infrastructure/hosts/carbon/services/forgejo.nix


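# Forgejo for this host: the Forgejo service, the nginx TLS reverse proxy in
# front of it, and a Forgejo Actions runner registered against the local
# instance.
{ pkgs, config, ... }:
{
  services.forgejo = {
    enable = true;
    settings = {
      server = {
        # NOTE(review): DOMAIN is a literal, while ROOT_URL and the nginx vhost
        # below are derived from config.networking.domain. They must name the
        # same host; confirm networking.domain and consider deriving DOMAIN too.
        DOMAIN = "git.4o1x5.dev";
        ROOT_URL = "https://git.${config.networking.domain}/";
        # Forgejo's SSH feature is disabled, leaving the HTTPS vhost below as
        # the Git transport configured in this file.
        DISABLE_SSH = true;
        # NOTE(review): no HTTP_ADDR is set here. nginx and the runner both
        # reach Forgejo on 127.0.0.1:3000, so if the listener defaults to all
        # interfaces, binding it to loopback would keep plain HTTP off the
        # network. Confirm against the module default and the host firewall.
      };
      # Closed instance: no self-service account creation.
      service.DISABLE_REGISTRATION = true;
      DEFAULT.APP_NAME = "2005's git server";
      # Enables Forgejo Actions; the runner that executes jobs is declared at
      # the bottom of this file.
      actions.ENABLED = true;
    };
    database = {
      type = "postgres";
      createDatabase = true;
    };
  };

  services.nginx = {
    virtualHosts = {
      "git.${config.networking.domain}" = {
        # HTTPS only, with the certificate obtained through ACME.
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          # Upstream is Forgejo on loopback. The URL carries no leading
          # whitespace, so the generated proxy_pass line is clean.
          proxyPass = "http://127.0.0.1:3000";
        };
        # client_max_body_size: the 8 GiB limit applies to every request on
        # this vhost, authenticated or not.
        # access_log: $server_name comes from the vhost definition rather than
        # the request's Host header, so clients cannot influence the log file
        # name. The "json_analytics" log format is not defined in this file.
        # NOTE(review): confirm that a matching log_format exists elsewhere in
        # the nginx configuration.
        extraConfig = ''
          client_max_body_size 8192M;
          access_log /var/log/nginx/$server_name-access.log json_analytics;
        '';
      };
    };
  };

  services.gitea-actions-runner.instances = {
    root = {
      enable = true;
      # The runner talks to Forgejo directly on loopback, bypassing nginx.
      url = "http://127.0.0.1:3000";
      # The registration token is read from the path of the `forgejo-runner`
      # age secret instead of being written into this file.
      tokenFile = config.age.secrets.forgejo-runner.path;
      settings = {
        container = {
          # TODO fix: networking
          # With "host", job containers share the host's network namespace.
          # Workflow code can therefore reach loopback-only services (including
          # Forgejo on 127.0.0.1:3000) and every machine the host can reach.
          # Registration is disabled above, which limits who can submit
          # workflows but does not isolate the jobs themselves.
          # Replace "host" with a dedicated container network that can reach
          # Forgejo and nothing else on the internal network.
          network = "host";
        };
      };
      # NOTE(review): the job image is referenced by a mutable tag, so what a
      # job runs in can change without any change to this file. Pinning it by
      # digest would make the job environment reproducible.
      labels = [
        "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
      ];
      name = config.networking.hostName;
    };
  };
}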