1
0
Fork 0
NixOS/hosts/greatyamada/services/forgejo.nix
2025-02-16 17:14:00 +01:00

59 lines
1.6 KiB
Nix

{ pkgs, ... }:
let
forgejoConfigPath = "/var/lib/forgejo/custom/conf";
portDefinitions = import ./_port-definitions.nix;
arrayToSecrets = elements:
builtins.listToAttrs (map (key: {
name = "forgejo/${key}";
value = {
path = "${forgejoConfigPath}/${key}";
owner = "forgejo";
};
}) elements);
in {
services = {
forgejo = {
enable = true;
package = pkgs.forgejo;
database = {
type = "postgres";
port = portDefinitions.postgresql;
passwordFile = "${forgejoConfigPath}/database_password";
};
secrets = {
server.LFS_JWT_SECRET = "${forgejoConfigPath}/lfs_jwt_secret";
security = {
INTERNAL_TOKEN = "${forgejoConfigPath}/internal_token";
SECRET_KEY = "${forgejoConfigPath}/secret_key";
};
oauth2.JWT_SECRET = "${forgejoConfigPath}/oauth2_jwt_secret";
};
settings = {
server = {
DOMAIN = "git.rcia.dev";
ROOT_URL = "https://git.rcia.dev";
HTTP_PORT = portDefinitions.forgejo-http;
DISABLE_SSH = true;
LFS_START_SERVER = true;
};
security = { INSTALL_LOCK = true; };
};
};
nginx.virtualHosts."git.rcia.dev" = {
locations."/" = {
proxyPass = "http://127.0.0.1:${toString portDefinitions.forgejo-http}";
};
useACMEHost = "rcia.dev";
};
};
systemd.services.forgejo.preStart = ''
${pkgs.forgejo}/bin/gitea migrate
'';
sops.secrets = arrayToSecrets [
"database_password"
"internal_token"
"lfs_jwt_secret"
"oauth2_jwt_secret"
"secret_key"
];
}