feat: add forgejo #25
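--- a/hosts/nachtigall/apps/forgejo.nix
+++ b/hosts/nachtigall/apps/forgejo.nix
@@ -0,0 +1,94 @@
+{
+config,
+lib,
+pkgs,
+self,
+...
+}: {
+age.secrets.forgejo-database-password = {
+file = "${self}/secrets/forgejo-database-password.age";
+mode = "600";
+owner = "gitea";
+};
+
+age.secrets.forgejo-mailer-password = {
+file = "${self}/secrets/forgejo-mailer-password.age";
+mode = "600";
+owner = "gitea";
+};
+
+services.nginx.virtualHosts."git.pub.solar" = {
+enableACME = true;
+forceSSL = true;
+
+locations."/user/login".extraConfig = ''
+return 302 /user/oauth2/keycloak;
+'';
+
+locations."/".proxyPass = "http://localhost:3000";
+};
+
+services.gitea = {
+enable = true;
+package = pkgs.forgejo;
+appName = "pub.solar git server";
+database = {
+type = "postgres";
+passwordFile = config.age.secrets.forgejo-database-password.path;
+};
+stateDir = "/var/lib/forgejo";
+lfs.enable = true;
+mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
+settings = {
+server = {
+ROOT_URL = "https://git.pub.solar";
+DOMAIN = "git.pub.solar";
+HTTP_ADDR = "127.0.0.1";
+HTTP_PORT = 3000;
+};
+mailer = {
+ENABLED = true;
+PROTOCOL = "smtps";
+SMTP_ADDR = "mx2.greenbaum.cloud";
+SMTP_PORT = 465;
+FROM = ''"pub.solar git server" <forgejo@pub.solar>'';
+USER = "admins@pub.solar";
+};
+"repository.signing" = {
+SIGNING_KEY = "default";
+MERGES = "always";
+};
+openid = {
+ENABLE_OPENID_SIGNIN = true;
+ENABLE_OPENID_SIGNUP = true;
+};
+# uncomment after initial deployment, first user is admin user
+# required to setup SSO (oauth openid-connect, keycloak auth provider)
+service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+service.ENABLE_NOTIFY_MAIL = true;
+session.COOKIE_SECURE = lib.mkForce true;
+};
+};
+
+# See: https://docs.gitea.io/en-us/signing/#installing-and-generating-a-gpg-key-for-gitea
+# Required for gitea server side gpg signatures
+# configured/setup manually in:
+# /var/lib/gitea/data/home/.gitconfig
+# /var/lib/gitea/data/home/.gnupg/
+# sudo su gitea
+# export GNUPGHOME=/var/lib/gitea/data/home/.gnupg
+# gpg --quick-gen-key 'pub.solar gitea <gitea@pub.solar>' ed25519
+# TODO: implement declarative GPG key generation and
+# gitea gitconfig
+programs.gnupg.agent = {
+enable = true;
+pinentryFlavor = "curses";
+};
+# Required to make gpg work without a graphical environment?
+# otherwise generating a new gpg key fails with this error:
+# gpg: agent_genkey failed: No pinentry
+# see: https://github.com/NixOS/nixpkgs/issues/97861#issuecomment-827951675
+environment.variables = {
+GPG_TTY = "$(tty)";
+};
+}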
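Review bot: The comment `# uncomment after initial deployment, first user is admin user` describes `service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;` as a setting to turn on later, but the line is already active, so on the very first deploy no local account (and therefore no admin to configure the Keycloak auth source) can be registered; either comment it out for the initial deploy, `# service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;`, or reword the comment to state that it is intentionally on from the start. The nginx `locations."/user/login"` entry is a prefix match, so it also redirects every path below `/user/login` (presumably including the OpenID sign-in page that `ENABLE_OPENID_SIGNIN` enables) to Keycloak and leaves no local login path for a break-glass admin account if the identity provider is unavailable; an exact match such as `locations."= /user/login".extraConfig = ''return 302 /user/oauth2/keycloak;'';` limits the redirect to the login page itself. The GPG setup notes reference `/var/lib/gitea/data/home/.gitconfig`, `/var/lib/gitea/data/home/.gnupg/` and the matching `GNUPGHOME` export, while `stateDir = "/var/lib/forgejo";` a few lines above moves the state directory, so those comment paths should be updated to the forgejo state directory or the comment should explain why the old path still applies.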
@ -17,5 +17,6 @@
|
||||||
./apps/mastodon.nix
|
./apps/mastodon.nix
|
||||||
./apps/opensearch.nix
|
./apps/opensearch.nix
|
||||||
./apps/postgresql.nix
|
./apps/postgresql.nix
|
||||||
|
./apps/forgejo.nix
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
27
secrets/forgejo-database-password.age
Normal file
27
secrets/forgejo-database-password.age
Normal file
|
@ -0,0 +1,27 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 iDKjwg RIy4MC1iLzjOVc1ENd8Hic3b6yVsey1jGKKfpH5QznI
|
||||||
|
jCdBc7BcfAa0/BxN40P9neRJcRyz/mbXCHkQZ98MjqI
|
||||||
|
-> ssh-ed25519 uYcDNw bmxhArWdUbbC2zCb1FQmtz5UXBKM9nYdGnmRQNVjsiY
|
||||||
|
IUsRWcBZf2HJpibhqaqBUGTaOTL865Y2ZR2ZM8Ocmr0
|
||||||
|
-> ssh-rsa kFDS0A
|
||||||
|
XuCHi1ekeI+EG3JpNpze/XZWImIFHd4itCzjxApHINBdUqRA7yqVq1k557GcXU3S
|
||||||
|
dSW4Li2yQaGTDfWYbks5gyOxHjJ75mQ+McnzROdMuMTNYYpTs5CDmGUKDs7Fp86l
|
||||||
|
/YLfoo/hYd7/sKObJLSC/STEk/ObAxDNIe2eEK+esbAlBC0Lym9mi/vtuY8WzWAY
|
||||||
|
dsPvGk6497ap5lcZiLiJRChqumYSoTryKAMAvfiTtytcNCFh7hWnw5DFKcA/vlkx
|
||||||
|
cGDrM99itWtEO01oWA6SAVL6JfpWyjpQZqEKt3f3U0xsJbLUXEEiH+kUWpros6Nk
|
||||||
|
PJKVR2mcW3DiBKpR2QJDIkXJ5tUWzDn9Dgw54NniF2D91xs3MzQuvScrfb+/XR6H
|
||||||
|
Xc9BiytdOP/WW3PnvAu2jfMzXJlmlUJTQTWYRZs5tp8daKFN7MP3cIMwx/r+qc+o
|
||||||
|
JbqFxOewnNO0hEwfwYPCFnMEam8rmRmU8GI1RiBAGpQbBv02ihX4U5eWuLXrpmHK
|
||||||
|
0VOgkesWsAOHpV+tRJ3cxA8t/pjIWmN0nccRz+qz/1Ec6O5circBneVBgJow/MKh
|
||||||
|
M0f0b+HPr+ld0z4FA7rDESGhgQHEsyU9UUWU8U++Mdh64c/mRMCnYokoemve0w1G
|
||||||
|
9cJjR0rcknDgo+KQutinh3pTqbvYrtfP4iuzWBd8LV8
|
||||||
|
-> ssh-ed25519 YFSOsg m6r2ew7bjrpbA0QMs7O5MhSm0UpKCWHEJTlwm384MxI
|
||||||
|
a/mnaNz14aFuZCtcq46ANVydKRJw0e61N5e+kGGkuYQ
|
||||||
|
-> ssh-ed25519 iHV63A MQu2VYkY/Cs5bhYe95wpdlpLfe/lHwhk60WA9EgN3wc
|
||||||
|
gbZyVF9l0W8+BO59ddsZ7c+VgzdPkNbq9U9oG0Kjebo
|
||||||
|
-> ssh-ed25519 BVsyTA XWMWR2qUI1KFhcZxGgxuWOq+DLrTwHvEpI7xee/GD3I
|
||||||
|
jVckHGgjXWlz0kvad6EDZ1vDrXGjBM2dxT5qJswX2Kc
|
||||||
|
-> W},tK-grease
|
||||||
|
4P6Gr7nsS9raE/XVkCkDawtWkS7a3o7r7tXe9w
|
||||||
|
--- de3b3x+RtRpsIBf3Sh72AydLgEHUcGeRvoDE0rPFZ2o
|
||||||
|
ZË8æö¾€pM£¿Aúʨ$Ë[’ùÙËó¥Ÿ<C2A5>‚<íøýt£ÊIOr›Öq™½oÛñ»ácÐeî,œ;MK_¯©¦ž3-Ó<>íߘõÀ§£é\RQ&ÀžGá’·®ÅR}
|
27
secrets/forgejo-mailer-password.age
Normal file
27
secrets/forgejo-mailer-password.age
Normal file
|
@ -0,0 +1,27 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 iDKjwg qOInns0pyNkaFNGoodX1QrRCSRDL5ncmJWSyDxCo7Rc
|
||||||
|
8mJO69rBO8IaVRYG94hidY6MU7UEn+ENejdHOkzn7h8
|
||||||
|
-> ssh-ed25519 uYcDNw FdZ8Z50hcHrRVuBC7HPnVPNdnJgyudepe/smnTkcmzg
|
||||||
|
ELojSvwv3K6YVLXEAmjoQxt5szvs68oRZ9fZ+QcaVEU
|
||||||
|
-> ssh-rsa kFDS0A
|
||||||
|
cbDwTYbZf9SZJ4SmjdBD7hSWMZWi87KUbAHTS2snWi1wjf0m5KngbdlWVcTOgwE5
|
||||||
|
Gnn1m9cZKx6z7s/AUsPRRQizoYsUY91osPmc7lNVZ8mjJ6ztLhX1JhAy3PobmxDi
|
||||||
|
BI3WsZtMpL+JihSE1DfJ05dkY/tWYZu/yXDmaig/E54YsuyXeATikm/IzxbSXDDT
|
||||||
|
crSOE2YVS0+GjhEfJft6ckw9YdbzqjoXwdutrzQWdivvXU17xH11cM3xC579OUNF
|
||||||
|
c+EobYRjCfzsk27vFGxieV+0mAmJSM5V5mBQ9VBaqDiZ43gI5enCIVJIkK36f4P3
|
||||||
|
lt9PQ9UmWJ8RPQis+Aaq5Ld5y8aVho16BQjCqDzsRoFTalVNYa5ElrB2nuJPYQIw
|
||||||
|
DV9Hj3R2wG4IZSIEq5WnLtk7Gda2x4VlfdlMhGXixPJ0xjYKWg8Sj0qlmCAVqqEc
|
||||||
|
QyWpVFEu1ogk8Gw2jQK6TvrxUT94UAyEBwqBbumqaB3JfsnDaxbFlLG1wWr10nXh
|
||||||
|
axplDvM7tuU5RvjPGSwUezkryfn8SjEod+04rQRLhe9JMD5C33JBI1p5JNi2ZAB/
|
||||||
|
SyujIVCh+DRzq9IjMYCgCYmYp5P7pJlk+GZCeeMSbvf2d45mX1P2D6PrCm8uSL8m
|
||||||
|
Fw7mOliDyBGPizpQ2lOJaL1q4A5KGjAaRVuRJSaNlBg
|
||||||
|
-> ssh-ed25519 YFSOsg c3VN03glwExVKBi83ftg6jNZ2Yzx4PGmRiQOpgQl9AI
|
||||||
|
sKrGt7U5XwNkyydwmXBxPvHwKloY6V/mn+5ipq2GYZo
|
||||||
|
-> ssh-ed25519 iHV63A mH5q5q6ZPlddNsil1NjVLcT2gIxh+PlhA6JT9HBD/VE
|
||||||
|
O9OxtyCtIhNMFMUPCyPL4ycT75t/g1nvli6XXVifXGo
|
||||||
|
-> ssh-ed25519 BVsyTA iPdUjSRVamrCzUJVhpzMyUhyxHisRofkKswvCb/qUCo
|
||||||
|
Z5UOndKbp5GPIzxB4xsNlGqC30dnMx557n07NkS3aOk
|
||||||
|
-> fqFqA!-grease >^roC?oN
|
||||||
|
kKQNtgmcdmj4h1fFB4Fse21BfLrq73SdIZ/cyD1qxBR8VUtIPReLpiYJSm30Eg
|
||||||
|
--- mUQvto08o1xaSIbSE+zi9IPCIuZZF5G9xlwKUApylMY
|
||||||
|
6M€£ú‡‚ÆçU܈GWR"*#¶BwøK`ÈÀÈŒtèsoga‘3ržœñ_ÃT9š™
|
|
@ -34,4 +34,8 @@ in {
|
||||||
"mastodon-extra-env-secrets.age".publicKeys = nachtigallKeys ++ baseKeys;
|
"mastodon-extra-env-secrets.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||||
|
|
||||||
"keycloak-database-password.age".publicKeys = nachtigallKeys ++ baseKeys;
|
"keycloak-database-password.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||||
|
|
||||||
|
"forgejo-database-password.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||||
|
|
||||||
|
"forgejo-mailer-password.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||||
}
|
}
|
||||||
|
|