gitea: enable registration behind captcha + manual approval

unfortunately gitea doesn't notify me of user applications.
so new users will want to contact me out-of-band.

cfg/services/gitea.nix

@@ -10,4 +10,60 @@
   services.gitea.rootUrl = "https://git.uninsane.org/";
   services.gitea.cookieSecure = true;
   # services.gitea.disableRegistration = true;
+
+  services.gitea.settings = {
+    server = {
+      # options: "home", "explore", "organizations", "login" or URL fragment (or full URL)
+      LANDING_PAGE = "explore";
+    };
+    service = {
+      # timeout for email approval. 5760 = 4 days
+      ACTIVE_CODE_LIVE_MINUTES = 5760;
+      REGISTER_EMAIL_CONFIRM = false;
+      REGISTER_MANUAL_CONFIRM = true;
+      # not sure what this notified on?
+      ENABLE_NOTIFY_MAIL = true;
+      # defaults to image-based captcha.
+      # also supports recaptcha (with custom URLs) or hCaptcha.
+      ENABLE_CAPTCHA = true;
+      NOREPLY_ADDRESS = "noreply.anonymous.git@uninsane.org";
+    };
+    repository = {
+      DEFAULT_BRANCH = "master";
+    };
+    other = {
+      SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
+    };
+    ui = {
+      # options: "auto", "gitea", "arc-green"
+      DEFAULT_THEME = "arc-green";
+      # cache frontend assets if true
+      # USE_SERVICE_WORKER = true;
+    };
+    #"ui.meta" = ... to customize html author/description/etc
+    mailer = {
+      ENABLED = true;
+      MAILER_TYPE = "sendmail";
+      FROM = "notify.git@uninsane.org";
+      SENDMAIL_PATH = "${pkgs.postfix}/bin/sendmail";
+    };
+    time = {
+      # options: ANSIC, UnixDate, RubyDate, RFC822, RFC822Z, RFC850, RFC1123, RFC1123Z, RFC3339, RFC3339Nano, Kitchen, Stamp, StampMilli, StampMicro, StampNano
+      # docs: https://pkg.go.dev/time#pkg-constants
+      FORMAT = "RFC3339";
+    };
+  };
+  # options: "Trace", "Debug", "Info", "Warn", "Error", "Critical"
+  services.gitea.log.level = "Info";
+
+  systemd.services.gitea.serviceConfig = {
+    # nix default is AF_UNIX AF_INET AF_INET6.
+    # we need more protos for sendmail to work. i thought it only needed +AF_LOCAL, but that didn't work.
+    RestrictAddressFamilies = lib.mkForce "~";
+    # add maildrop to allow sendmail to work
+    ReadWritePaths = lib.mkForce [
+      "/var/lib/postfix/queue/maildrop"
+      "/var/lib/gitea"
+    ];
+  };
 }

cfg/users.nix

@@ -94,6 +94,8 @@
     useDefaultShell = true;
     group = "gitea";
     isSystemUser = true;
+    # sendmail access (not 100% sure if this is necessary)
+    extraGroups = [ "postdrop" ];
   };
 
   # this is required to allow pleroma to send email.

configuration.nix

@@ -4,13 +4,33 @@
 
 { config, pkgs, ... }:
 
+let
+  pkgsUnstable = import (builtins.fetchTarball {
+    # Descriptive name to make the store path easier to identify
+    name = "nixos-unstable-2022-05-05";
+    # Commit hash for master on above date (s/commits/archive and append .tar.gz)
+    # see https://github.com/NixOS/nixpkgs/commits/nixos-unstable
+    url = "https://github.com/NixOS/nixpkgs/archive/c777cdf5c564015d5f63b09cc93bef4178b19b01.tar.gz";
+    # Hash obtained using `nix-prefetch-url --unpack <url>`
+    sha256 = "0r2xhflcy5agaz4a3b8pxiyiwh32s1kl3swv73flnj1x3v69s8bm";
+  }) {};
+in
 {
   imports = [ ./cfg ];
 
   nixpkgs.overlays = [
     (self: super: {
+      #### customized packages
+      # nixos-unstable pleroma is too far out-of-date for our db
       pleroma = super.callPackage ./pkgs/pleroma { };
+      # jackett doesn't allow customization of the bind address: this will probably always be here.
       jackett = self.callPackage ./pkgs/jackett { pkgs = super; };
+
+      #### nixos-unstable packages
+      # gitea: 1.16.5 contains a fix which makes manual user approval *actually* work.
+      # https://github.com/go-gitea/gitea/pull/19119
+      # safe to remove after 1.16.5 (or 1.16.7 if we need db compat?)
+      gitea = pkgsUnstable.gitea;
     })
   ];