Add forgejo host

config/hosts/forgejo/configuration.nix

@@ -0,0 +1,16 @@
+{ ... }:
+{
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/vda";
+  };
+
+  networking = {
+    hostName = "forgejo";
+    firewall = {
+      allowedTCPPorts = [ 80 8443 ];
+    };
+  };
+
+  system.stateVersion = "23.11";
+}

config/hosts/forgejo/default.nix

@@ -0,0 +1,9 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ./forgejo.nix
+    ./redis.nix
+    ./nginx.nix
+  ];
+}

config/hosts/forgejo/forgejo.nix

@@ -0,0 +1,60 @@
+{ ... }:
+{
+  services.forgejo = {
+    enable = true;
+    database.type = "postgres";
+    mailerPasswordFile = "/secrets/forgejo-mailer-password.secret";
+
+    settings = {
+      DEFAULT = {
+        APP_NAME = "Nekoverse Git";
+      };
+      server = {
+        DOMAIN = "git.nekover.se";
+        PROTOCOL = "http";
+        HTTP_ADDR = "127.0.0.1";
+        HTTP_PORT = 3000;
+        ROOT_URL = "https://git.nekover.se/";
+        # LOCAL_ROOT_URL is apparently what Forgejo uses to access itself.
+        # Doesn't need to be set.
+      };
+      admin = {
+        DISABLE_REGULAR_ORG_CREATION = false;
+      };
+      session = {
+        COOKIE_SECURE = true;
+      };
+      "ui.meta" = {
+        AUTHOR = "Nekoverse Git";
+        DESCRIPTION = "Git instance of the Nekoverse.";
+        KEYWORDS = "git,forge,forgejo,nekoverse";
+      };
+      service = {
+        ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+        DEFAULT_USER_VISIBILITY = "limited";
+        DEFAULT_KEEP_EMAIL_PRIVATE = true;
+        ENABLE_BASIC_AUTHENTICATION = false;
+      };
+      repo = {
+        DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
+      };
+      actions = {
+        ENABLED = true;
+        ARTIFACT_RETENTION_DAYS = 30;
+      };
+      mailer = {
+        ENABLED = true;
+        FROM = "nyareply@nekover.se";
+        PROTOCOL = "smtps";
+        SMTP_ADDR = "mail-1.grzb.de";
+        SMTP_PORT = 465;
+        USER = "forgejo@nekover.se";
+      };
+      cache = {
+        ENABLED = true;
+        ADAPTER = "redis";
+        HOST = "redis+socket:///run/redis-forgejo/redis.sock";
+      };
+    };
+  };
+}

config/hosts/forgejo/nginx.nix

@@ -0,0 +1,37 @@
+{ config, ... }:
+{
+  services.nginx = {
+    enable = true;
+    virtualHosts."git.nekover.se" = {
+      forceSSL = true;
+      enableACME = true;
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 80;
+        }
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          extraParameters = [ "proxy_protocol" ];
+        }
+      ];
+
+      locations."/" = {
+        proxyPass = "${config.services.forgejo.settings.server.PROTOCOL}://${config.services.forgejo.settings.server.HTTP_ADDR}:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}";
+      };
+
+      # Disallow crawling archives to save disk space.
+      # See: https://forgejo.org/docs/latest/admin/search-engines-indexation/
+      locations."/robots.txt" = {
+        return = "200 \"User-agent: *\\nDisallow: /*/*/archive/\\n\"";
+      };
+
+      extraConfig = ''
+        set_real_ip_from 10.202.41.100;
+        real_ip_header proxy_protocol;
+      '';
+    };
+  };
+}

config/hosts/forgejo/redis.nix

@@ -0,0 +1,12 @@
+{ ... }:
+{
+  services.redis.servers.forgejo = {
+    enable = true;
+    user = "forgejo";
+  };
+
+  systemd.services.forgejo = {
+    after = [ "redis-forgejo.service" ];
+    requires = [ "redis-forgejo.service" ];
+  };
+}

config/hosts/forgejo/secrets.nix

@@ -0,0 +1,13 @@
+{ keyCommandEnv, ... }:
+{
+  deployment.keys = {
+    "forgejo-mailer-password.secret" = {
+      keyCommand = keyCommandEnv ++ [ "pass" "mail/forgejo-nekover-se" ];
+      destDir = "/secrets";
+      user = "forgejo";
+      group = "forgejo";
+      permissions = "0640";
+      uploadAt = "pre-activation";
+    };
+  };
+}

config/hosts/mail-1/secrets.nix

@@ -89,5 +89,13 @@
       permissions = "0640";
       uploadAt = "pre-activation";
     };
+    "mail-forgejo-nekover-se.secret" = {
+      keyCommand = keyCommandEnv ++ [ "pass" "mail/forgejo-nekover-se" ];
+      destDir = "/secrets";
+      user = "root";
+      group = "root";
+      permissions = "0640";
+      uploadAt = "pre-activation";
+    };
   };
 }

config/hosts/mail-1/simple-nixos-mailserver.nix

@@ -56,6 +56,11 @@
             sendOnly = true;
             aliases = [ "nyareply@nekover.se" ];
           };
+          "forgejo@nekover.se" = {
+            hashedPasswordFile = "/secrets/mail-forgejo-nekover-se.secret";
+            sendOnly = true;
+            aliases = [ "nyareply@nekover.se" ];
+          };
         };
         certificateScheme = "acme-nginx";
       };

config/hosts/web-public-2/nginx.nix

@@ -22,6 +22,7 @@
           element.nekover.se 127.0.0.1:8443;
           gameserver.grzb.de 127.0.0.1:8443;
           git.grzb.de 127.0.0.1:8443;
+          git.nekover.se 10.202.41.106:8443;
           hydra.nekover.se 10.202.41.121:8443;
           id.nekover.se 10.202.41.124:8443;
           matrix.nekover.se 10.202.41.112:8443;

config/hosts/web-public-2/virtualHosts/acme-challenge.nix

@@ -5,6 +5,7 @@ let
     "mail-1.grzb.de" = "mail-1.vs.grzb.de";
     "matrix.nekover.se" = "matrix.vs.grzb.de";
     "netbox.grzb.de" = "netbox.vs.grzb.de";
+    "git.nekover.se" = "forgejo.vs.grzb.de";
     "grafana.grzb.de" = "metrics.vs.grzb.de";
     "jackett.grzb.de" = "torrent.vs.grzb.de";
     "jellyseerr.grzb.de" = "jellyseerr.vs.grzb.de";

hosts.nix

@@ -45,6 +45,10 @@ in
       site = "vs";
       environment = "proxmox";
     };
+    forgejo = {
+      site = "vs";
+      environment = "proxmox";
+    };
     keycloak = {
       site = "vs";
       environment = "proxmox";