From 1af477fdd3b5355f7e3cfd65b27ec5fa6d51d169 Mon Sep 17 00:00:00 2001
From: Henri Dohmen
Date: Thu, 19 Mar 2026 11:27:45 +0100
Subject: [PATCH] roam: add forgejo instance
---
 host/roam/git.nix | 58 +++++++++++++++++++++++-
 host/roam/mail.nix | 8 +++-
 secrets.nix | 9 ++--
 secrets/roam/forgejo-mailer-password.age | 11 +++++
 4 files changed, 79 insertions(+), 7 deletions(-)
 create mode 100644 secrets/roam/forgejo-mailer-password.age
diff --git a/host/roam/git.nix b/host/roam/git.nix
index 5dda083..35b505e 100644
--- a/host/roam/git.nix
+++ b/host/roam/git.nix
@@ -1,9 +1,18 @@
 {
- pkgs,
- var,
+ config,
 lib,
+ pkgs,
+ secrets,
+ var,
 ...
 }:
+
+# We have a minimal `git` user accessible via ssh with a cgit instance on onet
+# at https://git.lan/. The `git` user has home at `/git` which is backed up
+# using rclone (see `backup.nix`).
+# Also, for collaboration, we have a forgejo instance
+# at https://git.hdohmen.de/.
+
 let
 gitpath = "/git";
 git-config = pkgs.writeText "git-git-config" ''
@@ -67,6 +76,7 @@ in
 services = let
 cgit-host = "git.lan";
+ fogrejo-cfg = config.services.forgejo;
 in {
 nginx = {
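Review bot: The new let binding in the `@@ -67,6 +76,7 @@` hunk is spelled `fogrejo-cfg` rather than `forgejo-cfg`, and the misspelling is then repeated at every use in the following hunk (the nginx `virtualHosts` key, the `proxyPass` port and `ROOT_URL`), so a reader searching for the service name will not find these references. Nothing breaks because it is used consistently, but renaming it once here, `forgejo-cfg = config.services.forgejo;`, and at its uses keeps the binding searchable and matches the `forgejo` attribute it points at. The `services = let … in { … }` set this binding belongs to starts in this hunk and its body continues past it.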
@@ -79,5 +89,49 @@ in
 nginx.virtualHost = cgit-host;
 gitHttpBackend.checkExportOkFiles = false;
 };
+
+ nginx = {
+ virtualHosts.${fogrejo-cfg.settings.server.DOMAIN} = {
+ forceSSL = true;
+ enableACME = true;
+ extraConfig = ''
+ client_max_body_size 512M;
+ '';
+ locations."/".proxyPass = "http://localhost:${toString fogrejo-cfg.settings.server.HTTP_PORT}";
+ };
+ };
+
+ forgejo = {
+ enable = true;
+ database.type = "postgres";
+ lfs.enable = true;
+ settings = {
+ server = {
+ DOMAIN = "git.hdohmen.de";
+ ROOT_URL = "https://${fogrejo-cfg.settings.server.DOMAIN}/";
+ HTTP_PORT = 3000;
+ };
+ mailer = {
+ ENABLED = true;
+ SMTP_ADDR = "roam.hdohmen.de";
+ FROM = "noreply@git.hdohmen.de";
+ USER = "noreply@git.hdohmen.de";
+ };
+ service.DISABLE_REGISTRATION = true;
+ repository = {
+ ENABLE_PUSH_CREATE_USER = true;
+ ENABLE_PUSH_CREATE_ORG = true;
+ };
+ };
+ secrets = {
+ mailer.PASSWD = config.age.secrets.forgejo-mailer-password.path;
+ };
+ };
 };
+
+ age.secrets.forgejo-mailer-password = {
+ file = secrets.roam."forgejo-mailer-password.age";
+ mode = "400";
+ owner = "forgejo";
+ };
 }
diff --git a/host/roam/mail.nix b/host/roam/mail.nix
index 29ce064..b010704 100644
--- a/host/roam/mail.nix
+++ b/host/roam/mail.nix
@@ -7,8 +7,14 @@
 stateVersion = 3;
 fqdn = "roam.hdohmen.de";
 x509.useACMEHost = config.mailserver.fqdn;
- domains = [ "hdohmen.de" ];
+ domains = [
+ "hdohmen.de"
+ "git.hdohmen.de"
+ ];
 loginAccounts = {
+ "noreply@git.hdohmen.de" = {
+ hashedPassword = "$2b$05$F0HyHZWL7fsu3XK4ogSxvuKDIugMiXunisfmhHGQmkiDL4aIEHOxm";
+ };
 "hd@hdohmen.de" = {
 hashedPassword = "$y$j9T$ThusPQJOPsUxfJrO6T6kN/$4hoobYwjhxSLo.f8uWg7DZu7gHtRlUt.nfiDC5xN2w2";
 aliases = [ "hd@hdohmen.de" ];
diff --git a/secrets.nix b/secrets.nix
index 191b729..e332476 100644
--- a/secrets.nix
+++ b/secrets.nix
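Review bot: The nginx vhost proxies to `http://localhost:3000`, but the `server` block only sets `DOMAIN`, `ROOT_URL` and `HTTP_PORT` and never pins the listen address, so whether Forgejo is also reachable as plain HTTP on port 3000 from outside depends on the module's default bind and on firewall rules not visible in this patch; adding `HTTP_ADDR = "127.0.0.1";` next to `HTTP_PORT = 3000;` makes the TLS vhost the only entry point regardless. In the same way the `mailer` block gives `SMTP_ADDR` but neither `PROTOCOL` nor `SMTP_PORT`, so whether the `noreply` password from the age secret is sent over TLS is left to Forgejo's defaults; pinning `PROTOCOL = "smtps"; SMTP_PORT = 465;` (or `"smtp+starttls"` with 587, whichever the mailserver exposes) states that intent in the config. `enableACME = true` presumes the ACME terms and contact are accepted elsewhere in this host's configuration, which the patch does not show.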
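Review bot: The new `"noreply@git.hdohmen.de"` login account receives a full mailbox although Forgejo only needs it for outbound mail; adding `sendOnly = true;` inside it (the loginAccounts option for exactly this case) rejects inbound delivery to the address and keeps the account's footprint to SMTP submission. The bcrypt hash committed for it carries cost factor `05` (the `$2b$05$` prefix), which is well below the customary minimum of 10 and makes offline guessing of this SMTP-auth credential cheap should the repository or config leak; regenerating the hash at cost 12 or so costs nothing at login time. The enclosing `loginAccounts` set continues past the end of the hunk.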
@@ -5,12 +5,13 @@ let keys = ssh-keys.root; trusted-keys = ssh-keys.trusted-root; secrets = [ - "roam/rclone-conf" - "roam/firefox-sync-secret" - "roam/nextcloud-admin-password" "hd-password" - "tlskey" + "roam/firefox-sync-secret" + "roam/forgejo-mailer-password" "roam/mullvad-vpn-key" + "roam/nextcloud-admin-password" + "roam/rclone-conf" + "tlskey" ]; trusted-secrets = [ # Can only be decrypted by clients diff --git a/secrets/roam/forgejo-mailer-password.age b/secrets/roam/forgejo-mailer-password.age new file mode 100644 index 0000000..d26e6e1 --- /dev/null +++ b/secrets/roam/forgejo-mailer-password.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 ydxpSQ UjxIcrL3YIhUhnpVmAdVUhoANohDlV8RO+Sis98TpmY +iNv9ANH9ptR9p9XvGLq2NM0kB4a6q4ymHqlbwfRGO/Q +-> ssh-ed25519 IbE9zA CHcF/x2JlPWZFWJml+tUUDC2QE7Its4jnL9mI/LKAXU +9mTqU+ow9CrhMGxUIs5/F+LISEF/RDnlfxWcdyoUs5c +-> ssh-ed25519 gbs8eg l2znQDwG0mWS+XgN7ccc3dbdU3sszW9nLoc80lVXti4 +BTzf91AWC8LcitJlgY+X6boQZ+UkVO+QZB9gVGW/hjs +-> ssh-ed25519 FTMbvw LhUkcBvB/yuOZdFkRPyEaiedxNcZj/Fw2Cb8K5x19AM +G/2VeEQU0jS3dY7+Dv3LOAXVWLe+2LeZgeLTrM7zDKk +--- VDtjgtMTGZz8RsgNhhqb+kryLlMZrzI8EMp3c8WMtkU +‹ÐúÛ˜dØT v¤HâéÜÊ,ˆ8ÜR×›l{îæ?ý Ù´îo•¦À\½äç¬×Ð^G‡@gd³š‚ \ No newline at end of file