flakes/containers/citrine/configuration.nix

{ config, fqdn, lib, ... }: {
  system.stateVersion = "25.11";
  networking.firewall.allowedTCPPorts = [ 22 3000 ];
  networking.firewall.allowedUDPPorts = [ 22 3000 ];

  systemd.tmpfiles.rules = [
    "L+ /persist/forgejo/custom/templates - - - - ${./templates}"
  ];

  services.forgejo = {
    enable = true;
    lfs.enable = true;
    settings = {
      DEFAULT.APP_NAME = "Garden";
      server = {
        DOMAIN = fqdn;
        ROOT_URL = "https://${fqdn}/";
        HTTP_PORT = 3000;
        START_SSH_SERVER = true;
        BUILTIN_SSH_SERVER_USER = "git";
        SSH_DOMAIN = "git.lava.moe";
        SSH_SERVER_KEY_EXCHANGES = "mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256";
      };
      ui = lib.mkForce {
        DEFAULT_THEME = "catppuccin-maroon-auto";
        THEMES = lib.strings.concatMapStringsSep "," (x: "${x}-auto") [
          "catppuccin-pink"
          "catppuccin-maroon"
          "catppuccin-flamingo"
          "catppuccin-rosewater"
          "forgejo"
          "gitea"
        ];
      };
      api.ENABLE_SWAGGER = false;
      other.SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
      service.DISABLE_REGISTRATION = true;
    };
    stateDir = "/persist/forgejo";
  };

  systemd.services.forgejo.serviceConfig = {
    AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
    CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
    PrivateUsers = lib.mkForce false;
  };

  catppuccin.forgejo.enable = true;

  environment.systemPackages = [ config.services.forgejo.package ];
}
containers: clean up domain names 2026-03-17 17:01:15 +11:00			`{ config, fqdn, lib, ... }: {`
containers/citrine: init 2026-03-16 00:48:51 +11:00			`system.stateVersion = "25.11";`
containers/citrine: fix forwarding 2026-03-16 16:07:08 +11:00			`networking.firewall.allowedTCPPorts = [ 22 3000 ];`
			`networking.firewall.allowedUDPPorts = [ 22 3000 ];`
containers/citrine: init 2026-03-16 00:48:51 +11:00
containers/citrine: customise homepage and disable registrations 2026-03-16 02:04:31 +11:00			`systemd.tmpfiles.rules = [`
			`"L+ /persist/forgejo/custom/templates - - - - ${./templates}"`
			`];`

containers/citrine: init 2026-03-16 00:48:51 +11:00			`services.forgejo = {`
			`enable = true;`
			`lfs.enable = true;`
			`settings = {`
containers/citrine: customise homepage and disable registrations 2026-03-16 02:04:31 +11:00			`DEFAULT.APP_NAME = "Garden";`
containers/citrine: init 2026-03-16 00:48:51 +11:00			`server = {`
containers: clean up domain names 2026-03-17 17:01:15 +11:00			`DOMAIN = fqdn;`
			`ROOT_URL = "https://${fqdn}/";`
containers/citrine: init 2026-03-16 00:48:51 +11:00			`HTTP_PORT = 3000;`
containers/citrine: fix forwarding 2026-03-16 16:07:08 +11:00			`START_SSH_SERVER = true;`
			`BUILTIN_SSH_SERVER_USER = "git";`
			`SSH_DOMAIN = "git.lava.moe";`
containers/citrine: use pq kex algorithms for ssh 2026-03-16 16:36:46 +11:00			`SSH_SERVER_KEY_EXCHANGES = "mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256";`
containers/citrine: init 2026-03-16 00:48:51 +11:00			`};`
containers/citrine: catppuccin theming 2026-03-16 02:32:09 +11:00			`ui = lib.mkForce {`
			`DEFAULT_THEME = "catppuccin-maroon-auto";`
			`THEMES = lib.strings.concatMapStringsSep "," (x: "${x}-auto") [`
			`"catppuccin-pink"`
			`"catppuccin-maroon"`
			`"catppuccin-flamingo"`
			`"catppuccin-rosewater"`
			`"forgejo"`
			`"gitea"`
			`];`
			`};`
			`api.ENABLE_SWAGGER = false;`
			`other.SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;`
containers/citrine: customise homepage and disable registrations 2026-03-16 02:04:31 +11:00			`service.DISABLE_REGISTRATION = true;`
containers/citrine: init 2026-03-16 00:48:51 +11:00			`};`
			`stateDir = "/persist/forgejo";`
			`};`
containers/citrine: add cli to packages 2026-03-16 01:02:28 +11:00
containers/citrine: fix forwarding 2026-03-16 16:07:08 +11:00			`systemd.services.forgejo.serviceConfig = {`
			`AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];`
			`CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];`
			`PrivateUsers = lib.mkForce false;`
			`};`

containers/citrine: catppuccin theming 2026-03-16 02:32:09 +11:00			`catppuccin.forgejo.enable = true;`

containers/citrine: add cli to packages 2026-03-16 01:02:28 +11:00			`environment.systemPackages = [ config.services.forgejo.package ];`
containers/citrine: init 2026-03-16 00:48:51 +11:00			`}`