# NixOS module for the PyroNet Forgejo instance: the service itself, the agenix
# secrets it reads, an Anubis instance in front of it and a Prometheus scrape
# job. Credentials are referenced by secret path only; nothing sensitive is
# written into this file or into the generated app.ini.
{
  config,
  lib,
  pkgs,
  self',
  self,
  ...
}:
let
  # Shorthand for the rendered Forgejo settings; used below so ROOT_URL can
  # refer back to server.DOMAIN.
  cfg = config.services.forgejo.settings;
  # agenix-managed secrets; every Forgejo credential below is a path into this.
  age = config.age.secrets;

  # Common ownership for all Forgejo secrets so only the service user/group
  # can read the decrypted files.
  forgejoSecret = {
    owner = "forgejo";
    group = "forgejo";
  };

  # Per-host data for the git service (external URL and port numbers).
  # NOTE(review): assumes extUrl, port and anubis are all defined there — confirm.
  d = self.lib.data.services.git;
in
{
  catppuccin.forgejo.enable = true;
  # Local Actions runner; its registration token comes from agenix, not inline.
  py.services.forgejo-runner = {
    enable = true;
    tokenFile = age.forgejo-default-runner-token.path;
  };
  services.forgejo = {
    enable = true;
    package = pkgs.forgejo;
    lfs.enable = true;
    database = {
      type = "postgres";
      createDatabase = true;
      passwordFile = age.forgejo-db-pw.path;
    };
    # Secret-valued settings are injected from files at start-up rather than
    # rendered into app.ini; mkForce overrides whatever the upstream module
    # would otherwise generate for these keys.
    secrets = {
      mailer.PASSWD = age.forgejo-mail-pw.path;
      security.SECRET_KEY = lib.mkForce age.forgejo-secret-key.path;
      security.INTERNAL_TOKEN = lib.mkForce age.forgejo-internal-token.path;
      oauth2.JWT_SECRET = lib.mkForce age.forgejo-oauth2-jwt-secret.path;
      server.LFS_JWT_SECRET = lib.mkForce age.forgejo-lfs-jwt-secret.path;
    };
    settings = {
      DEFAULT = {
        APP_NAME = "PyroNet Git";
        RUN_MODE = "prod";
      };
      attachment = {
        # Per-attachment upload limit (Forgejo interprets this in MB).
        MAX_SIZE = 200;
      };
      # An empty mode disables the router logger, so per-request access lines
      # are not written to Forgejo's own log.
      # NOTE(review): with this off, the only request trail is whatever Anubis
      # records in front — confirm that is enough for incident review.
      log."logger.router.MODE" = "";
      mailer = {
        ENABLED = true;
        FROM = "PyroNet Git <git@pyrox.dev>";
        # Implicit TLS on 465; the password is supplied via secrets.mailer.PASSWD.
        PROTOCOL = "smtps";
        SMTP_ADDR = "mail.pyrox.dev";
        SMTP_PORT = 465;
        USER = "git@pyrox.dev";
      };
      picture = {
        ENABLE_FEDERATED_AVATAR = true;
      };
      ui = {
        DEFAULT_SHOW_FULL_NAME = true;
        USE_SERVICE_WORKER = true;
        # Keep user e-mail addresses off public profile pages.
        SHOW_USER_EMAIL = false;
      };
      "ui.meta" = {
        AUTHOR = "dish";
        DESCRIPTION = "PyroNet Git Services";
      };
      metrics = {
        # Serves /metrics for the Prometheus scrape job at the end of this file.
        # NOTE(review): no [metrics] TOKEN is set, so /metrics is readable by
        # anyone who can reach HTTP_PORT — confirm the Anubis policy or a
        # firewall rule keeps it off the public path.
        ENABLED = true;
      };
      server = {
        # SSH transport is off; clone/push only over HTTPS through the proxy chain.
        DISABLE_SSH = true;
        DOMAIN = d.extUrl;
        HTTP_PORT = d.port;
        # Derived from the DOMAIN set just above via the settings fixpoint.
        ROOT_URL = "https://${cfg.server.DOMAIN}";
        LFS_START_SERVER = true;
      };
      # Issue and code search backed by on-disk bleve indexes.
      indexer = {
        # Enable issue indexing
        ISSUE_INDEXER_TYPE = "bleve";
        ISSUE_INDEXER_PATH = "indexers/issues.bleve";
        # Enable repo indexing
        REPO_INDEXER_ENABLED = true;
        REPO_INDEXER_REPO_TYPES = "sources,forks,templates,mirrors";
        REPO_INDEXER_TYPE = "bleve";
        REPO_INDEXER_PATH = "indexers/repos.bleve";
      };
      session = {
        PROVIDER = "db";
        # Never send the session cookie over plain HTTP.
        COOKIE_SECURE = true;
        COOKIE_NAME = "pyrogit-session";
        DOMAIN = d.extUrl;
        # Sessions last for 1 week
        # NOTE(review): GC_INTERVAL_TIME equals the session lifetime, so an
        # expired session row may sit in the DB for up to a further week before
        # cleanup — confirm this is intended.
        GC_INTERVAL_TIME = 86400 * 7;
        SESSION_LIFE_TIME = 86400 * 7;
      };
      service = {
        # Closed instance: accounts are created by an admin, not by self-signup.
        DISABLE_REGISTRATION = true;
        AUTO_WATCH_NEW_REPOS = false;
      };
      security = {
        # The web installer is locked; all configuration comes from this module.
        INSTALL_LOCK = true;
        COOKIE_USERNAME = "pyrogit-user";
        COOKIE_REMEMBER_NAME = "pyrogit-auth";
        MIN_PASSWORD_LENGTH = 10;
        PASSWORD_COMPLEXITY = "lower,upper,digit,spec";
        PASSWORD_HASH_ALGO = "argon2";
        # Reject passwords present in the HaveIBeenPwned corpus (needs outbound
        # HTTPS from the Forgejo host).
        PASSWORD_CHECK_PWN = true;
        # Reject pushes that do not arrive through Forgejo's own hook
        # environment (i.e. direct on-disk pushes that bypass its checks).
        ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET = true;
        # Only allow reverse proxies from Tailscale tailnet
        # NOTE(review): 10.64.0.0/10 is an RFC 1918 sub-range, not the Tailscale
        # CGNAT range (100.64.0.0/10) — the comment and the CIDR disagree. Note
        # also that the Anubis instance below targets http://localhost:<port>,
        # so Forgejo's direct peer is loopback, which this override does not
        # list (upstream trusts loopback by default). Confirm which hop is
        # meant to be trusted before changing either the comment or the value.
        REVERSE_PROXY_TRUSTED_PROXIES = "10.64.0.0/10";
      };
      actions = {
        ENABLED = true;
      };
    };
  };
  # agenix secret declarations, all owned by the forgejo user/group (see
  # forgejoSecret above).
  # NOTE(review): the aux-docs and gitgay runner tokens are not referenced in
  # this file — presumably consumed by runner configs elsewhere; verify they
  # are still needed, since each is a live registration credential.
  age.secrets = lib.mkIf config.services.forgejo.enable {
    forgejo-db-pw = forgejoSecret // {
      file = ./secrets/forgejo/db-pw.age;
    };
    forgejo-mail-pw = forgejoSecret // {
      file = ./secrets/forgejo/mail-pw.age;
    };
    forgejo-aux-docs-runner-token = forgejoSecret // {
      file = ./secrets/forgejo/aux-docs-runner-token.age;
    };
    forgejo-default-runner-token = forgejoSecret // {
      file = ./secrets/forgejo/default-runner-token.age;
    };
    forgejo-gitgay-runner-token = forgejoSecret // {
      file = ./secrets/forgejo/gitgay-runner-token.age;
    };
    forgejo-internal-token = forgejoSecret // {
      file = ./secrets/forgejo/internal-token.age;
    };
    forgejo-oauth2-jwt-secret = forgejoSecret // {
      file = ./secrets/forgejo/oauth2-jwt-secret.age;
    };
    forgejo-lfs-jwt-secret = forgejoSecret // {
      file = ./secrets/forgejo/lfs-jwt-secret.age;
    };
    forgejo-secret-key = forgejoSecret // {
      file = ./secrets/forgejo/secret-key.age;
    };
  };
  # Anubis sits between the edge and Forgejo, applying the forgejo.yaml policy
  # before forwarding to the plain-HTTP Forgejo port on loopback.
  # NOTE(review): ":port" binds on every interface — confirm only the TLS
  # terminator / host firewall can reach it.
  services.anubis.instances.forgejo = lib.mkIf config.services.forgejo.enable {
    settings = {
      BIND = ":${toString d.anubis}";
      POLICY_FNAME = "${self'.packages.anubis-files}/policies/forgejo.yaml";
      TARGET = "http://localhost:${toString d.port}";
    };
  };
  # Scrape Forgejo's /metrics directly on loopback, bypassing Anubis.
  services.prometheus.scrapeConfigs = lib.mkIf config.services.forgejo.enable [
    {
      job_name = "forgejo";
      static_configs = [
        { targets = [ "127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}" ]; }
      ];
    }
  ];
}