initial commit, after deletion :)

2026-01-07 06:25:07 +02:00 · 2026-01-07 06:25:07 +02:00 · 9ec37597b3
commit 9ec37597b3
20 changed files with 1006 additions and 0 deletions
--- a/config/devops/actions_runner.nix
+++ b/config/devops/actions_runner.nix
@ -0,0 +1,31 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  sops.secrets."actions_runner/token" = {};
+
+  virtualisation.docker.enable = true;
+
+  sops.secrets."ssh/authorizedKeys/nix-deploy" = {};
+
+  users.users.root.openssh.authorizedKeys.keyFiles = [
+    config.sops.secrets."ssh/authorizedKeys/nix-deploy".path
+  ];
+
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-runner;
+    instances.default = {
+      enable = true;
+      name = "monolith";
+      url = config.services.forgejo.settings.actions.DEFAULT_ACTIONS_URL;
+      tokenFile = config.sops.secrets."actions_runner/token".path;
+      labels = [
+        "debian-latest:docker://debian:latest"
+        "ubuntu-latest:docker://node:current-bullseye"
+        "alpine-latest:docker://node:current-alpine"
+        "nix-latest:docker://nixos/nix:latest"
+      ];
+    };
+  };
+}
--- a/config/devops/default.nix
+++ b/config/devops/default.nix
@ -0,0 +1,6 @@
+{
+  imports = [
+    ./forgejo.nix
+    ./actions_runner.nix
+  ];
+}
--- a/config/devops/forgejo.nix
+++ b/config/devops/forgejo.nix
@ -0,0 +1,128 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  customDomain = config.customOps.domain;
+  mail = "forgejo@${customDomain}";
+  cfg = config.services.forgejo;
+  srv = cfg.settings.server;
+in {
+  sops.secrets = {
+    "forgejo/mail".owner = "forgejo";
+    "forgejo/admin".owner = "forgejo";
+    "mailserver/forgejo".owner = "dovecot2";
+  };
+
+  mailserver.loginAccounts.${mail} = lib.mkIf config.mailserver.enable {
+    hashedPasswordFile = config.sops.secrets."mailserver/forgejo".path;
+    sendOnly = true;
+  };
+
+  services.nginx.virtualHosts.${srv.DOMAIN} = {
+    forceSSL = true;
+    enableACME = true;
+    extraConfig = ''
+      client_max_body_size 512M;
+    '';
+    locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
+  };
+
+  services.forgejo = {
+    enable = true;
+    lfs.enable = true;
+    settings = {
+      DEFAULT = {
+        APP_NAME = "git.${customDomain}";
+        APP_SLOGAN = "the git repositories of ${config.customOps.owner}'s projects";
+        APP_DISPLAY_NAME_FORMAT = "${config.customOps.owner}'s forge | {APP_NAME}";
+      };
+      server = {
+        DOMAIN = "git.${customDomain}";
+        ROOT_URL = "https://${srv.DOMAIN}/";
+        HTTP_PORT = 3000;
+        SSH_PORT = lib.head config.services.openssh.ports;
+        LANDING_PAGE = "/${config.customOps.owner}";
+      };
+      actions = {
+        ENABLED = true;
+        DEFAULT_ACTIONS_URL = "https://${srv.DOMAIN}";
+      };
+      repository = {
+        DISABLE_STARS = true;
+      };
+      ui = {
+        DEFAULT_THEME = "forgejo-auto";
+        THEMES = "forgejo-auto,forgejo-light,forgejo-dark";
+        DEFAULT_SHOW_FULL_NAME = true;
+        PREFERRED_TIMESTAMP_TENSE = "absolute";
+      };
+      "ui.meta" = {
+        AUTHOR = cfg.settings.DEFAULT.APP_NAME;
+        DESCRIPTION = cfg.settings.DEFAULT.APP_SLOGAN;
+      };
+      admin = {
+        DISABLE_REGULAR_ORG_CREATION = true;
+      };
+      security = {
+        INSTALL_LOCK = true;
+        GLOBAL_TWO_FACTOR_REQUIREMENT = "all";
+        PASSWORD_COMPLEXITY = "lower,upper,digit,spec";
+        DISABLE_QUERY_AUTH_TOKEN = true;
+      };
+      service = {
+        DISABLE_REGISTRATION = true;
+        VALID_SITE_URL_SCHEMES = "https";
+      };
+      "service.explore" = {
+        DISABLE_USERS_PAGE = true;
+      };
+      picture = {
+        ENABLE_FEDERATED_AVATAR = true;
+        AVATAR_MAX_FILE_SIZE = 10485760;
+        REPOSITORY_AVATAR_FALLBACK = "random";
+      };
+      federation = {
+        ENABLED = true;
+      };
+      mailer = lib.mkIf config.mailserver.enable {
+        ENABLED = true;
+        SMTP_ADDR = config.mailserver.fqdn;
+        FROM = mail;
+        USER = mail;
+      };
+      i18n = {
+        LANGS =
+          "en-US,zh-CN,zh-HK,zh-TW,da,de-DE,nds,fr-FR"
+          + ",nl-NL,lv-LV,ru-RU,uk-UA,ja-JP,es-ES,pt-BR"
+          + ",pt-PT,pl-PL,bg,it-IT,fi-FI,fil,eo,tr-TR"
+          + ",cs-CZ,sl,sv-SE,ko-KR,el-GR,fa-IR,hu-HU,"
+          + "id-ID,ar";
+        NAMES =
+          "English,简体中文,繁體中文（香港）"
+          + ",繁體中文（台灣）,Dansk,Deutsch,Plattdüütsch"
+          + ",Français,Nederlands,Latviešu,Русский,Українська"
+          + ",日本語,Español,Português do Brasil"
+          + ",Português de Portugal,Polski,Български,Italiano"
+          + ",Suomi,Filipino,Esperanto,Türkçe,Čeština,Slovenščina"
+          + ",Svenska,한국어,Ελληνικά,فارسی,Magyar nyelv"
+          + ",Bahasa Indonesia,العربية";
+      };
+      other = {
+        SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
+      };
+    };
+    secrets = lib.mkIf config.mailserver.enable {
+      mailer.PASSWD = config.sops.secrets."forgejo/mail".path;
+    };
+  };
+
+  systemd.services.forgejo.preStart = let
+    adminCmd = "${lib.getExe cfg.package} admin user";
+    passwd = config.sops.secrets."forgejo/admin".path;
+    user = config.customOps.owner;
+    email = "root@${config.mailserver.fqdn}";
+  in ''
+    ${adminCmd} create --admin --email "${email}" --username ${user} --password "$(tr -d '\n' < ${passwd})" || true
+  '';
+}