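# NixOS module: Forgejo served over plain HTTP on localhost:3001 (a reverse
# proxy in front of it is assumed to terminate TLS for `domain`), PostgreSQL
# storage with scheduled backups, a sops-provisioned admin account, and one
# Forgejo Actions runner registered against the same instance.
#
# `domain` is not defined in this file; it has to come from the module
# arguments (e.g. `specialArgs` / `_module.args`), so it is declared in the
# argument pattern below. Without that declaration the `${domain}` references
# were an undefined variable at evaluation time.
{
  lib,
  config,
  pkgs,
  sops-nix,
  domain,
  ...
}:
let
  cfg = config.services.forgejo;
  srv = cfg.settings.server;
  # Forgejo runs as this system user; the PostgreSQL database, the SSH
  # allow-list entry and the backup job all refer to the same name.
  usr = "forgejo";
in
{
  # NOTE(review): the forgejo module creates its own database when
  # `database.createDatabase` is left at its default; this entry is then
  # redundant but harmless (the postgresql module only creates missing DBs).
  services.postgresql.ensureDatabases = [ usr ];

  services.forgejo = {
    enable = true;

    # Database user and name are left at the module defaults, which match `usr`.
    database.type = "postgres";

    # System user/group are left at the module defaults ("forgejo"/"forgejo").

    lfs.enable = true;

    settings = {
      server = {
        DOMAIN = "${domain}";
        ROOT_URL = "https://${srv.DOMAIN}/";
        # Plain HTTP bound to loopback only: nothing but the local reverse
        # proxy can reach this port, and TLS is the proxy's job.
        PROTOCOL = "http";
        HTTP_ADDR = "localhost";
        HTTP_PORT = 3001;
        # Advertise the system sshd's first configured port for clone URLs;
        # git-over-ssh goes through sshd, not a Forgejo-internal SSH server.
        SSH_PORT = lib.head config.services.openssh.ports;
        SSH_USER = usr;
      };

      repository = {
        # New repositories are private unless explicitly made public.
        DEFAULT_PRIVATE = true;
        ENABLE_PUSH_CREATE_USER = true;
      };

      oauth2_client = {
        # Never use auto account linking with this, otherwise users cannot change
        # their new user name and they could potentially overtake other users accounts
        # by setting their email address to an existing account.
        # With "login" linking the user must choose a non-existing username first or login
        ACCOUNT_LINKING = "login";
        USERNAME = "nickname";
        # This does not mean that you cannot register via oauth, but just that there should
        # be a confirmation dialog shown to the user before the account is actually created.
        # This dialog allows changing user name and email address before creating the account.
        ENABLE_AUTO_REGISTRATION = false;
        REGISTER_EMAIL_CONFIRM = false;
        UPDATE_AVATAR = true;
      };

      service = {
        # Registration stays enabled so that first OAuth logins can create an
        # account; the button is hidden to discourage local password sign-ups.
        DISABLE_REGISTRATION = false;
        SHOW_REGISTRATION_BUTTON = false;
        # No mailer is configured (see `mailer.ENABLED` below), so e-mail
        # confirmation could never complete and is turned off.
        REGISTER_EMAIL_CONFIRM = false;
      };

      mailer.ENABLED = false;

      actions = {
        ENABLED = true;
        # Unqualified `uses:` references in workflows resolve against github.com.
        DEFAULT_ACTIONS_URL = "github";
      };
    };
  };

  # The admin password file is decrypted by sops-nix and must be readable by
  # the service user, because preStart below runs as that user.
  sops.secrets.forgejo-admin-password.owner = usr;

  # One-shot bootstrap of the initial admin account on every start.
  systemd.services.forgejo.preStart =
    let
      adminCmd = "${lib.getExe cfg.package} admin user";
      pwd = config.sops.secrets.forgejo-admin-password;
      user = "wanderer"; # Note, Forgejo doesn't allow creation of an account named "admin"
    in
    ''
      # `|| true`: after the first boot the account already exists and the
      # create call fails, which must not fail the unit. It also masks genuine
      # errors (e.g. database unreachable), so check the journal if the admin
      # account is missing.
      # NOTE(review): `--password` passes the secret via argv, so it is visible
      # in /proc/<pid>/cmdline for the duration of the call to anyone who can
      # read it; whether the unit's hardening limits that is not visible here.
      ${adminCmd} create --admin --email "wanderer@dotya.ml" --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
      ## uncomment this line to change an admin user which was already created
      # ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
    '';

  sops.secrets.forgejo-runner-token.owner = usr;

  services.gitea-actions-runner = {
    package = pkgs.forgejo-runner;
    instances.default = {
      enable = true;
      name = "monolith";
      url = "https://${domain}";
      # Obtaining the path to the runner token file may differ
      # tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd
      tokenFile = config.sops.secrets.forgejo-runner-token.path;
      # Each label maps a job's `runs-on` name to the container image that
      # executes it; the images are pulled by tag, so they are not pinned.
      # NOTE(review): the node:16 images are past upstream end-of-life and no
      # longer receive security updates; consider moving `ubuntu-*` to a
      # maintained image.
      labels = [
        "nix:docker://nixpkgs/nix:nixos-25.11-x86_64-linux"
        "golang-1.25:docker://golang:1.25-alpine"
        "ubuntu-latest:docker://node:16-bullseye"
        "ubuntu-22.04:docker://node:16-bullseye"
        ## optionally provide native execution on the host:
        # "native:host"
      ];
    };
  };

  services.postgresqlBackup = {
    enable = true;
    databases = [ usr ];
    compression = "zstd";
    compressionLevel = 19;
  };

  # sshd's AllowUsers is an allow-list: once set, only listed users may log in
  # over SSH. Values from several modules are merged, so any operator account
  # that needs SSH access must be listed elsewhere or it will be locked out.
  services.openssh.settings.AllowUsers = [ usr ];

  # git-over-ssh needs a real shell on the service account because sshd runs
  # the forced `forgejo serv` command through it; the non-interactive bash
  # keeps the account usable for that without an interactive login shell.
  users.users."${usr}".shell = pkgs.bashNonInteractive;
}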