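# Forgejo host module: the forge itself, its agenix-managed secrets, the Caddy
# reverse proxy in front of it, and a local actions runner registered against
# the same instance.
{ inputs, config, lib, pkgs, ... }:
let
  domain = "git.tdback.net";
  port = 3000;
in
{
  services.forgejo = {
    enable = true;
    package = pkgs.unstable.forgejo;
    stateDir = "/tank/forgejo";
    database.type = "postgres";
    lfs.enable = true;
    settings = {
      server = {
        DOMAIN = domain;
        ROOT_URL = "https://${domain}/";
        HTTP_PORT = port;
      };
      # Accounts are provisioned out of band (see the preStart hook below), so
      # self-service sign-up stays closed.
      service.DISABLE_REGISTRATION = true;
      actions = {
        ENABLED = true;
        DEFAULT_ACTIONS_URL = "https://${domain}";
      };
    };
  };

  # Initial admin password, decrypted at activation time. The file is only
  # ever read (by the preStart hook below), so it needs neither write nor
  # execute bits: 0440 keeps it readable by the forgejo user and group only.
  age.secrets.forgejoAdminPass = {
    file = "${inputs.self}/secrets/forgejoAdminPass.age";
    mode = "0440";
    owner = "forgejo";
    group = "forgejo";
  };

  # One-shot bootstrap of the admin account before the service starts.
  # `|| true` keeps the unit starting once the user already exists, but it
  # also masks every other failure of the create command, so check the unit's
  # journal if the account is missing. The password is expanded onto the
  # command line and can be visible in the process list while the command
  # runs; the secret file itself is never echoed.
  systemd.services.forgejo.preStart =
    let
      adminCmd = "${lib.getExe config.services.forgejo.package} admin user";
      password = config.age.secrets.forgejoAdminPass.path;
      user = "tdback";
      email = "tyler@tdback.net";
    in ''
      ${adminCmd} create --admin --email ${email} --username ${user} --password "$(tr -d '\n' < ${password})" || true
    '';

  # Only the forgejo service account may log in over SSH from this module;
  # any other login user has to be added to AllowUsers elsewhere (the list is
  # merged across modules) or it is locked out.
  services.openssh.settings.AllowUsers = [ "forgejo" ];

  # Caddy terminates TLS for the domain and proxies to the local HTTP port.
  services.caddy.virtualHosts.${domain}.extraConfig = ''
    encode zstd gzip
    reverse_proxy http://localhost:${builtins.toString port}
  '';

  # Runner registration token; agenix default permissions apply (root-readable
  # only), which is what the runner service needs here.
  age.secrets.forgejoRunnerToken.file = "${inputs.self}/secrets/forgejoRunnerToken.age";

  services.gitea-actions-runner = {
    package = pkgs.unstable.forgejo-runner;
    instances.default = {
      enable = true;
      name = "monolith";
      url = "https://${domain}";
      tokenFile = config.age.secrets.forgejoRunnerToken.path;
      # Job containers come from a mutable registry tag: what `node:20-bookworm`
      # resolves to changes whenever the upstream image is republished. Pin by
      # digest if job environments must be reproducible or reviewable.
      labels = [
        "ubuntu-latest:docker://node:20-bookworm"
        "ubuntu-22.04:docker://node:20-bookworm"
      ];
    };
  };
}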