Move Caddy configuration from individual services to a shared networking.caddy module. Update service modules and system config to use the new interface. Remove redundant user definitions and old Caddy config blocks.
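{
  config,
  lib,
  pkgs,
  namespace,
  ...
}: let
  inherit (builtins) toString;
  inherit (lib) mkIf mkEnableOption mkOption;

  cfg = config.${namespace}.services.development.forgejo;

  # Public hostname Forgejo is served on. It is used for the Caddy vhost,
  # DOMAIN/ROOT_URL and the actions runner's instance URL so the three
  # cannot drift apart.
  domain = "git.amarth.cloud";
in {
  options.${namespace}.services.development.forgejo = {
    enable = mkEnableOption "Forgejo";

    port = mkOption {
      type = lib.types.port;
      default = 5002;
      # `types.port` is an integer type, so the example is an integer as well
      # (it was previously the string "1234").
      example = 1234;
      description = ''
        Which port to bind forgejo to. The shared Caddy module proxies the
        public vhost to 127.0.0.1 on this port.
      '';
    };
  };

  config = mkIf cfg.enable {
    ${namespace}.services = {
      persistance.postgresql.enable = true;
      virtualisation.podman.enable = true;

      # Public entry point: the shared Caddy module terminates TLS for
      # ${domain} and forwards to Forgejo on the loopback address.
      networking.caddy = {
        hosts = {
          "${domain}" = ''
            # import auth

            # stupid dumb way to prevent the login page and go to zitadel instead
            # be aware that this does not disable local login at all!
            # rewrite /user/login /user/oauth2/Zitadel

            reverse_proxy http://127.0.0.1:${toString cfg.port}
          '';
        };
      };
    };

    environment.systemPackages = with pkgs; [forgejo];

    services = {
      forgejo = {
        enable = true;
        lfs.enable = true;
        useWizard = false;
        database.type = "postgres";

        settings = {
          DEFAULT = {
            APP_NAME = "Tamin Amarth";
            APP_SLOGAN = "Where code is forged";
          };

          server = {
            DOMAIN = domain;
            ROOT_URL = "https://${domain}/";
            HTTP_PORT = cfg.port;
            LANDING_PAGE = "explore";
            # NOTE(review): HTTP_ADDR is not set here, so the listen address is
            # whatever the NixOS module defaults to; confirm it is loopback-only,
            # since Caddy is meant to be the only public path to this port.
          };

          cors = {
            ENABLED = true;
            # Wildcard is scoped to the operator's own second-level domain.
            ALLOW_DOMAIN = "https://*.amarth.cloud";
          };

          security = {
            # INSTALL_LOCK together with useWizard = false keeps the
            # first-run installer from ever being exposed.
            INSTALL_LOCK = true;
            PASSWORD_HASH_ALGO = "argon2";
            DISABLE_WEBHOOKS = true;
          };

          ui = {
            EXPLORE_PAGING_NUM = 50;
            ISSUE_PAGING_NUM = 50;
            MEMBERS_PAGING_NUM = 50;
          };

          "ui.meta" = {
            AUTHOR = "Where code is forged!";
            DESCRIPTION = "Self-hosted solution for git, because FOSS is the anvil of the future";
          };

          admin = {
            USER_DISABLED_FEATURES = "manage_gpg_keys";
            EXTERNAL_USER_DISABLE_FEATURES = "manage_gpg_keys";
          };

          service = {
            # Auth: registration only through the external provider. As the
            # Caddy comment above notes, the local login form itself is still
            # reachable; this only hides the registration button.
            ENABLE_BASIC_AUTHENTICATION = false;
            DISABLE_REGISTRATION = false;
            ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
            SHOW_REGISTRATION_BUTTON = false;

            # Privacy
            DEFAULT_KEEP_EMAIL_PRIVATE = true;
            DEFAULT_USER_VISIBILITY = "private";
            DEFAULT_ORG_VISIBILITY = "private";

            # Common sense
            VALID_SITE_URL_SCHEMES = "https";
          };

          openid = {
            ENABLE_OPENID_SIGNIN = true;
            ENABLE_OPENID_SIGNUP = true;
            WHITELISTED_URIS = "https://auth.kruining.eu";
          };

          oauth2_client = {
            ENABLE_AUTO_REGISTRATION = true;
            UPDATE_AVATAR = true;
            # NOTE(review): "auto" links an OAuth2 login to an existing local
            # account by matching identity; confirm the provider's claims are
            # trusted enough for that.
            ACCOUNT_LINKING = "auto";
          };

          actions = {
            ENABLED = true;
            # DEFAULT_ACTIONS_URL = "https://data.forgejo.org";
          };

          other = {
            SHOW_FOOTER_VERSION = false;
            SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
          };

          metrics = {
            ENABLED = true;
            # NOTE(review): no metrics TOKEN is set, so /metrics is served to
            # anyone who can reach the vhost through Caddy. Set TOKEN (or
            # restrict the path at the proxy) unless public metrics are intended.
          };

          api = {
            ENABLE_SWAGGER = false;
          };

          mirror = {
            ENABLED = true;
          };

          session = {
            PROVIDER = "db";
            COOKIE_SECURE = true;
          };

          mailer = {
            ENABLED = true;
            PROTOCOL = "smtp+starttls";
            SMTP_ADDR = "black-mail.nl";
            SMTP_PORT = 587;
            FROM = "chris@kruining.eu";
            USER = "chris@kruining.eu";
            # The SMTP password is read from the sops-managed file at runtime;
            # it is never inlined in the Nix store.
            PASSWD_URI = "file:${config.sops.secrets."forgejo/email".path}";
          };
        };
      };

      # Presumably merged with AllowUsers entries from other modules rather
      # than replacing them; verify if SSH access for other accounts breaks.
      openssh.settings.AllowUsers = ["forgejo"];

      gitea-actions-runner = {
        package = pkgs.forgejo-runner;
        instances.default = {
          enable = true;
          name = "default";
          # Same host as the Caddy vhost and ROOT_URL above.
          url = "https://${domain}";
          # Obtaining the path to the runner token file may differ
          # tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd
          tokenFile = config.sops.secrets."forgejo/action_runner_token".path;
          # A commented-out literal registration token used to sit here and has
          # been removed from the file. It remains in git history; if it was
          # ever valid it should be treated as revoked.
          labels = [
            "default:docker://nixos/nix:latest"
            # NOTE(review): "24-bookworm" does not look like a published ubuntu
            # tag (bookworm is a Debian codename); confirm this label resolves.
            "ubuntu:docker://ubuntu:24-bookworm"
            "nix:docker://git.amarth.cloud/amarth/runners/default:latest"
          ];
          settings = {
            log.level = "info";
          };
        };
      };
    };

    # Static runner account so the sops secret below can be owned by it.
    users = {
      users."gitea-runner" = {
        isSystemUser = true;
        group = "gitea-runner";
      };
      groups."gitea-runner" = {};
    };

    sops.secrets = {
      "forgejo/action_runner_token" = {
        owner = "gitea-runner";
        group = "gitea-runner";
        restartUnits = ["gitea-runner-default.service"];
      };

      "forgejo/email" = {
        owner = "forgejo";
        group = "forgejo";
        key = "email/chris_kruining_eu";
        restartUnits = ["forgejo.service"];
      };
    };
  };
}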