feat(forgejo): update config to use secrets

modules/nixos/services/development/forgejo/default.nix

@@ -1,6 +1,7 @@
 { config, lib, pkgs, namespace, ... }:
 let
-  inherit (lib) mkIf mkEnableOption;
+  inherit (builtins) toString;
+  inherit (lib) mkIf mkEnableOption mkOption;
 
   cfg = config.${namespace}.services.development.forgejo;
   domain = "git.amarth.cloud";
@@ -8,6 +9,15 @@ in
 {
   options.${namespace}.services.development.forgejo = {
     enable = mkEnableOption "Forgejo";
+
+    port = mkOption {
+      type = lib.types.port;
+      default = 5002;
+      example = "1234";
+      description = ''
+        Which port to bind forgejo to
+      '';
+    };
   };
 
   config = mkIf cfg.enable {
@@ -33,7 +43,7 @@ in
           server = {
             DOMAIN = domain;
             ROOT_URL = "https://${domain}/";
-            HTTP_PORT = 5002;
+            HTTP_PORT = cfg.port;
             LANDING_PAGE = "explore";
           };
 
@@ -83,7 +93,7 @@ in
           openid = {
             ENABLE_OPENID_SIGNIN = true;
             ENABLE_OPENID_SIGNUP = true;
-            WHITELISTED_URIS = "https://auth.amarth.cloud";
+            WHITELISTED_URIS = "https://auth.kruining.eu";
           };
 
           oauth2_client = {
@@ -102,6 +112,10 @@ in
             SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
           };
 
+          metrics = {
+            ENABLED = true;
+          };
+
           api = {
             ENABLE_SWAGGER = false;
           };
@@ -120,9 +134,9 @@ in
             PROTOCOL = "smtp+starttls";
             SMTP_ADDR = "black-mail.nl";
             SMTP_PORT = 587;
-            FROM = "info@amarth.cloud";
+            FROM = "chris@kruining.eu";
-            USER = "info@amarth.cloud";
+            USER = "chris@kruining.eu";
-            PASSWD = "__TODO_USE_SOPS__";
+            PASSWD_URI = "file:${config.sops.secrets."forgejo/email".path}";
           };
         };
       };
@@ -137,8 +151,8 @@ in
           url = "https://git.amarth.cloud";
           # Obtaining the path to the runner token file may differ
           # tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd
-          # tokenFile = config.age.secrets.forgejo-runner-token.path;
+          tokenFile = config.sops.secrets."forgejo/action_runner_token".path;
-          token = "ZBetud1F0IQ9VjVFpZ9bu0FXgx9zcsy1x25yvjhw";
+          # token = "ZBetud1F0IQ9VjVFpZ9bu0FXgx9zcsy1x25yvjhw";
           labels = [
             "default:docker://nixos/nix:latest"
             "ubuntu:docker://ubuntu:24-bookworm"
@@ -153,17 +167,32 @@ in
       caddy = {
         enable = true;
         virtualHosts = {
-          ${domain}.extraConfig = ''
+          "${domain}".extraConfig = ''
-            # import auth-z
+            # import auth
 
             # stupid dumb way to prevent the login page and go to zitadel instead
             # be aware that this does not disable local login at all!
             # rewrite /user/login /user/oauth2/Zitadel
 
-            reverse_proxy http://127.0.0.1:5002
+            reverse_proxy http://127.0.0.1:${toString cfg.port}
           '';
         };
       };
     };
+
+    sops.secrets = {
+      "forgejo/action_runner_token" = {
+        owner = "gitea-runner";
+        group = "gitea-runner";
+        restartUnits = [ "gitea-runner-default.service" ];
+      };
+
+      "forgejo/email" = {
+        owner = "forgejo";
+        group = "forgejo";
+        key = "email/chris_kruining_eu";
+        restartUnits = [ "forgejo.service" ];
+      };
+    };
   };
 }