Add and configure new Git server using Forgejo

config/hosts/git/configuration.nix

@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+  networking.hostName = "git";
+
+  system.stateVersion = "23.11";
+}

config/hosts/git/default.nix

@@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./configuration.nix
+    ./forgejo.nix
+    ./networking.nix
+    ./nginx.nix
+    ./redis.nix
+  ];
+}

config/hosts/git/forgejo.nix

@@ -0,0 +1,73 @@
+# Sources for this configuration:
+# - https://forgejo.org/
+# - https://forgejo.org/docs/latest/
+# - https://forgejo.org/docs/latest/admin/database-preparation/
+# - https://forgejo.org/docs/latest/admin/config-cheat-sheet/
+# - https://forgejo.org/docs/latest/admin/recommendations/
+# - https://codeberg.org/forgejo/forgejo/src/branch/forgejo/docs/content/administration/reverse-proxies.en-us.md
+# - https://forgejo.org/docs/latest/admin/email-setup/
+
+{ ... }:
+
+{
+  services.forgejo = {
+    enable = true;
+    database.type = "postgres";
+    mailerPasswordFile = "/secrets/forgejo-git-smtp-password.secret";
+
+    settings = {
+      DEFAULT = {
+        APP_NAME = "CCCHH Git";
+      };
+      server = {
+        DOMAIN = "git.hamburg.ccc.de";
+        PROTOCOL = "http";
+        HTTP_ADDR = "127.0.0.1";
+        HTTP_PORT = 3000;
+        ROOT_URL = "https://git.hamburg.ccc.de/";
+        # LOCAL_ROOT_URL is apparently what Forgejo uses to access itself.
+        # Doesn't need to be set.
+      };
+      admin = {
+        DISABLE_REGULAR_ORG_CREATION = false;
+      };
+      session = {
+        COOKIE_SECURE = true;
+      };
+      "ui.meta" = {
+        AUTHOR = "CCCHH Git";
+        DESCRIPTION = "Git instance of the CCCHH.";
+        KEYWORDS = "git,forge,forgejo,ccchh";
+      };
+      service = {
+        ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+        DEFAULT_USER_VISIBILITY = "limited";
+        DEFAULT_KEEP_EMAIL_PRIVATE = true;
+      };
+      mailer = {
+        ENABLED = true;
+        FROM = "no-reply@git.hamburg.ccc.de";
+        PROTOCOL = "smtps";
+        SMTP_ADDR = "cow.hamburg.ccc.de";
+        SMTP_PORT = 465;
+        USER = "no-reply@git.hamburg.ccc.de";
+      };
+      cache = {
+        ENABLED = true;
+        ADAPTER = "redis";
+        HOST = "redis+socket:///run/redis-forgejo/redis.sock";
+      };
+    };
+  };
+
+  deployment.keys = {
+    "forgejo-git-smtp-password.secret" = {
+      keyCommand = [ "pass" "noc/vm-secrets/chaosknoten/git/smtp_password" ];
+      destDir = "/secrets";
+      user = "forgejo";
+      group = "forgejo";
+      permissions = "0640";
+      uploadAt = "pre-activation";
+    };
+  };
+}

config/hosts/git/networking.nix

@@ -0,0 +1,20 @@
+{ ... }:
+
+{
+  networking.interfaces.net0 = {
+    ipv4.addresses = [
+      {
+        address = "212.12.51.136";
+        prefixLength = 28;
+      }
+    ];
+  };
+  networking.defaultGateway = "212.12.51.129";
+  networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
+  networking.search = [ "hamburg.ccc.de" ];
+
+  systemd.network.links."10-net0" = {
+    matchConfig.MACAddress = "92:7B:E6:12:A4:FA";
+    linkConfig.Name = "net0";
+  };
+}

config/hosts/git/nginx.nix

@@ -0,0 +1,41 @@
+# Sources for this configuration:
+# - https://forgejo.org/docs/latest/admin/reverse-proxy/
+
+{ config, pkgs, ... }:
+
+{
+  services.nginx = {
+    enable = true;
+
+    virtualHosts."git.hamburg.ccc.de" = {
+      default = true;
+      forceSSL = true;
+      enableACME = true;
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 80;
+        }
+        {
+          addr = "0.0.0.0";
+          port = 443;
+          ssl = true;
+        }
+      ];
+
+      locations."/" = {
+        proxyPass = "${config.services.forgejo.settings.server.PROTOCOL}://${config.services.forgejo.settings.server.HTTP_ADDR}:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}";
+      };
+
+      # Disallow crawling archives to save disk space.
+      # See: https://forgejo.org/docs/latest/admin/search-engines-indexation/
+      locations."/robots.txt" = {
+        return = "200 \"User-agent: *\\nDisallow: /*/*/archive/\\n\"";
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  networking.firewall.allowedUDPPorts = [ 443 ];
+}

config/hosts/git/redis.nix

@@ -0,0 +1,16 @@
+# Sources for this configuration:
+# - https://github.com/NixOS/nixpkgs/blob/d45794fd254a7da62cc2d3c4f54a1d65e39760d9/nixos/modules/services/web-apps/nextcloud.nix#L1086
+
+{ ... }:
+
+{
+  services.redis.servers.forgejo = {
+    enable = true;
+    user = "forgejo";
+  };
+
+  systemd.services.forgejo = {
+    after = [ "redis-forgejo.service" ];
+    requires = [ "redis-forgejo.service" ];
+  };
+}

flake.nix

@@ -164,6 +164,20 @@
           ./config/hosts/public-web-static
         ];
       };
+
+      git = {
+        deployment = {
+          targetHost = "git.hamburg.ccc.de";
+          targetPort = 22;
+          targetUser = "colmena-deploy";
+          tags = [ "chaosknoten" ];
+        };
+        imports = [
+          ./config/common
+          ./config/proxmox-vm
+          ./config/hosts/git
+        ];
+      };
     };
 
     packages.x86_64-linux = {