feat: reenable forgejo

2024-09-11 22:31:55 +02:00 · 2024-09-11 22:31:55 +02:00 · 66aa57dec1
commit 66aa57dec1
parent e493705ecd
8 changed files with 137 additions and 4 deletions
--- a/config/secrets/secrets.nix
+++ b/config/secrets/secrets.nix
@ -13,8 +13,9 @@ in {

  "services/freshrss/admin-credentials.age".publicKeys = default;

-  "services/gitea/password-database.age".publicKeys = default;
-  "services/gitea/runner-token.age".publicKeys = default;
+  "services/forgejo/password-database.age".publicKeys = default;
+  "services/forgejo/minio-secretkey.age".publicKeys = default;
+  "services/forgejo/runner-token.age".publicKeys = default;

  "services/gitlab/dbFile.age".publicKeys = default;
  "services/gitlab/jwsFile.age".publicKeys = default;
--- a/config/secrets/services/forgejo/minio-secretkey.age
+++ b/config/secrets/services/forgejo/minio-secretkey.age
--- a/config/secrets/services/forgejo/password-database.age
+++ b/config/secrets/services/forgejo/password-database.age
--- a/config/secrets/services/forgejo/runner-token.age
+++ b/config/secrets/services/forgejo/runner-token.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> piv-p256 ML6NcA Axyxw6yFxClxeHvsS5nS0w9/YD5MkbK1AAgqbAlz85qd
+GHjgR0ctkcVdPWHzS8xyFxyNHxuOacgixFe6E1r1lKU
+-> ssh-ed25519 zj2A2A +O2Xjj34aQ5jTARybR9cpq3Ro9IPL+mFGsxVp0pl9QI
+NNqM6218WachtLLzMSVpuw2Kyhc9Dw+2kEw6g7paBFU
+--- 2O+aeC+Zzm33AltLmctxn4flFnYMYHpJkiG+1dGJUGU
+W<EFBFBD>g¥&<L v[<1C>îm¬Vá¼óÅáDGZîîIó©}H¥ÛfÚ/8ew¼åæf „3D<33>kÏˆÊ·UÕhJFSfbå°ÎNÃÖ˜7	³u\	
--- a/config/secrets/services/gitea/runner-token.age
+++ b/config/secrets/services/gitea/runner-token.age
--- a/config/services/default.nix
+++ b/config/services/default.nix
@ -3,6 +3,7 @@
    ./attic.nix
    ./atuin.nix
    ./containers.nix
+    ./forgejo.nix
    ./freshrss.nix
    ./minio.nix
    ./monitoring.nix
--- a/config/services/forgejo.nix
+++ b/config/services/forgejo.nix
@ -0,0 +1,124 @@
+{
+  config,
+  inputs,
+  pkgs,
+  ...
+}: let
+  modules = ["services/misc/forgejo.nix" "services/continuous-integration/gitea-actions-runner.nix"];
+  pkgsUnstable = inputs.nixpkgs-unstable.legacyPackages.${pkgs.stdenv.system};
+in {
+  # swap out stable for unstable modules
+  disabledModules = modules;
+  imports =
+    builtins.map (v: "${inputs.nixpkgs-unstable}/nixos/modules/${v}")
+    modules;
+
+  age.secrets = {
+    "services/forgejo/minio-secretkey".owner = config.services.forgejo.user;
+    "services/forgejo/password-database".owner = config.services.forgejo.user;
+  };
+
+  # forgejo ssh
+  networking.firewall.allowedTCPPorts = [22];
+
+  # indexer
+  services.elasticsearch.enable = true;
+
+  services.forgejo = {
+    enable = true;
+
+    package = pkgsUnstable.forgejo;
+
+    database = {
+      type = "postgres";
+      passwordFile = config.age.secrets."services/forgejo/password-database".path;
+    };
+
+    lfs.enable = true;
+
+    secrets = {
+      storage = {
+        MINIO_SECRET_ACCESS_KEY = config.age.secrets."services/forgejo/minio-secretkey".path;
+      };
+    };
+
+    settings = {
+      DEFAULT.APP_NAME = "winston's forgejo";
+
+      indexer = with config.services.elasticsearch; let
+        indexer = "elasticsearch";
+        conn = "http://${listenAddress}:${toString port}";
+      in {
+        REPO_INDEXER_ENABLED = true;
+        REPO_INDEXER_CONN_STR = conn;
+        REPO_INDEXER_TYPE = indexer;
+        ISSUE_INDEXER_CONN_STR = conn;
+        ISSUE_INDEXER_TYPE = indexer;
+      };
+
+      repository.ENABLE_PUSH_CREATE_USER = true;
+
+      server = rec {
+        DOMAIN = "code.winston.sh";
+        HTTP_ADDR = "127.0.0.1";
+        HTTP_PORT = 12492;
+        ROOT_URL = "https://${DOMAIN}/";
+        OFFLINE_MODE = false;
+      };
+
+      session = {
+        COOKIE_NAME = "forgejo-session";
+        COOKIE_SECURE = true;
+        SAME_SITE = "strict";
+      };
+
+      storage = {
+        STORAGE_TYPE = "minio";
+
+        SERVE_DIRECT = true;
+        MINIO_ENDPOINT = "s3.winston.sh";
+
+        MINIO_ACCESS_KEY_ID = "forgejo";
+
+        MINIO_BUCKET = "forgejo";
+        MINIO_LOCATION = "eu-central-1";
+        MINIO_USE_SSL = true;
+      };
+
+      "ui.meta".AUTHOR = "nekowinston's Forgejo - Beyond coding. We forge.";
+
+      other = {
+        SHOW_FOOTER_VERSION = false;
+        SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
+        SHOW_FOOTER_POWERED_BY = false;
+      };
+    };
+  };
+
+  virtualisation.podman.enable = true;
+  services.gitea-actions-runner = {
+    package = pkgsUnstable.forgejo-runner;
+    instances.main = {
+      enable = true;
+      name = "main";
+      url = config.services.forgejo.settings.server.ROOT_URL;
+      tokenFile = config.age.secrets."services/forgejo/runner-token".path;
+      labels = ["ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"];
+      settings.container = {
+        network = "host";
+        options = "--add-host=forgejo.winston.sh:host-gateway";
+      };
+    };
+  };
+
+  services.nginx.virtualHosts.${config.services.forgejo.settings.server.DOMAIN} = {
+    forceSSL = true;
+    enableACME = false;
+    useACMEHost = "winston.sh";
+
+    locations."/" = with config.services.forgejo.settings.server; {
+      extraConfig = "client_max_body_size 512M;";
+      proxyPass = "http://${HTTP_ADDR}:${toString HTTP_PORT}";
+    };
+  };
+}
--- a/flake.lock
+++ b/flake.lock
@ -274,8 +274,8 @@
        "steam-fetcher": "steam-fetcher"
      },
      "locked": {
-        "lastModified": 1725985161,
-        "narHash": "sha256-3E+tLNNlRyTlViudgYv8PvJOZdr3tsZrZ459eGff8sg=",
+        "lastModified": 1726069190,
+        "narHash": "sha256-UYnjgHSIjxdbRBxpVwvQ5IX5TVfRmgVZsGvwvRHeuPc=",
        "path": "/home/winston/satisfactory-flake",
        "type": "path"
      },