roam: add forgejo instance

host/roam/git.nix

@@ -1,9 +1,18 @@
 {
-  pkgs,
-  var,
+  config,
   lib,
+  pkgs,
+  secrets,
+  var,
   ...
 }:
+
+# We have a minimal `git` user accessible via ssh with a cgit instance on onet
+# at https://git.lan/. The `git` user has home at `/git` which is backed up
+# using rclone (see `backup.nix`).
+# Also, for collaboration, we have a forgejo instance
+# at https://git.hdohmen.de/.
+
 let
   gitpath = "/git";
   git-config = pkgs.writeText "git-git-config" ''
@@ -67,6 +76,7 @@ in
   services =
     let
       cgit-host = "git.lan";
+      fogrejo-cfg = config.services.forgejo;
     in
     {
       nginx = {
@@ -79,5 +89,49 @@ in
         nginx.virtualHost = cgit-host;
         gitHttpBackend.checkExportOkFiles = false;
       };
+
+      nginx = {
+        virtualHosts.${fogrejo-cfg.settings.server.DOMAIN} = {
+          forceSSL = true;
+          enableACME = true;
+          extraConfig = ''
+            client_max_body_size 512M;
+          '';
+          locations."/".proxyPass = "http://localhost:${toString fogrejo-cfg.settings.server.HTTP_PORT}";
+        };
+      };
+
+      forgejo = {
+        enable = true;
+        database.type = "postgres";
+        lfs.enable = true;
+        settings = {
+          server = {
+            DOMAIN = "git.hdohmen.de";
+            ROOT_URL = "https://${fogrejo-cfg.settings.server.DOMAIN}/";
+            HTTP_PORT = 3000;
+          };
+          mailer = {
+            ENABLED = true;
+            SMTP_ADDR = "roam.hdohmen.de";
+            FROM = "noreply@git.hdohmen.de";
+            USER = "noreply@git.hdohmen.de";
+          };
+          service.DISABLE_REGISTRATION = true;
+          repository = {
+            ENABLE_PUSH_CREATE_USER = true;
+            ENABLE_PUSH_CREATE_ORG = true;
+          };
+        };
+        secrets = {
+          mailer.PASSWD = config.age.secrets.forgejo-mailer-password.path;
+        };
+      };
     };
+
+  age.secrets.forgejo-mailer-password = {
+    file = secrets.roam."forgejo-mailer-password.age";
+    mode = "400";
+    owner = "forgejo";
+  };
 }

host/roam/mail.nix

@@ -7,8 +7,14 @@
     stateVersion = 3;
     fqdn = "roam.hdohmen.de";
     x509.useACMEHost = config.mailserver.fqdn;
-    domains = [ "hdohmen.de" ];
+    domains = [
+      "hdohmen.de"
+      "git.hdohmen.de"
+    ];
     loginAccounts = {
+      "noreply@git.hdohmen.de" = {
+        hashedPassword = "$2b$05$F0HyHZWL7fsu3XK4ogSxvuKDIugMiXunisfmhHGQmkiDL4aIEHOxm";
+      };
       "hd@hdohmen.de" = {
         hashedPassword = "$y$j9T$ThusPQJOPsUxfJrO6T6kN/$4hoobYwjhxSLo.f8uWg7DZu7gHtRlUt.nfiDC5xN2w2";
         aliases = [ "hd@hdohmen.de" ];

secrets.nix

@@ -5,12 +5,13 @@ let
   keys = ssh-keys.root;
   trusted-keys = ssh-keys.trusted-root;
   secrets = [
-    "roam/rclone-conf"
-    "roam/firefox-sync-secret"
-    "roam/nextcloud-admin-password"
     "hd-password"
-    "tlskey"
+    "roam/firefox-sync-secret"
+    "roam/forgejo-mailer-password"
     "roam/mullvad-vpn-key"
+    "roam/nextcloud-admin-password"
+    "roam/rclone-conf"
+    "tlskey"
   ];
   trusted-secrets = [
     # Can only be decrypted by clients

secrets/roam/forgejo-mailer-password.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 ydxpSQ UjxIcrL3YIhUhnpVmAdVUhoANohDlV8RO+Sis98TpmY
+iNv9ANH9ptR9p9XvGLq2NM0kB4a6q4ymHqlbwfRGO/Q
+-> ssh-ed25519 IbE9zA CHcF/x2JlPWZFWJml+tUUDC2QE7Its4jnL9mI/LKAXU
+9mTqU+ow9CrhMGxUIs5/F+LISEF/RDnlfxWcdyoUs5c
+-> ssh-ed25519 gbs8eg l2znQDwG0mWS+XgN7ccc3dbdU3sszW9nLoc80lVXti4
+BTzf91AWC8LcitJlgY+X6boQZ+UkVO+QZB9gVGW/hjs
+-> ssh-ed25519 FTMbvw LhUkcBvB/yuOZdFkRPyEaiedxNcZj/Fw2Cb8K5x19AM
+G/2VeEQU0jS3dY7+Dv3LOAXVWLe+2LeZgeLTrM7zDKk
+--- VDtjgtMTGZz8RsgNhhqb+kryLlMZrzI8EMp3c8WMtkU
+‹ÐúÛ˜dØTv¤HâéÜÊ,ˆ8ÜR×›l{îæ?ý Ù´îo•¦À\½äç¬×Ð^G‡@gd³š‚