forgejo up and running with pocket id

flake.lock

@@ -387,11 +387,11 @@
         "nixpkgs": "nixpkgs_5"
       },
       "locked": {
-        "lastModified": 1762177792,
+        "lastModified": 1762540987,
-        "narHash": "sha256-8m/oUyPw4RgctZXY/LVLBIRdQDVPoR3jK5mTGeA+7IY=",
+        "narHash": "sha256-SqE+KPd8N9Fef7u7lOXMayI6VB7lflop7KIwPg0jui4=",
         "ref": "refs/heads/master",
-        "rev": "d56e91ea1ec05faff82c5f9be18bdb33c5a4fc15",
+        "rev": "9e68e5dfdad75a5be8e95efce24d9b4708589dd2",
-        "revCount": 146,
+        "revCount": 148,
         "type": "git",
         "url": "ssh://git@github.com/TheWanderingCrow/nix-secrets"
       },

hosts/nixos/HandlerOne/default.nix

@@ -58,6 +58,7 @@
       "modules/services/ollama/proxy.nix" # Just host the proxy path back to Parzival
       "modules/services/netbox"
       "modules/services/matrix"
+      "modules/services/forgejo"
       "modules/services/flamesites"
     ])
   ];

modules/services/forgejo/default.nix

@@ -1,8 +1,27 @@
+{ inputs, config, ... }:
+let
+  sopsFolder = builtins.toString inputs.nix-secrets + "/sops";
+in
 {
   services.caddy.virtualHosts."git.wanderingcrow.net".extraConfig = ''
     reverse_proxy http://localhost:3000
   '';
 
+  sops.secrets = {
+    "forgejo/mailer/server" = {
+      sopsFile = "${sopsFolder}/services.yaml";
+    };
+    "forgejo/mailer/port" = {
+      sopsFile = "${sopsFolder}/services.yaml";
+    };
+    "forgejo/mailer/user" = {
+      sopsFile = "${sopsFolder}/services.yaml";
+    };
+    "forgejo/mailer/pass" = {
+      sopsFile = "${sopsFolder}/services.yaml";
+    };
+  };
+
   services.forgejo = {
     enable = true;
     lfs.enable = true;
@@ -17,11 +36,27 @@
         HTTP_PORT = 3000;
       };
       service = {
-        DISABLE_REGISTRATION = false;
+        REGISTER_EMAIL_CONFIRM = true;
+        ENABLE_NOTIFY_MAIL = true;
+        # I want to offload account security to OIDC provider
+        REQUIRE_EXTERNAL_REGISTRATION_PASSWORD = false;
+        ENABLE_INTERNAL_SIGNIN = false;
+        EMAIL_DOMAIN_BLOCK_DISPOSABLE = true;
+        ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
+        ENABLE_OPENID_SIGNIN = true;
+        ENABLE_OPENID_SIGNUP = true;
+        WHITELISTED_URIS = "auth.wanderingcrow.net";
       };
-      actions = {
+      mailer = {
         ENABLED = true;
-        DEFAULT_ACTIONS_URL = "github";
+      };
+    };
+    secrets = {
+      mailer = {
+        SMTP_ADDR = config.sops.secrets."forgejo/mailer/server".path;
+        SMTP_PORT = config.sops.secrets."forgejo/mailer/port".path;
+        USER = config.sops.secrets."forgejo/mailer/user".path;
+        PASSWD = config.sops.secrets."forgejo/mailer/pass".path;
       };
     };
   };