services: forgejo: move to other host with dedicated data directory

Signed-off-by: Christoph Heiss <christoph@c8h4.io>
2024-08-24 13:23:40 +02:00 · 2024-08-24 13:23:40 +02:00 · 30d55d5792
parent 7abca790ca
commit 30d55d5792
6 changed files with 44 additions and 28 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -18,14 +18,14 @@ creation_rules:
          - *christoph_maui
          - *machine_tank
          - *machine_fort
-  - path_regex: secrets/sops/(forgejo|grafana|home-assistant|navidrome|tank)\.yaml
+  - path_regex: secrets/sops/(grafana|home-assistant|navidrome|tank)\.yaml
    key_groups:
      - age:
          - *christoph_trek
          - *christoph_zero
          - *christoph_maui
          - *machine_tank
-  - path_regex: secrets/sops/(alertmanager|fort|matrix-hookshot|vaultwarden|vikunja|wireguard|yarr)\.yaml
+  - path_regex: secrets/sops/(alertmanager|forgejo|fort|matrix-hookshot|vaultwarden|vikunja|wireguard|yarr)\.yaml
    key_groups:
      - age:
          - *christoph_trek
--- a/machines/fort.nix
+++ b/machines/fort.nix
@ -20,6 +20,7 @@ in {
    ../services/alertmanager.nix
    ../services/conduit.nix
    ../services/fail2ban.nix
+    ../services/forgejo.nix
    ../services/matrix-hookshot.nix
    ../services/nginx.nix
    ../services/node-exporter.nix
--- a/machines/tank.nix
+++ b/machines/tank.nix
@ -3,7 +3,6 @@
 {
  imports = [
    ../secrets/machines/tank.nix
-    ../services/forgejo.nix
    ../services/grafana.nix
    ../services/home-assistant.nix
    ../services/navidrome.nix
--- a/secrets/machines/fort.nix
+++ b/secrets/machines/fort.nix
--- a/secrets/sops/forgejo.yaml
+++ b/secrets/sops/forgejo.yaml
@ -11,41 +11,41 @@ sops:
        - recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4b2hoYmJ1VElMbHdCUDh0
-            WE9vWTJrRExYdXZYSXlxSnhZU2RQTVdLbkg4CjRxOXRIZVM4bGNWZWltYlFrREkv
-            aDBiNE1GNmdEUWM0djdjREE4Z1U4YUEKLS0tIHhFUS9VTTQzVnZsYXRmdkNNcGE0
-            R1B3M2RkZUVMOGxLeVBOOEdoY0ZiU0kK6IZfCAYJ+aC2lpuva8SsMQwmuo30q0Ht
-            jXomy+097+ecDYE7jqU6b6MTofskwJxI5tRlz5bdwqrEzyXDdTKsEg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBibWZidXJUOGlYajhGWjQ2
+            K1JsdVNpTFJ1a0plVzNRMVJuS1NnclBkVUVvCnp2Y2JNWERpWklCY3V6VGd2c3hp
+            QjhXVzd6c1NCM1dmcXk1Mk9ld2xtSm8KLS0tIHh1N3ViK01uSGtoZEZPQlBWM090
+            b21MOXUvVW56VjM4dWZGQzlReG1SVzQKasO8oKBNlQa1vKOBUhZ81JyTYwEWjbrD
+            Nx2ed8f6r7a/vl3vAtyIi3vZrKIfCije/hGgSbqch8suJ2vgswZbog==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBINEgyUnlVNHVNVWEyYmww
-            TXFiRmdwYVpwY21hUU9JL0NPdXlnaEtIdHhzCmRzTXJCcDYzaEN0NWFIMUtQakEw
-            L2VvUnlNZEhGNzVEUTVSLzRzRE9xNzQKLS0tIFAwbVZQWVgrSXZNMXFiYWNacmNz
-            S0dQU1Uxcm83WDVYRXVxVVZTK1NDTDAKUFMD8+2DT5e0QTqW2oJjlZ4imyfWQpcT
-            EGycdAu6ZZ1IFfalwKChc7Q/w1IL7SoJXgfCTZ0f57GW0V4jFgG2XQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCS3ZqRkh5V3MvSUJqdG9s
+            ZWFtTmx3UkZWbGxLVk5VdHRJeExMaC90MW5BCkdUVnJOR1dyM0NXMG1oQVJ4K3F6
+            WUZJMFRlb1k0c1dBWVptS29jbWR6VW8KLS0tIFBqYUJXZGl5c095eDVWMGlZTm1X
+            STBxTFRHYWJubWk4NkYyWnVoNWg2aXMKiFRrdJylS8X+epTb2Qb0xhORC8LLciA5
+            B3+yUZ058I5vL/qhTreeSoFEGkFPSM1SdYkCjhDM+ksVIBYODm6IFg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1ul99nmekam6rs9fpjka32aaxmnjq0p3a8x8drzxwtxa4g2u23anq6p2g6s
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMKy92ckozL0FNVWJLSTZS
-            ZnZoOEVwdVphNVlQY0lLMkRuS2J0a2t5OVRvCmJIcUpEZmZxWEhObUtDY3dWNVJQ
-            dGtkOHBMdGtxcHJqSWVmOHh1cEdoQTQKLS0tIGtCRzZuMVRNU0JKdlRucUlqcjRx
-            UlRDaURJSUhFV3NaUUhabFZLZEpyZWMKj79j1LxihAnJqIye+CY7zkLv6xWmbeVN
-            V5XZwW+LxenPElnxdfiL/+4nlU1Mw9pccVhdDMWqYRVulqRqRIEsHA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBob3pkdW80TU1KVUVTOUpw
+            Um8rQ0R1T2Jxb0h4SmxhYVg2WVN5WUpuQ2kwCmQ1c01RRklhUksyRXVaLzlWQ1N4
+            L0hqZXBLM2UyWFgvc0w5dUd2STU0NlkKLS0tIHd4OUQ4UFpJRzg5RTMxbjFRb3Nx
+            S3pCdzVGRFlQUG4zY0g1TTFoZk0rOTgKxD34waFXjR0jlMXSu8pVVAxDYrutoKTE
+            JUBLyrrz9HWv49B4E+RzIW4Wf3YPaaC29SXRWLWvDqKMrM2nnYAwdQ==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh
+        - recipient: age1h96sm0j0k5kjmuf857xurtq7rwk5fhptenjdlkgmadtrz4lm95rqm6ctm2
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTN0FRK0cyK1h4SFFuT2RI
-            aEgwVjlPUUxzeWFTa0RDRjN4WGlEalFXYmtBCjJGWkNKaFllNGZNR25IN0VsbDVk
-            ei9kNFozbW1pTDFXMUc4YzhZTnh6Z1UKLS0tIEtkdnUyd29wYnZWUy9udVViNmpt
-            RkdUVDRzMm92SEtrZXUvTldvVDBQN3cKCBuF/ayOc3gBveS0HaWYVG9fRHK0EtE0
-            DF6vEy9eLhRzX2FeYHw4WHNv3nbcWLgXU/IXdkVbevenxosFPIjHKA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4S0MvUjFoQ3h0cjUzQkk2
+            alA4R2ZHOTVidU5iYWJWK21zU3dBVWZZNXpBCnBYRUpiL0pJZnFNQzJXZGtWQmYy
+            SXc2YzdLTGx3a1ZrSWxNNUJsYnh2dzQKLS0tIG0rMGZPUEY2YTBWSTBBZGk3bzNj
+            YVMzY2xiY1FBcHZicjBrKzlUZ2FyOEUKlMvpN5grIvL9/Lwf57V96jeZjOf9SJeA
+            hxHUQDqiS5R5nUP5FRWEss8rUKCzuzVP3WqEIiYePZY7tZHvcemvWg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-16T22:49:11Z"
-    mac: ENC[AES256_GCM,data:3lg60+FRJrkcB4lNeQ97WtQ6AzTbboP9aq8W//pt9Co09gdNVrfDWs8o5eaj6r7ghoGu726dNvHmIdUMrp3jdtQlzjnQyPQn2VUzcR0Vrw9AqRX8RLhGouHyq1YDZyGVXdiv3S/Ju1Z/1+4+LdpyTZUaMwM05Hy2WZi4Bjup73E=,iv:wvpSqL/GZaI/nqZaY9TLMffkXP0GiNpR5JcEVO6yvM4=,tag:TDIRN0FBUx2ekMsDHNLVcw==,type:str]
+    lastmodified: "2024-08-24T11:23:27Z"
+    mac: ENC[AES256_GCM,data:6WMNrzb6fcCnphhQwLV4lXNqtJp6T57jFqK6pbDYrAc5kVz7UjODNc2r0qmsEsQ4FHzjF1bLJkPqGHKdJdefWj7MHYu3ygxYiBPIoy3SwS1A8uqbywIxLFJzuoIaZ0t5Rtt4hni5eK4DKKzWyqgtgUD1WjPFiPH7unlAyowiQYM=,iv:m7pXlPv0tpoQY1OOy9jZuMXI/IpQHa1WCBWJtGO7zbU=,tag:AD3pBAa2LcI2HZkDFmCBjg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.0
--- a/services/forgejo.nix
+++ b/services/forgejo.nix
@ -3,6 +3,7 @@
 let
  cfg = config.services.forgejo;
  fqdn = "git.${my.domain}";
+  dataDir = "/mnt/data/forgejo";
 in {
  sops.secrets."forgejo/mail/host" = {
    sopsFile = ../secrets/sops/forgejo.yaml;
@ -18,6 +19,7 @@ in {
    user = "git";
    group = "git";
    lfs.enable = true;
+    repositoryRoot = "${dataDir}/repositories";
    database = {
      type = "sqlite3";
      createDatabase = true;
@ -37,7 +39,10 @@ in {
        SCHEDULE = "@every 48h";
        TIMEOUT = "1h";
      };
-      git.GC_ARGS = "--prune=1.week.ago";
+      git = {
+        GC_ARGS = "--prune=1.week.ago";
+        HOME_PATH = "${config.services.forgejo.stateDir}/data/home";
+      };
      cors = {
        ENABLED = true;
        ALLOW_DOMAIN = fqdn;
@ -64,6 +69,7 @@ in {
        HTTP_ADDR = "::1";
        HTTP_PORT = 3110;
        SSH_USER = cfg.user;
+        APP_DATA_PATH = "${dataDir}/data";
      };
      repository = {
        ENABLE_PUSH_CREATE_USER = true;
@ -76,6 +82,10 @@ in {
        PROVIDER = "db";
        COOKIE_SECURE = true;
      };
+      storage = {
+        STORAGE_TYPE = "local";
+        PATH = "${dataDir}/data";
+      };
      actions = {
        ENABLED = true;
        DEFAULT_ACTIONS_URL = "https://code.forgejo.org";
@ -106,7 +116,13 @@ in {
    };
  };

+  systemd.services.forgejo.serviceConfig.BindPaths = [ dataDir ];
+
  systemd.tmpfiles.settings."75-forgejo" = {
+    ${dataDir}.d = {
+      inherit (cfg) user group;
+      mode = "0750";
+    };
    "/run/forgejo-dispatch/authorized-keys"."f+" = {
      # sshd_config(5): The program must be owned by root, not writable by group or others
      mode = "0755";