phandom: add forgejo server

2024-04-06 20:38:35 -03:00 · 2024-04-06 20:38:35 -03:00 · 5edca9c2c6
parent 8de573b35c
commit 5edca9c2c6
7 changed files with 70 additions and 2 deletions
--- a/hosts/phantom/default.nix
+++ b/hosts/phantom/default.nix
@ -12,6 +12,7 @@
    ./writefreely.nix
    ./renawiki.nix
    ./email.nix
+    ./forgejo.nix
  ];

  # # Enable networking
--- a/hosts/phantom/email.nix
+++ b/hosts/phantom/email.nix
@ -9,13 +9,21 @@
  mailserver = {
    enable = true;
    fqdn = "mail.lelgenio.xyz";
-    domains = [ "lelgenio.xyz" ];
+    domains = [
+      "lelgenio.xyz"
+      "git.lelgenio.xyz"
+    ];
    certificateScheme = "acme-nginx";
+    # Create passwords with
+    # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
    loginAccounts = {
      "lelgenio@lelgenio.xyz" = {
        hashedPassword = "$2y$05$z5s7QCXcs5uTFsfyYpwNJeWzb3RmzgWxNgcPCr0zjSytkLFF/qZmS";
        aliases = [ "postmaster@lelgenio.xyz" ];
      };
+      "noreply@git.lelgenio.xyz" = {
+        hashedPassword = "$2b$05$TmR1R7ZwXfec7yrOfeBL7u3ZtyXf0up5dEO6uMWSvb/O7LPEm.j0.";
+      };
    };
  };

--- a/hosts/phantom/forgejo.nix
+++ b/hosts/phantom/forgejo.nix
@ -0,0 +1,56 @@
+{ lib, pkgs, config, ... }:
+let
+  cfg = config.services.forgejo;
+  srv = cfg.settings.server;
+in
+{
+  services.nginx = {
+    virtualHosts.${cfg.settings.server.DOMAIN} = {
+      forceSSL = true;
+      enableACME = true;
+      extraConfig = ''
+        client_max_body_size 512M;
+      '';
+      locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
+    };
+  };
+
+  services.openssh = {
+    authorizedKeysFiles = [
+      "${config.services.forgejo.stateDir}/.ssh/authorized_keys"
+    ];
+    # Recommended by forgejo: https://forgejo.org/docs/latest/admin/recommendations/#git-over-ssh
+    settings.AcceptEnv = "GIT_PROTOCOL";
+  };
+
+  services.forgejo = {
+    enable = true;
+    database.type = "postgres";
+    lfs.enable = true;
+    settings = {
+      service.DISABLE_REGISTRATION = true;
+      actions = {
+        ENABLED = true;
+        DEFAULT_ACTIONS_URL = "github";
+      };
+      server = {
+        DOMAIN = "git.lelgenio.xyz";
+        HTTP_PORT = 3000;
+        ROOT_URL = "https://${srv.DOMAIN}/";
+      };
+      mailer = {
+        ENABLED = true;
+        SMTP_ADDR = "mail.lelgenio.xyz";
+        FROM = "noreply@git.lelgenio.xyz";
+        USER = "noreply@git.lelgenio.xyz";
+      };
+    };
+    mailerPasswordFile = config.age.secrets.phantom-forgejo-mailer-password.path;
+  };
+
+  age.secrets.phantom-forgejo-mailer-password = {
+    file = ../../secrets/phantom-forgejo-mailer-password.age;
+    mode = "400";
+    owner = "forgejo";
+  };
+}
--- a/hosts/phantom/users.nix
+++ b/hosts/phantom/users.nix
@ -2,7 +2,7 @@
  security.rtkit.enable = true;
  services.openssh = {
    enable = true;
-    ports = [ 9022 ];
+    ports = [ 9022 22 ];
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
--- a/secrets/phantom-forgejo-mailer-password.age
+++ b/secrets/phantom-forgejo-mailer-password.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -10,4 +10,5 @@ in
  "phantom-nextcloud.age".publicKeys = [ main_ssh_public_key ];
  "phantom-writefreely.age".publicKeys = [ main_ssh_public_key ];
  "phantom-renawiki.age".publicKeys = [ main_ssh_public_key ];
+  "phantom-forgejo-mailer-password.age".publicKeys = [ main_ssh_public_key ];
 }
--- a/system/secrets.nix
+++ b/system/secrets.nix
@ -10,5 +10,7 @@
      ../secrets/rainbow-gitlab-runner-thoreb-itinerario-registrationConfigFile.age;
    secrets.monolith-nix-serve-privkey.file =
      ../secrets/monolith-nix-serve-privkey.age;
+    secrets.phantom-forgejo-mailer-password.file =
+      ../secrets/phantom-forgejo-mailer-password.age;
  };
 }