add forgejo to hetzner-arm

2023-09-30 12:37:07 +01:00 · 2023-09-30 12:37:07 +01:00 · 6c3c0ed577
parent 44fa924c02
commit 6c3c0ed577
4 changed files with 154 additions and 0 deletions
--- a/hosts/hetzner-arm/containers/forgejo/default.nix
+++ b/hosts/hetzner-arm/containers/forgejo/default.nix
@ -0,0 +1,71 @@
+{
+  self,
+  hostPath,
+  tree,
+  inputs,
+  pkgs,
+  config,
+  ...
+}: let
+  containerName = "forgejo";
+
+  containerAddresses = import "${hostPath}/data/containerAddresses.nix";
+
+  hostIP = containerAddresses.host;
+  containerIP = containerAddresses.containers.${containerName};
+
+  pathInContainer = path: "/var/lib/nixos-containers/${containerName}" + path;
+in {
+  containers.forgejo = {
+    autoStart = true;
+    privateNetwork = true;
+    hostAddress = hostIP;
+    localAddress = containerIP;
+
+    specialArgs = {
+      inherit inputs;
+      inherit tree;
+      inherit self;
+      inherit hostPath;
+    };
+
+    config = {...}: {
+      nixpkgs.pkgs = pkgs;
+
+      imports = with tree;
+        [
+          presets.nixos.containerBase
+          profiles.sshd
+          profiles.firewallAllow.ssh
+        ]
+        ++ (with hosts.hetzner-arm.containers.forgejo; [
+          profiles.forgejo
+        ]);
+
+      networking.firewall.allowedTCPPorts = [2222];
+
+      home-manager.users.root.home.stateVersion = "23.05";
+      system.stateVersion = "23.05";
+    };
+  };
+
+  networking = {
+    nat.forwardPorts = [
+      {
+        sourcePort = 2222;
+        destination = "${containerIP}\:2222";
+      }
+    ];
+
+    firewall.allowedTCPPorts = [2222];
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."forgejo.owo.monster" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".proxyPass = "http://unix:${pathInContainer "/var/sockets/forgejo.sock"}";
+    };
+  };
+}
--- a/hosts/hetzner-arm/containers/forgejo/profiles/forgejo.nix
+++ b/hosts/hetzner-arm/containers/forgejo/profiles/forgejo.nix
@ -0,0 +1,81 @@
+{pkgs, ...}: {
+  services.forgejo = {
+    enable = true;
+    database.type = "sqlite3";
+    lfs.enable = true;
+    settings = {
+      DEFAULT.APP_NAME = "chaos's Forgejo";
+      server = rec {
+        DOMAIN = "forgejo.owo.monster";
+        ROOT_URL = "https://${DOMAIN}";
+        # Can't access /run out of container
+        HTTP_ADDR = "/var/sockets/forgejo.sock";
+        PROTOCOL = "http+unix";
+        START_SSH_SERVER = true;
+        SSH_PORT = 2222;
+        SSH_LISTEN_PORT = SSH_PORT;
+        OFFLINE_MODE = true;
+        ENABLE_GZIP = true;
+      };
+      repository = {
+        DISABLED_REPO_UNITS = "repo.ext_issues,repo.pulls,repo.wiki,repo.ext_wiki,repo.projects,repo.packages";
+        DEFAULT_REPO_UNITS = "repo.code,repo.releases,repo.issues,repo.actions";
+      };
+      ui = {
+        DEFAULT_THEME = "forgejo-dark";
+      };
+      "ui.meta" = {
+        AUTHOR = "chaos's Forgejo";
+        DESCRIPTION = "chaos's personal Forgejo instance";
+        KEYWORDS = "";
+      };
+      indexer = {
+        REPO_INDEXER_ENABLED = true;
+      };
+      security = {
+        #INSTALL_LOCK = false;
+      };
+      service = {
+        DISABLE_REGISTRATION = true;
+      };
+      "ssh.minimum_key_sizes" = {
+        ECDSA = -1;
+        RSA = -1;
+        DSA = -1;
+      };
+      session = {
+        PROVIDER = "db";
+      };
+      oauth = {
+        ENABLE = false;
+      };
+      time = {
+        DEFAULT_UI_LOCATION = "Europe/London";
+      };
+      packages = {
+        ENABLE = false;
+      };
+    };
+
+    dump = {
+      enable = true;
+      interval = "hourly";
+      file = "forgejo-dump";
+      type = "tar.zst";
+    };
+  };
+
+  environment.systemPackages = [
+    (pkgs.writeShellScriptBin "forgejo" ''
+      sudo -u forgejo ${pkgs.forgejo}/bin/gitea -w /var/lib/forgejo "$@"
+    '')
+  ];
+
+  systemd.services.forgejo.serviceConfig.ReadWritePaths = [
+    "/var/sockets"
+  ];
+
+  systemd.tmpfiles.rules = [
+    "d /var/sockets - forgejo forgejo"
+  ];
+}
--- a/hosts/hetzner-arm/data/containerAddresses.nix
+++ b/hosts/hetzner-arm/data/containerAddresses.nix
@ -5,5 +5,6 @@
    social = "192.168.100.12";
    music = "192.168.100.13";
    quassel = "192.168.100.14";
+    forgejo = "192.168.100.15";
  };
 }
--- a/hosts/hetzner-arm/hetzner-arm.nix
+++ b/hosts/hetzner-arm/hetzner-arm.nix
@ -27,6 +27,7 @@ in {
      "piped-db"
      "piped-fi"
      "mail"
+      "forgejo"
    ] (name: ./containers + "/${name}"))
    ++ (with hosts.hetzner-arm.profiles; [
      gitlabStaticSites