New service: Forgejo

2025-10-07 22:52:54 +02:00 · 2025-10-07 22:52:54 +02:00 · 0ba7940dba
commit 0ba7940dba
parent 3947745bec
8 changed files with 190 additions and 0 deletions
--- a/hosts/caddy/default.nix
+++ b/hosts/caddy/default.nix
@ -50,6 +50,12 @@ in
        host = p.hosts.firefly-iii;
      };

+      forgejo.proxy = {
+        enable = true;
+        domain = p.domains.public;
+        host = p.hosts.forgejo;
+      };
+
      immich.proxy = {
        enable = true;
        domain = p.domains.public;
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -256,4 +256,15 @@ in
    # specialArgs = { };
  };

+  forgejo = nixpkgs.lib.nixosSystem {
+    pkgs = pkgs "x86_64-linux";
+    modules = [
+      nodeBaseModules
+      proxmoxModule
+      ./forgejo
+      agenix.nixosModules.default
+    ];
+    # specialArgs = { };
+  };
+
 }
--- a/hosts/deployments.nix
+++ b/hosts/deployments.nix
@ -166,6 +166,15 @@ in
    ];
  };

+  forgejo.deployment = {
+    targetHost = hosts.forgejo;
+    tags = [
+      "lxc"
+      "bacco"
+      "forgejo"
+    ];
+  };
+
  deadbeef.deployment = {
    allowLocalDeployment = true;
    targetHost = null;
--- a/hosts/forgejo/default.nix
+++ b/hosts/forgejo/default.nix
@ -0,0 +1,58 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  p = import ../parameters.nix;
+in
+{
+
+  age.secrets.scaleway-password.file = ../../secrets/scaleway-password.age;
+
+  my = {
+    utils = {
+      commons.enable = true;
+      lxc-standard.enable = true;
+    };
+
+    services.forgejo = {
+      enable = true;
+      stateDir = "/mnt/git";
+      proxy.domain = p.domains.public;
+      secrets = {
+        mailer.PASSWD = config.age.secrets.scaleway-password.path;
+      };
+      settings = {
+        service = {
+          DISABLE_REGISTRATION = true;
+        };
+        mailer = {
+          ENABLED = true;
+          PROTOCOL = "smtps";
+          SMTP_ADDR = "smtp.tem.scaleway.com";
+          SMTP_PORT = "465";
+          USER = "5cbeeec0-9c3a-441a-9772-c11e9650fcd2";
+          FROM = "git@${p.domains.public}";
+        };
+        oauth2_client = {
+          USERNAME = "openid";
+          ACCOUNT_LINKING = "auto";
+        };
+      };
+    };
+
+    networking.nas-samba-share = {
+      enable = true;
+      allowUsers = [ config.services.forgejo.user ];
+    };
+
+    virtualisation.proxmox.enable = true;
+  };
+
+  # Extra packages
+  environment.systemPackages = with pkgs; [ ];
+
+  system.stateVersion = "25.05";
+}
--- a/hosts/parameters.nix
+++ b/hosts/parameters.nix
@ -28,6 +28,7 @@ in
    firefly-iii = "firefly-iii.${private-domain}";
    paperless = "paperless.${private-domain}";
    zigbee2mqtt = "zigbee2mqtt.${private-domain}";
+    forgejo = "forgejo.${private-domain}";
  };
  email = "davide@${public-domain}";
 }
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@ -3,6 +3,7 @@
    ./authentik.nix
    ./dashy.nix
    ./firefly-iii.nix
+    ./forgejo.nix
    ./immich.nix
    ./media-mgr.nix
    ./nextcloud.nix
--- a/modules/services/forgejo.nix
+++ b/modules/services/forgejo.nix
@ -0,0 +1,103 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.my.services.forgejo;
+  httpPort = 3000;
+in
+{
+
+  options.my.services.forgejo = {
+    enable = lib.mkEnableOption "Enable Forgejo code repository";
+
+    stateDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/forgejo/media";
+      description = "Directory with Immich will store media files";
+    };
+
+    settings = lib.mkOption {
+      default = { };
+      description = ''
+        Settings for Forgejo
+      '';
+    };
+
+    secrets = lib.mkOption {
+      description = "Secrets declared ";
+      type = lib.types.submodule {
+        freeformType = with lib.types; attrsOf (attrsOf path);
+        options = { };
+      };
+      default = { };
+    };
+
+    proxy = {
+      enable = lib.mkEnableOption "Set the proxy entry for this service";
+
+      domain = lib.mkOption {
+        default = "example.com";
+        type = lib.types.str;
+        description = ''
+          The domain where Caddy is reachable
+        '';
+      };
+
+      subdomain = lib.mkOption {
+        default = "git";
+        type = lib.types.str;
+        description = ''
+          The subdomain where Immich is reachable
+        '';
+      };
+
+      host = lib.mkOption {
+        default = "localhost";
+        type = lib.types.str;
+        description = ''
+          host name where the service is running
+        '';
+      };
+
+    };
+  };
+
+  config = lib.mkMerge [
+    (lib.mkIf cfg.enable {
+
+      services.forgejo = {
+        enable = true;
+        lfs.enable = true;
+        stateDir = cfg.stateDir;
+        secrets = cfg.secrets;
+        database = {
+          createDatabase = true;
+          type = "postgres";
+        };
+        settings = lib.recursiveUpdate {
+          server = {
+            DOMAIN = "git.${cfg.proxy.domain}";
+            ROOT_URL = "https://git.${cfg.proxy.domain}";
+            HTTP_PORT = httpPort;
+            SSH_PORT = 2222;
+          };
+        } cfg.settings;
+      };
+
+      networking.firewall.allowedTCPPorts = [ httpPort ];
+
+    })
+
+    (lib.mkIf cfg.proxy.enable {
+      services.caddy = with cfg.proxy; {
+        virtualHosts."${subdomain}.${domain}".extraConfig = ''
+          reverse_proxy http://${host}:${toString httpPort}
+          import cloudflare_${domain}
+        '';
+      };
+    })
+  ];
+}
--- a/ssh-keys.nix
+++ b/ssh-keys.nix
@ -20,6 +20,7 @@ rec {
    firefly-iii = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYkXjRqmuTMg56EmAx8s1M/VQojM7akF/ao+jJLYgFB";
    paperless = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRNgDyk3TuMooG4ZCv7SOgXh0ql1/1hhhng7uSnsLeK";
    zigbee2mqtt = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINN0z+RxfAIARVMFgtF9olJrL5lt95IoC0Mtzg0MKd3g";
+    forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO0MTOCgMoAFjYDEq1gU+XBSUNNcJenoHXagOgFuP1ZN";
  };

  # Machines able to provisioning other machines