feat: add forgejo

deedee-ops · Oct 30, 2024 · 2e0e8b3 · 2e0e8b3
1 parent 769b32b
commit 2e0e8b3
Show file tree

Hide file tree

Showing 6 changed files with 247 additions and 3 deletions.
diff --git a/machines/deedee/configuration.nix b/machines/deedee/configuration.nix
@@ -159,6 +159,7 @@ _: rec {
     coredns.enable = true;
     firefoxsync.enable = true;
     firefly-iii.enable = true;
+    forgejo.enable = true;
     lldap.enable = true;
     maddy.enable = true;
     mail-archive.enable = true;

diff --git a/machines/deedee/secrets.sops.yaml b/machines/deedee/secrets.sops.yaml
@@ -39,6 +39,16 @@ system:
             env:
                 FIREFOXSYNC__POSTGRES_PASSWORD: ENC[AES256_GCM,data:JbwOPfE0OrfplFtGrZRTlWn7z5/YA9jKH22waNIGUduHnxFfut6gWA==,iv:lex3Z+6bQWTjcQcO89Hj/wndXA13UM+sTLaq0j8Wupc=,tag:sgqbma6rLOkWN5FrwXrMVg==,type:str]
                 FIREFOXSYNC__SECRET: ENC[AES256_GCM,data:SI7XpQKWyiIeSouvKJWCuOm2st0+OSRvsVh3T1Tqk2PDXebekYS0cA==,iv:Uor++9u+3Qbgukrqks4BVnSnRHKv7/mz5yDPbTpKS8Q=,tag:j065vbHDoTmzkKSqM2bDMw==,type:str]
+        forgejo:
+            env:
+                FORGEJO__cache__HOST: ENC[AES256_GCM,data:7RNWNazWNryR80TBnwUOdG05G1nYm+9OkBkZvZ2iuIsZwhYJ1v2Uc3XOH2u1jzkHQpTNEMKXL04L+4ZSz/JHoEdq+rw1cvua9g1f,iv:2DMVWOfhUJlnCj+opL46SxFRr/tokPjnhHfcTE+mfLU=,tag:lIWnR7Y3BQN8QeuQvtXkAg==,type:str]
+                FORGEJO__database__PASSWD: ENC[AES256_GCM,data:BjhxdkClJcuqKaQJpsLj4ev4rgFlhUmmo2XymgRzbflZeJKwlSq0UA==,iv:RJH1wi1YHSFukRgj6xlafngoP9X62IGfuQSeK2NgPlE=,tag:NWurOmoyOumNfGpLCJHBTQ==,type:str]
+                FORGEJO__oauth2__JWT_SECRET: ENC[AES256_GCM,data:B03IElPZRQ4qNZEjkk577mDfu/fQXbW0J8psA3OmBOfiZlZvASxCuzsTHw==,iv:dk9zmcYhvgEDnjrQQ8BYnRKRfb0ldvd1AqMCwHevSPc=,tag:9A6wWpt+hKiyY6BCaHrjeA==,type:str]
+                FORGEJO__queue__CONN_STR: ENC[AES256_GCM,data:WrpVSz7xQd/tjdR4EtG/MilSxs531/p/Yn1aQD7YF4vkti9SA8jhWnm8W5njBXgMaDUKLkqkOFt/3phwgVN+Yo+JR46pfMZHB3ZD,iv:2El7WH5xUozzFc0144pqc8uhf4mvUFpWGe0+bZBBG6Y=,tag:VH3Ru3b7PhNSVAcCJ8IOXw==,type:str]
+                FORGEJO__security__INTERNAL_TOKEN: ENC[AES256_GCM,data:HYDWGIF7xuCZRXGcehNJdLxEkCqyh9ofmjYsaGwiBj1ky/QZKNRrNHTvsJ1MwuXPOHv0ECsZfmgyMJNhYnAxV2M/G4kw/nU2dnUl9r/0jtzXef6LeaN1INN0HCIUBuHZgZCz37fjW3tG,iv:zFfcpXZ2IWqQXJruseS8ZXBF1EIK0Wum0Ay2OsDsnow=,tag:/MRJ1h5pE7xH9zqmvVG0oQ==,type:str]
+                FORGEJO__security__SECRET_KEY: ENC[AES256_GCM,data:uvE7nZW/5p7WrrgMPoQb3wHSIJD2LQUAcb6J6J2ODBjpYGGsqZ/syKgt4UldMxbRZZbUhgtFpifiHlyIfXJrzw==,iv:07DDGF0CiAxeQ8qEtM5P+q50KmHIYOUdgUmCNIiE+So=,tag:5O+A8AbDPNyb8YepM3EM/Q==,type:str]
+                FORGEJO__server__LFS_JWT_SECRET: ENC[AES256_GCM,data:mphYVMOM7lQ1qrc7fWghZF5dLJ4VqW30mDfJELH8dX1Q/O+z6t3tCw==,iv:iPdwFYPRvbR9/VmnHGajztDtA+VHhRMuaXmGYWdOBNw=,tag:pkGnUyn9AvQ10F8cmPjg7g==,type:str]
+                FORGEJO__session__PROVIDER_CONFIG: ENC[AES256_GCM,data:qaWz0iQzexcXRNeKVMlsVhidTeACRciCCsePxdtG34GhTRM+G/sl9CqhVhOFaUzsSxdCDgbBg6LOqF3vD7w2whiWKAY62GLumJOC,iv:dNbbOHkzYMHg+Dp93qr8kX7BDtX37owT21tveE5l75Q=,tag:NhgoC+C84dbkEObq0sBPOA==,type:str]
         letsencrypt:
             envfile: ENC[AES256_GCM,data:5sbCKlde84OLiBp8ayIveI2BDwrmnaSyXHQO+qmvbyJxvuRk1W0OOhn1izCD4jSlWOTqOdx21+ibIAj8eCUD7XEk,iv:+GjzjWgMreis9GwLzMaArFcBe9f4NM3Q/7FrjsmAibg=,tag:VFVN+RDnrala3n+ZeLCkmw==,type:str]
         lldap:
@@ -116,8 +126,8 @@ sops:
             c3FoaFNzbjJubzlBckdDb2lNOUZtOGMKRbHxa1B3QAdredBMTd7W7g3kRz6l8uyV
             bBclsA8Gm7p+6ndV39sN+Daqm5MyggY1Prwv/Ukdd5Q+1C+XsEW6OQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-28T17:41:51Z"
-    mac: ENC[AES256_GCM,data:W2USP96yAxaDFl/pTcA/3Ma3ASIaU9UInCDsZ/A6TrjWl+sMAWTphfEfkNy4mh8O3YjwxNGhABLR5CjQsgYmsyfzjR5h2OOZeVlXCG0AofD8ATVZN2mtAGAaX5oyKYBZ/HllzR2z4GTC4BayJFETpGsOgLDWKo9Ebur6f5XYg5U=,iv:58Vsas7dACW7EU0Wet4uBKuT1fA4UdpEtOA+3iVVzz4=,tag:TbAT20VTvrtC1AI4S9zdyg==,type:str]
+    lastmodified: "2024-10-29T20:30:23Z"
+    mac: ENC[AES256_GCM,data:4BAQIlqHKRW+9kRWI+MsaQ8n7tkJDKeGZAo+jpbFAlDJ9UaUvAG1JFIUMArhzhBsj0K3DJWtNzqXbVRb5OpSWYppHRYCf2A9jUBM4XXFxk4qxFjM6j4riIZ5Eg0o7ZyEzQOJdNOPgfT1JVfIispnSIF3JDWxrROntrOIAEI8wzs=,iv:zeq868xX+9IB+IN8HgKIlbDhz8J4d665zaFS90tXcfw=,tag:IPYm4dN8BdkM9hlQSCEy8Q==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1
diff --git a/modules/system/apps/rustdesk/default.nix b/modules/system/apps/rustdesk/default.nix
@@ -15,7 +15,7 @@ in
       default = true;
     };
     relayIP = lib.mkOption {
-      type = lib.types.string;
+      type = lib.types.str;
       description = "Relay IP advertised to the clients.";
     };
   };

diff --git a/modules/system/containers/default.nix b/modules/system/containers/default.nix
@@ -4,6 +4,7 @@ _: {
     ./coredns
     ./firefly-iii
     ./firefoxsync
+    ./forgejo
     ./lldap
     ./maddy
     ./mail-archive

diff --git a/modules/system/containers/forgejo/app.ini b/modules/system/containers/forgejo/app.ini
@@ -0,0 +1,109 @@
+APP_NAME = Forgejo: Beyond coding. We forge.
+RUN_MODE = prod
+RUN_USER = git
+
+[repository]
+ROOT = /var/lib/gitea/git/repositories
+DEFAULT_PRIVATE = private
+DISABLE_STARS = true
+DEFAULT_BRANCH = master
+
+[repository.upload]
+TEMP_PATH = /tmp/gitea/uploads
+
+[repository.local]
+LOCAL_COPY_PATH = /tmp/gitea/local-repo
+
+[badges]
+ENABLED = true
+
+[ui]
+DEFAULT_THEME = forgejo-dark
+
+[server]
+APP_DATA_PATH = /var/lib/gitea
+PROTOCOL = http
+HTTP_PORT = 3000
+DISABLE_SSH = false
+START_SSH_SERVER = true
+BUILTIN_SSH_SERVER_USER = git
+SSH_PORT = 2222
+OFFLINE_MODE = true
+ENABLE_PPROF = false
+LFS_START_SERVER = true
+
+[database]
+SSL_MODE = disable
+DB_TYPE = postgres
+HOST = host.docker.internal
+NAME = forgejo
+SCHEMA = public
+USER = forgejo
+
+[indexer]
+REPO_INDEXER_ENABLED = false
+ISSUE_INDEXER_TYPE = db
+
+[queue]
+TYPE = redis
+
+[admin]
+DISABLE_REGULAR_ORG_CREATION = false
+
+[security]
+INSTALL_LOCK = true
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_AUTHENTICATION_USER = Remote-User
+REVERSE_PROXY_AUTHENTICATION_EMAIL = Remote-Email
+REVERSE_PROXY_TRUSTED_PROXIES = 172.16.0.0/12
+
+[service]
+DISABLE_REGISTRATION = true
+REQUIRE_SIGNIN_VIEW = true
+ENABLE_NOTIFY_MAIL = true
+ENABLE_REVERSE_PROXY_AUTHENTICATION = true
+ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
+ENABLE_REVERSE_PROXY_EMAIL = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+
+[mailer]
+ENABLED = true
+PROTOCOL = smtp
+SMTP_ADDR = maddy
+SMTP_PORT = 25
+FORCE_TRUST_SERVER_CERT = true
+SUBJECT_PREFIX = [GIT]
+
+[cache]
+ADAPTER = redis
+
+[session]
+PROVIDER = redis
+
+[picture]
+DISABLE_GRAVATAR = true
+ENABLE_FEDERATED_AVATAR = false
+AVATAR_UPLOAD_PATH = /var/lib/gitea/data/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = /var/lib/gitea/data/repo-avatars
+
+[attachment]
+ENABLED = true
+MAX_SIZE = 64
+PATH = /var/lib/gitea/data/attachments
+
+[log]
+MODE = console
+
+[log.console]
+FLAGS = journaldflags
+STDERR = true
+COLORIZE = false
+
+[federation]
+ENABLED = false
+
+[lfs]
+PATH = /var/lib/gitea/git/lfs
+
+[actions]
+ENABLED = false
diff --git a/modules/system/containers/forgejo/default.nix b/modules/system/containers/forgejo/default.nix
@@ -0,0 +1,123 @@
+{
+  config,
+  lib,
+  pkgs,
+  svc,
+  ...
+}:
+let
+  cfg = config.mySystemApps.forgejo;
+  secretEnvs = [
+    "FORGEJO__cache__HOST"
+    "FORGEJO__database__PASSWD"
+    "FORGEJO__oauth2__JWT_SECRET"
+    "FORGEJO__queue__CONN_STR"
+    "FORGEJO__security__INTERNAL_TOKEN"
+    "FORGEJO__security__SECRET_KEY"
+    "FORGEJO__server__LFS_JWT_SECRET"
+    "FORGEJO__session__PROVIDER_CONFIG"
+  ];
+in
+{
+  options.mySystemApps.forgejo = {
+    enable = lib.mkEnableOption "forgejo container";
+    backup = lib.mkEnableOption "postgresql and data backup" // {
+      default = true;
+    };
+    dataDir = lib.mkOption {
+      type = lib.types.str;
+      description = "Path to directory containing data.";
+      default = "/var/lib/forgejo";
+    };
+    sopsSecretPrefix = lib.mkOption {
+      type = lib.types.str;
+      description = "Prefix for sops secret, under which all ENVs will be appended.";
+      default = "system/apps/forgejo/env";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    warnings = [ (lib.mkIf (!cfg.backup) "WARNING: Backups for forgejo are disabled!") ];
+
+    sops.secrets = svc.mkContainerSecretsSops {
+      inherit (cfg) sopsSecretPrefix;
+      inherit secretEnvs;
+
+      containerName = "forgejo";
+    };
+
+    mySystemApps.postgresql.userDatabases = [
+      {
+        username = "forgejo";
+        passwordFile = config.sops.secrets."${cfg.sopsSecretPrefix}/FORGEJO__database__PASSWD".path;
+        databases = [ "forgejo" ];
+      }
+    ];
+
+    virtualisation.oci-containers.containers.forgejo = svc.mkContainer {
+      cfg = {
+        image = "codeberg.org/forgejo/forgejo:9.0.1-rootless@sha256:871b9ee033bbce261cb8306240f05cc902c118b40ddba2a72d8111f1ba0fe30e";
+        environment =
+          {
+            FORGEJO__server__DOMAIN = "git.${config.mySystem.rootDomain}";
+            FORGEJO__server__SSH_DOMAIN = "git.${config.mySystem.rootDomain}";
+            FORGEJO__server__ROOT_URL = "https://git.${config.mySystem.rootDomain}";
+            FORGEJO__mailer__FROM = config.mySystem.notificationSender;
+            FORGEJO__time__DEFAULT_UI_LOCATION = config.mySystem.time.timeZone;
+          }
+          // svc.mkContainerSecretsEnv {
+            inherit secretEnvs;
+            suffix = "__FILE";
+          };
+        ports = [ "2222:2222" ];
+        volumes =
+          svc.mkContainerSecretsVolumes {
+            inherit (cfg) sopsSecretPrefix;
+            inherit secretEnvs;
+          }
+          ++ [ "${cfg.dataDir}:/var/lib/gitea" ];
+        extraOptions = [
+          "--mount"
+          "type=tmpfs,destination=/tmp,tmpfs-mode=1777"
+        ];
+      };
+      opts = {
+        # to expose port to host, public network must be used
+        allowPublic = true;
+      };
+    };
+
+    services = {
+      nginx.virtualHosts.forgejo = svc.mkNginxVHost {
+        host = "git";
+        proxyPass = "http://forgejo.docker:3000";
+      };
+      postgresqlBackup = lib.mkIf cfg.backup { databases = [ "forgejo" ]; };
+      restic.backups = lib.mkIf cfg.backup (
+        svc.mkRestic {
+          name = "forgejo";
+          paths = [ cfg.dataDir ];
+        }
+      );
+    };
+
+    systemd.services.docker-forgejo = {
+      path = [ pkgs.diffutils ];
+      preStart = lib.mkAfter ''
+        mkdir -p "${cfg.dataDir}/custom/conf"
+        cp ${./app.ini} "${cfg.dataDir}/custom/conf/app.ini"
+        chown 1000:1000 "${cfg.dataDir}" "${cfg.dataDir}/custom" "${cfg.dataDir}/custom/conf" "${cfg.dataDir}/custom/conf/app.ini"
+        chmod 640 "${cfg.dataDir}/custom/conf/app.ini"
+
+        # ugly hack to fix forgejo permissions, as sops-nix doesn't allow setting direct UID/GID yet
+        chown -R 1000:1000 "$(dirname ${
+          config.sops.secrets."${cfg.sopsSecretPrefix}/${builtins.elemAt secretEnvs 0}".path
+        })"
+      '';
+    };
+
+    environment.persistence."${config.mySystem.impermanence.persistPath}" =
+      lib.mkIf config.mySystem.impermanence.enable
+        { directories = [ cfg.dataDir ]; };
+  };
+}