services: forgejo: move to other host with dedicated data directory
Signed-off-by: Christoph Heiss <christoph@c8h4.io>
parent
7abca790ca
commit
30d55d5792
|
@ -18,14 +18,14 @@ creation_rules:
|
||||||
- *christoph_maui
|
- *christoph_maui
|
||||||
- *machine_tank
|
- *machine_tank
|
||||||
- *machine_fort
|
- *machine_fort
|
||||||
- path_regex: secrets/sops/(forgejo|grafana|home-assistant|navidrome|tank)\.yaml
|
- path_regex: secrets/sops/(grafana|home-assistant|navidrome|tank)\.yaml
|
||||||
key_groups:
|
key_groups:
|
||||||
- age:
|
- age:
|
||||||
- *christoph_trek
|
- *christoph_trek
|
||||||
- *christoph_zero
|
- *christoph_zero
|
||||||
- *christoph_maui
|
- *christoph_maui
|
||||||
- *machine_tank
|
- *machine_tank
|
||||||
- path_regex: secrets/sops/(alertmanager|fort|matrix-hookshot|vaultwarden|vikunja|wireguard|yarr)\.yaml
|
- path_regex: secrets/sops/(alertmanager|forgejo|fort|matrix-hookshot|vaultwarden|vikunja|wireguard|yarr)\.yaml
|
||||||
key_groups:
|
key_groups:
|
||||||
- age:
|
- age:
|
||||||
- *christoph_trek
|
- *christoph_trek
|
||||||
|
|
|
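Review bot: Moving `forgejo` out of the `machine_tank` rule and into the rule that now starts with `alertmanager|forgejo|fort` only changes who future encryptions target; it does not withdraw what the tank key could already decrypt, because the previous revision of `secrets/sops/forgejo.yaml` stays in history encrypted to the old recipient set. The re-keyed file later on this page shows the fourth recipient replaced and a new `mac` and `lastmodified`, but not whether the secret values themselves changed. If the move is meant to take tank out of the trust set for Forgejo's credentials, the values stored in that file (for example `forgejo/mail/host`) should be rotated as part of the migration. If tank stays equally trusted, a sentence in the commit message saying so would close the question.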
@ -20,6 +20,7 @@ in {
|
||||||
../services/alertmanager.nix
|
../services/alertmanager.nix
|
||||||
../services/conduit.nix
|
../services/conduit.nix
|
||||||
../services/fail2ban.nix
|
../services/fail2ban.nix
|
||||||
|
../services/forgejo.nix
|
||||||
../services/matrix-hookshot.nix
|
../services/matrix-hookshot.nix
|
||||||
../services/nginx.nix
|
../services/nginx.nix
|
||||||
../services/node-exporter.nix
|
../services/node-exporter.nix
|
||||||
|
|
|
@ -3,7 +3,6 @@
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
../secrets/machines/tank.nix
|
../secrets/machines/tank.nix
|
||||||
../services/forgejo.nix
|
|
||||||
../services/grafana.nix
|
../services/grafana.nix
|
||||||
../services/home-assistant.nix
|
../services/home-assistant.nix
|
||||||
../services/navidrome.nix
|
../services/navidrome.nix
|
||||||
|
|
Binary file not shown.
|
@ -11,41 +11,41 @@ sops:
|
||||||
- recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
|
- recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4b2hoYmJ1VElMbHdCUDh0
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBibWZidXJUOGlYajhGWjQ2
|
||||||
WE9vWTJrRExYdXZYSXlxSnhZU2RQTVdLbkg4CjRxOXRIZVM4bGNWZWltYlFrREkv
|
K1JsdVNpTFJ1a0plVzNRMVJuS1NnclBkVUVvCnp2Y2JNWERpWklCY3V6VGd2c3hp
|
||||||
aDBiNE1GNmdEUWM0djdjREE4Z1U4YUEKLS0tIHhFUS9VTTQzVnZsYXRmdkNNcGE0
|
QjhXVzd6c1NCM1dmcXk1Mk9ld2xtSm8KLS0tIHh1N3ViK01uSGtoZEZPQlBWM090
|
||||||
R1B3M2RkZUVMOGxLeVBOOEdoY0ZiU0kK6IZfCAYJ+aC2lpuva8SsMQwmuo30q0Ht
|
b21MOXUvVW56VjM4dWZGQzlReG1SVzQKasO8oKBNlQa1vKOBUhZ81JyTYwEWjbrD
|
||||||
jXomy+097+ecDYE7jqU6b6MTofskwJxI5tRlz5bdwqrEzyXDdTKsEg==
|
Nx2ed8f6r7a/vl3vAtyIi3vZrKIfCije/hGgSbqch8suJ2vgswZbog==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
|
- recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBINEgyUnlVNHVNVWEyYmww
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCS3ZqRkh5V3MvSUJqdG9s
|
||||||
TXFiRmdwYVpwY21hUU9JL0NPdXlnaEtIdHhzCmRzTXJCcDYzaEN0NWFIMUtQakEw
|
ZWFtTmx3UkZWbGxLVk5VdHRJeExMaC90MW5BCkdUVnJOR1dyM0NXMG1oQVJ4K3F6
|
||||||
L2VvUnlNZEhGNzVEUTVSLzRzRE9xNzQKLS0tIFAwbVZQWVgrSXZNMXFiYWNacmNz
|
WUZJMFRlb1k0c1dBWVptS29jbWR6VW8KLS0tIFBqYUJXZGl5c095eDVWMGlZTm1X
|
||||||
S0dQU1Uxcm83WDVYRXVxVVZTK1NDTDAKUFMD8+2DT5e0QTqW2oJjlZ4imyfWQpcT
|
STBxTFRHYWJubWk4NkYyWnVoNWg2aXMKiFRrdJylS8X+epTb2Qb0xhORC8LLciA5
|
||||||
EGycdAu6ZZ1IFfalwKChc7Q/w1IL7SoJXgfCTZ0f57GW0V4jFgG2XQ==
|
B3+yUZ058I5vL/qhTreeSoFEGkFPSM1SdYkCjhDM+ksVIBYODm6IFg==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age1ul99nmekam6rs9fpjka32aaxmnjq0p3a8x8drzxwtxa4g2u23anq6p2g6s
|
- recipient: age1ul99nmekam6rs9fpjka32aaxmnjq0p3a8x8drzxwtxa4g2u23anq6p2g6s
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMKy92ckozL0FNVWJLSTZS
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBob3pkdW80TU1KVUVTOUpw
|
||||||
ZnZoOEVwdVphNVlQY0lLMkRuS2J0a2t5OVRvCmJIcUpEZmZxWEhObUtDY3dWNVJQ
|
Um8rQ0R1T2Jxb0h4SmxhYVg2WVN5WUpuQ2kwCmQ1c01RRklhUksyRXVaLzlWQ1N4
|
||||||
dGtkOHBMdGtxcHJqSWVmOHh1cEdoQTQKLS0tIGtCRzZuMVRNU0JKdlRucUlqcjRx
|
L0hqZXBLM2UyWFgvc0w5dUd2STU0NlkKLS0tIHd4OUQ4UFpJRzg5RTMxbjFRb3Nx
|
||||||
UlRDaURJSUhFV3NaUUhabFZLZEpyZWMKj79j1LxihAnJqIye+CY7zkLv6xWmbeVN
|
S3pCdzVGRFlQUG4zY0g1TTFoZk0rOTgKxD34waFXjR0jlMXSu8pVVAxDYrutoKTE
|
||||||
V5XZwW+LxenPElnxdfiL/+4nlU1Mw9pccVhdDMWqYRVulqRqRIEsHA==
|
JUBLyrrz9HWv49B4E+RzIW4Wf3YPaaC29SXRWLWvDqKMrM2nnYAwdQ==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh
|
- recipient: age1h96sm0j0k5kjmuf857xurtq7rwk5fhptenjdlkgmadtrz4lm95rqm6ctm2
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTN0FRK0cyK1h4SFFuT2RI
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4S0MvUjFoQ3h0cjUzQkk2
|
||||||
aEgwVjlPUUxzeWFTa0RDRjN4WGlEalFXYmtBCjJGWkNKaFllNGZNR25IN0VsbDVk
|
alA4R2ZHOTVidU5iYWJWK21zU3dBVWZZNXpBCnBYRUpiL0pJZnFNQzJXZGtWQmYy
|
||||||
ei9kNFozbW1pTDFXMUc4YzhZTnh6Z1UKLS0tIEtkdnUyd29wYnZWUy9udVViNmpt
|
SXc2YzdLTGx3a1ZrSWxNNUJsYnh2dzQKLS0tIG0rMGZPUEY2YTBWSTBBZGk3bzNj
|
||||||
RkdUVDRzMm92SEtrZXUvTldvVDBQN3cKCBuF/ayOc3gBveS0HaWYVG9fRHK0EtE0
|
YVMzY2xiY1FBcHZicjBrKzlUZ2FyOEUKlMvpN5grIvL9/Lwf57V96jeZjOf9SJeA
|
||||||
DF6vEy9eLhRzX2FeYHw4WHNv3nbcWLgXU/IXdkVbevenxosFPIjHKA==
|
hxHUQDqiS5R5nUP5FRWEss8rUKCzuzVP3WqEIiYePZY7tZHvcemvWg==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-06-16T22:49:11Z"
|
lastmodified: "2024-08-24T11:23:27Z"
|
||||||
mac: ENC[AES256_GCM,data:3lg60+FRJrkcB4lNeQ97WtQ6AzTbboP9aq8W//pt9Co09gdNVrfDWs8o5eaj6r7ghoGu726dNvHmIdUMrp3jdtQlzjnQyPQn2VUzcR0Vrw9AqRX8RLhGouHyq1YDZyGVXdiv3S/Ju1Z/1+4+LdpyTZUaMwM05Hy2WZi4Bjup73E=,iv:wvpSqL/GZaI/nqZaY9TLMffkXP0GiNpR5JcEVO6yvM4=,tag:TDIRN0FBUx2ekMsDHNLVcw==,type:str]
|
mac: ENC[AES256_GCM,data:6WMNrzb6fcCnphhQwLV4lXNqtJp6T57jFqK6pbDYrAc5kVz7UjODNc2r0qmsEsQ4FHzjF1bLJkPqGHKdJdefWj7MHYu3ygxYiBPIoy3SwS1A8uqbywIxLFJzuoIaZ0t5Rtt4hni5eK4DKKzWyqgtgUD1WjPFiPH7unlAyowiQYM=,iv:m7pXlPv0tpoQY1OOy9jZuMXI/IpQHa1WCBWJtGO7zbU=,tag:AD3pBAa2LcI2HZkDFmCBjg==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.8.1
|
version: 3.9.0
|
||||||
|
|
|
@ -3,6 +3,7 @@
|
||||||
let
|
let
|
||||||
cfg = config.services.forgejo;
|
cfg = config.services.forgejo;
|
||||||
fqdn = "git.${my.domain}";
|
fqdn = "git.${my.domain}";
|
||||||
|
dataDir = "/mnt/data/forgejo";
|
||||||
in {
|
in {
|
||||||
sops.secrets."forgejo/mail/host" = {
|
sops.secrets."forgejo/mail/host" = {
|
||||||
sopsFile = ../secrets/sops/forgejo.yaml;
|
sopsFile = ../secrets/sops/forgejo.yaml;
|
||||||
|
@ -18,6 +19,7 @@ in {
|
||||||
user = "git";
|
user = "git";
|
||||||
group = "git";
|
group = "git";
|
||||||
lfs.enable = true;
|
lfs.enable = true;
|
||||||
|
repositoryRoot = "${dataDir}/repositories";
|
||||||
database = {
|
database = {
|
||||||
type = "sqlite3";
|
type = "sqlite3";
|
||||||
createDatabase = true;
|
createDatabase = true;
|
||||||
|
@ -37,7 +39,10 @@ in {
|
||||||
SCHEDULE = "@every 48h";
|
SCHEDULE = "@every 48h";
|
||||||
TIMEOUT = "1h";
|
TIMEOUT = "1h";
|
||||||
};
|
};
|
||||||
git.GC_ARGS = "--prune=1.week.ago";
|
git = {
|
||||||
|
GC_ARGS = "--prune=1.week.ago";
|
||||||
|
HOME_PATH = "${config.services.forgejo.stateDir}/data/home";
|
||||||
|
};
|
||||||
cors = {
|
cors = {
|
||||||
ENABLED = true;
|
ENABLED = true;
|
||||||
ALLOW_DOMAIN = fqdn;
|
ALLOW_DOMAIN = fqdn;
|
||||||
|
@ -64,6 +69,7 @@ in {
|
||||||
HTTP_ADDR = "::1";
|
HTTP_ADDR = "::1";
|
||||||
HTTP_PORT = 3110;
|
HTTP_PORT = 3110;
|
||||||
SSH_USER = cfg.user;
|
SSH_USER = cfg.user;
|
||||||
|
APP_DATA_PATH = "${dataDir}/data";
|
||||||
};
|
};
|
||||||
repository = {
|
repository = {
|
||||||
ENABLE_PUSH_CREATE_USER = true;
|
ENABLE_PUSH_CREATE_USER = true;
|
||||||
|
@ -76,6 +82,10 @@ in {
|
||||||
PROVIDER = "db";
|
PROVIDER = "db";
|
||||||
COOKIE_SECURE = true;
|
COOKIE_SECURE = true;
|
||||||
};
|
};
|
||||||
|
storage = {
|
||||||
|
STORAGE_TYPE = "local";
|
||||||
|
PATH = "${dataDir}/data";
|
||||||
|
};
|
||||||
actions = {
|
actions = {
|
||||||
ENABLED = true;
|
ENABLED = true;
|
||||||
DEFAULT_ACTIONS_URL = "https://code.forgejo.org";
|
DEFAULT_ACTIONS_URL = "https://code.forgejo.org";
|
||||||
|
@ -106,7 +116,13 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
systemd.services.forgejo.serviceConfig.BindPaths = [ dataDir ];
|
||||||
|
|
||||||
systemd.tmpfiles.settings."75-forgejo" = {
|
systemd.tmpfiles.settings."75-forgejo" = {
|
||||||
|
${dataDir}.d = {
|
||||||
|
inherit (cfg) user group;
|
||||||
|
mode = "0750";
|
||||||
|
};
|
||||||
"/run/forgejo-dispatch/authorized-keys"."f+" = {
|
"/run/forgejo-dispatch/authorized-keys"."f+" = {
|
||||||
# sshd_config(5): The program must be owned by root, not writable by group or others
|
# sshd_config(5): The program must be owned by root, not writable by group or others
|
||||||
mode = "0755";
|
mode = "0755";
|
||||||
|
|
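Review bot: Nothing in the last hunk ties the unit to the filesystem that holds `dataDir`: `BindPaths = [ dataDir ]` only exposes the path inside the service's sandbox, and the `d` tmpfiles rule creates `/mnt/data/forgejo` wherever that path resolves at the time it runs. If `/mnt/data` is a separate mount (the path suggests so, but the page does not show it), a start without the mount would leave Forgejo initialising an empty repository root and data directory on the underlying filesystem. Adding `systemd.services.forgejo.unitConfig.RequiresMountsFor = [ dataDir ];` next to the `BindPaths` line would make the dependency explicit. Separately, the new `HOME_PATH` line in the `git` hunk spells out `config.services.forgejo.stateDir` although `cfg` is already bound to that attribute set; `cfg.stateDir` would match `SSH_USER = cfg.user`.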