feat(nix): add forgejo module and enable for server

nix/manifest.nix

@@ -64,8 +64,15 @@
             postgresql.enable = true;
           };
           web-apps = {
-            librechat.enable = true;
+            librechat = {
-            librechat.domain = "chat.bwfiq.com";
+              enable = true;
+              domain = "chat.bwfiq.com";
+            };
+            forgejo = {
+              enable = true;
+              domain = "git.rrv.sh";
+              openFirewall = true;
+            };
           };
         };
       };

nix/modules/server/web-apps/forgejo.nix

@@ -0,0 +1,47 @@
+{ lib, config, ... }:
+let
+  inherit (lib.lists) singleton optional;
+  inherit (config.flake.lib.options) mkPortOption;
+  inherit (config.flake.lib.services) mkWebApp;
+in
+{
+  flake.modules.nixos.default =
+    { config, ... }:
+    let
+      cfg = config.server.web-apps.forgejo;
+      upstreamCfg = config.services.forgejo;
+    in
+    mkWebApp {
+      inherit config;
+      name = "forgejo";
+      defaultPort = 3000;
+      persistDirs = singleton {
+        directory = upstreamCfg.stateDir;
+        inherit (upstreamCfg) user group;
+      };
+      extraOptions = {
+        sshPort = mkPortOption 2222;
+      };
+      extraConfig = {
+        networking.firewall.allowedTCPPorts = optional cfg.openFirewall cfg.sshPort;
+        services.forgejo = {
+          enable = true;
+          settings = {
+            server = {
+              DOMAIN = cfg.domain;
+              ROOT_URL = "https://${cfg.domain}/";
+              HTTP_PORT = cfg.port;
+              START_SSH_SERVER = true;
+              SSH_PORT = cfg.sshPort;
+            };
+            repository = {
+              USE_COMPAT_SSH_URI = false;
+              ENABLE_PUSH_CREATE_USER = true;
+              ENABLE_PUSH_CREATE_ORG = true;
+            };
+            "repository.signing".FORMAT = "ssh";
+          };
+        };
+      };
+    };
+}