refactor: add hosting-01 to colmena

Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>
2025-10-21 13:34:45 +02:00 · 2025-10-21 13:34:45 +02:00 · 440e1a6541
commit 440e1a6541
parent f1f8662e98
11 changed files with 155 additions and 223 deletions
--- a/hosts/servers/git/forgejo.nix
+++ b/hosts/servers/git/forgejo.nix
@ -0,0 +1,131 @@
+{ config, lib, ... }:
+let
+  cfg = config.services.forgejo;
+  srv = cfg.settings.server;
+in
+{
+  services.forgejo = {
+    enable = true;
+
+    database = {
+      type = "postgres";
+      host = "db-01.tailnet.escapeangle.com";
+      createDatabase = false;
+    };
+
+    lfs.enable = true;
+
+    settings = {
+      server = {
+        DOMAIN = "git.escapeangle.com";
+        ROOT_URL = "https://${srv.DOMAIN}";
+        HTTP_PORT = 3000;
+        LANDING_PAGE = "explore";
+      };
+
+      ui.DEFAULT_THEME = "gitea-auto";
+
+      service = {
+        DISABLE_REGISTRATION = false;
+        ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+        SHOW_REGISTRATION_BUTTON = false;
+      };
+
+      openid = {
+        ENABLE_OPENID_SIGNIN = false;
+        ENABLE_OPENID_SIGNUP = true;
+        WHITELISTED_URIS = "auth.escapeangle.com";
+      };
+
+      storage = {
+        STORAGE_TYPE = "minio";
+        MINIO_ENDPOINT = "daf6ae2391d4d68ecf3c5af2f1540f5c.r2.cloudflarestorage.com";
+        MINIO_BUCKET = "forgejo";
+        MINIO_LOCATION = "auto";
+        MINIO_USE_SSL = true;
+        MINIO_CHECKSUM_ALGORITHM = "md5";
+      };
+
+      mailer = {
+        ENABLED = true;
+        SMTP_ADDR = "mail.escapeangle.com";
+        FROM = "forgejo@escapeangle.com";
+        USER = "forgejo@escapeangle.com";
+      };
+    };
+
+    secrets = {
+      storage = {
+        MINIO_ACCESS_KEY_ID = config.sops.secrets."forgejo/access-key-id".path;
+        MINIO_SECRET_ACCESS_KEY = config.sops.secrets."forgejo/secret-access-key".path;
+      };
+
+      mailer = {
+        PASSWD = config.sops.secrets."forgejo/mailer-password".path;
+      };
+    };
+  };
+
+  systemd.services.forgejo = {
+    requires = [ "tailscaled.service" ];
+
+    preStart = # bash
+      ''
+        auth="${lib.getExe config.services.forgejo.package} admin auth"
+
+        echo "Trying to find existing sso configuration for Authelia"...
+        set +e -o pipefail
+        id="$($auth list | grep "Authelia.*OAuth2" |  cut -d'	' -f1)"
+        found=$?
+        set -e +o pipefail
+
+        if [[ $found = 0 ]]; then
+          echo Found sso configuration at id=$id, updating it if needed.
+          $auth update-oauth \
+            --id       $id \
+            --name     "Authelia" \
+            --provider openidConnect \
+            --key      forgejo \
+            --secret   $(tr -d '\n' < ${config.sops.secrets."forgejo/oidc-secret".path}) \
+            --auto-discover-url https://auth.escapeangle.com/.well-known/openid-configuration
+        else
+          echo Did not find any sso configuration, creating one with name Authelia.
+          $auth add-oauth \
+            --name     Authelia \
+            --provider openidConnect \
+            --key      forgejo \
+            --secret   $(tr -d '\n' < ${config.sops.secrets."forgejo/oidc-secret".path}) \
+            --auto-discover-url https://auth.escapeangle.com/.well-known/openid-configuration
+        fi
+      '';
+  };
+
+  services.nginx.virtualHosts."git.escapeangle.com" = {
+    forceSSL = true;
+    enableACME = true;
+    extraConfig = ''
+      client_max_body_size 512M;
+    '';
+    locations."/" = {
+      proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
+    };
+  };
+
+  sops = {
+    defaultSopsFile = ../hosting-01.yaml;
+    secrets = {
+      "forgejo/mailer-password" = {
+        owner = "forgejo";
+      };
+      "forgejo/oidc-secret" = {
+        owner = "forgejo";
+      };
+      "forgejo/access-key-id" = {
+        owner = "forgejo";
+      };
+      "forgejo/secret-access-key" = {
+        owner = "forgejo";
+      };
+    };
+  };
+}