New service: Forgejo

2025-10-07 22:52:54 +02:00 · 2025-10-07 22:52:54 +02:00 · 0ba7940dba
commit 0ba7940dba
parent 3947745bec
8 changed files with 190 additions and 0 deletions
--- a/hosts/caddy/default.nix
+++ b/hosts/caddy/default.nix
@ -50,6 +50,12 @@ in
        host = p.hosts.firefly-iii;
      };
      forgejo.proxy = {
        enable = true;
        domain = p.domains.public;
        host = p.hosts.forgejo;
      };
      immich.proxy = {
        enable = true;
        domain = p.domains.public;
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -256,4 +256,15 @@ in
    # specialArgs = { };
  };
  forgejo = nixpkgs.lib.nixosSystem {
    pkgs = pkgs "x86_64-linux";
    modules = [
      nodeBaseModules
      proxmoxModule
      ./forgejo
      agenix.nixosModules.default
    ];
    # specialArgs = { };
  };
 }
--- a/hosts/deployments.nix
+++ b/hosts/deployments.nix
@ -166,6 +166,15 @@ in
    ];
  };
  forgejo.deployment = {
    targetHost = hosts.forgejo;
    tags = [
      "lxc"
      "bacco"
      "forgejo"
    ];
  };
  deadbeef.deployment = {
    allowLocalDeployment = true;
    targetHost = null;
--- a/hosts/forgejo/default.nix
+++ b/hosts/forgejo/default.nix
@ -0,0 +1,58 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
 let
  p = import ../parameters.nix;
 in
 {
  age.secrets.scaleway-password.file = ../../secrets/scaleway-password.age;
  my = {
    utils = {
      commons.enable = true;
      lxc-standard.enable = true;
    };
    services.forgejo = {
      enable = true;
      stateDir = "/mnt/git";
      proxy.domain = p.domains.public;
      secrets = {
        mailer.PASSWD = config.age.secrets.scaleway-password.path;
      };
      settings = {
        service = {
          DISABLE_REGISTRATION = true;
        };
        mailer = {
          ENABLED = true;
          PROTOCOL = "smtps";
          SMTP_ADDR = "smtp.tem.scaleway.com";
          SMTP_PORT = "465";
          USER = "5cbeeec0-9c3a-441a-9772-c11e9650fcd2";
          FROM = "git@${p.domains.public}";
        };
        oauth2_client = {
          USERNAME = "openid";
          ACCOUNT_LINKING = "auto";
        };
      };
    };
    networking.nas-samba-share = {
      enable = true;
      allowUsers = [ config.services.forgejo.user ];
    };
    virtualisation.proxmox.enable = true;
  };
  # Extra packages
  environment.systemPackages = with pkgs; [ ];
  system.stateVersion = "25.05";
 }
--- a/hosts/parameters.nix
+++ b/hosts/parameters.nix
@ -28,6 +28,7 @@ in
    firefly-iii = "firefly-iii.${private-domain}";
    paperless = "paperless.${private-domain}";
    zigbee2mqtt = "zigbee2mqtt.${private-domain}";
    forgejo = "forgejo.${private-domain}";
  };
  email = "davide@${public-domain}";
 }
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@ -3,6 +3,7 @@
    ./authentik.nix
    ./dashy.nix
    ./firefly-iii.nix
    ./forgejo.nix
    ./immich.nix
    ./media-mgr.nix
    ./nextcloud.nix
--- a/modules/services/forgejo.nix
+++ b/modules/services/forgejo.nix
@ -0,0 +1,103 @@
 {
  lib,
  config,
  pkgs,
  ...
 }:
 let
  cfg = config.my.services.forgejo;
  httpPort = 3000;
 in
 {
  options.my.services.forgejo = {
    enable = lib.mkEnableOption "Enable Forgejo code repository";
    stateDir = lib.mkOption {
      type = lib.types.path;
      default = "/var/lib/forgejo/media";
      description = "Directory with Immich will store media files";
    };
    settings = lib.mkOption {
      default = { };
      description = ''
        Settings for Forgejo
      '';
    };
    secrets = lib.mkOption {
      description = "Secrets declared ";
      type = lib.types.submodule {
        freeformType = with lib.types; attrsOf (attrsOf path);
        options = { };
      };
      default = { };
    };
    proxy = {
      enable = lib.mkEnableOption "Set the proxy entry for this service";
      domain = lib.mkOption {
        default = "example.com";
        type = lib.types.str;
        description = ''
          The domain where Caddy is reachable
        '';
      };
      subdomain = lib.mkOption {
        default = "git";
        type = lib.types.str;
        description = ''
          The subdomain where Immich is reachable
        '';
      };
      host = lib.mkOption {
        default = "localhost";
        type = lib.types.str;
        description = ''
          host name where the service is running
        '';
      };
    };
  };
  config = lib.mkMerge [
    (lib.mkIf cfg.enable {
      services.forgejo = {
        enable = true;
        lfs.enable = true;
        stateDir = cfg.stateDir;
        secrets = cfg.secrets;
        database = {
          createDatabase = true;
          type = "postgres";
        };
        settings = lib.recursiveUpdate {
          server = {
            DOMAIN = "git.${cfg.proxy.domain}";
            ROOT_URL = "https://git.${cfg.proxy.domain}";
            HTTP_PORT = httpPort;
            SSH_PORT = 2222;
          };
        } cfg.settings;
      };
      networking.firewall.allowedTCPPorts = [ httpPort ];
    })
    (lib.mkIf cfg.proxy.enable {
      services.caddy = with cfg.proxy; {
        virtualHosts."${subdomain}.${domain}".extraConfig = ''
          reverse_proxy http://${host}:${toString httpPort}
          import cloudflare_${domain}
        '';
      };
    })
  ];
 }
--- a/ssh-keys.nix
+++ b/ssh-keys.nix
@ -20,6 +20,7 @@ rec {
    firefly-iii = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYkXjRqmuTMg56EmAx8s1M/VQojM7akF/ao+jJLYgFB";
    paperless = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRNgDyk3TuMooG4ZCv7SOgXh0ql1/1hhhng7uSnsLeK";
    zigbee2mqtt = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINN0z+RxfAIARVMFgtF9olJrL5lt95IoC0Mtzg0MKd3g";
    forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO0MTOCgMoAFjYDEq1gU+XBSUNNcJenoHXagOgFuP1ZN";
  };
  # Machines able to provisioning other machines