move forgejo to host

hosts/hetzner-arm/containers/forgejo/default.nix

@@ -1,72 +0,0 @@
-{
-  self,
-  hostPath,
-  tree,
-  inputs,
-  pkgs,
-  config,
-  ...
-}: let
-  containerName = "forgejo";
-
-  containerAddresses = import "${hostPath}/data/containerAddresses.nix";
-
-  hostIP = containerAddresses.host;
-  containerIP = containerAddresses.containers.${containerName};
-
-  pathInContainer = path: "/var/lib/nixos-containers/${containerName}" + path;
-in {
-  containers.forgejo = {
-    autoStart = true;
-    privateNetwork = true;
-    hostAddress = hostIP;
-    localAddress = containerIP;
-
-    specialArgs = {
-      inherit inputs;
-      inherit tree;
-      inherit self;
-      inherit hostPath;
-    };
-
-    config = {...}: {
-      nixpkgs.pkgs = pkgs;
-
-      imports = with tree;
-        [
-          presets.nixos.containerBase
-
-          ./secrets.nix
-        ]
-        ++ (with hosts.hetzner-arm.containers.forgejo.profiles; [
-          forgejo
-          restic
-        ]);
-
-      networking.firewall.allowedTCPPorts = [2222];
-
-      home-manager.users.root.home.stateVersion = "24.05";
-      system.stateVersion = "24.05";
-    };
-  };
-
-  networking = {
-    nat.forwardPorts = [
-      {
-        sourcePort = 2222;
-        destination = "${containerIP}\:2222";
-      }
-    ];
-
-    firewall.allowedTCPPorts = [2222];
-  };
-
-  services.nginx = {
-    enable = true;
-    virtualHosts."forgejo.owo.monster" = {
-      enableACME = true;
-      forceSSL = true;
-      locations."/".proxyPass = "http://unix:${pathInContainer "/var/sockets/forgejo.sock"}";
-    };
-  };
-}

hosts/hetzner-arm/containers/forgejo/profiles/restic.nix

@@ -1,23 +0,0 @@
-{
-  self,
-  config,
-  ...
-}: let
-  backupSchedules = import "${self}/data/backupSchedules.nix";
-  inherit (config.services.secrets) secrets;
-in {
-  services.restic.backups.forgejo = {
-    user = "root";
-    paths = [
-      "/var/lib/forgejo"
-    ];
-
-    repository = "s3:s3.eu-central-003.backblazeb2.com/Chaos-Backups/Restic/Forgejo";
-    passwordFile = "${secrets.restic_password.path}";
-    environmentFile = "${secrets.restic_env.path}";
-    createWrapper = true;
-
-    pruneOpts = ["--keep-last 50"];
-    timerConfig = backupSchedules.restic.high;
-  };
-}

hosts/hetzner-arm/containers/forgejo/secrets.nix

@@ -1,35 +0,0 @@
-{...}: {
-  services.secrets = {
-    enable = true;
-
-    vaultLogin = {
-      enable = true;
-      loginUsername = "hetzner-arm-container-forgejo";
-    };
-
-    requiredVaultPaths = [
-      "api-keys/data/backblaze/Chaos-Backups"
-      "private-public-keys/data/restic/Forgejo"
-    ];
-
-    secrets = {
-      vault_password = {
-        manual = true;
-      };
-
-      restic_password = {
-        fetchScript = ''
-          simple_get "/private-public-keys/restic/Forgejo" .password > "$secretFile"
-        '';
-      };
-      restic_env = {
-        fetchScript = ''
-          cat << EOF > "$secretFile"
-          AWS_ACCESS_KEY_ID=$(simple_get "/api-keys/backblaze/Chaos-Backups" .keyID)
-          AWS_SECRET_ACCESS_KEY=$(simple_get "/api-keys/backblaze/Chaos-Backups" .applicationKey)
-          EOF
-        '';
-      };
-    };
-  };
-}

hosts/hetzner-arm/hetzner-arm.nix

@@ -22,7 +22,6 @@ in {
     ++ (forEach [
       "storage"
       "mail"
-      "forgejo"
       "caldav"
       "jellyfin"
       #"grocy"
@@ -32,6 +31,7 @@ in {
     ++ (with hosts.hetzner-arm.profiles; [
       staticSites
       gotosocial
+      forgejo
       restic
     ]);
 

hosts/hetzner-arm/profiles/forgejo.nix

@@ -11,7 +11,7 @@
         DOMAIN = "forgejo.owo.monster";
         ROOT_URL = "https://${DOMAIN}";
         # Can't access /run out of container
-        HTTP_ADDR = "/var/sockets/forgejo.sock";
+        HTTP_ADDR = "/var/sockets/forgejo/forgejo.sock";
         PROTOCOL = "http+unix";
         START_SSH_SERVER = true;
         SSH_PORT = 2222;
@@ -65,10 +65,20 @@
   ];
 
   systemd.services.forgejo.serviceConfig.ReadWritePaths = [
-    "/var/sockets"
+    "/var/sockets/forgejo"
   ];
 
   systemd.tmpfiles.rules = [
-    "d /var/sockets - forgejo forgejo"
+    "d /var/sockets - root root"
+    "d /var/sockets/forgejo - forgejo forgejo"
   ];
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."forgejo.owo.monster" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".proxyPass = "http://unix:/var/sockets/forgejo/forgejo.sock";
+    };
+  };
 }

hosts/hetzner-arm/profiles/restic.nix

@@ -8,6 +8,8 @@
   inherit (lib.lists) forEach;
   inherit (lib.strings) concatStringsSep;
 
+  inherit (builtins) attrNames;
+
   inherit (config.services.secrets) secrets;
   backupSchedules = import "${self}/data/backupSchedules.nix";
 
@@ -16,9 +18,7 @@ in {
   environment.systemPackages = [
     # TODO: add ones in container too
     (pkgs.writeShellScriptBin "restic-all" ''
-      ${concatStringsSep "\n" (forEach [
-          "social"
-        ] (
+      ${concatStringsSep "\n" (forEach (attrNames config.services.restic.backups) (
         name: "restic-${name} $@"
       ))}
     '')
@@ -69,5 +69,19 @@ in {
         '')
       }/bin/backupCleanupCommand";
     };
+    forgejo = {
+      user = "root";
+      paths = [
+        "/var/lib/forgejo"
+      ];
+
+      repository = "${repoRoot}/Forgejo";
+      environmentFile = secrets.restic_backups_env.path;
+      passwordFile = secrets.restic_password_forgejo.path;
+      createWrapper = true;
+
+      pruneOpts = ["--keep-last 50"];
+      timerConfig = backupSchedules.restic.high;
+    };
   };
 }

hosts/hetzner-arm/secrets.nix

@@ -15,6 +15,8 @@
 
       "private-public-keys/data/restic/Social"
       "api-keys/data/chaos_mail/gotosocial"
+
+      "private-public-keys/data/restic/Forgejo"
     ];
 
     secrets = {
@@ -72,6 +74,12 @@
           echo "GTS_SMTP_PASSWORD=$smtp_password" > "$secretFile"
         '';
       };
+
+      restic_password_forgejo = {
+        fetchScript = ''
+          simple_get "/private-public-keys/restic/Forgejo" .password > "$secretFile"
+        '';
+      };
     };
   };
 }