From 0ba7940dba22bc348d3a02b46ebcd9dd83b6e317 Mon Sep 17 00:00:00 2001
From: pazpi
Date: Tue, 7 Oct 2025 22:52:54 +0200
Subject: [PATCH] New service: Forgejo
---
hosts/caddy/default.nix | 6 ++
hosts/default.nix | 11 ++++
hosts/deployments.nix | 9 +++
hosts/forgejo/default.nix | 58 ++++++++++++++++++++
hosts/parameters.nix | 1 +
modules/services/default.nix | 1 +
modules/services/forgejo.nix | 103 +++++++++++++++++++++++++++++++++++
ssh-keys.nix | 1 +
8 files changed, 190 insertions(+)
create mode 100644 hosts/forgejo/default.nix
create mode 100644 modules/services/forgejo.nix
diff --git a/hosts/caddy/default.nix b/hosts/caddy/default.nix
index 444ca9e..5203067 100644
--- a/hosts/caddy/default.nix
+++ b/hosts/caddy/default.nix
@@ -50,6 +50,12 @@ in host = p.hosts.firefly-iii; };
+ forgejo.proxy = {
+ enable = true;
+ domain = p.domains.public;
+ host = p.hosts.forgejo;
+ }; + immich.proxy = { enable = true; domain = p.domains.public;
diff --git a/hosts/default.nix b/hosts/default.nix
index ee00f60..2d9d391 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -256,4 +256,15 @@ in # specialArgs = { }; };
+ forgejo = nixpkgs.lib.nixosSystem {
+ pkgs = pkgs "x86_64-linux";
+ modules = [
+ nodeBaseModules
+ proxmoxModule
+ ./forgejo
+ agenix.nixosModules.default
+ ];
+ # specialArgs = { };
+ }; + }
diff --git a/hosts/deployments.nix b/hosts/deployments.nix
index 5de76a4..f1adba7 100644
--- a/hosts/deployments.nix
+++ b/hosts/deployments.nix
@@ -166,6 +166,15 @@ in ]; };
+ forgejo.deployment = {
+ targetHost = hosts.forgejo;
+ tags = [
+ "lxc"
+ "bacco"
+ "forgejo"
+ ];
+ }; + deadbeef.deployment = { allowLocalDeployment = true; targetHost = null;
diff --git a/hosts/forgejo/default.nix b/hosts/forgejo/default.nix
new file mode 100644
index 0000000..4a61323
--- /dev/null
+++ b/hosts/forgejo/default.nix 
@@ -0,0 +1,58 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+let
+ p = import ../parameters.nix;
+in
+{
+
+ age.secrets.scaleway-password.file = ../../secrets/scaleway-password.age;
+
+ my = {
+ utils = {
+ commons.enable = true;
+ lxc-standard.enable = true;
+ };
+
+ services.forgejo = {
+ enable = true;
+ stateDir = "/mnt/git";
+ proxy.domain = p.domains.public;
+ secrets = {
+ mailer.PASSWD = config.age.secrets.scaleway-password.path;
+ };
+ settings = {
+ service = {
+ DISABLE_REGISTRATION = true;
+ };
+ mailer = {
+ ENABLED = true;
+ PROTOCOL = "smtps";
+ SMTP_ADDR = "smtp.tem.scaleway.com";
+ SMTP_PORT = "465";
+ USER = "5cbeeec0-9c3a-441a-9772-c11e9650fcd2";
+ FROM = "git@${p.domains.public}";
+ };
+ oauth2_client = {
+ USERNAME = "openid";
+ ACCOUNT_LINKING = "auto";
+ };
+ };
+ };
+
+ networking.nas-samba-share = {
+ enable = true;
+ allowUsers = [ config.services.forgejo.user ];
+ };
+
+ virtualisation.proxmox.enable = true;
+ };
+
+ # Extra packages
+ environment.systemPackages = with pkgs; [ ];
+
+ system.stateVersion = "25.05";
+}
diff --git a/hosts/parameters.nix b/hosts/parameters.nix
index fd504cf..1aae9c2 100644
--- a/hosts/parameters.nix
+++ b/hosts/parameters.nix
@@ -28,6 +28,7 @@ in firefly-iii = "firefly-iii.${private-domain}"; paperless = "paperless.${private-domain}"; zigbee2mqtt = "zigbee2mqtt.${private-domain}";
+ forgejo = "forgejo.${private-domain}"; }; email = "davide@${public-domain}"; }
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 897ac6f..e72c071 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -3,6 +3,7 @@ ./authentik.nix ./dashy.nix ./firefly-iii.nix
+ ./forgejo.nix ./immich.nix ./media-mgr.nix ./nextcloud.nix
diff --git a/modules/services/forgejo.nix b/modules/services/forgejo.nix
new file mode 100644
index 0000000..e18123b
--- /dev/null
+++ b/modules/services/forgejo.nix 
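Review bot: `oauth2_client.ACCOUNT_LINKING = "auto"` in the `settings` block links a first-time OAuth2 login to an existing local account whose identity matches (by e-mail address, as far as I recall) without any confirmation from that account's owner, so the safety of the setting rests entirely on the provider registered in Forgejo only returning verified addresses, and that precondition is recorded nowhere in this file. Either add it next to the setting, e.g. `# auto-links by matching identity; the OAuth2 provider must only return verified e-mail addresses`, or use `ACCOUNT_LINKING = "login";` so the user authenticates locally once before the link is made. `service.DISABLE_REGISTRATION = true` is the right default for a single-tenant instance, but since it may also decide whether unknown OAuth2 identities can auto-create accounts, a one-line comment stating which behaviour is intended would keep it from being flipped casually later. `mailer.USER` is a plain identifier committed alongside an agenix-managed `PASSWD`, which is fine, but a short comment saying so would stop a later reader from treating it as a leaked credential.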
@@ -0,0 +1,103 @@
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.my.services.forgejo;
+ httpPort = 3000;
+in
+{
+
+ options.my.services.forgejo = {
+ enable = lib.mkEnableOption "Enable Forgejo code repository";
+
+ stateDir = lib.mkOption {
+ type = lib.types.path;
+ default = "/var/lib/forgejo/media";
+ description = "Directory with Immich will store media files";
+ };
+
+ settings = lib.mkOption {
+ default = { };
+ description = ''
+ Settings for Forgejo
+ '';
+ };
+
+ secrets = lib.mkOption {
+ description = "Secrets declared ";
+ type = lib.types.submodule {
+ freeformType = with lib.types; attrsOf (attrsOf path);
+ options = { };
+ };
+ default = { };
+ };
+
+ proxy = {
+ enable = lib.mkEnableOption "Set the proxy entry for this service";
+
+ domain = lib.mkOption {
+ default = "example.com";
+ type = lib.types.str;
+ description = ''
+ The domain where Caddy is reachable
+ '';
+ };
+
+ subdomain = lib.mkOption {
+ default = "git";
+ type = lib.types.str;
+ description = ''
+ The subdomain where Immich is reachable
+ '';
+ };
+
+ host = lib.mkOption {
+ default = "localhost";
+ type = lib.types.str;
+ description = ''
+ host name where the service is running
+ '';
+ };
+
+ };
+ };
+
+ config = lib.mkMerge [
+ (lib.mkIf cfg.enable {
+
+ services.forgejo = {
+ enable = true;
+ lfs.enable = true;
+ stateDir = cfg.stateDir;
+ secrets = cfg.secrets;
+ database = {
+ createDatabase = true;
+ type = "postgres";
+ };
+ settings = lib.recursiveUpdate {
+ server = {
+ DOMAIN = "git.${cfg.proxy.domain}";
+ ROOT_URL = "https://git.${cfg.proxy.domain}";
+ HTTP_PORT = httpPort;
+ SSH_PORT = 2222;
+ };
+ } cfg.settings;
+ };
+
+ networking.firewall.allowedTCPPorts = [ httpPort ];
+
+ })
+
+ (lib.mkIf cfg.proxy.enable {
+ services.caddy = with cfg.proxy; {
+ virtualHosts."${subdomain}.${domain}".extraConfig = ''
+ reverse_proxy http://${host}:${toString httpPort}
+ import cloudflare_${domain}
+ '';
+ };
+ })
+ ];
+} 
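Review bot: `server.DOMAIN` and `ROOT_URL` in the `services.forgejo.settings` block hard-code the `git.` label while the Caddy virtual host further down is built from `cfg.proxy.subdomain`, so overriding `subdomain` makes Forgejo advertise clone and callback URLs for a name the proxy does not serve; derive both from the option: `DOMAIN = "${cfg.proxy.subdomain}.${cfg.proxy.domain}";` and `ROOT_URL = "https://${cfg.proxy.subdomain}.${cfg.proxy.domain}";`. `networking.firewall.allowedTCPPorts = [ httpPort ]` exposes the plaintext HTTP listener on every interface although its only intended client is the reverse proxy at `cfg.proxy.host`, so consider narrowing that rule to the proxy's address or a dedicated interface, and add a comment stating that TLS termination and the `cloudflare_${domain}` snippet live in Caddy rather than here. `SSH_PORT = 2222` is advertised in clone URLs, but nothing in this hunk opens 2222 in the firewall or configures a listener for it, so either wire it up next to `httpPort` or leave the setting out until git-over-SSH is actually provided. Finally, the `stateDir` and `subdomain` descriptions still say "Immich" (`"Directory with Immich will store media files"`) from the module this was copied from, and `settings` is declared with `lib.mkOption` and no `type`, so multiple definitions are only shallow-merged and never validated; `type = lib.types.attrs;` or the INI format type used by the upstream `services.forgejo` module would fix that.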
diff --git a/ssh-keys.nix b/ssh-keys.nix
index 7101283..a743c97 100644
--- a/ssh-keys.nix
+++ b/ssh-keys.nix
@@ -20,6 +20,7 @@ rec { firefly-iii = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYkXjRqmuTMg56EmAx8s1M/VQojM7akF/ao+jJLYgFB"; paperless = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRNgDyk3TuMooG4ZCv7SOgXh0ql1/1hhhng7uSnsLeK"; zigbee2mqtt = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINN0z+RxfAIARVMFgtF9olJrL5lt95IoC0Mtzg0MKd3g";
+ forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO0MTOCgMoAFjYDEq1gU+XBSUNNcJenoHXagOgFuP1ZN"; }; # Machines able to provisioning other machines