres"; HOST = "${dbHost}:5432"; NAME = dbLogin; USER = dbLogin; PASSWD = dbLogin; }; cache = { ENABLED = true; ADAPTER = lib.mkForce "redis"; HOST = "redis://:forgejo@${dbHost}:6379"; }; metrics = { ENABLED = true; ENABLED_ISSUE_BY_REPOSITORY = true; ENABLED_ISSUE_BY_LABEL = true; }; mailer = { ENABLED = true; FROM = "forgejo@flake.sh"; PROTOCOL = "smtp+starttls"; SMTP_ADDR = "mail.smtp2go.com"; SMTP_PORT = 587; USER = "forgejo-mailer"; }; }; mailerPasswordFile = config.sops.secrets.smtp2go-pwd.path; }; services.fail2ban.jails.forgejo = { settings = { filter = "forgejo"; action = ''iptables-allports''; mode = "aggressive"; maxretry = 3; findtime = 3600; bantime = 900; }; }; environment.etc = { "fail2ban/filter.d/forgejo.conf".text = '' [Definition] failregex = ^.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from $ journalmatch = _SYSTEMD_UNIT=forgejo.service ''; }; }