diff --git a/.sops.yaml b/.sops.yaml index fa5e0f2..3ff5dc4 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -18,14 +18,14 @@ creation_rules: - *christoph_maui - *machine_tank - *machine_fort - - path_regex: secrets/sops/(forgejo|grafana|home-assistant|navidrome|tank)\.yaml + - path_regex: secrets/sops/(grafana|home-assistant|navidrome|tank)\.yaml key_groups: - age: - *christoph_trek - *christoph_zero - *christoph_maui - *machine_tank - - path_regex: secrets/sops/(alertmanager|fort|matrix-hookshot|vaultwarden|vikunja|wireguard|yarr)\.yaml + - path_regex: secrets/sops/(alertmanager|forgejo|fort|matrix-hookshot|vaultwarden|vikunja|wireguard|yarr)\.yaml key_groups: - age: - *christoph_trek diff --git a/machines/fort.nix b/machines/fort.nix index 759885d..51e0d10 100644 --- a/machines/fort.nix +++ b/machines/fort.nix @@ -20,6 +20,7 @@ in { ../services/alertmanager.nix ../services/conduit.nix ../services/fail2ban.nix + ../services/forgejo.nix ../services/matrix-hookshot.nix ../services/nginx.nix ../services/node-exporter.nix diff --git a/machines/tank.nix b/machines/tank.nix index 32e29a9..6efd293 100644 --- a/machines/tank.nix +++ b/machines/tank.nix @@ -3,7 +3,6 @@ { imports = [ ../secrets/machines/tank.nix - ../services/forgejo.nix ../services/grafana.nix ../services/home-assistant.nix ../services/navidrome.nix diff --git a/secrets/machines/fort.nix b/secrets/machines/fort.nix index e30df5b..88d4d8c 100644 Binary files a/secrets/machines/fort.nix and b/secrets/machines/fort.nix differ diff --git a/secrets/sops/forgejo.yaml b/secrets/sops/forgejo.yaml index b2e4a43..d3fbe35 100644 --- a/secrets/sops/forgejo.yaml +++ b/secrets/sops/forgejo.yaml 
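Review bot: Both new `path_regex` values are unanchored, and SOPS uses the first creation rule whose regex matches anywhere in the file path, so a stray copy such as a `grafana.yaml.bak` next to the real file would be encrypted to the same recipients as the original. Ending each pattern with `\.yaml$` (and a leading `^` if the path handed to the matcher is relative to the repository root, which is worth confirming) limits each rule to exactly the intended files. The move of `forgejo` from the first group to the second is consistent with the re-encrypted `secrets/sops/forgejo.yaml` later in this diff, which swaps a single age recipient.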
@@ -11,41 +11,41 @@ sops: - recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4b2hoYmJ1VElMbHdCUDh0 - WE9vWTJrRExYdXZYSXlxSnhZU2RQTVdLbkg4CjRxOXRIZVM4bGNWZWltYlFrREkv - aDBiNE1GNmdEUWM0djdjREE4Z1U4YUEKLS0tIHhFUS9VTTQzVnZsYXRmdkNNcGE0 - R1B3M2RkZUVMOGxLeVBOOEdoY0ZiU0kK6IZfCAYJ+aC2lpuva8SsMQwmuo30q0Ht - jXomy+097+ecDYE7jqU6b6MTofskwJxI5tRlz5bdwqrEzyXDdTKsEg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBibWZidXJUOGlYajhGWjQ2 + K1JsdVNpTFJ1a0plVzNRMVJuS1NnclBkVUVvCnp2Y2JNWERpWklCY3V6VGd2c3hp + QjhXVzd6c1NCM1dmcXk1Mk9ld2xtSm8KLS0tIHh1N3ViK01uSGtoZEZPQlBWM090 + b21MOXUvVW56VjM4dWZGQzlReG1SVzQKasO8oKBNlQa1vKOBUhZ81JyTYwEWjbrD + Nx2ed8f6r7a/vl3vAtyIi3vZrKIfCije/hGgSbqch8suJ2vgswZbog== -----END AGE ENCRYPTED FILE----- - recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBINEgyUnlVNHVNVWEyYmww - TXFiRmdwYVpwY21hUU9JL0NPdXlnaEtIdHhzCmRzTXJCcDYzaEN0NWFIMUtQakEw - L2VvUnlNZEhGNzVEUTVSLzRzRE9xNzQKLS0tIFAwbVZQWVgrSXZNMXFiYWNacmNz - S0dQU1Uxcm83WDVYRXVxVVZTK1NDTDAKUFMD8+2DT5e0QTqW2oJjlZ4imyfWQpcT - EGycdAu6ZZ1IFfalwKChc7Q/w1IL7SoJXgfCTZ0f57GW0V4jFgG2XQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCS3ZqRkh5V3MvSUJqdG9s + ZWFtTmx3UkZWbGxLVk5VdHRJeExMaC90MW5BCkdUVnJOR1dyM0NXMG1oQVJ4K3F6 + WUZJMFRlb1k0c1dBWVptS29jbWR6VW8KLS0tIFBqYUJXZGl5c095eDVWMGlZTm1X + STBxTFRHYWJubWk4NkYyWnVoNWg2aXMKiFRrdJylS8X+epTb2Qb0xhORC8LLciA5 + B3+yUZ058I5vL/qhTreeSoFEGkFPSM1SdYkCjhDM+ksVIBYODm6IFg== -----END AGE ENCRYPTED FILE----- - recipient: age1ul99nmekam6rs9fpjka32aaxmnjq0p3a8x8drzxwtxa4g2u23anq6p2g6s enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMKy92ckozL0FNVWJLSTZS - ZnZoOEVwdVphNVlQY0lLMkRuS2J0a2t5OVRvCmJIcUpEZmZxWEhObUtDY3dWNVJQ - dGtkOHBMdGtxcHJqSWVmOHh1cEdoQTQKLS0tIGtCRzZuMVRNU0JKdlRucUlqcjRx - 
UlRDaURJSUhFV3NaUUhabFZLZEpyZWMKj79j1LxihAnJqIye+CY7zkLv6xWmbeVN - V5XZwW+LxenPElnxdfiL/+4nlU1Mw9pccVhdDMWqYRVulqRqRIEsHA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBob3pkdW80TU1KVUVTOUpw + Um8rQ0R1T2Jxb0h4SmxhYVg2WVN5WUpuQ2kwCmQ1c01RRklhUksyRXVaLzlWQ1N4 + L0hqZXBLM2UyWFgvc0w5dUd2STU0NlkKLS0tIHd4OUQ4UFpJRzg5RTMxbjFRb3Nx + S3pCdzVGRFlQUG4zY0g1TTFoZk0rOTgKxD34waFXjR0jlMXSu8pVVAxDYrutoKTE + JUBLyrrz9HWv49B4E+RzIW4Wf3YPaaC29SXRWLWvDqKMrM2nnYAwdQ== -----END AGE ENCRYPTED FILE----- - - recipient: age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh + - recipient: age1h96sm0j0k5kjmuf857xurtq7rwk5fhptenjdlkgmadtrz4lm95rqm6ctm2 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTN0FRK0cyK1h4SFFuT2RI - aEgwVjlPUUxzeWFTa0RDRjN4WGlEalFXYmtBCjJGWkNKaFllNGZNR25IN0VsbDVk - ei9kNFozbW1pTDFXMUc4YzhZTnh6Z1UKLS0tIEtkdnUyd29wYnZWUy9udVViNmpt - RkdUVDRzMm92SEtrZXUvTldvVDBQN3cKCBuF/ayOc3gBveS0HaWYVG9fRHK0EtE0 - DF6vEy9eLhRzX2FeYHw4WHNv3nbcWLgXU/IXdkVbevenxosFPIjHKA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4S0MvUjFoQ3h0cjUzQkk2 + alA4R2ZHOTVidU5iYWJWK21zU3dBVWZZNXpBCnBYRUpiL0pJZnFNQzJXZGtWQmYy + SXc2YzdLTGx3a1ZrSWxNNUJsYnh2dzQKLS0tIG0rMGZPUEY2YTBWSTBBZGk3bzNj + YVMzY2xiY1FBcHZicjBrKzlUZ2FyOEUKlMvpN5grIvL9/Lwf57V96jeZjOf9SJeA + hxHUQDqiS5R5nUP5FRWEss8rUKCzuzVP3WqEIiYePZY7tZHvcemvWg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-16T22:49:11Z" - mac: ENC[AES256_GCM,data:3lg60+FRJrkcB4lNeQ97WtQ6AzTbboP9aq8W//pt9Co09gdNVrfDWs8o5eaj6r7ghoGu726dNvHmIdUMrp3jdtQlzjnQyPQn2VUzcR0Vrw9AqRX8RLhGouHyq1YDZyGVXdiv3S/Ju1Z/1+4+LdpyTZUaMwM05Hy2WZi4Bjup73E=,iv:wvpSqL/GZaI/nqZaY9TLMffkXP0GiNpR5JcEVO6yvM4=,tag:TDIRN0FBUx2ekMsDHNLVcw==,type:str] + lastmodified: "2024-08-24T11:23:27Z" + mac: 
ENC[AES256_GCM,data:6WMNrzb6fcCnphhQwLV4lXNqtJp6T57jFqK6pbDYrAc5kVz7UjODNc2r0qmsEsQ4FHzjF1bLJkPqGHKdJdefWj7MHYu3ygxYiBPIoy3SwS1A8uqbywIxLFJzuoIaZ0t5Rtt4hni5eK4DKKzWyqgtgUD1WjPFiPH7unlAyowiQYM=,iv:m7pXlPv0tpoQY1OOy9jZuMXI/IpQHa1WCBWJtGO7zbU=,tag:AD3pBAa2LcI2HZkDFmCBjg==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.8.1 + version: 3.9.0 diff --git a/services/forgejo.nix b/services/forgejo.nix index 88d8c72..9dd7d5b 100644 --- a/services/forgejo.nix +++ b/services/forgejo.nix @@ -3,6 +3,7 @@ let cfg = config.services.forgejo; fqdn = "git.${my.domain}"; + dataDir = "/mnt/data/forgejo"; in { sops.secrets."forgejo/mail/host" = { sopsFile = ../secrets/sops/forgejo.yaml; @@ -18,6 +19,7 @@ in { user = "git"; group = "git"; lfs.enable = true; + repositoryRoot = "${dataDir}/repositories"; database = { type = "sqlite3"; createDatabase = true; @@ -37,7 +39,10 @@ in { SCHEDULE = "@every 48h"; TIMEOUT = "1h"; }; - git.GC_ARGS = "--prune=1.week.ago"; + git = { + GC_ARGS = "--prune=1.week.ago"; + HOME_PATH = "${config.services.forgejo.stateDir}/data/home"; + }; cors = { ENABLED = true; ALLOW_DOMAIN = fqdn; @@ -64,6 +69,7 @@ in { HTTP_ADDR = "::1"; HTTP_PORT = 3110; SSH_USER = cfg.user; + APP_DATA_PATH = "${dataDir}/data"; }; repository = { ENABLE_PUSH_CREATE_USER = true; @@ -76,6 +82,10 @@ in { PROVIDER = "db"; COOKIE_SECURE = true; }; + storage = { + STORAGE_TYPE = "local"; + PATH = "${dataDir}/data"; + }; actions = { ENABLED = true; DEFAULT_ACTIONS_URL = "https://code.forgejo.org"; @@ -106,7 +116,13 @@ in { }; }; + systemd.services.forgejo.serviceConfig.BindPaths = [ dataDir ]; + systemd.tmpfiles.settings."75-forgejo" = { + ${dataDir}.d = { + inherit (cfg) user group; + mode = "0750"; + }; "/run/forgejo-dispatch/authorized-keys"."f+" = { # sshd_config(5): The program must be owned by root, not writable by group or others mode = "0755";
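Review bot: `repositoryRoot = "${dataDir}/repositories"` moves the bare repositories onto the new data directory, but `lfs.enable = true` on the line above still leaves LFS objects at the module's default `lfs.contentDir`, which as far as I know is `${cfg.stateDir}/data/lfs`, so the largest part of the repository data may stay on the state volume. The generic `storage.PATH` set in a later hunk would not redirect it if the NixOS module writes the LFS path explicitly from `lfs.contentDir`; that is worth confirming against the module. Adding `lfs.contentDir = "${dataDir}/data/lfs";` next to `lfs.enable` keeps all repository content on one volume. The enclosing `services.forgejo` attribute set starts and ends outside this hunk.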
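Review bot: `HOME_PATH = "${config.services.forgejo.stateDir}/data/home"` spells out the full option path although the file already binds `cfg = config.services.forgejo` in the `let` at the top and uses `cfg.user` for `SSH_USER` a few lines below; `HOME_PATH = "${cfg.stateDir}/data/home";` is the consistent form. This path also stays under `stateDir` while `APP_DATA_PATH` and `storage.PATH` in the following hunks move to `dataDir`; if the split is deliberate, a one-line comment such as `# git's home (config only) stays on the state volume; repository data lives on dataDir` would spare the next reader the question. The enclosing attribute set starts and ends outside this hunk.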