nix-infra/config/hosts/git/forgejo.nix
June 88e3da11a6
Introduce sops and sops-nix for secret management
Use the GPG keys of the password-store `noc` directory as the sops admin
keys.
Switch the git hosts secret management from colmena to sops-nix.

https://github.com/getsops/sops
https://github.com/Mic92/sops-nix
2024-05-25 16:47:34 +02:00


# Sources for this configuration:
# - https://forgejo.org/
# - https://forgejo.org/docs/latest/
# - https://forgejo.org/docs/latest/admin/database-preparation/
# - https://forgejo.org/docs/latest/admin/config-cheat-sheet/
# - https://forgejo.org/docs/latest/admin/recommendations/
# - https://codeberg.org/forgejo/forgejo/src/branch/forgejo/docs/content/administration/reverse-proxies.en-us.md
# - https://forgejo.org/docs/latest/admin/email-setup/
{ pkgs-unstable, ... }:
let
  # Public host name of the instance; everything below derives from it.
  domain = "git.hamburg.ccc.de";
  # Sender / login identity for outgoing mail.
  mailAddress = "no-reply@${domain}";
  # Elasticsearch endpoint used by both the issue and the code indexer.
  # Plain HTTP, no credentials in the URL: this must stay loopback-only.
  searchUrl = "http://127.0.0.1:9200";
  # Name of the sops-nix secret holding the SMTP password; sops-nix places
  # decrypted secrets below /run/secrets by default.
  smtpSecret = "forgejo_git_smtp_password";
in
{
  services.forgejo.enable = true;
  services.forgejo.package = pkgs-unstable.forgejo;
  services.forgejo.database.type = "postgres";
  # The NixOS module reads the password from this file at start-up, so the
  # secret never ends up in the generated app.ini or the Nix store.
  services.forgejo.mailerPasswordFile = "/run/secrets/${smtpSecret}";

  services.forgejo.settings = {
    DEFAULT.APP_NAME = "CCCHH Git";

    # Forgejo binds plain HTTP on loopback only; ROOT_URL is https, so TLS is
    # presumably terminated by a local reverse proxy (see the reverse-proxies
    # link in the file header). LOCAL_ROOT_URL (Forgejo's self-access URL) is
    # left at its default.
    server.DOMAIN = domain;
    server.PROTOCOL = "http";
    server.HTTP_ADDR = "127.0.0.1";
    server.HTTP_PORT = 3000;
    server.ROOT_URL = "https://${domain}/";
    # Keep the instance self-contained (no third-party CDN assets), per the
    # config cheat sheet.
    server.OFFLINE_MODE = true;

    admin.DISABLE_REGULAR_ORG_CREATION = false;

    # Set the Secure flag on the session cookie so browsers only send it
    # over HTTPS.
    session.COOKIE_SECURE = true;

    "ui.meta".AUTHOR = "CCCHH Git";
    "ui.meta".DESCRIPTION = "Git instance of the CCCHH.";
    "ui.meta".KEYWORDS = "git,forge,forgejo,ccchh";

    # Sign-up only through external auth sources (no local registration
    # form), new users not publicly listed, e-mail addresses private by
    # default, and no HTTP basic auth with account passwords.
    service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
    service.DEFAULT_USER_VISIBILITY = "limited";
    service.DEFAULT_KEEP_EMAIL_PRIVATE = true;
    service.ENABLE_BASIC_AUTHENTICATION = false;

    repo.DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";

    # Forgejo Actions are switched on here; runner registration is not part
    # of this file. NOTE(review): confirm where runners are provisioned and
    # that they are isolated from the host.
    actions.ENABLED = true;
    actions.ARTIFACT_RETENTION_DAYS = 30;

    # Implicit-TLS SMTP (smtps on 465); the password comes from
    # mailerPasswordFile above.
    mailer.ENABLED = true;
    mailer.FROM = mailAddress;
    mailer.PROTOCOL = "smtps";
    mailer.SMTP_ADDR = "cow.hamburg.ccc.de";
    mailer.SMTP_PORT = 465;
    mailer.USER = mailAddress;

    # Redis over a unix socket rather than TCP.
    cache.ENABLED = true;
    cache.ADAPTER = "redis";
    cache.HOST = "redis+socket:///run/redis-forgejo/redis.sock";

    indexer.ISSUE_INDEXER_TYPE = "elasticsearch";
    indexer.ISSUE_INDEXER_CONN_STR = searchUrl;
    indexer.REPO_INDEXER_ENABLED = true;
    indexer.REPO_INDEXER_TYPE = "elasticsearch";
    indexer.REPO_INDEXER_CONN_STR = searchUrl;
  };

  # Decrypted secret is readable only by the forgejo user/group; the service
  # is restarted whenever the secret changes so a rotated password takes
  # effect.
  sops.secrets.${smtpSecret} = {
    mode = "0440";
    owner = "forgejo";
    group = "forgejo";
    restartUnits = [ "forgejo.service" ];
  };
}