Add basic forgejo config

README.md

@@ -111,6 +111,7 @@ Most services are served over [tailscale](https://tailscale.com/), using certifi
 
 - [Actual](https://actualbudget.org/) — budgeting tool.
 - [Commafeed](https://github.com/Athou/commafeed) — rss reader
+- [Forgejo](https://forgejo.org/) — git forge
 - [Grafana](https://github.com/grafana/grafana) — pretty dashboards
 - [Homer](https://github.com/bastienwirtz/homer) — server homepage
 - [Intray](https://github.com/NorfairKing/intray) — GTD capture tool.

docs/ports.md

@@ -22,3 +22,4 @@ The idea is to always use consecutive ports, but never go back and try to recycl
 | 8416 | [redlib](../hosts/nixos/lapetus/services/redlib.nix)                        |
 | 8417 | [qbittorrent](../hosts/nixos/lapetus/services/qbittorrent.nix)              |
 | 8418 | [microbin](../hosts/nixos/lapetus/services/microbin.nix)                    |
+| 8419 | [forgejo](../hosts/nixos/lapetus/services/forgejo.nix)                      |

hosts/nixos/common/optional/services/gitea.nix

@@ -1,28 +0,0 @@
-{ lib, ... }: {
-  services.gitea = {
-    enable = true;
-    appName = "pinktea";
-    stateDir = "/persist/state/pinktea";
-    lfs.enable = true;
-
-    dump = {
-      enable = true;
-      type = "tar.gz";
-    };
-
-    # See [the cheatsheet](https://docs.gitea.com/next/administration/config-cheat-sheet)
-    settings = {
-      session.COOKIE_SECURE = false; # TODO: set to true when serving over https
-      repository = {
-        DISABLED_REPO_UNITS = "";
-        DEFAULT_REPO_UNITS = lib.strings.concatStringsSep "," [
-          "repo.code"
-          "repo.releases"
-          "repo.issues"
-          "repo.pulls"
-        ];
-        DISABLE_STARS = true;
-      };
-    };
-  };
-}

hosts/nixos/lapetus/default.nix

@@ -23,6 +23,7 @@
     ./services/jellyfin.nix
     ./services/qbittorrent.nix
     ./services/microbin.nix
+    ./services/forgejo.nix
     # ./services/ddclient.nix
     ./filesystems
     ./hardware

hosts/nixos/lapetus/secrets.example.yaml

@@ -11,3 +11,4 @@ cloudflare_tunnel_credentials: |
 microbin_env: |
     MICROBIN_ADMIN_PASSWORD=...
     MICROBIN_UPLOAD_PASSWORD=...
+forgejo_mail_password: ...

hosts/nixos/lapetus/secrets.yaml

@@ -5,6 +5,7 @@ grafana_discord_webhook: ENC[AES256_GCM,data:y17UjlnfNmtvim9REkop4abcU6BX0P5JnJY
 invidious_hmac_key: ENC[AES256_GCM,data:eN3NNPYUSfPNnVz3aZK7IrnzoBA=,iv:eHEiB/TKL0W6TdWpXADCxEdhhGwUPwOLph2RjwTECh0=,tag:P5m6Uw8JkKVegQ840talPQ==,type:str]
 cloudflare_tunnel_credentials: ENC[AES256_GCM,data:XuXXzhGdxYsF1ik2g7yS2wbaI08/AF60P8CnIhjJlMd+jRk36QovuBRRjkfV8BjOg0K+2b4yNHT/nS/ZSV6eorj4sbczw6D+p7LxrQfeVqqhXWyCjbJwQTTDFU9XB2xUohmmC1PJ1/nwShfn1LocPxgwWQiNpqwhTJroojzqxTHUBzCuAMmcZ7jwvd0SlDpZIszhbTQoLRzedRZpCdoNnWTc,iv:2oBLU3SvNUwJ2OYfCmyKiocUw9zU+yixO+tY/AE9sxc=,tag:T3v+MII+kDzomiAQJ0zUdg==,type:str]
 microbin_env: ENC[AES256_GCM,data:nxiE9GIvEb0xgqomDdMyy2UtG25pt7h+6JUZkAgIejZbJfsKfpIJcG02WJoj07I2VeTtN10Wd8IbrW9QEt64mLzlG7hqJN0Uwq8bjL1j5IaK,iv:pCWmF52MhMfZtdtMsL7wwt+KB33E/UPNtXzkiJ7NOWE=,tag:79e0u2yyRYckivY85hLqpg==,type:str]
+forgejo_mail_password: ENC[AES256_GCM,data:linrpmA8b+8e1+tWNl0=,iv:Mk7suPq0Jt960Zl9s2jj3SSAKt4t8Lv4eKdIo0o8JbE=,tag:TZ0qGJIVSFSUt/0cqamvdw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -29,8 +30,8 @@ sops:
             RHZ6alYrUU5BZ2xlMkdGR1dWRG5aeGMKJdsdtVZ6Mk9Vo3a+tS+rzAgaF2wpH+8U
             lWhA+c0Kbe8EJT8hm7Vr8PqBmElz4V9AnXSCTp7D+Cu4pfWsHopLUQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-10T18:21:41Z"
+    lastmodified: "2024-05-10T22:27:23Z"
-    mac: ENC[AES256_GCM,data:JbRf7sVZLNiIR2vy0+Et7PqpZIvxYa8ZbqLUNNUzjilfIxaRcwRTjbV+IryGOXBve1rJoK9I6Y4dnaQOM/YpddNO2Nxb4PKGcgnQc6v4wrHfHBFZJVo7Teyy6jFfxBYCu0DOqIzBeQg7YLs29PpVoOjxjXDLLFfCK1WAlng+Af8=,iv:2yIV0h3jp/JTPhWjfRLI+Nd8kkIheePIKOf6u59wWiw=,tag:eHswLPB7oDJ98jqnJv2V6g==,type:str]
+    mac: ENC[AES256_GCM,data:pH8KM1JvO6OK1yGNT90kPfd7+zoUnyoTNfWhCXHBERzLmxHuI8VopCGfgxqYtjyBE4yYAIsRpzJBMPKSnazoL9EBWB+uoSE3UNXMgwTBK/Oq+aW1Bj7akOfCiR9U8yzgfqI7ReAtbioOVO3K/RlgCzpNFdfvToKwm7tUFrektB8=,iv:ltMnlbzIQumavl96q76sv9iYf4IgKrLS2yRZQ1xb83o=,tag:1PILpbzUR7LXaiuukrH3bw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1

hosts/nixos/lapetus/services/forgejo.nix

@@ -0,0 +1,52 @@
+{ lib, config, ... }:
+let
+  port = 8419;
+  host = "git.moonythm.dev";
+in
+{
+  sops.secrets.forgejo_mail_password.sopsFile = ../secrets.yaml;
+  satellite.cloudflared.targets.${host}.port = port;
+
+  services.forgejo = {
+    enable = true;
+    appName = "moonforge";
+    stateDir = "/persist/state/var/lib/forgejo";
+    mailerPasswordFile = config.sops.secrets.forgejo_mail_password.path;
+
+    dump = {
+      enable = true;
+      type = "tar.gz";
+    };
+
+    lfs.enable = true;
+
+    # See [the cheatsheet](https://docs.gitea.com/next/administration/config-cheat-sheet)
+    settings = {
+      session.COOKIE_SECURE = true;
+      server = {
+        DOMAIN = host;
+        HTTP_PORT = port;
+        ROOT_URL = "https://${host}";
+        LANDING_PAGE = "prescientmoon"; # Make my profile the landing page
+      };
+
+      cron.ENABLED = true;
+      # service.DISABLE_REGISTRATION = true;
+
+      mailer = {
+        ENABLED = true;
+        SMTP_PORT = 465;
+        SMTP_ADDR = "smtp.migadu.com";
+        USER = "git";
+      };
+
+      repository = {
+        DISABLE_STARS = true;
+        DISABLED_REPO_UNITS = "";
+        DEFAULT_REPO_UNITS = lib.strings.concatStringsSep "," [
+          "repo.code"
+        ];
+      };
+    };
+  };
+}

hosts/nixos/lapetus/services/homer.nix

@@ -63,6 +63,58 @@ in
             ];
           }
           # }}}
+          # {{{ External
+          {
+            name = "External";
+            icon = fa "arrow-up-right-from-square";
+            items = [
+              {
+                name = "Tailscale";
+                subtitle = "Access this homelab from anywhere";
+                logo = icon "tailscale.png";
+                url = "https://tailscale.com/";
+              }
+              {
+                name = "Dotfiles";
+                subtitle = "Configuration for all my machines";
+                logo = icon "github.png";
+                url = "https://github.com/mateiadrielrafael/everything-nix";
+              }
+              {
+                name = "Cloudflare";
+                subtitle = "Domain management";
+                logo = icon "cloudflare.png";
+                url = "https://dash.cloudflare.com/761d3e81b3e42551e33c4b73274ecc82/moonythm.dev/";
+              }
+            ];
+          }
+          # }}}
+          # {{{ Productivity
+          {
+            name = "Productivity";
+            icon = fa "rocket";
+            items = [
+              {
+                name = "Intray";
+                subtitle = "GTD capture tool";
+                icon = fa "inbox";
+                url = "https://intray.moonythm.dev";
+              }
+              {
+                name = "Smos";
+                subtitle = "A comprehensive self-management system.";
+                icon = fa "cubes-stacked";
+                url = "https://smos.moonythm.dev";
+              }
+              {
+                name = "Actual";
+                subtitle = "Budgeting tool";
+                logo = icon "actual.png";
+                url = "https://actual.moonythm.dev";
+              }
+            ];
+          }
+          # }}}
           # {{{ Pillars
           {
             name = "Tooling";
@@ -92,31 +144,11 @@ in
                 logo = icon "microbin.png";
                 url = "https://cal.moonythm.dev";
               }
-            ];
-          }
-          # }}}
-          # {{{ Productivity
               {
-            name = "Productivity";
+                name = "Forgejo";
-            icon = fa "rocket";
+                subtitle = "Git forge";
-            items = [
+                logo = icon "forgejo.svg";
-              {
+                url = "https://git.moonythm.dev";
-                name = "Intray";
-                subtitle = "GTD capture tool";
-                icon = fa "inbox";
-                url = "https://intray.moonythm.dev";
-              }
-              {
-                name = "Smos";
-                subtitle = "A comprehensive self-management system.";
-                icon = fa "cubes-stacked";
-                url = "https://smos.moonythm.dev";
-              }
-              {
-                name = "Actual";
-                subtitle = "Budgeting tool";
-                logo = icon "actual.png";
-                url = "https://actual.moonythm.dev";
               }
             ];
           }
@@ -165,32 +197,6 @@ in
             ];
           }
           # }}}
-          # {{{ External
-          {
-            name = "External";
-            icon = fa "arrow-up-right-from-square";
-            items = [
-              {
-                name = "Tailscale";
-                subtitle = "Access this homelab from anywhere";
-                logo = icon "tailscale.png";
-                url = "https://tailscale.com/";
-              }
-              {
-                name = "Dotfiles";
-                subtitle = "Configuration for all my machines";
-                logo = icon "github.png";
-                url = "https://github.com/mateiadrielrafael/everything-nix";
-              }
-              {
-                name = "Cloudflare";
-                subtitle = "Domain management";
-                logo = icon "cloudflare.png";
-                url = "https://dash.cloudflare.com/761d3e81b3e42551e33c4b73274ecc82/moonythm.dev/";
-              }
-            ];
-          }
-          # }}}
         ];
       };
     });

hosts/nixos/lapetus/services/microbin.nix

@@ -7,9 +7,7 @@ in
   imports = [ ./cloudflared.nix ];
 
   sops.secrets.microbin_env.sopsFile = ../secrets.yaml;
-
+  satellite.cloudflared.targets.${host}.port = port;
-  services.cloudflared.tunnels =
-    config.satellite.cloudflared.proxy host;
 
   services.microbin = {
     enable = true;

hosts/nixos/tethys/default.nix

@@ -16,6 +16,7 @@
     ./hardware
     ./boot.nix
     ./services/syncthing.nix
+    ./services/forgejo.nix
   ];
   # }}}
 

modules/nixos/cloudflared.nix

@@ -5,18 +5,33 @@ in
   options.satellite.cloudflared = {
     tunnel = lib.mkOption {
       type = lib.types.string;
-      description = "Cloudflare tunnel id to use for the `satellite.cloudflared.proxy` helper";
+      description = "Cloudflare tunnel id to use for the `satellite.cloudflared.targets` helper";
     };
 
-    proxy = lib.mkOption {
+    targets = lib.mkOption {
-      type = lib.types.functionTo lib.types.anything;
+      description = "List of hosts to set up ingress rules for";
-      description = "Helper function for generating a quick proxy config";
+      default = { };
+      type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
+        options = {
+          port = lib.mkOption {
+            type = lib.types.port;
+            description = "Localhost port to point the tunnel at";
+          };
+
+          host = lib.mkOption {
+            default = name;
+            type = lib.types.string;
+            description = "Host to direct traffic from";
+          };
+        };
+      }));
     };
   };
 
-  config.satellite.cloudflared.proxy = from: {
+  config.services.cloudflared.tunnels.${cfg.tunnel}.ingress = lib.attrsets.mapAttrs'
-    ${cfg.tunnel} = {
+    (_: { port, host }: {
-      ingress.${from} = "http://localhost:8418";
+      name = host;
-    };
+      value = "http://localhost:${toString port}";
-  };
+    })
+    cfg.targets;
 }

scripts/dns/dns.txt

@@ -13,7 +13,9 @@ actual             IN CNAME  lapetus
 api.intray         IN CNAME  lapetus
 api.smos           IN CNAME  lapetus
 cal                IN CNAME  lapetus
+diptime            IN CNAME  lapetus
 docs.smos          IN CNAME  lapetus
+git                IN CNAME  lapetus
 grafana            IN CNAME  lapetus
 intray             IN CNAME  lapetus
 irc                IN CNAME  lapetus
@@ -28,7 +30,6 @@ search             IN CNAME  lapetus
 smos               IN CNAME  lapetus
 warden             IN CNAME  lapetus
 yt                 IN CNAME  lapetus
-diptime            IN CNAME  lapetus
 *.irc              IN CNAME  irc
 
 ; Tunnel used by lapetus