lander/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
nix-config/hosts/servers/git/forgejo.nix
Lander Van den Bulcke 440e1a6541
refactor: add hosting-01 to colmena 
Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>
2025-10-21 13:43:39 +02:00

131 lines
3.5 KiB
Nix
Raw Blame History

{ config, lib, ... }:
let
cfg = config.services.forgejo;
srv = cfg.settings.server;
in
{
services.forgejo = {
enable = true;
database = {
type = "postgres";
host = "db-01.tailnet.escapeangle.com";
createDatabase = false;
};
lfs.enable = true;
settings = {
server = {
DOMAIN = "git.escapeangle.com";
ROOT_URL = "https://${srv.DOMAIN}";
HTTP_PORT = 3000;
LANDING_PAGE = "explore";
};
ui.DEFAULT_THEME = "gitea-auto";
service = {
DISABLE_REGISTRATION = false;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
SHOW_REGISTRATION_BUTTON = false;
};
openid = {
ENABLE_OPENID_SIGNIN = false;
ENABLE_OPENID_SIGNUP = true;
WHITELISTED_URIS = "auth.escapeangle.com";
};
storage = {
STORAGE_TYPE = "minio";
MINIO_ENDPOINT = "daf6ae2391d4d68ecf3c5af2f1540f5c.r2.cloudflarestorage.com";
MINIO_BUCKET = "forgejo";
MINIO_LOCATION = "auto";
MINIO_USE_SSL = true;
MINIO_CHECKSUM_ALGORITHM = "md5";
};
mailer = {
ENABLED = true;
SMTP_ADDR = "mail.escapeangle.com";
FROM = "forgejo@escapeangle.com";
USER = "forgejo@escapeangle.com";
};
};
secrets = {
storage = {
MINIO_ACCESS_KEY_ID = config.sops.secrets."forgejo/access-key-id".path;
MINIO_SECRET_ACCESS_KEY = config.sops.secrets."forgejo/secret-access-key".path;
};
mailer = {
PASSWD = config.sops.secrets."forgejo/mailer-password".path;
};
};
};
systemd.services.forgejo = {
requires = [ "tailscaled.service" ];
preStart = # bash
''
auth="${lib.getExe config.services.forgejo.package} admin auth"
echo "Trying to find existing sso configuration for Authelia"...
set +e -o pipefail
id="$($auth list | grep "Authelia.*OAuth2" | cut -d' ' -f1)"
found=$?
set -e +o pipefail
if [[ $found = 0 ]]; then
echo Found sso configuration at id=$id, updating it if needed.
$auth update-oauth \
--id $id \
--name "Authelia" \
--provider openidConnect \
--key forgejo \
--secret $(tr -d '\n' < ${config.sops.secrets."forgejo/oidc-secret".path}) \
--auto-discover-url https://auth.escapeangle.com/.well-known/openid-configuration
else
echo Did not find any sso configuration, creating one with name Authelia.
$auth add-oauth \
--name Authelia \
--provider openidConnect \
--key forgejo \
--secret $(tr -d '\n' < ${config.sops.secrets."forgejo/oidc-secret".path}) \
--auto-discover-url https://auth.escapeangle.com/.well-known/openid-configuration
fi
'';
};
services.nginx.virtualHosts."git.escapeangle.com" = {
forceSSL = true;
enableACME = true;
extraConfig = ''
client_max_body_size 512M;
'';
locations."/" = {
proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
};
};
sops = {
defaultSopsFile = ../hosting-01.yaml;
secrets = {
"forgejo/mailer-password" = {
owner = "forgejo";
};
"forgejo/oidc-secret" = {
owner = "forgejo";
};
"forgejo/access-key-id" = {
owner = "forgejo";
};
"forgejo/secret-access-key" = {
owner = "forgejo";
};
};
};
}
Reference in a new issue View git blame Copy permalink