
{
  inputs,
  lib,
  config,
  pkgs,
  ...
}:
let
  # SSH port advertised by Forgejo. At 22, server.START_SSH_SERVER below
  # evaluates to false, so Git-over-SSH is served by the system sshd
  # (services.openssh) instead of Forgejo's built-in SSH server.
  sshPort = 22;
  # Single Forgejo package reference, used both for services.forgejo.package
  # and environment.systemPackages so the two never drift apart.
  package = pkgs.forgejo;
in
{
  # CPU profile from the flake's `hardware` input plus the generated
  # per-machine hardware module.
  imports = [
    inputs.hardware.nixosModules.common-cpu-intel
    ./hardware-configuration.nix
  ];

  # Also reused below as Forgejo's time.DEFAULT_UI_LOCATION.
  time.timeZone = "America/Chicago";

  # nixpkgs settings, flattened: no overlays, unfree allowed, and the
  # platform only defaulted so another module may still override it.
  nixpkgs.overlays = [ ];
  nixpkgs.config.allowUnfree = true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
# Pin the on-host `nix` CLI to this flake's own inputs: the registry and
# NIX_PATH both point at the exact input revisions this system was built
# from, and the global flake registry is not consulted at all.
nix =
  let
    flakes = lib.filterAttrs (_: lib.isType "flake") inputs;
  in
  {
    settings.experimental-features = "nix-command flakes";
    # Empty string: do not fetch the default global flake registry.
    settings.flake-registry = "";
    settings.nix-path = config.nix.nixPath;
    channel.enable = false;
    registry = lib.mapAttrs (_: f: { flake = f; }) flakes;
    nixPath = lib.mapAttrsToList (name: _: "${name}=flake:${name}") flakes;
  };
users.users =
  let
    # One admin key, shared by both accounts below.
    adminKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE7uSjbOgWMdaEzRGlEKM7kvT7q6jnAEZPQELAH6WAEM";
  in
  {
    # root: key-based access only; no password is defined for it here.
    root.openssh.authorizedKeys.keys = [ adminKey ];

    rayandrew = {
      isNormalUser = true;
      extraGroups = [ "wheel" ];
      openssh.authorizedKeys.keys = [ adminKey ];
      # NOTE(review): initialPassword ends up in the world-readable Nix store
      # and seeds the account on first creation. Since this user is in `wheel`,
      # prefer hashedPasswordFile pointing at a secret kept outside the store.
      initialPassword = "mamamia";
    };
  };
# Wipe /tmp on every boot; legacy GRUB on the first disk.
boot.tmp.cleanOnBoot = true;
boot.loader.grub.device = "/dev/sda";
# Compressed in-RAM swap instead of a swap partition.
zramSwap.enable = true;
networking = {
  hostName = "git";
  # Upstream resolver for this fully static network setup.
  nameservers = [ "8.8.8.8" ];
  # NOTE(review): set to the empty string rather than left unset — confirm this
  # is intended, since other modules may derive an FQDN from it.
  domain = "";
  # The IPv4 gateway lies outside the /32 assigned below, so it is reachable
  # only via the explicit host route in interfaces.eth0.ipv4.routes.
  defaultGateway = "172.31.1.1";
  defaultGateway6 = {
    address = "fe80::1";
    interface = "eth0";
  };
  # Static addressing: DHCP off, and predictable interface naming forced off so
  # the udev rule below can pin the NIC to "eth0" (the name used throughout).
  dhcpcd.enable = false;
  usePredictableInterfaceNames = lib.mkForce false;
  interfaces = {
    eth0 = {
      ipv4.addresses = [
        { address="5.161.178.253"; prefixLength=32; }
      ];
      ipv6.addresses = [
        { address="2a01:4ff:f0:8a0::1"; prefixLength=64; }
        { address="fe80::9400:3ff:feb7:a9ed"; prefixLength=64; }
      ];
      # Host routes to the IPv4/IPv6 gateways named in defaultGateway* above.
      ipv4.routes = [ { address = "172.31.1.1"; prefixLength = 32; } ];
      ipv6.routes = [ { address = "fe80::1"; prefixLength = 128; } ];
    };
  };
  # Only HTTP/HTTPS are opened here. SSH (port 22, see sshPort) is presumably
  # opened by services.openssh's own firewall handling — confirm.
  firewall.allowedTCPPorts = [
    80
    443
  ];
};
# Pin the interface name by MAC so the static config above always binds to eth0.
services.udev.extraRules = ''
  ATTR{address}=="96:00:03:b7:a9:ed", NAME="eth0"
'';
programs.git.enable = true;
programs.fish.enable = true;

# Host tooling, plus the very same Forgejo build the service runs so its
# command-line tools are on PATH.
environment.systemPackages = [
  pkgs.vim
  pkgs.htop
  pkgs.unzip
  pkgs.lsof
  package
];
# Git
services = {
forgejo = {
  enable = true;
  # Same package as environment.systemPackages (let-bound at the top).
  package = package;
  # Single-node deployment: embedded SQLite, repos and LFS under /var/lib/forgejo.
  database.type = "sqlite3";
  repositoryRoot = "/var/lib/forgejo/repositories";
  lfs.enable = true;
  dump = {
    # Is a nice feature once we have a dedicated backup storage.
    # For now it is disabled, since it delays `nixos-rebuild switch`.
    enable = false;
    backupDir = "/var/lib/forgejo/dump";
  };
  # Keys below map 1:1 onto app.ini sections and keys.
  settings = {
    DEFAULT = {
      APP_NAME = "git.rs.ht";
    };
    # Forgejo Actions are switched on; no runner is configured in this file.
    actions = {
      ENABLED = true;
    };
    # CORS limited to the instance's own domain over https.
    cors = {
      ALLOW_DOMAIN = config.services.forgejo.settings.server.DOMAIN;
      ENABLED = true;
      SCHEME = "https";
    };
    # Housekeeping crons. resync_all_sshkeys rewrites the authorized_keys file
    # from the database, also at startup, which matters because Git-over-SSH
    # goes through the system sshd here (see START_SSH_SERVER below).
    cron.ENABLED = true;
    "cron.delete_generated_repository_avatars".ENABLED = true;
    "cron.delete_old_actions".ENABLED = true;
    "cron.delete_old_system_notices".ENABLED = true;
    "cron.repo_health_check".TIMEOUT = "300s";
    "cron.resync_all_sshkeys" = {
      ENABLED = true;
      RUN_AT_START = true;
    };
    database = {
      LOG_SQL = false;
    };
    indexer.REPO_INDEXER_ENABLED = true;
    # Per-request router logging is off, so a request-level audit trail has to
    # come from the reverse proxy's access log rather than from Forgejo.
    log = {
      LEVEL = "Info";
      DISABLE_ROUTER_LOG = true;
    };
    # Outbound mail is disabled; the remaining keys are inert until ENABLED = true.
    # NOTE(review): service.REGISTER_EMAIL_CONFIRM / ENABLE_NOTIFY_MAIL below
    # presumably have no effect while the mailer is off — confirm.
    mailer = {
      ENABLED = false;
      FROM = "git@rs.ht";
      MAILER_TYPE = "sendmail";
      SENDMAIL_PATH = "/run/wrappers/bin/sendmail";
      SENDMAIL_ARGS = "--";
    };
    other.SHOW_FOOTER_VERSION = false;
    picture = {
      # DISABLE_GRAVATAR = true would also disable libravatar, so it stays false
      # and GRAVATAR_SOURCE selects libravatar instead of gravatar.com.
      DISABLE_GRAVATAR = false;
      ENABLE_FEDERATED_AVATAR = true;
      GRAVATAR_SOURCE = "libravatar";
      REPOSITORY_AVATAR_FALLBACK = "random";
    };
    # `rec` so SSH_DOMAIN and ROOT_URL can reuse DOMAIN.
    server = rec {
      DOMAIN = "git.rs.ht";
      ENABLE_GZIP = true;
      SSH_AUTHORIZED_KEYS_BACKUP = false;
      SSH_DOMAIN = DOMAIN;
      # With sshPort = 22 this is false: Git-over-SSH is handled by the system
      # sshd (see the Match User forgejo block in services.openssh), not by
      # Forgejo's built-in SSH server.
      START_SSH_SERVER = sshPort != 22;
      SSH_PORT = sshPort;
      ROOT_URL = "https://${DOMAIN}/";
      # Port the nginx vhost proxies to on localhost; not opened in the firewall.
      HTTP_PORT = 3003;
    };
    # Closed instance: no self-registration.
    service = {
      DISABLE_REGISTRATION = true;
      NO_REPLY_ADDRESS = "no-reply@rs.ht";
      REGISTER_EMAIL_CONFIRM = true;
      ENABLE_NOTIFY_MAIL = true;
    };
    # Sessions live in the database; cookies are HTTPS-only (mkForce so this
    # wins over any other definition of the key) and strict same-site.
    session = {
      COOKIE_SECURE = lib.mkForce true;
      PROVIDER = "db";
      SAME_SITE = "strict";
    };
    # A negative value disables that key type entirely. RSA minimum is 4095 bits
    # (presumably 4096 - 1 to tolerate keys whose reported size is one bit
    # short — confirm).
    "ssh.minimum_key_sizes" = {
      ECDSA = -1;
      RSA = 4095;
    };
    time.DEFAULT_UI_LOCATION = config.time.timeZone;
    ui = {
      DEFAULT_THEME = "arc-green";
      EXPLORE_PAGING_NUM = 25;
      FEED_PAGING_NUM = 50;
      ISSUE_PAGING_NUM = 25;
    };
  };
};
# TLS-terminating reverse proxy in front of Forgejo's HTTP port.
nginx = {
  enable = true;
  recommendedGzipSettings = true;
  recommendedOptimisation = true;
  recommendedProxySettings = true;
  recommendedTlsSettings = true;
  virtualHosts = {
    # Public hostname; kept in step with services.forgejo.settings.server.DOMAIN.
    "git.rs.ht" = {
      forceSSL = true;
      enableACME = true;
      locations = {
        "/" = {
          # Port taken from the Forgejo settings so the two cannot disagree.
          proxyPass = "http://localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}";
        };
      };
    };
  };
};
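# System sshd: serves admin access and, via the forgejo account, Git-over-SSH.
openssh = {
  enable = true;
  settings = {
    # Root is key-only: users.users.root carries an authorized key and no
    # password is defined for it anywhere in this config, so nothing is lost
    # by refusing password-based root logins outright.
    PermitRootLogin = "prohibit-password";
    PasswordAuthentication = false;
    # PasswordAuthentication alone does not cover keyboard-interactive (PAM)
    # prompts, which can still ask for an account password. Set this explicitly
    # instead of relying on the module default so public key is the only
    # accepted method — relevant because rayandrew has an initialPassword.
    KbdInteractiveAuthentication = false;
  };
  # Confine the forgejo account to Git transport: no agent/TCP/X11 forwarding
  # and no PTY.
  extraConfig = ''
    Match User forgejo
    AllowAgentForwarding no
    AllowTcpForwarding no
    PermitTTY no
    X11Forwarding no
  '';
};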
};
# Let's Encrypt via the nginx vhost's enableACME; contact address for expiry notices.
security.acme.acceptTerms = true;
security.acme.defaults.email = "rs@rs.ht";
# Release this host was first installed with; do not bump casually.
system.stateVersion = "24.05";
}