From 02c1a6d037e6869443a43ef7a779c1c9eb925f1c Mon Sep 17 00:00:00 2001
From: Barrett Ruth <br.barrettruth@gmail.com>
Date: Fri, 13 Mar 2026 11:33:25 -0400
Subject: [PATCH] feat(server): forgejo config

---
 hosts/netcup/configuration.nix          | 34 ++++++++++++++++++++++---
 hosts/netcup/hardware-configuration.nix | 24 +++++++++++++++++
 2 files changed, 55 insertions(+), 3 deletions(-)
 create mode 100644 hosts/netcup/hardware-configuration.nix

diff --git a/hosts/netcup/configuration.nix b/hosts/netcup/configuration.nix
index dd98cf3..af44c71 100644
--- a/hosts/netcup/configuration.nix
+++ b/hosts/netcup/configuration.nix
@@ -1,15 +1,25 @@
-{ pkgs, ... }:
+{ pkgs, modulesPath, ... }:
 
 {
-  imports = [ ./disk-config.nix ];
+  imports = [
+    ./disk-config.nix
+    ./hardware-configuration.nix
+    (modulesPath + "/profiles/minimal.nix")
+    (modulesPath + "/profiles/headless.nix")
+  ];
 
   boot.loader.grub = {
     enable = true;
     efiSupport = true;
     efiInstallAsRemovable = true;
     device = "nodev";
+    configurationLimit = 3;
   };
 
+  documentation.enable = false;
+  hardware.enableRedistributableFirmware = false;
+  fonts.fontconfig.enable = false;
+
   networking = {
     hostName = "netcup";
     useDHCP = false;
@@ -93,16 +103,29 @@
 
   services.forgejo = {
     enable = true;
+    user = "git";
+    group = "git";
     settings = {
       server = {
         DOMAIN = "git.barrettruth.com";
         ROOT_URL = "https://git.barrettruth.com/";
         HTTP_PORT = 3000;
+        SSH_DOMAIN = "git.barrettruth.com";
       };
       service.DISABLE_REGISTRATION = true;
+      session.COOKIE_SECURE = true;
     };
   };
 
+  users.users.git = {
+    isSystemUser = true;
+    home = "/var/lib/forgejo";
+    group = "git";
+    shell = "${pkgs.bash}/bin/bash";
+  };
+
+  users.groups.git = { };
+
   environment.systemPackages = with pkgs; [
     vim
     git
@@ -119,8 +142,13 @@
   nix.gc = {
     automatic = true;
     dates = "weekly";
-    options = "--delete-older-than 7d";
+    options = "--delete-older-than 3d";
   };
 
+  nix.extraOptions = ''
+    min-free = ${toString (100 * 1024 * 1024)}
+    max-free = ${toString (1024 * 1024 * 1024)}
+  '';
+
   system.stateVersion = "24.11";
 }
diff --git a/hosts/netcup/hardware-configuration.nix b/hosts/netcup/hardware-configuration.nix
new file mode 100644
index 0000000..12adf63
--- /dev/null
+++ b/hosts/netcup/hardware-configuration.nix
@@ -0,0 +1,24 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}