Rebase to flake parts #11

modules/hosts/nix-server/_services/gitea.nix

@@ -0,0 +1,47 @@
+{ lib, ... }:
+{
+  services.gitea = {
+    enable = true;
+
+    # Migrated sqlite DB and repos; do not provision a fresh database.
+    database = {
+      type = "sqlite3";
+      createDatabase = false;
+    };
+
+    settings = {
+      server = {
+        DOMAIN = "git.chiasson.cloud";
+        HTTP_PORT = 3002;
+        ROOT_URL = "https://git.chiasson.cloud/";
+        # Clone URLs and LAN git@… -p 222 (was Docker host 222 → container 22).
+        # Port 222 is <1024 (privileged); systemd must grant CAP_NET_BIND_SERVICE below.
+        SSH_PORT = 222;
+        START_SSH_SERVER = true;
+        SSH_LISTEN_HOST = "0.0.0.0";
+        SSH_LISTEN_PORT = 222;
+      };
+
+      service.DISABLE_REGISTRATION = false;
+    };
+  };
+
+  # First boot after migration runs DB migrate + hook regen; default WatchdogSec=30 kills
+  # gitea while storage/actions init is still running. Type=notify also fails if startup
+  # is slow; PrivateUsers breaks access to migrated files owned by the real gitea uid.
+  # Port 222 is privileged (<1024); Docker mapped host 222→container 22 as root.
+  systemd.services.gitea.serviceConfig = {
+    Type = lib.mkForce "simple";
+    PrivateUsers = lib.mkForce false;
+    NoNewPrivileges = lib.mkForce false;
+    AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+    CapabilityBoundingSet = lib.mkForce [ "CAP_NET_BIND_SERVICE" ];
+    TimeoutStartSec = lib.mkForce "20min";
+    WatchdogSec = lib.mkForce 0;
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    3002
+    222
+  ];
+}