From 2351971fd40e6195644e5ae0f524d6ebe7a2d823 Mon Sep 17 00:00:00 2001
From: Joakim Repomaa
Date: Fri, 20 Feb 2026 15:31:57 +0200
Subject: [PATCH] freun.dev: add gitea
---
 hosts/freun-dev/secrets.nix | 2 +
 hosts/freun-dev/services.nix | 20 +++++++++
 modules/services/default.nix | 1 +
 modules/services/gitea.nix | 71 +++++++++++++++++++++++++++++++
 secrets/gitea-actions-runner.age | 10 +++++
 secrets/gitea.age | Bin 0 -> 485 bytes
 secrets/secrets.nix | 2 +
 7 files changed, 106 insertions(+)
 create mode 100644 modules/services/gitea.nix
 create mode 100644 secrets/gitea-actions-runner.age
 create mode 100644 secrets/gitea.age
diff --git a/hosts/freun-dev/secrets.nix b/hosts/freun-dev/secrets.nix
index 393df1a..27dd5e9 100644
--- a/hosts/freun-dev/secrets.nix
+++ b/hosts/freun-dev/secrets.nix
@@ -30,6 +30,8 @@
 "hetzner"
 "actual"
 "voidauth"
+ "gitea"
+ "gitea-actions-runner"
 ]
 )
 // {
diff --git a/hosts/freun-dev/services.nix b/hosts/freun-dev/services.nix
index ba5ff09..a016c81 100644
--- a/hosts/freun-dev/services.nix
+++ b/hosts/freun-dev/services.nix
@@ -439,6 +439,26 @@ in
 };
 };
 
+ gitea = {
+ enable = true;
+ subdomain = "git";
+ secrets = secrets.gitea.path;
+ };
+
+ gitea-actions-runner.instances = {
+ default = {
+ enable = true;
+ name = config.networking.domain;
+ labels = [
+ "linux_arm64"
+ "ubuntu-latest:docker://node:16-bullseye"
+ ];
+ tokenFile = secrets.gitea-actions-runner.path;
+ url = "https://${config.services.gitea.subdomain}.${config.networking.domain}";
+ settings.container.network = "bridge";
+ };
+ };
+
 webserver = {
 acme.dnsChallenge = true;
 tailscaleAuth.expectedTailnet = "tempel-vibes.ts.net";
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 28e5bc2..35d3074 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -30,5 +30,6 @@
 ./nqptp.nix
 ./actual.nix
 ./voidauth.nix
+ ./gitea.nix
 ];
 }
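Review bot: The `linux_arm64` label in `gitea-actions-runner.instances.default.labels` carries no scheme, and if I read act_runner's label syntax correctly a scheme-less label runs jobs in `host` mode, i.e. a workflow with `runs-on: linux_arm64` executes directly on freun-dev as the runner's service user rather than inside a container. Since the gitea module added by this same commit leaves `DISABLE_REGISTRATION = false`, anyone who can sign up and push a workflow would get that host-level execution. If container execution is what is meant, write `"linux_arm64:docker://node:16-bullseye"`; if host mode is intended, make it explicit with `"linux_arm64:host"` plus a comment on why, and restrict who may trigger it. Two smaller points: `node:16-bullseye` is an end-of-life Node release that current upstream actions (which require Node 20) will refuse to run on, and `settings.container.network = "bridge"` puts every job container on the shared default docker bridge instead of the per-job network act_runner creates when the value is left empty, so concurrent jobs from different repositories can reach each other.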
diff --git a/modules/services/gitea.nix b/modules/services/gitea.nix
new file mode 100644
index 0000000..352f90f
--- /dev/null
+++ b/modules/services/gitea.nix
@@ -0,0 +1,71 @@
+{
+ lib,
+ config,
+ ...
+}:
+let
+ cfg = config.services.gitea;
+ fqdn = "${cfg.subdomain}.${config.networking.domain}";
+in
+{
+ options.services.gitea = {
+ subdomain = lib.mkOption {
+ type = lib.types.str;
+ };
+ secrets = lib.mkOption {
+ type = lib.types.nullOr lib.types.path;
+ default = null;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.gitea = {
+ database = {
+ type = "postgres";
+ socket = "/run/postgresql";
+ };
+ settings = {
+ server = {
+ ROOT_URL = "https://${fqdn}/";
+ HTTP_ADDR = "127.0.0.1";
+ HTTP_PORT = 3008;
+ SSH_DOMAIN = fqdn;
+ SSH_PORT = 2222;
+ SSH_LISTEN_PORT = 2222;
+ START_SSH_SERVER = true;
+ };
+ service = {
+ DISABLE_REGISTRATION = false;
+ };
+ mailer = {
+ ENABLED = true;
+ };
+ };
+ };
+
+ services = {
+ webserver = {
+ enable = lib.mkDefault true;
+ vHosts.${fqdn}.locations."/".proxyPort = 3008;
+ };
+ postgresql = {
+ enable = lib.mkDefault true;
+ ensureDatabases = [ "gitea" ];
+ ensureUsers = [
+ {
+ name = "gitea";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+ };
+
+ systemd.services.gitea = {
+ serviceConfig = lib.mkIf (cfg.secrets != null) {
+ EnvironmentFile = cfg.secrets;
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 2222 ];
+ };
+}
diff --git a/secrets/gitea-actions-runner.age b/secrets/gitea-actions-runner.age
new file mode 100644
index 0000000..ec0bd8c
--- /dev/null
+++ b/secrets/gitea-actions-runner.age
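Review bot: `service.DISABLE_REGISTRATION = false` leaves self-service sign-up open on a Gitea that `ROOT_URL` and the `webserver` vHost publish at `git.<domain>`, and the same commit attaches a Gitea Actions runner to it, so every self-registered account can also run CI jobs on freun-dev. Unless open registration is intended, set `DISABLE_REGISTRATION = true;` and create accounts by admin or SSO (the host already runs `voidauth`); if it is intended, a comment saying so next to the setting would stop the next reader from "fixing" it. `mailer.ENABLED = true` is set without `PROTOCOL`/`SMTP_ADDR`/`FROM`; presumably those arrive through the file the `secrets` option feeds into `EnvironmentFile`, in which case the option deserves a `description` such as `# EnvironmentFile for the gitea unit; expected to supply the mailer settings and any other secret overrides` so the contract is visible. Lastly, `networking.firewall.allowedTCPPorts = [ 2222 ]` exposes the built-in SSH server on every interface whereas HTTP stays on loopback behind the proxy — worth a comment if that asymmetry is deliberate.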
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 osOCZA WJ1gfKrLBMmFANdArq8g8PQNbUIl+vVtyxTq+bKx93c +JFB9WXTK8/7HRfDRzTIzIpDHHc226YCPfUCqbBQ5N1Y +-> ssh-ed25519 DFiohQ /5FxHaCm+0wGlQ2ZziKYTmD5AWjmoA5PTys3VSOluSU +l6C6LhUaxw/dIUkyzw7pl2vREV7Bzy/FvbM+J6gFzZQ +-> ssh-ed25519 PT7ffg B/mz/9eslfI+VEfEPfT4TWyvLTryDZRjSGxM3x2sQQE +qIQUE4103ilhAhNxekvb3fPYeqZCZ3NGwzfZReMXiU4 +--- HzN/P0+Xj3Ep+LthjWEpKKDbjlXkPTtamWIPl9IQ6Ec +CP޺Q[&E"TQf|N!#Z:r7:Z责Fis(Ƀ~0> +Zk \ No newline at end of file diff --git a/secrets/gitea.age b/secrets/gitea.age new file mode 100644 index 0000000000000000000000000000000000000000..2a71a6f60661fec3fa0e67c07598949642ea76ca GIT binary patch literal 485 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7FZOqia#V=&cTCT& zh%j~Z4^8t6aWxNd$qNk4arUmtHt;K~%<}a0a4|463=8$mEa!4hF7VC`HOUK2^@=bs zE)6!S$SBv2OifHq2`Wynj0h}CiZBdvs!A&lH$k_}#Vs>GBT&I5BS_n@NWaK9t-!}Q zBquQ4Da6b_*C0F1HQdYG)7?KLIkl`L*({^CG{*d{-`AU0sC~vkJ%JphRE)@JPqVpe(b3GFMmqvao`*43n%#-@Fhn zqk_=jFdwrle-kb-xe45Rr;8Ok+-pypuWY@lG&O1dr<;8`f988Le7pT*Q=94+yXVXP zKk4fJ=R89q#p{<=1M9YvR*tv-mjs9iUY&2m$kuSq)gUbTeZrw_e^TBp>PUL%0su9z Btd0Nx literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 2ee7eb0..a7e4426 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -42,4 +42,6 @@ in "actual.age".publicKeys = users ++ [ freun-dev ]; "voidauth.age".publicKeys = users ++ [ freun-dev ]; "context7.age".publicKeys = users ++ [ radish ]; + "gitea.age".publicKeys = users ++ [ freun-dev ]; + "gitea-actions-runner.age".publicKeys = users ++ [ freun-dev ]; }