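# Forgejo git forge, served as git.<domain> behind nginx on the same host.
#
#  - The three app secrets (mail host, mail password, SECRET_KEY) come from
#    sops and restart forgejo.service when they change.
#  - Repositories, LFS objects and app data live under dataDir, which is
#    bind-mounted into the hardened forgejo unit.
#  - A daily `forgejo dump` is written to cfg.dump.backupDir; restic then
#    ships that directory off-host a little later each morning.
{ config, lib, my, pkgs, secrets, ... }:

let
  cfg = config.services.forgejo;
  fqdn = "git.${my.domain}";

  # Bulk storage for repositories and application data. The module's own
  # stateDir (database, custom/, git home) is left at its default.
  dataDir = "/mnt/data/forgejo";

  # All forgejo secrets share one sops file and restart the same unit.
  forgejoSecret = {
    sopsFile = ../secrets/sops/forgejo.yaml;
    restartUnits = [ "forgejo.service" ];
  };
in {
  sops.secrets = lib.genAttrs [
    "forgejo/mail/host"
    "forgejo/mail/password"
    "forgejo/secret-key"
  ] (_: forgejoSecret);

  services.forgejo = {
    enable = true;
    user = "git";
    group = "git";
    lfs.enable = true;
    repositoryRoot = "${dataDir}/repositories";

    database = {
      type = "sqlite3";
      createDatabase = true;
    };

    # Key names follow the upstream cheat sheet; `settings` is freeform, so a
    # misspelled key is written to app.ini and silently ignored.
    # https://forgejo.org/docs/latest/admin/config-cheat-sheet/
    settings = {
      DEFAULT.APP_NAME = fqdn;

      # Users may not delete their own account.
      admin.USER_DISABLED_FEATURES = "deletion";
      api.ENABLE_SWAGGER = false;

      cron = {
        # The [cron] section uses ENABLED, like the per-task sections below;
        # the earlier `ENABLE` spelling was not a recognised key.
        ENABLED = true;
        RUN_AT_START = true;
      };
      "cron.repo_health_check".TIMEOUT = "600s"; # 10 min
      "cron.git_gc_repos" = {
        ENABLED = true;
        RUN_AT_START = true;
        SCHEDULE = "@every 48h";
        TIMEOUT = "1h";
      };
      "cron.delete_old_actions" = {
        ENABLED = true;
        RUN_AT_START = true;
        SCHEDULE = "@every 168h"; # 1 week
        OLDER_THAN = "4380h"; # half a year
      };
      "cron.archive_cleanup" = {
        SCHEDULE = "@every 2h";
        OLDER_THAN = "6h";
      };

      git = {
        GC_ARGS = "--prune=1.week.ago";
        HOME_PATH = "${cfg.stateDir}/data/home";
      };

      cache = {
        ADAPTER = "twoqueue";
        HOST = ''{"size":100, "recent_ratio":0.25, "ghost_ratio":0.5}'';
      };

      cors = {
        ENABLED = true;
        ALLOW_DOMAIN = fqdn;
      };

      # SMTP host and password are injected from the `secrets` block below.
      mailer = {
        ENABLED = true;
        FROM = "noreply@${my.domain}";
        PROTOCOL = "smtps";
        SMTP_PORT = 465;
        USER = "noreply@${my.domain}";
      };

      service = {
        ENABLE_CAPTCHA = false;
        # No HTTP basic auth: API/git-over-HTTPS clients must use tokens.
        ENABLE_BASIC_AUTHENTICATION = false;
        ENABLE_NOTIFY_MAIL = true;
        # Accounts are created by the admin only.
        DISABLE_REGISTRATION = true;
        DEFAULT_ALLOW_CREATE_ORGANIZATION = true;
        VALID_SITE_URL_SCHEMES = "https";
      };

      # Plain HTTP on IPv6 loopback only; TLS is terminated by nginx below,
      # which is why ROOT_URL is https while PROTOCOL is http.
      server = {
        PROTOCOL = "http";
        DOMAIN = fqdn;
        ROOT_URL = "https://${fqdn}";
        HTTP_ADDR = "::1";
        HTTP_PORT = 3110;
        SSH_USER = cfg.user;
        APP_DATA_PATH = "${dataDir}/data";
      };

      repository = {
        ENABLE_PUSH_CREATE_USER = true;
        ENABLE_PUSH_CREATE_ORG = false;
        PREFERRED_LICENSES = "MIT,GPL-3.0,LGPL-3.0";
      };

      # Never show the web installer, even on a fresh database.
      security.INSTALL_LOCK = true;
      indexer.REPO_INDEXER_ENABLED = true;

      session = {
        PROVIDER = "db";
        COOKIE_SECURE = true;
      };

      storage = {
        STORAGE_TYPE = "local";
        PATH = "${dataDir}/data";
      };

      actions = {
        ENABLED = true;
        DEFAULT_ACTIONS_URL = "https://code.forgejo.org";
      };

      # -1 disables a key type entirely: neither RSA nor DSA user keys are
      # accepted, leaving the ed25519/ecdsa defaults.
      "ssh.minimum_key_sizes" = {
        RSA = -1;
        DSA = -1;
      };

      "repository.pull-request".DEFAULT_MERGE_STYLE = "rebase";

      "ui.meta" = {
        AUTHOR = "Christoph Heiss";
        DESCRIPTION = "Christoph Heiss' git forge, powered by Forgejo.";
        KEYWORDS = "git,forge,forgejo,c8h4,christoph,heiss";
      };

      # Do not leak version / render-time details in the page footer.
      other = {
        SHOW_FOOTER_VERSION = false;
        SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
      };
    };

    # Paths to files whose contents the module splices into app.ini at
    # service start, so the values never end up in the Nix store.
    secrets = {
      mailer = {
        SMTP_ADDR = secrets."forgejo/mail/host".path;
        PASSWD = secrets."forgejo/mail/password".path;
      };
      # mkForce: the module provides its own SECRET_KEY entry, which would
      # otherwise conflict with this one. NOTE(review): re-check whether the
      # override is still needed after module updates.
      security.SECRET_KEY = lib.mkForce secrets."forgejo/secret-key".path;
    };

    # Daily dump; must be finished before the restic run at 05:30 (see
    # services.restic.backups.forgejo) -- there is no unit ordering between
    # the two, only the clock.
    dump = {
      enable = true;
      backupDir = "/var/backup/forgejo";
      interval = "04:15";
      type = "tar.zst";
      # Fixed name: without it forgejo includes a timestamp and old dumps
      # would accumulate in backupDir.
      file = "forgejo-dump";
    };
  };

  # The module's unit is sandboxed; dataDir lives outside stateDir and
  # must be mapped in explicitly.
  systemd.services.forgejo.serviceConfig.BindPaths = [ dataDir ];

  systemd.tmpfiles.settings."75-forgejo" = {
    ${dataDir}.d = {
      inherit (cfg) user group;
      mode = "0750";
    };
  };

  services.nginx.virtualHosts.${fqdn} =
    let inherit (cfg.settings.server) HTTP_ADDR HTTP_PORT;
    in {
      forceSSL = true;
      useACMEHost = my.domain;
      kTLS = true;

      locations."/" = {
        # HTTP_ADDR is an IPv6 literal, hence the brackets.
        proxyPass = "http://[${HTTP_ADDR}]:${toString HTTP_PORT}";
        proxyWebsockets = true;
        # Upper bound for pushes and LFS uploads through the proxy.
        extraConfig = ''
          client_max_body_size 256M;
        '';
      };
    };

  # The module only creates a user for its default name ("forgejo"), so the
  # "git" account is defined here. A real shell is required for git-over-SSH.
  users.groups.${cfg.group} = { };
  users.users.${cfg.user} = {
    inherit (cfg) group;
    createHome = false;
    home = cfg.stateDir;
    isSystemUser = true;
    shell = pkgs.bash;
    packages = with pkgs; [ forgejo ];
    extraGroups = [ "restic-backup" ];
  };

  # AllowUsers is a merged list option: this adds the git user to whatever
  # other modules allow, it does not make it the only permitted login.
  services.openssh.settings.AllowUsers = [ cfg.user ];

  services.restic.backups.forgejo = {
    environmentFile = secrets."restic/rest-env".path;
    initialize = true;
    repository =
      "${my.homelab.services.restic.repositoryBase}/${config.networking.hostName}";
    passwordFile = secrets."restic/repo-password".path;
    inherit (cfg) user;
    # Back up the dump directory, not the live sqlite database.
    paths = [ cfg.dump.backupDir ];
    timerConfig.OnCalendar = "*-*-* 5:30:00"; # daily at 05:30, after the 04:15 dump
    backupCleanupCommand = my.mkResticBackupNotificationCmd {
      name = "forgejo";
      inherit pkgs secrets;
    };
  };
}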