From ca8f14118b5f0c20e98096958cb5a0a288f5b974 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Madeleine=20Sydney=20=C5=9Alaga?=
Date: Sat, 31 Jan 2026 16:23:04 -0700
Subject: [PATCH] feat(gitea): init
---
hosts/deertopia/configuration.nix | 1 +
modules/nixos/deertopia/gitea.nix | 59 +++++++++++++++++++++++++++++++
2 files changed, 60 insertions(+)
create mode 100644 modules/nixos/deertopia/gitea.nix
diff --git a/hosts/deertopia/configuration.nix b/hosts/deertopia/configuration.nix
index f748d04..a65204f 100644
--- a/hosts/deertopia/configuration.nix
+++ b/hosts/deertopia/configuration.nix
@@ -49,6 +49,7 @@ deertopia = { authelia.enable = true; + gitea.enable = true; quiver.enable = true; www.enable = true; bepasty.enable = true;
diff --git a/modules/nixos/deertopia/gitea.nix b/modules/nixos/deertopia/gitea.nix
new file mode 100644
index 0000000..738f752
--- /dev/null
+++ b/modules/nixos/deertopia/gitea.nix
@@ -0,0 +1,59 @@
+{ config, lib, pkgs, ... }:
+
+let cfg = config.sydnix.deertopia.gitea;
+in {
+ options.sydnix.deertopia.gitea = {
+ enable = lib.mkEnableOption "Gitea";
+ };
+
+ config = lib.mkIf cfg.enable {
+ sydnix.impermanence.directories = [
+ {
+ directory = config.services.gitea.stateDir;
+ inherit (config.services.gitea) user group;
+ }
+ ];
+
+ sydnix.deertopia.nginx.vhosts."git" = {
+ directory = null;
+ vhost = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/".extraConfig =
+ let port = builtins.toString config.services.gitea
+ .settings.server.HTTP_PORT;
+ in ''
+ proxy_pass http://127.0.0.1:${port}/;
+ '';
+ };
+ };
+
+ users.users.git = {
+ description = "Gitea Service";
+ home = config.services.gitea.stateDir;
+ useDefaultShell = true;
+ group = config.services.gitea.group;
+ isSystemUser = true;
+ };
+
+ users.groups.git = { };
+
+ # sudo -u git gitea admin auth add-ldap --name gitea --port 3890 --bind-dn 'uid=gitea,ou=people,dc=deertopia,dc=net' --bind-password «password» --user-search-base 'ou=people,dc=deertopia,dc=net' --user-filter '(&(memberof=cn=git,ou=groups,dc=deertopia,dc=net)(|(uid=%[1]s)(mail=%[1]s)))' --username-attribute uid --firstname-attribute givenName --surname-attribute sn --email-attribute mail --avatar-attribute jpegPhoto --security-protocol unencrypted --host 127.0.0.1 --config /var/lib/gitea/custom/conf/app.ini --synchronize-users
+
+ services.gitea = {
+ enable = true;
+ user = "git";
+ group = "git";
+ settings = {
+ server = {
+ ROOT_URL = "https://git.deertopia.net/";
+ HTTP_PORT = 3000;
+ DOMAIN = "deertopia.net";
+ };
+ service = {
+ DISABLE_REGISTRATION = true;
+ };
+ };
+ };
+ };
+}
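Review bot: The `server` block under `services.gitea.settings` sets `HTTP_PORT` but not `HTTP_ADDR`, so Gitea keeps the module's default bind address, which as far as I know is all interfaces; the plain-HTTP backend on port 3000 is then kept off the network only by whatever firewall the host has, which this patch does not show. nginx already reaches it through `127.0.0.1`, so add `HTTP_ADDR = "127.0.0.1";` next to `HTTP_PORT = 3000;`. Because the site is served only through the `forceSSL` vhost, `session.COOKIE_SECURE = true;` is worth setting in the same `settings` attrset. The `add-ldap` comment should also say that a `--bind-password` typed on the command line lands in shell history and the process list, and that this auth source is created by hand rather than by the module, so it has to be redone if the state directory is lost.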