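# Forgejo host module: the Forgejo service itself, the age-encrypted secrets it
# reads at runtime, an anubis instance proxying to it, and a Prometheus scrape job.
{
  config,
  lib,
  pkgs,
  self',
  self,
  ...
}:
let
  # Final (merged) Forgejo settings, read back below so ROOT_URL follows DOMAIN.
  cfg = config.services.forgejo.settings;
  age = config.age.secrets;

  # Ownership shared by every Forgejo secret file so the service user can read it.
  forgejoSecret = {
    owner = "forgejo";
    group = "forgejo";
  };

  # Shared service data (external URL, HTTP port, anubis port) defined elsewhere in the flake.
  d = self.lib.data.services.git;
in
{
  catppuccin.forgejo.enable = true;
  py.services.forgejo-runner = {
    enable = true;
    tokenFile = age.forgejo-default-runner-token.path;
  };
  services.forgejo = {
    enable = true;
    package = pkgs.forgejo;
    lfs.enable = true;
    database = {
      type = "postgres";
      createDatabase = true;
      passwordFile = age.forgejo-db-pw.path;
    };
    # Secret values are loaded from files at runtime instead of being written
    # into app.ini. mkForce overrides whatever the module would otherwise set for
    # these keys (presumably auto-generated values — confirm against the module).
    secrets = {
      mailer.PASSWD = age.forgejo-mail-pw.path;
      security.SECRET_KEY = lib.mkForce age.forgejo-secret-key.path;
      security.INTERNAL_TOKEN = lib.mkForce age.forgejo-internal-token.path;
      oauth2.JWT_SECRET = lib.mkForce age.forgejo-oauth2-jwt-secret.path;
      server.LFS_JWT_SECRET = lib.mkForce age.forgejo-lfs-jwt-secret.path;
    };
    settings = {
      DEFAULT = {
        APP_NAME = "dishNet Git";
        RUN_MODE = "prod";
      };
      attachment = {
        MAX_SIZE = 200;
      };
      # Empty router logger mode: per-request router log lines are switched off.
      log.LOGGER_ROUTER_MODE = "";
      mailer = {
        ENABLED = true;
        FROM = "dishNet Git <git@pyrox.dev>";
        PROTOCOL = "smtps";
        SMTP_ADDR = "mail.pyrox.dev";
        SMTP_PORT = 465;
        USER = "git@pyrox.dev";
      };
      picture = {
        ENABLE_FEDERATED_AVATAR = true;
      };
      ui = {
        DEFAULT_SHOW_FULL_NAME = true;
        USE_SERVICE_WORKER = true;
        SHOW_USER_EMAIL = false;
      };
      "ui.meta" = {
        AUTHOR = "dish";
        DESCRIPTION = "dishNet Git Services";
      };
      # NOTE(review): no metrics token is set here, so the metrics endpoint is
      # served without authentication; confirm that it is not reachable from
      # outside (the scrape job below only needs 127.0.0.1).
      metrics = {
        ENABLED = true;
      };
      server = {
        DISABLE_SSH = true;
        DOMAIN = d.extUrl;
        HTTP_PORT = d.port;
        ROOT_URL = "https://${cfg.server.DOMAIN}";
        LFS_START_SERVER = true;
        # NOTE(review): HTTP_ADDR is not set here. anubis (below) targets
        # localhost:${d.port}; unless the listen address is restricted elsewhere
        # or the port is firewalled, clients may reach Forgejo without passing
        # through anubis — confirm.
      };
      indexer = {
        # Enable issue indexing
        ISSUE_INDEXER_TYPE = "bleve";
        ISSUE_INDEXER_PATH = "indexers/issues.bleve";
        # Enable repo indexing
        REPO_INDEXER_ENABLED = true;
        REPO_INDEXER_REPO_TYPES = "sources,forks";
        REPO_INDEXER_TYPE = "bleve";
        REPO_INDEXER_PATH = "indexers/repos.bleve";
      };
      session = {
        PROVIDER = "db";
        COOKIE_SECURE = true;
        COOKIE_NAME = "pyrogit-session";
        DOMAIN = d.extUrl;
        # Sessions last for 1 week (values are seconds)
        GC_INTERVAL_TIME = 86400 * 7;
        SESSION_LIFE_TIME = 86400 * 7;
      };
      service = {
        DISABLE_REGISTRATION = true;
        AUTO_WATCH_NEW_REPOS = false;
      };
      security = {
        INSTALL_LOCK = true;
        COOKIE_USERNAME = "pyrogit-user";
        COOKIE_REMEMBER_NAME = "pyrogit-auth";
        MIN_PASSWORD_LENGTH = 10;
        PASSWORD_COMPLEXITY = "lower,upper,digit,spec";
        PASSWORD_HASH_ALGO = "argon2";
        PASSWORD_CHECK_PWN = true;
        ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET = true;
        # Only allow reverse proxies from Tailscale tailnet.
        # Tailscale assigns node addresses from the 100.64.0.0/10 (CGNAT) range;
        # the previous value 10.64.0.0/10 matched no tailnet address, so
        # X-Forwarded-* headers from the proxy would not have been honoured.
        # NOTE(review): this list replaces the default and therefore does not
        # trust 127.0.0.1, which is where anubis (below) proxies from — confirm
        # whether localhost should be included as well.
        REVERSE_PROXY_TRUSTED_PROXIES = "100.64.0.0/10";
      };
      actions = {
        ENABLED = true;
      };
    };
  };
  # Secret declarations are only made when Forgejo is enabled; each entry takes
  # the shared owner/group and points at its encrypted file. The aux-docs and
  # gitgay runner tokens are not consumed in this file (presumably by runner
  # configuration elsewhere — confirm).
  age.secrets = lib.mkIf config.services.forgejo.enable {
    forgejo-db-pw = forgejoSecret // {
      file = ./secrets/forgejo/db-pw.age;
    };
    forgejo-mail-pw = forgejoSecret // {
      file = ./secrets/forgejo/mail-pw.age;
    };
    forgejo-aux-docs-runner-token = forgejoSecret // {
      file = ./secrets/forgejo/aux-docs-runner-token.age;
    };
    forgejo-default-runner-token = forgejoSecret // {
      file = ./secrets/forgejo/default-runner-token.age;
    };
    forgejo-gitgay-runner-token = forgejoSecret // {
      file = ./secrets/forgejo/gitgay-runner-token.age;
    };
    forgejo-internal-token = forgejoSecret // {
      file = ./secrets/forgejo/internal-token.age;
    };
    forgejo-oauth2-jwt-secret = forgejoSecret // {
      file = ./secrets/forgejo/oauth2-jwt-secret.age;
    };
    forgejo-lfs-jwt-secret = forgejoSecret // {
      file = ./secrets/forgejo/lfs-jwt-secret.age;
    };
    forgejo-secret-key = forgejoSecret // {
      file = ./secrets/forgejo/secret-key.age;
    };
  };
  # anubis sits in front of Forgejo: ":port" binds on all interfaces and
  # forwards to Forgejo on localhost using the policy shipped in this flake.
  services.anubis.instances.forgejo = lib.mkIf config.services.forgejo.enable {
    settings = {
      BIND = ":${toString d.anubis}";
      POLICY_FNAME = "${self'.packages.anubis-files}/policies/forgejo.yaml";
      TARGET = "http://localhost:${toString d.port}";
    };
  };
  # Scrape Forgejo's metrics over loopback on the configured HTTP port.
  services.prometheus.scrapeConfigs = lib.mkIf config.services.forgejo.enable [
    {
      job_name = "forgejo";
      static_configs = [
        { targets = [ "127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}" ]; }
      ];
    }
  ];
}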