From 2e0e8b34a333e1125605e42bd0421bbd6b35f846 Mon Sep 17 00:00:00 2001 From: Igor Rzegocki Date: Wed, 30 Oct 2024 20:29:27 +0100 Subject: [PATCH] feat: add forgejo --- machines/deedee/configuration.nix | 1 + machines/deedee/secrets.sops.yaml | 14 +- modules/system/apps/rustdesk/default.nix | 2 +- modules/system/containers/default.nix | 1 + modules/system/containers/forgejo/app.ini | 109 ++++++++++++++++ modules/system/containers/forgejo/default.nix | 123 ++++++++++++++++++ 6 files changed, 247 insertions(+), 3 deletions(-) create mode 100644 modules/system/containers/forgejo/app.ini create mode 100644 modules/system/containers/forgejo/default.nix diff --git a/machines/deedee/configuration.nix b/machines/deedee/configuration.nix index 1ac8f2c..2cca56c 100644 --- a/machines/deedee/configuration.nix +++ b/machines/deedee/configuration.nix @@ -159,6 +159,7 @@ _: rec { coredns.enable = true; firefoxsync.enable = true; firefly-iii.enable = true; + forgejo.enable = true; lldap.enable = true; maddy.enable = true; mail-archive.enable = true; diff --git a/machines/deedee/secrets.sops.yaml b/machines/deedee/secrets.sops.yaml index 3927fce..d59275e 100644 --- a/machines/deedee/secrets.sops.yaml +++ b/machines/deedee/secrets.sops.yaml 
@@ -39,6 +39,16 @@ system: env: FIREFOXSYNC__POSTGRES_PASSWORD: ENC[AES256_GCM,data:JbwOPfE0OrfplFtGrZRTlWn7z5/YA9jKH22waNIGUduHnxFfut6gWA==,iv:lex3Z+6bQWTjcQcO89Hj/wndXA13UM+sTLaq0j8Wupc=,tag:sgqbma6rLOkWN5FrwXrMVg==,type:str] FIREFOXSYNC__SECRET: ENC[AES256_GCM,data:SI7XpQKWyiIeSouvKJWCuOm2st0+OSRvsVh3T1Tqk2PDXebekYS0cA==,iv:Uor++9u+3Qbgukrqks4BVnSnRHKv7/mz5yDPbTpKS8Q=,tag:j065vbHDoTmzkKSqM2bDMw==,type:str] + forgejo: + env: + FORGEJO__cache__HOST: ENC[AES256_GCM,data:7RNWNazWNryR80TBnwUOdG05G1nYm+9OkBkZvZ2iuIsZwhYJ1v2Uc3XOH2u1jzkHQpTNEMKXL04L+4ZSz/JHoEdq+rw1cvua9g1f,iv:2DMVWOfhUJlnCj+opL46SxFRr/tokPjnhHfcTE+mfLU=,tag:lIWnR7Y3BQN8QeuQvtXkAg==,type:str] + FORGEJO__database__PASSWD: ENC[AES256_GCM,data:BjhxdkClJcuqKaQJpsLj4ev4rgFlhUmmo2XymgRzbflZeJKwlSq0UA==,iv:RJH1wi1YHSFukRgj6xlafngoP9X62IGfuQSeK2NgPlE=,tag:NWurOmoyOumNfGpLCJHBTQ==,type:str] + FORGEJO__oauth2__JWT_SECRET: ENC[AES256_GCM,data:B03IElPZRQ4qNZEjkk577mDfu/fQXbW0J8psA3OmBOfiZlZvASxCuzsTHw==,iv:dk9zmcYhvgEDnjrQQ8BYnRKRfb0ldvd1AqMCwHevSPc=,tag:9A6wWpt+hKiyY6BCaHrjeA==,type:str] + FORGEJO__queue__CONN_STR: ENC[AES256_GCM,data:WrpVSz7xQd/tjdR4EtG/MilSxs531/p/Yn1aQD7YF4vkti9SA8jhWnm8W5njBXgMaDUKLkqkOFt/3phwgVN+Yo+JR46pfMZHB3ZD,iv:2El7WH5xUozzFc0144pqc8uhf4mvUFpWGe0+bZBBG6Y=,tag:VH3Ru3b7PhNSVAcCJ8IOXw==,type:str] + FORGEJO__security__INTERNAL_TOKEN: ENC[AES256_GCM,data:HYDWGIF7xuCZRXGcehNJdLxEkCqyh9ofmjYsaGwiBj1ky/QZKNRrNHTvsJ1MwuXPOHv0ECsZfmgyMJNhYnAxV2M/G4kw/nU2dnUl9r/0jtzXef6LeaN1INN0HCIUBuHZgZCz37fjW3tG,iv:zFfcpXZ2IWqQXJruseS8ZXBF1EIK0Wum0Ay2OsDsnow=,tag:/MRJ1h5pE7xH9zqmvVG0oQ==,type:str] + FORGEJO__security__SECRET_KEY: ENC[AES256_GCM,data:uvE7nZW/5p7WrrgMPoQb3wHSIJD2LQUAcb6J6J2ODBjpYGGsqZ/syKgt4UldMxbRZZbUhgtFpifiHlyIfXJrzw==,iv:07DDGF0CiAxeQ8qEtM5P+q50KmHIYOUdgUmCNIiE+So=,tag:5O+A8AbDPNyb8YepM3EM/Q==,type:str] + FORGEJO__server__LFS_JWT_SECRET: 
ENC[AES256_GCM,data:mphYVMOM7lQ1qrc7fWghZF5dLJ4VqW30mDfJELH8dX1Q/O+z6t3tCw==,iv:iPdwFYPRvbR9/VmnHGajztDtA+VHhRMuaXmGYWdOBNw=,tag:pkGnUyn9AvQ10F8cmPjg7g==,type:str] + FORGEJO__session__PROVIDER_CONFIG: ENC[AES256_GCM,data:qaWz0iQzexcXRNeKVMlsVhidTeACRciCCsePxdtG34GhTRM+G/sl9CqhVhOFaUzsSxdCDgbBg6LOqF3vD7w2whiWKAY62GLumJOC,iv:dNbbOHkzYMHg+Dp93qr8kX7BDtX37owT21tveE5l75Q=,tag:NhgoC+C84dbkEObq0sBPOA==,type:str] letsencrypt: envfile: ENC[AES256_GCM,data:5sbCKlde84OLiBp8ayIveI2BDwrmnaSyXHQO+qmvbyJxvuRk1W0OOhn1izCD4jSlWOTqOdx21+ibIAj8eCUD7XEk,iv:+GjzjWgMreis9GwLzMaArFcBe9f4NM3Q/7FrjsmAibg=,tag:VFVN+RDnrala3n+ZeLCkmw==,type:str] lldap: @@ -116,8 +126,8 @@ sops: c3FoaFNzbjJubzlBckdDb2lNOUZtOGMKRbHxa1B3QAdredBMTd7W7g3kRz6l8uyV bBclsA8Gm7p+6ndV39sN+Daqm5MyggY1Prwv/Ukdd5Q+1C+XsEW6OQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-10-28T17:41:51Z" - mac: ENC[AES256_GCM,data:W2USP96yAxaDFl/pTcA/3Ma3ASIaU9UInCDsZ/A6TrjWl+sMAWTphfEfkNy4mh8O3YjwxNGhABLR5CjQsgYmsyfzjR5h2OOZeVlXCG0AofD8ATVZN2mtAGAaX5oyKYBZ/HllzR2z4GTC4BayJFETpGsOgLDWKo9Ebur6f5XYg5U=,iv:58Vsas7dACW7EU0Wet4uBKuT1fA4UdpEtOA+3iVVzz4=,tag:TbAT20VTvrtC1AI4S9zdyg==,type:str] + lastmodified: "2024-10-29T20:30:23Z" + mac: ENC[AES256_GCM,data:4BAQIlqHKRW+9kRWI+MsaQ8n7tkJDKeGZAo+jpbFAlDJ9UaUvAG1JFIUMArhzhBsj0K3DJWtNzqXbVRb5OpSWYppHRYCf2A9jUBM4XXFxk4qxFjM6j4riIZ5Eg0o7ZyEzQOJdNOPgfT1JVfIispnSIF3JDWxrROntrOIAEI8wzs=,iv:zeq868xX+9IB+IN8HgKIlbDhz8J4d665zaFS90tXcfw=,tag:IPYm4dN8BdkM9hlQSCEy8Q==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/modules/system/apps/rustdesk/default.nix b/modules/system/apps/rustdesk/default.nix index f66d6ee..c65d501 100644 --- a/modules/system/apps/rustdesk/default.nix +++ b/modules/system/apps/rustdesk/default.nix @@ -15,7 +15,7 @@ in default = true; }; relayIP = lib.mkOption { - type = lib.types.string; + type = lib.types.str; description = "Relay IP advertised to the clients."; }; }; 
diff --git a/modules/system/containers/default.nix b/modules/system/containers/default.nix
index 30e9d74..2c98c29 100644
--- a/modules/system/containers/default.nix
+++ b/modules/system/containers/default.nix
@@ -4,6 +4,7 @@ _: {
 ./coredns
 ./firefly-iii
 ./firefoxsync
+ ./forgejo
 ./lldap
 ./maddy
 ./mail-archive
diff --git a/modules/system/containers/forgejo/app.ini b/modules/system/containers/forgejo/app.ini
new file mode 100644
index 0000000..34902f6
--- /dev/null
+++ b/modules/system/containers/forgejo/app.ini
@@ -0,0 +1,109 @@
+APP_NAME = Forgejo: Beyond coding. We forge.
+RUN_MODE = prod
+RUN_USER = git
+
+[repository]
+ROOT = /var/lib/gitea/git/repositories
+DEFAULT_PRIVATE = private
+DISABLE_STARS = true
+DEFAULT_BRANCH = master
+
+[repository.upload]
+TEMP_PATH = /tmp/gitea/uploads
+
+[repository.local]
+LOCAL_COPY_PATH = /tmp/gitea/local-repo
+
+[badges]
+ENABLED = true
+
+[ui]
+DEFAULT_THEME = forgejo-dark
+
+[server]
+APP_DATA_PATH = /var/lib/gitea
+PROTOCOL = http
+HTTP_PORT = 3000
+DISABLE_SSH = false
+START_SSH_SERVER = true
+BUILTIN_SSH_SERVER_USER = git
+SSH_PORT = 2222
+OFFLINE_MODE = true
+ENABLE_PPROF = false
+LFS_START_SERVER = true
+
+[database]
+SSL_MODE = disable
+DB_TYPE = postgres
+HOST = host.docker.internal
+NAME = forgejo
+SCHEMA = public
+USER = forgejo
+
+[indexer]
+REPO_INDEXER_ENABLED = false
+ISSUE_INDEXER_TYPE = db
+
+[queue]
+TYPE = redis
+
+[admin]
+DISABLE_REGULAR_ORG_CREATION = false
+
+[security]
+INSTALL_LOCK = true
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_AUTHENTICATION_USER = Remote-User
+REVERSE_PROXY_AUTHENTICATION_EMAIL = Remote-Email
+REVERSE_PROXY_TRUSTED_PROXIES = 172.16.0.0/12
+
+[service]
+DISABLE_REGISTRATION = true
+REQUIRE_SIGNIN_VIEW = true
+ENABLE_NOTIFY_MAIL = true
+ENABLE_REVERSE_PROXY_AUTHENTICATION = true
+ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
+ENABLE_REVERSE_PROXY_EMAIL = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+
+[mailer]
+ENABLED = true
+PROTOCOL = smtp
+SMTP_ADDR = maddy
+SMTP_PORT = 25
+FORCE_TRUST_SERVER_CERT = true
+SUBJECT_PREFIX = [GIT]
+
+[cache]
+ADAPTER = redis
+
+[session]
+PROVIDER = redis
+
+[picture]
+DISABLE_GRAVATAR = true
+ENABLE_FEDERATED_AVATAR = false
+AVATAR_UPLOAD_PATH = /var/lib/gitea/data/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = /var/lib/gitea/data/repo-avatars
+
+[attachment]
+ENABLED = true
+MAX_SIZE = 64
+PATH = /var/lib/gitea/data/attachments
+
+[log]
+MODE = console
+
+[log.console]
+FLAGS = journaldflags
+STDERR = true
+COLORIZE = false
+
+[federation]
+ENABLED = false
+
+[lfs]
+PATH = /var/lib/gitea/git/lfs
+
+[actions]
+ENABLED = false
diff --git a/modules/system/containers/forgejo/default.nix b/modules/system/containers/forgejo/default.nix
new file mode 100644
index 0000000..780c467
--- /dev/null
+++ b/modules/system/containers/forgejo/default.nix
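Review bot: `REVERSE_PROXY_TRUSTED_PROXIES = 172.16.0.0/12` in `[security]` is far wider than the one reverse proxy this instance has: with `ENABLE_REVERSE_PROXY_AUTHENTICATION = true`, Forgejo accepts a `Remote-User` header from any peer in that /12 as an already-authenticated user, and on Docker that range typically covers every container on the same bridge network, not only the host-side nginx. Because `HTTP_PORT = 3000` is not published to the host the exposure is limited to whatever shares that network, and with `ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false` only existing accounts are affected, but one compromised neighbour container would be enough to act as any of them. Narrow the list to the address nginx actually connects from (presumably the bridge gateway of the container's network — confirm on the running host), e.g. `REVERSE_PROXY_TRUSTED_PROXIES = <nginx-source-ip>/32`, with a comment above it such as `; only the host nginx may assert Remote-User/Remote-Email`. This setup also relies on `svc.mkNginxVHost` (outside this hunk) setting those two headers itself rather than forwarding whatever the client sent, which is worth confirming in the same review.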
@@ -0,0 +1,123 @@
+{
+ config,
+ lib,
+ pkgs,
+ svc,
+ ...
+}:
+let
+ cfg = config.mySystemApps.forgejo;
+ secretEnvs = [
+ "FORGEJO__cache__HOST"
+ "FORGEJO__database__PASSWD"
+ "FORGEJO__oauth2__JWT_SECRET"
+ "FORGEJO__queue__CONN_STR"
+ "FORGEJO__security__INTERNAL_TOKEN"
+ "FORGEJO__security__SECRET_KEY"
+ "FORGEJO__server__LFS_JWT_SECRET"
+ "FORGEJO__session__PROVIDER_CONFIG"
+ ];
+in
+{
+ options.mySystemApps.forgejo = {
+ enable = lib.mkEnableOption "forgejo container";
+ backup = lib.mkEnableOption "postgresql and data backup" // {
+ default = true;
+ };
+ dataDir = lib.mkOption {
+ type = lib.types.str;
+ description = "Path to directory containing data.";
+ default = "/var/lib/forgejo";
+ };
+ sopsSecretPrefix = lib.mkOption {
+ type = lib.types.str;
+ description = "Prefix for sops secret, under which all ENVs will be appended.";
+ default = "system/apps/forgejo/env";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ warnings = [ (lib.mkIf (!cfg.backup) "WARNING: Backups for forgejo are disabled!") ];
+
+ sops.secrets = svc.mkContainerSecretsSops {
+ inherit (cfg) sopsSecretPrefix;
+ inherit secretEnvs;
+
+ containerName = "forgejo";
+ };
+
+ mySystemApps.postgresql.userDatabases = [
+ {
+ username = "forgejo";
+ passwordFile = config.sops.secrets."${cfg.sopsSecretPrefix}/FORGEJO__database__PASSWD".path;
+ databases = [ "forgejo" ];
+ }
+ ];
+
+ virtualisation.oci-containers.containers.forgejo = svc.mkContainer {
+ cfg = {
+ image = "codeberg.org/forgejo/forgejo:9.0.1-rootless@sha256:871b9ee033bbce261cb8306240f05cc902c118b40ddba2a72d8111f1ba0fe30e";
+ environment =
+ {
+ FORGEJO__server__DOMAIN = "git.${config.mySystem.rootDomain}";
+ FORGEJO__server__SSH_DOMAIN = "git.${config.mySystem.rootDomain}";
+ FORGEJO__server__ROOT_URL = "https://git.${config.mySystem.rootDomain}";
+ FORGEJO__mailer__FROM = config.mySystem.notificationSender;
+ FORGEJO__time__DEFAULT_UI_LOCATION = config.mySystem.time.timeZone;
+ }
+ // svc.mkContainerSecretsEnv {
+ inherit secretEnvs;
+ suffix = "__FILE";
+ };
+ ports = [ "2222:2222" ];
+ volumes =
+ svc.mkContainerSecretsVolumes {
+ inherit (cfg) sopsSecretPrefix;
+ inherit secretEnvs;
+ }
+ ++ [ "${cfg.dataDir}:/var/lib/gitea" ];
+ extraOptions = [
+ "--mount"
+ "type=tmpfs,destination=/tmp,tmpfs-mode=1777"
+ ];
+ };
+ opts = {
+ # to expose port to host, public network must be used
+ allowPublic = true;
+ };
+ };
+
+ services = {
+ nginx.virtualHosts.forgejo = svc.mkNginxVHost {
+ host = "git";
+ proxyPass = "http://forgejo.docker:3000";
+ };
+ postgresqlBackup = lib.mkIf cfg.backup { databases = [ "forgejo" ]; };
+ restic.backups = lib.mkIf cfg.backup (
+ svc.mkRestic {
+ name = "forgejo";
+ paths = [ cfg.dataDir ];
+ }
+ );
+ };
+
+ systemd.services.docker-forgejo = {
+ path = [ pkgs.diffutils ];
+ preStart = lib.mkAfter ''
+ mkdir -p "${cfg.dataDir}/custom/conf"
+ cp ${./app.ini} "${cfg.dataDir}/custom/conf/app.ini"
+ chown 1000:1000 "${cfg.dataDir}" "${cfg.dataDir}/custom" "${cfg.dataDir}/custom/conf" "${cfg.dataDir}/custom/conf/app.ini"
+ chmod 640 "${cfg.dataDir}/custom/conf/app.ini"
+
+ # ugly hack to fix forgejo permissions, as sops-nix doesn't allow setting direct UID/GID yet
+ chown -R 1000:1000 "$(dirname ${
+ config.sops.secrets."${cfg.sopsSecretPrefix}/${builtins.elemAt secretEnvs 0}".path
+ })"
+ '';
+ };
+
+ environment.persistence."${config.mySystem.impermanence.persistPath}" =
+ lib.mkIf config.mySystem.impermanence.enable
+ { directories = [ cfg.dataDir ]; };
+ };
+}
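Review bot: `path = [ pkgs.diffutils ]` on `systemd.services.docker-forgejo` is unused — the `preStart` script only calls `mkdir`, `cp`, `chown` and `chmod` — so either drop the line or, if the intent was to avoid rewriting an unchanged `app.ini`, actually use it: `cmp -s ${./app.ini} "${cfg.dataDir}/custom/conf/app.ini" || cp ${./app.ini} "${cfg.dataDir}/custom/conf/app.ini"`. The `chown -R 1000:1000 "$(dirname …)"` below it re-owns the whole directory that holds the first entry of `secretEnvs`; that is harmless with the default `sopsSecretPrefix` of `system/apps/forgejo/env`, but the option is user-settable and nothing prevents it pointing at a directory shared with another service's secrets, so the option's `description` should state that the prefix must be private to forgejo and that every file under it becomes readable by UID 1000. `ports = [ "2222:2222" ]` together with `allowPublic = true` publishes the built-in SSH server (app.ini `SSH_PORT = 2222`) on all host interfaces, assuming `svc.mkContainer` passes `ports` through unchanged; a comment next to the existing "public network" note, e.g. `# built-in git SSH is reachable from the host network on 2222`, would make that deliberate rather than incidental.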