From c2f5e22bc636e89d8da423a92787b96cc4752d37 Mon Sep 17 00:00:00 2001
From: Paul-Henri Froidmont
Date: Tue, 4 Mar 2025 05:20:49 +0100
Subject: [PATCH] Add Forgejo
---
 .envrc | 2 +-
 modules/default.nix | 1 +
 modules/forgejo.nix | 68 ++++++++++++++++++++++++++++++++++++++++++
 modules/postgresql.nix | 11 +++++++
 profiles/hel.nix | 3 ++
 secrets.enc.yml | 10 ++++---
 terraform/dns.tf | 8 +++++
 7 files changed, 98 insertions(+), 5 deletions(-)
 create mode 100644 modules/forgejo.nix
diff --git a/.envrc b/.envrc
index 9eed314..91ff861 100644
--- a/.envrc
+++ b/.envrc
@@ -1,3 +1,3 @@
 use flake
-export TF_HTTP_PASSWORD=`sops -d --extract '["gitlab"]["password"]' secrets.enc.yml`
\ No newline at end of file
+export TF_HTTP_PASSWORD=`sops -d --extract '["gitlab"]["token"]' secrets.enc.yml`
diff --git a/modules/default.nix b/modules/default.nix
index 8c7a92d..0f7b98b 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -23,5 +23,6 @@
 ./postgresql.nix
 ./foundryvtt.nix
 ./immich.nix
+ ./forgejo.nix
 ];
 }
diff --git a/modules/forgejo.nix b/modules/forgejo.nix
new file mode 100644
index 0000000..3391c1c
--- /dev/null
+++ b/modules/forgejo.nix
@@ -0,0 +1,68 @@
+{ config, lib, ... }:
+with lib;
+let
+ cfg = config.custom.services.forgejo;
+ domain = "forge.froidmont.org";
+in
+{
+ options.custom.services.forgejo = {
+ enable = mkEnableOption "forgejo";
+ };
+
+ config = mkIf cfg.enable {
+ sops.secrets = {
+ forgejoDbPassword = {
+ owner = config.users.users.forgejo.name;
+ key = "forgejo/db_password";
+ restartUnits = [ "forgejo.service" ];
+ };
+ };
+
+ services.forgejo = {
+ enable = true;
+ stateDir = "/nix/var/data/forgejo";
+ database = {
+ createDatabase = false;
+ type = "postgres";
+ host = "127.0.0.1";
+ name = "forgejo";
+ user = "forgejo";
+ passwordFile = config.sops.secrets.forgejoDbPassword.path;
+ };
+ settings = {
+ server = {
+ PROTOCOL = "http+unix";
+ DOMAIN = domain;
+ ROOT_URL = "https://${domain}/";
+ };
+ session = {
+ COOKIE_SECURE = true;
+ };
+ DEFAULT = {
+ RUN_MODE = "prod";
+ };
+ mailer = {
+ ENABLED = true;
+ PROTOCOL = "sendmail";
+ FROM = "noreply@froidmont.org";
+ SENDMAIL_PATH = "/run/wrappers/bin/sendmail";
+ SENDMAIL_ARGS = "--";
+ };
+ service = {
+ DISABLE_REGISTRATION = true;
+ };
+ };
+ };
+
+ services.nginx.virtualHosts.${domain} = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}";
+ extraConfig = ''
+ client_max_body_size 512M;
+ '';
+ };
+ };
+ };
+}
diff --git a/modules/postgresql.nix b/modules/postgresql.nix
index 9d0d302..af41fff 100644
--- a/modules/postgresql.nix
+++ b/modules/postgresql.nix
@@ -23,6 +23,7 @@ in
 root_as_others root nextcloud
 root_as_others root roundcube
 root_as_others root immich
+ root_as_others root forgejo
 '';
 authentication = ''
 local all postgres peer
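Review bot: `proxyPass` in the nginx block reads `config.services.forgejo.settings.server.HTTP_ADDR`, but nothing in this file sets it, so the socket path comes entirely from the upstream module's default for `PROTOCOL = "http+unix"`; a comment such as `# HTTP_ADDR is left to the NixOS module default (unix socket path for http+unix)` would make that dependency visible to the next reader. The database block reaches PostgreSQL over TCP at `127.0.0.1` with the sops-managed password; the host rules in `authentication` are outside this commit (only `local all postgres peer` is visible), so confirm the loopback rule for the `forgejo` role is password-based rather than `trust`, or switch to the local socket with peer auth and drop the password entirely. `domain` is the only host-specific value in the module yet it lives in the `let`; exposing it as `options.custom.services.forgejo.domain` next to `enable` would match how the module is otherwise parameterised.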
@@ -52,6 +53,11 @@ in
 key = "immich/db_password";
 restartUnits = [ "postgresql-setup.service" ];
 };
+ forgejoDbPasswordPg = {
+ owner = config.services.postgresql.superUser;
+ key = "forgejo/db_password";
+ restartUnits = [ "postgresql-setup.service" ];
+ };
 };
 systemd.services.postgresql-setup =
@@ -76,16 +82,19 @@ in
 PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "nextcloud"'
 PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "roundcube"'
 PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'immich'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "immich"'
+ PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'forgejo'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "forgejo"'
 PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "synapse" OWNER "synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"'
 PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "nextcloud" OWNER "nextcloud"'
 PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "roundcube" OWNER "roundcube"'
 PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'immich'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "immich" OWNER "immich"'
+ PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'forgejo'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "forgejo" OWNER "forgejo"'
 PSQL -tAc "ALTER ROLE synapse LOGIN"
 PSQL -tAc "ALTER ROLE nextcloud LOGIN"
 PSQL -tAc "ALTER ROLE roundcube LOGIN"
 PSQL -tAc "ALTER ROLE immich LOGIN"
+ PSQL -tAc "ALTER ROLE forgejo LOGIN"
 synapse_password="$(<'${config.sops.secrets.synapseDbPasswordPg.path}')"
 PSQL -tAc "ALTER ROLE synapse WITH PASSWORD '$synapse_password'"
@@ -95,6 +104,8 @@ in
 PSQL -tAc "ALTER ROLE roundcube WITH PASSWORD '$roundcube_password'"
 immich_password="$(<'${config.sops.secrets.immichDbPasswordPg.path}')"
 PSQL -tAc "ALTER ROLE immich WITH PASSWORD '$immich_password'"
+ forgejo_password="$(<'${config.sops.secrets.forgejoDbPasswordPg.path}')"
+ PSQL -tAc "ALTER ROLE forgejo WITH PASSWORD '$forgejo_password'"
 '';
 serviceConfig = {
diff --git a/profiles/hel.nix b/profiles/hel.nix
index 8209204..8ba739b 100644
--- a/profiles/hel.nix
+++ b/profiles/hel.nix
@@ -229,6 +229,7 @@
 grafana.enable = true;
 monitoring-exporters.enable = true;
 immich.enable = true;
+ forgejo.enable = true;
 backup-job = {
 enable = true;
@@ -257,6 +258,8 @@
 ${config.services.postgresql.package}/bin/pg_dump -U synapse synapse > /nix/var/data/postgresql/synapse.dmp
 ${config.services.postgresql.package}/bin/pg_dump -U nextcloud nextcloud > /nix/var/data/postgresql/nextcloud.dmp
 ${config.services.postgresql.package}/bin/pg_dump -U roundcube roundcube > /nix/var/data/postgresql/roundcube.dmp
+ ${config.services.postgresql.package}/bin/pg_dump -U immich immich > /nix/var/data/postgresql/immich.dmp
+ ${config.services.postgresql.package}/bin/pg_dump -U forgejo forgejo > /nix/var/data/postgresql/forgejo.dmp
 ${pkgs.podman}/bin/podman exec stb-mariadb sh -c 'mysqldump -u stb -pstb stb' > /nix/var/data/backup/stb_mariadb.sql
 ${pkgs.systemd}/bin/systemctl stop jellyfin.service
 ${pkgs.systemd}/bin/systemctl stop container@torrents
diff --git a/secrets.enc.yml b/secrets.enc.yml
index e20cda0..1fd28ab 100644
--- a/secrets.enc.yml
+++ b/secrets.enc.yml
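Review bot: The password read from the sops file on the first added line is spliced into the SQL string on the second, so it travels to psql as part of its argument list, where it is readable by other local users for the lifetime of the process, and a value containing `'` would break the statement; the four roles above have the same shape, so this is not new to the commit, but the forgejo lines repeat it. If the `PSQL` helper defined above the hunk forwards its arguments to psql, feeding the statement on stdin keeps the secret out of argv, e.g. `printf "ALTER ROLE forgejo WITH PASSWORD '%s'\n" "$forgejo_password" | PSQL -tA`, with the generated value in secrets.enc.yml kept free of single quotes (or doubled before use). The enclosing `postgresql-setup` script starts and ends outside the hunk.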
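Review bot: The two added `pg_dump` lines redirect straight onto the `.dmp` target, so a failed dump (for instance when the `root_as_others` ident mapping for the role is missing) truncates the previous good dump before the error is seen; writing to a temporary name and renaming on success, `... > /nix/var/data/postgresql/forgejo.dmp.tmp && mv /nix/var/data/postgresql/forgejo.dmp.tmp /nix/var/data/postgresql/forgejo.dmp`, keeps the last good copy (same for immich). Forgejo's repositories live under the `stateDir` set in modules/forgejo.nix rather than in PostgreSQL, so the database dump alone does not make the forge restorable; the backup job's file list is outside the hunk, so confirm that directory is included. The `immich` dump is a fix unrelated to the commit title and may deserve a mention in the message or its own commit.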
@@ -6,7 +6,7 @@ grafana:
 nix:
 cache_secret_key: ENC[AES256_GCM,data:L5HJ6TRpKVJRM0GVc9pztflyHitK1n6l56vyxbkuRbT5ZPjq8qJnUwD7sVrqYdtEUr1VA+q3Tf021u/PjK4He2hAHKEGWwviel5YBl4dZE/pSgzONP2e2NkE5USWxigyivdFfz8Apix+0Rpq,iv:cQcmGijhZmAwW9kCLbeISBYGkXa9w9IZsLDNaKqiOyg=,tag:jIEMfXjjnWNs1yC8d7RHxQ==,type:str]
 gitlab:
- password: ENC[AES256_GCM,data:ellmwJv7zasbAD3hzAkSSJ4Z9qHqmlernG0=,iv:czXgy9wnDHLSrzefL+nKfbPm6DhZwpNARkUxNsBDHzM=,tag:NYXTjgaUAvOOeJlGe5fchQ==,type:str]
+ token: ENC[AES256_GCM,data:zZ77gaLg2/YDc5BmKvO1AzwzY6JM7cBwyCk=,iv:kb6+lyRxnH5KifLG49t3XA5jDAgjQFiYUnE0YyAdla0=,tag:umVKw3x3MPII3IqIUmAmIQ==,type:str]
 runner_registration_config:
 storage1: ENC[AES256_GCM,data:rYaKEZaJEIXTgLCrSGw7IqahrEBrD6cpwf+dB1C1mrUn395PcZ7A/er5765WKTuaFHsOUyZ7Lsj1fDl1bzbr1xnhkPE3/gCJFy7OLg==,iv:WCz4mEJO6BZbeAPhccfoMI3EYh1Kil40AWj6sU1bR9s=,tag:+DqVtAZpt288S7HAoZKcEw==,type:str]
 hel1: ENC[AES256_GCM,data:wP7WidQ+w7V/Dk5eKOg2bO1ZQaTvRMwPK0nadncDZNMsZnU8OcfS3KDDufvZPO33oWd0LfjxqNPikppqOt9T00uO2JoTek8KOzQ75iSwZA==,iv:iEn76embp30/CVyqtOoTNvo0xo8QTZ2hW6wCkwkOM28=,tag:6d/IbI2YnSbZDksfxUlkbw==,type:str]
@@ -23,6 +23,8 @@ roundcube:
 immich:
 db_password: ENC[AES256_GCM,data:hIsMf271x+0jRgTJB4hP1ijEkly55pb5EPmQ2tQ7gsadMv+DiACK84bcIJR+erMcCTdsK5dLe/97+KqM,iv:ls5yQp3pwckCGY5IRuoSF2I/vlf9Fm5w4I26Go8UIjw=,tag:3+Unwrq3VSaEsrEZL0nZ9A==,type:str]
 secrets_file: ENC[AES256_GCM,data:+dP8FSS1i0ZYc1vi2yuGup5ekI5OiswB19dl9BBEErWu4/Oc0lQqBzG8kg+7S78DhnUhW8zJONJm5vhriBVklNZpa0wr2oHs,iv:KYxZ5KtitI1QIRunrFQExj0chRddlSx39rJ5epa50oI=,tag:JJXbPHBQhHH2+yLvoQ5AHg==,type:str]
+forgejo:
+ db_password: ENC[AES256_GCM,data:BF4i0b02LfMdKptyK5yi0iB800Ng6PbPcwjzZNaLUJub51Q1YxIHxBl/6rCnugqZkM/lTwjWp+ZdZiyz,iv:OMgBO8wbpgCicvE/tRvu4xee76ZEuBUYsrbcFG4wQQI=,tag:OgaaEgho6yxnqNi20BUqbQ==,type:str]
 murmur.env: ENC[AES256_GCM,data:bErJrzpPRrBhUeW113qt9xbJWsrxiI8YIibZ3l0=,iv:2dIlmdLKB+nktQ4/O1W3xtfcCRowW9MkxncDiDpZyck=,tag:3UkSGVKV00385iZ66rHOpw==,type:str]
 transmission:
 rpc_config.json: ENC[AES256_GCM,data:2dXn4De3RilQpOOtqjZQILJ7+/t8ipQHLiNuYdbQQRZC4fya0l9MLyGRuqfqeBu1B07VYSDMImV/5BZ+5ygCLk2JjhLn8NzbM3IRWg==,iv:SWqUCobb1+MzISjOTF9BySeAGXHMEbX/27MxIl5tPIE=,tag:4tat0yvkE/4njWYyr/IRfA==,type:str]
@@ -71,8 +73,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2024-12-18T23:35:08Z"
- mac: ENC[AES256_GCM,data:M+pepYwbvH5WVSsrE1KqIsY1pi8ZuCzZ27wi0eMCVAvKLu6f+Sx4JMbYA5xDrSbJky2zaFDmfMRV/ykDAwSAhyrDVT8uneD/WRQuNbCLpnES2CmIdIRt7DuKN7OozcecrpQa/MP/9PnJfPjL2ho6yYXka28PJSCQrm7cX0Ln2O4=,iv:JSmQI/IAd6tw5lDhQbsT+1MdlGaQZ6za0Ri8ZdtUOUo=,tag:QfnUwJN6DpetX9e0qz+Iaw==,type:str]
+ lastmodified: "2025-03-04T03:00:21Z"
+ mac: ENC[AES256_GCM,data:ClmqrdlPZsrLBwEj65LzkypyQNovvZup8ttHiaDoOhU/JUpSC/1ZaPq3WhVjE1HUqrU8WtGrtYySn4uAzOmvocXaVXNYabNd98BLSZZXSqKZxH0D01lJ9KspC9Z1vXwwYzev/YUbV3MoLx5XA642Y9K8x6Xmc+VQXmgRASSRFUM=,iv:10b1zdo5NaYrt5zbl8rk1HnYpzEcwTpLIPuufN8mJP0=,tag:o7lL1yIk8fm7VHJF/XkmmA==,type:str]
 pgp:
 - created_at: "2025-01-17T21:38:02Z"
 enc: |-
@@ -135,4 +137,4 @@ sops:
 -----END PGP MESSAGE-----
 fp: 0f0c4c2f9877cb8a53efadacb90613a2af502673
 unencrypted_suffix: _unencrypted
- version: 3.9.2
+ version: 3.9.4
diff --git a/terraform/dns.tf b/terraform/dns.tf
index 411a8b4..5ff5954 100644
--- a/terraform/dns.tf
+++ b/terraform/dns.tf
@@ -342,6 +342,14 @@ resource "hetznerdns_record" "website_marie_a" {
 ttl = 600
 }
+resource "hetznerdns_record" "forge_a" {
+ zone_id = data.hetznerdns_zone.froidmont_zone.id
+ name = "forge"
+ value = local.hel1_ip
+ type = "A"
+ ttl = 600
+}
+
 resource "hetznerdns_record" "froidmont_cname" {
 zone_id = data.hetznerdns_zone.froidmont_zone.id
 name = "*"
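Review bot: The new `forge_a` record sits directly above the `froidmont_cname` wildcard (`name = "*"`), which would otherwise answer for `forge` as well; whether an explicit A record is needed depends on the wildcard's target, which is outside the hunk, so a one-line comment such as `# explicit A record so forge resolves to hel1 regardless of the wildcard` would document the intent. No AAAA record is added alongside it; if the other hel1 names in this file carry one, `forge` should match so ACME validation and clients reach the host over both address families.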