Add Forgejo

This commit is contained in:
Paul-Henri Froidmont 2025-03-04 05:20:49 +01:00
parent 69d06e8e71
commit c2f5e22bc6
Signed by: phfroidmont
GPG key ID: BE948AFD7E7873BE
7 changed files with 98 additions and 5 deletions

.envrc

@ -1,3 +1,3 @@
use flake
export TF_HTTP_PASSWORD=`sops -d --extract '["gitlab"]["password"]' secrets.enc.yml`
export TF_HTTP_PASSWORD=`sops -d --extract '["gitlab"]["token"]' secrets.enc.yml`
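Review bot: The new `export TF_HTTP_PASSWORD=\`sops -d ...\`` line hides a failing sops call: `export` returns 0 whatever the substitution did, so a missing key or an unavailable decryption key leaves TF_HTTP_PASSWORD exported as an empty string and terraform fails later with a misleading authentication error. Assigning first and exporting second surfaces the failure where it happens: `TF_HTTP_PASSWORD="$(sops -d --extract '["gitlab"]["token"]' secrets.enc.yml)" || echo "sops: failed to read gitlab token" >&2` followed by `export TF_HTTP_PASSWORD`. The same applied to the removed `password` variant; since this commit touches the line anyway it is a cheap moment to fix it.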


@ -23,5 +23,6 @@
./postgresql.nix
./foundryvtt.nix
./immich.nix
./forgejo.nix
];
}

modules/forgejo.nix Normal file

@ -0,0 +1,68 @@
{ config, lib, ... }:
with lib;
let
cfg = config.custom.services.forgejo;
domain = "forge.froidmont.org";
in
{
options.custom.services.forgejo = {
enable = mkEnableOption "forgejo";
};
config = mkIf cfg.enable {
sops.secrets = {
forgejoDbPassword = {
owner = config.users.users.forgejo.name;
key = "forgejo/db_password";
restartUnits = [ "forgejo.service" ];
};
};
services.forgejo = {
enable = true;
stateDir = "/nix/var/data/forgejo";
database = {
createDatabase = false;
type = "postgres";
host = "127.0.0.1";
name = "forgejo";
user = "forgejo";
passwordFile = config.sops.secrets.forgejoDbPassword.path;
};
settings = {
server = {
PROTOCOL = "http+unix";
DOMAIN = domain;
ROOT_URL = "https://${domain}/";
};
session = {
COOKIE_SECURE = true;
};
DEFAULT = {
RUN_MODE = "prod";
};
mailer = {
ENABLED = true;
PROTOCOL = "sendmail";
FROM = "noreply@froidmont.org";
SENDMAIL_PATH = "/run/wrappers/bin/sendmail";
SENDMAIL_ARGS = "--";
};
service = {
DISABLE_REGISTRATION = true;
};
};
};
services.nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}";
extraConfig = ''
client_max_body_size 512M;
'';
};
};
};
}
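Review bot: The nginx `proxyPass` near the end of the module reads `config.services.forgejo.settings.server.HTTP_ADDR`, which this module never sets; with `PROTOCOL = "http+unix"` it depends on the NixOS forgejo module defaulting HTTP_ADDR to a socket path and on that socket being connectable by the nginx user, neither of which is visible here. Pinning the socket next to PROTOCOL, `HTTP_ADDR = "<socket path, matching the module default>";`, makes the proxy target self-contained and survives a change of the upstream default. The file also lacks a header comment, and `createDatabase = false` together with `passwordFile` means the role and its password are provisioned elsewhere (the postgresql-setup script in postgresql.nix, from a second sops secret with the same `forgejo/db_password` key); a comment on the `database` block stating that coupling, e.g. `# role/password are created by postgresql-setup from sops key forgejo/db_password`, would save the next maintainer a hunt. Finally, since Forgejo sits behind nginx with forceSSL, it is worth confirming that the proxy forwards the client address and scheme headers so that Forgejo's logs and rate limiting see the real client rather than the proxy; the nginx defaults in use are not visible from this hunk.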


@ -23,6 +23,7 @@ in
root_as_others root nextcloud
root_as_others root roundcube
root_as_others root immich
root_as_others root forgejo
'';
authentication = ''
local all postgres peer
@ -52,6 +53,11 @@ in
key = "immich/db_password";
restartUnits = [ "postgresql-setup.service" ];
};
forgejoDbPasswordPg = {
owner = config.services.postgresql.superUser;
key = "forgejo/db_password";
restartUnits = [ "postgresql-setup.service" ];
};
};
systemd.services.postgresql-setup =
@ -76,16 +82,19 @@ in
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "nextcloud"'
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "roundcube"'
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'immich'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "immich"'
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'forgejo'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "forgejo"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "synapse" OWNER "synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "nextcloud" OWNER "nextcloud"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "roundcube" OWNER "roundcube"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'immich'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "immich" OWNER "immich"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'forgejo'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "forgejo" OWNER "forgejo"'
PSQL -tAc "ALTER ROLE synapse LOGIN"
PSQL -tAc "ALTER ROLE nextcloud LOGIN"
PSQL -tAc "ALTER ROLE roundcube LOGIN"
PSQL -tAc "ALTER ROLE immich LOGIN"
PSQL -tAc "ALTER ROLE forgejo LOGIN"
synapse_password="$(<'${config.sops.secrets.synapseDbPasswordPg.path}')"
PSQL -tAc "ALTER ROLE synapse WITH PASSWORD '$synapse_password'"
@ -95,6 +104,8 @@ in
PSQL -tAc "ALTER ROLE roundcube WITH PASSWORD '$roundcube_password'"
immich_password="$(<'${config.sops.secrets.immichDbPasswordPg.path}')"
PSQL -tAc "ALTER ROLE immich WITH PASSWORD '$immich_password'"
forgejo_password="$(<'${config.sops.secrets.forgejoDbPasswordPg.path}')"
PSQL -tAc "ALTER ROLE forgejo WITH PASSWORD '$forgejo_password'"
'';
serviceConfig = {
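Review bot: The new `ALTER ROLE forgejo WITH PASSWORD '$forgejo_password'` line splices the secret into the SQL text without escaping, so a generated password containing a single quote breaks the statement, and because the statement goes through `-c` the password is also visible in the process table for the duration of the psql call; the synapse, nextcloud, roundcube and immich lines above it have the same shape. Passing it as a psql variable fixes the quoting, `PSQL -v pw="$forgejo_password" -tAc "ALTER ROLE forgejo WITH PASSWORD :'pw'"`, and reading the secret inside psql instead (a `\set pw` with a backquoted `cat` of the secret file, then `:'pw'`) keeps it off the command line as well. `PSQL` appears to be a wrapper defined outside the hunk and the script's `set -e`/`pipefail` state is not visible here, so a failed ALTER may currently pass silently; worth checking while touching this.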


@ -229,6 +229,7 @@
grafana.enable = true;
monitoring-exporters.enable = true;
immich.enable = true;
forgejo.enable = true;
backup-job = {
enable = true;
@ -257,6 +258,8 @@
${config.services.postgresql.package}/bin/pg_dump -U synapse synapse > /nix/var/data/postgresql/synapse.dmp
${config.services.postgresql.package}/bin/pg_dump -U nextcloud nextcloud > /nix/var/data/postgresql/nextcloud.dmp
${config.services.postgresql.package}/bin/pg_dump -U roundcube roundcube > /nix/var/data/postgresql/roundcube.dmp
${config.services.postgresql.package}/bin/pg_dump -U immich immich > /nix/var/data/postgresql/immich.dmp
${config.services.postgresql.package}/bin/pg_dump -U forgejo forgejo > /nix/var/data/postgresql/forgejo.dmp
${pkgs.podman}/bin/podman exec stb-mariadb sh -c 'mysqldump -u stb -pstb stb' > /nix/var/data/backup/stb_mariadb.sql
${pkgs.systemd}/bin/systemctl stop jellyfin.service
${pkgs.systemd}/bin/systemctl stop container@torrents
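Review bot: `pg_dump -U forgejo forgejo > /nix/var/data/postgresql/forgejo.dmp` truncates the previous dump before pg_dump has written anything, so a failed or interrupted dump replaces the last good backup with an empty or partial file; the sibling pg_dump lines above have the same shape. Writing to a temporary name and renaming on success, `... > /nix/var/data/postgresql/forgejo.dmp.tmp && mv /nix/var/data/postgresql/forgejo.dmp.tmp /nix/var/data/postgresql/forgejo.dmp`, keeps the last complete dump until a new one exists. Whether the script runs with `set -e`/`pipefail` is not visible from this hunk, so a pg_dump failure may also not abort the job; the dump itself relies on the `root_as_others root forgejo` ident mapping added in postgresql.nix, which is consistent.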


@ -6,7 +6,7 @@ grafana:
nix:
cache_secret_key: ENC[AES256_GCM,data:L5HJ6TRpKVJRM0GVc9pztflyHitK1n6l56vyxbkuRbT5ZPjq8qJnUwD7sVrqYdtEUr1VA+q3Tf021u/PjK4He2hAHKEGWwviel5YBl4dZE/pSgzONP2e2NkE5USWxigyivdFfz8Apix+0Rpq,iv:cQcmGijhZmAwW9kCLbeISBYGkXa9w9IZsLDNaKqiOyg=,tag:jIEMfXjjnWNs1yC8d7RHxQ==,type:str]
gitlab:
password: ENC[AES256_GCM,data:ellmwJv7zasbAD3hzAkSSJ4Z9qHqmlernG0=,iv:czXgy9wnDHLSrzefL+nKfbPm6DhZwpNARkUxNsBDHzM=,tag:NYXTjgaUAvOOeJlGe5fchQ==,type:str]
token: ENC[AES256_GCM,data:zZ77gaLg2/YDc5BmKvO1AzwzY6JM7cBwyCk=,iv:kb6+lyRxnH5KifLG49t3XA5jDAgjQFiYUnE0YyAdla0=,tag:umVKw3x3MPII3IqIUmAmIQ==,type:str]
runner_registration_config:
storage1: ENC[AES256_GCM,data:rYaKEZaJEIXTgLCrSGw7IqahrEBrD6cpwf+dB1C1mrUn395PcZ7A/er5765WKTuaFHsOUyZ7Lsj1fDl1bzbr1xnhkPE3/gCJFy7OLg==,iv:WCz4mEJO6BZbeAPhccfoMI3EYh1Kil40AWj6sU1bR9s=,tag:+DqVtAZpt288S7HAoZKcEw==,type:str]
hel1: ENC[AES256_GCM,data:wP7WidQ+w7V/Dk5eKOg2bO1ZQaTvRMwPK0nadncDZNMsZnU8OcfS3KDDufvZPO33oWd0LfjxqNPikppqOt9T00uO2JoTek8KOzQ75iSwZA==,iv:iEn76embp30/CVyqtOoTNvo0xo8QTZ2hW6wCkwkOM28=,tag:6d/IbI2YnSbZDksfxUlkbw==,type:str]
@ -23,6 +23,8 @@ roundcube:
immich:
db_password: ENC[AES256_GCM,data:hIsMf271x+0jRgTJB4hP1ijEkly55pb5EPmQ2tQ7gsadMv+DiACK84bcIJR+erMcCTdsK5dLe/97+KqM,iv:ls5yQp3pwckCGY5IRuoSF2I/vlf9Fm5w4I26Go8UIjw=,tag:3+Unwrq3VSaEsrEZL0nZ9A==,type:str]
secrets_file: ENC[AES256_GCM,data:+dP8FSS1i0ZYc1vi2yuGup5ekI5OiswB19dl9BBEErWu4/Oc0lQqBzG8kg+7S78DhnUhW8zJONJm5vhriBVklNZpa0wr2oHs,iv:KYxZ5KtitI1QIRunrFQExj0chRddlSx39rJ5epa50oI=,tag:JJXbPHBQhHH2+yLvoQ5AHg==,type:str]
forgejo:
db_password: ENC[AES256_GCM,data:BF4i0b02LfMdKptyK5yi0iB800Ng6PbPcwjzZNaLUJub51Q1YxIHxBl/6rCnugqZkM/lTwjWp+ZdZiyz,iv:OMgBO8wbpgCicvE/tRvu4xee76ZEuBUYsrbcFG4wQQI=,tag:OgaaEgho6yxnqNi20BUqbQ==,type:str]
murmur.env: ENC[AES256_GCM,data:bErJrzpPRrBhUeW113qt9xbJWsrxiI8YIibZ3l0=,iv:2dIlmdLKB+nktQ4/O1W3xtfcCRowW9MkxncDiDpZyck=,tag:3UkSGVKV00385iZ66rHOpw==,type:str]
transmission:
rpc_config.json: ENC[AES256_GCM,data:2dXn4De3RilQpOOtqjZQILJ7+/t8ipQHLiNuYdbQQRZC4fya0l9MLyGRuqfqeBu1B07VYSDMImV/5BZ+5ygCLk2JjhLn8NzbM3IRWg==,iv:SWqUCobb1+MzISjOTF9BySeAGXHMEbX/27MxIl5tPIE=,tag:4tat0yvkE/4njWYyr/IRfA==,type:str]
@ -71,8 +73,8 @@ sops:
azure_kv: []
hc_vault: []
age: []
lastmodified: "2024-12-18T23:35:08Z"
mac: ENC[AES256_GCM,data:M+pepYwbvH5WVSsrE1KqIsY1pi8ZuCzZ27wi0eMCVAvKLu6f+Sx4JMbYA5xDrSbJky2zaFDmfMRV/ykDAwSAhyrDVT8uneD/WRQuNbCLpnES2CmIdIRt7DuKN7OozcecrpQa/MP/9PnJfPjL2ho6yYXka28PJSCQrm7cX0Ln2O4=,iv:JSmQI/IAd6tw5lDhQbsT+1MdlGaQZ6za0Ri8ZdtUOUo=,tag:QfnUwJN6DpetX9e0qz+Iaw==,type:str]
lastmodified: "2025-03-04T03:00:21Z"
mac: ENC[AES256_GCM,data:ClmqrdlPZsrLBwEj65LzkypyQNovvZup8ttHiaDoOhU/JUpSC/1ZaPq3WhVjE1HUqrU8WtGrtYySn4uAzOmvocXaVXNYabNd98BLSZZXSqKZxH0D01lJ9KspC9Z1vXwwYzev/YUbV3MoLx5XA642Y9K8x6Xmc+VQXmgRASSRFUM=,iv:10b1zdo5NaYrt5zbl8rk1HnYpzEcwTpLIPuufN8mJP0=,tag:o7lL1yIk8fm7VHJF/XkmmA==,type:str]
pgp:
- created_at: "2025-01-17T21:38:02Z"
enc: |-
@ -135,4 +137,4 @@ sops:
-----END PGP MESSAGE-----
fp: 0f0c4c2f9877cb8a53efadacb90613a2af502673
unencrypted_suffix: _unencrypted
version: 3.9.2
version: 3.9.4
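Review bot: `gitlab.password` remains in secrets.enc.yml while `.envrc` in this same commit switches to `gitlab.token`, leaving a credential in the encrypted file that nothing visible here reads. If it was a real account password it is better removed, and rotated on the GitLab side, than kept under the file's PGP recipients indefinitely; unreferenced secrets tend to outlive their purpose and their audit trail. The added `forgejo.db_password` entry matches the `forgejo/db_password` key consumed by both `forgejoDbPassword` and `forgejoDbPasswordPg` in the Nix modules, which is consistent.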


@ -342,6 +342,14 @@ resource "hetznerdns_record" "website_marie_a" {
ttl = 600
}
resource "hetznerdns_record" "forge_a" {
zone_id = data.hetznerdns_zone.froidmont_zone.id
name = "forge"
value = local.hel1_ip
type = "A"
ttl = 600
}
resource "hetznerdns_record" "froidmont_cname" {
zone_id = data.hetznerdns_zone.froidmont_zone.id
name = "*"