From 93cf777ce76981ccce23038944cc70c5fc05524b Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Sun, 2 Jun 2024 23:26:07 +0200
Subject: [PATCH] feat(webserver): add forgejo
---
 flake.lock | 17 ++++++++++
 flake.nix | 4 +++
 nix/os/containers/webserver.nix | 40 ++++++++++++++++++++++++
 nix/os/containers/webserver_secrets.yaml | 10 ++++--
 4 files changed, 68 insertions(+), 3 deletions(-)
diff --git a/flake.lock b/flake.lock
index 3fc54a5..25e159b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -769,6 +769,22 @@
 "type": "github"
 }
 },
+ "nixpkgs_forgejo": {
+ "locked": {
+ "lastModified": 1715981093,
+ "narHash": "sha256-jGhHUB5MUF3mWtBG1l+3Lag67y7K9JtI+8ulDBVp8zE=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "08bda672588b2d613f05311bd4f2e6e23065a3fe",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "08bda672588b2d613f05311bd4f2e6e23065a3fe",
+ "type": "github"
+ }
+ },
 "ofi-pass": {
 "flake": false,
 "locked": {
@@ -850,6 +866,7 @@
 "nixpkgs-unstable": "nixpkgs-unstable",
 "nixpkgs-vscodium": "nixpkgs-vscodium",
 "nixpkgs-wayland": "nixpkgs-wayland",
+ "nixpkgs_forgejo": "nixpkgs_forgejo",
 "ofi-pass": "ofi-pass",
 "openvscode-server": "openvscode-server",
 "prs": "prs",
diff --git a/flake.nix b/flake.nix
index 75cd5b0..c1204cb 100644
--- a/flake.nix
+++ b/flake.nix
@@ -116,6 +116,10 @@
 flake = false;
 url = "github:espanso/espanso/db97658d1d80697a635b57801696c594eacf057b";
 };
+
+ # remove when https://github.com/NixOS/nixpkgs/pull/312523 is merged and backported
+ nixpkgs_forgejo.url = "github:NixOS/nixpkgs/08bda672588b2d613f05311bd4f2e6e23065a3fe";
+ # nixpkgs_forgejo.url = "github:steveej-forks/nixpkgs/9c3519ab3beb11b8d997281f8922330f707df419";
 };
 outputs = inputs @ {
diff --git a/nix/os/containers/webserver.nix b/nix/os/containers/webserver.nix
index 4a7de86..1fb6e17 100644
--- a/nix/os/containers/webserver.nix
+++ b/nix/os/containers/webserver.nix
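Review bot: The commented-out `steveej-forks` URL left directly under the live `nixpkgs_forgejo.url` line is dead configuration; if it is meant as a fallback for the case that the upstream commit becomes unreachable, say so in the comment, otherwise drop it. Pinning the temporary input to a full nixpkgs commit hash is the right shape, and the "remove when …" note is useful, but it would be more checkable if it also said what the referenced PR changes, so the removal condition can be verified without looking the PR up.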
@@ -18,12 +18,20 @@ in {
 }: {
 system.stateVersion = "22.05"; # Did you read the comment?
+ disabledModules = [
+ "services/misc/forgejo.nix"
+ ];
+
 imports = [
+ "${repoFlake.inputs.nixpkgs_forgejo}/nixos/modules/services/misc/forgejo.nix"
+
 ../profiles/containers/configuration.nix
 repoFlake.inputs.sops-nix.nixosModules.sops
 ];
+
+ sops.defaultSopsFile = ./webserver_secrets.yaml;
+
 networking.firewall.enable = true;
 networking.firewall.allowedTCPPorts = [
 httpPort
@@ -73,6 +81,12 @@ in {
 reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port}
 '';
 };
+
+ virtualHosts."forgejo.${domain}" = {
+ extraConfig = ''
+ reverse_proxy http://127.0.0.1:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}
+ '';
+ };
 };
 services.hedgedoc = {
@@ -223,6 +237,27 @@ in {
 };
 };
+ sops.secrets.FORGEJO_JWT_SECRET = {};
+ sops.secrets.FORGEJO_INTERNAL_TOKEN = {};
+ sops.secrets.FORGEJO_SECRET_KEY = {};
+
+ services.forgejo = {
+ enable = true;
+ package = repoFlake.inputs.nixpkgs_forgejo.legacyPackages.${pkgs.system}.forgejo;
+ settings = {
+ service.DISABLE_REGISTRATION = true;
+ server.HTTP_ADDR = "127.0.0.1";
+ server.DISABLE_SSH = true;
+ server.ROOT_URL = "https://forgejo.${domain}";
+ server.HTTP_PORT = 3001;
+ };
+ secrets = {
+ oauth2.JWT_SECRET = lib.mkForce config.sops.secrets.FORGEJO_JWT_SECRET.path;
+ security.INTERNAL_TOKEN = lib.mkForce config.sops.secrets.FORGEJO_INTERNAL_TOKEN.path;
+ security.SECRET_KEY = lib.mkForce config.sops.secrets.FORGEJO_SECRET_KEY.path;
+ };
+ };
+
 systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name;
 systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name;
 systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false;
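Review bot: The new `disabledModules` entry and the module path imported from `repoFlake.inputs.nixpkgs_forgejo` carry no comment, so a reader of this file alone cannot tell that they are a temporary pair tied to the pinned input, whose removal condition is recorded only in flake.nix. Suggest a why-comment above `disabledModules`, e.g. `# temporary: forgejo module and package come from the nixpkgs_forgejo input; remove together with that input (see flake.nix)`. The module is evaluated from one nixpkgs revision while the rest of the container uses another, which the pinned `package` further down appears intended to keep consistent, though that is an inference from this patch rather than something the hunk states. The enclosing attribute set begins before this hunk.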
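Review bot: The three `sops.secrets.FORGEJO_*` entries are declared with empty attribute sets, which in sops-nix leaves the decrypted files owned by root with mode 0400, yet their paths are handed to `services.forgejo.secrets`, and as far as I can tell the forgejo module substitutes them into app.ini from a pre-start step that runs as the service user, so the service would fail to read them at start. Give each one an owner, e.g. `sops.secrets.FORGEJO_JWT_SECRET = { owner = config.services.forgejo.user; };` and likewise for `FORGEJO_INTERNAL_TOKEN` and `FORGEJO_SECRET_KEY`; that keeps the files unreadable by any other account while letting the service read them. The `lib.mkForce` wrappers look unnecessary since nothing in this hunk sets those paths twice, though a module outside this view could. Binding `HTTP_ADDR` to loopback, disabling registration and disabling SSH are sensible defaults for a Caddy-fronted instance.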
@@ -259,6 +294,11 @@ in {
 hostPath = "/var/lib/container-volumes/webserver/var-lib-lldap";
 isReadOnly = false;
 };
+
+ "/var/lib/forgejo" = {
+ hostPath = "/var/lib/container-volumes/webserver/var-lib-forgejo";
+ isReadOnly = false;
+ };
 };
 # extraFlags = ["--resolv-conf=bind-host"];
diff --git a/nix/os/containers/webserver_secrets.yaml b/nix/os/containers/webserver_secrets.yaml
index 29bb119..9804f67 100644
--- a/nix/os/containers/webserver_secrets.yaml
+++ b/nix/os/containers/webserver_secrets.yaml
@@ -4,6 +4,10 @@ authelia_jwtSecret: ENC[AES256_GCM,data:CtvhPJDlM8kZDh3MWI6jBEIK5P/Rc0ZY3JfQ/1qn
 lldap_jwtSecret: ENC[AES256_GCM,data:Jd05K5zZZcdFY9P+PM1ycpl4eKr7THXzlEC2gxhfq0kZ0c7NrmqpnxLFyMOoq0oZwFXQ3aE29N+dYYCbWgEs0g==,iv:k9Y4XZcFSUaaOvooMzH1AlHaI/RiZZ0cpSqTU6jzsUU=,tag:EHwIMQ00Z+IrXAKgugMbmQ==,type:str]
 lldap_adminPassword: ENC[AES256_GCM,data:qZviC+/V25iHWS2d5KKrMfCLmmWKAkXoiLW3NJyZWIvMRbFPtfJGv/5e++idcKNLdPHRgvGpdeTpOdZNK7ETSQ==,iv:jX8bzgYVXZfMQ8Qxa7WaUiQFE/mBmQWZ3o000njeEC8=,tag:4Rd3WVGIw1rBLKND4xPbMg==,type:str]
 lldap_environmentFile: ENC[AES256_GCM,data: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,iv:U94CNFxQ8kyIYdH0EyqQIJ3s7QKaLlMa+5coO0dQnto=,tag:KZEizL99W5BtcaXSnYXFhg==,type:str]
+#ENC[AES256_GCM,data:uNqahO8WF6QFNkbPnQq2UDKn/gFt0H56keUb,iv:CDVKC3ER5rsKoMmBi2g5g+F3ZfKc3+Rs8bjxFhgSPZ4=,tag:oGPl6TB/nghGwWvVBLFlGQ==,type:comment]
+FORGEJO_JWT_SECRET: ENC[AES256_GCM,data:nVz9x7+K+rBIZxuQP7o0WNFHUz89eR9cwBjfSAx9/WH5PF+/aWazZOJpVg==,iv:4qpHo143fe/sVhKfYDwxr+YiBZ2q/WWViYSwoxz0i/k=,tag:smSsJsqa6uZKarcoOMUjwQ==,type:str]
+FORGEJO_INTERNAL_TOKEN: ENC[AES256_GCM,data:EIono9HSyvp1nQM0ij3ln3IUXO4moFbRgVddeV0BZBXmZG05jdjZ1SIXo/BxoSmRKnjllR7P00CpajNM5zORldlsBId5oAYL5GZtY3/nmxeXucJidknuow22G7Z8wRJJGBdishbgQhmc,iv:1D93gTUF1+DUR8qLJgML+oUhvSslhxEjGnbBC/PWHXw=,tag:NZB+mwba4TzLcUANZLDRTw==,type:str]
+FORGEJO_SECRET_KEY: ENC[AES256_GCM,data:CewYFZtcXKUD5/oSM0Q32rhw+urdA0eQhdYp8EFHUXxEtL6f5NWK6IOwIlMuEv1/FjtTWlqxWekOZpmxBRzwnw==,iv:qLyVB7Nc+rDbBoO5g82/vPdykwOATHCSDLhvS+fK9PM=,tag:4NMhUvKmrRd6qrcQq3R8wA==,type:str]
 sops:
 kms: []
 gcp_kms: []
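Review bot: The new keys `FORGEJO_JWT_SECRET`, `FORGEJO_INTERNAL_TOKEN` and `FORGEJO_SECRET_KEY` break the naming scheme of the existing entries (`authelia_jwtSecret`, `lldap_jwtSecret`, `lldap_adminPassword`), which use a lowercase service prefix followed by a camelCase name. Consider `forgejo_jwtSecret`, `forgejo_internalToken` and `forgejo_secretKey`, with the matching `sops.secrets.*` names in webserver.nix, so the file stays uniform. This is a point of style only; the encrypted payloads and the refreshed MAC are not something a review can inspect.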
@@ -19,8 +23,8 @@ sops:
 eWdXVHg5MTlQQU9GeElPeUZXUlBlaTgKceDu3tLbQM/DxY0tJYJTPy2Dl/SBYaoc
 KfMZOkc322/NvgWu/3Ke0hV1/eMk8EICwXbSwHhXr5a0+cwPZ9xV4A==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-07-17T11:48:04Z"
- mac: ENC[AES256_GCM,data:Bgmm5+IrFdnTG907cZe0cnSmbWLyNDVYyABFj5eRuGsYCthclRM9WEKktvJg2RVYcND39IEH/FiFR/Hxf5YgrUcU7HKEXKzn7U4AGcREh2tb5EVTELjAJ4e00omNoD1gmFOklRS9AWce1g03AGzfbzM68enpDUkxWWTU2FOPei8=,iv:A9V4EsMAIoEs7j/eWy06Y9RExz+N/PT70TBNSViswKc=,tag:287n8ygaEj/40vh1x2IQig==,type:str]
+ lastmodified: "2024-06-02T20:35:16Z"
+ mac: ENC[AES256_GCM,data:2aE4orgaTz9x9TeZcTavXNGnPJnb1tlTINutT6X7KktOlcCpWfBqjWZ3ggXGXwMYIc7FhwTS7bWrDYC/nuvaiG/TcSyy8bshEdzawyAHXhs22pPE0uiXl+n67jUJvMrVnSPjaw66g5AzyU7MYkgw+FqncLPQDZtSyVH+F2GYINA=,iv:Ou0f9q/T5s3c6UrWHu1QIoze4v/Wi+u1FhiwXyglHog=,tag:ZoDkCDh7fFm7YfnVSO6Zgw==,type:str]
 pgp:
 - created_at: "2023-07-09T17:51:27Z"
 enc: |-
@@ -38,4 +42,4 @@ sops:
 -----END PGP MESSAGE-----
 fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
 unencrypted_suffix: _unencrypted
- version: 3.7.3
+ version: 3.8.1