Add forgejo host

config/hosts/forgejo/configuration.nix

@@ -0,0 +1,16 @@
+{ ... }:
+{
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/vda";
+  };
+
+  networking = {
+    hostName = "forgejo";
+    firewall = {
+      allowedTCPPorts = [ 80 8443 ];
+    };
+  };
+
+  system.stateVersion = "23.11";
+}

config/hosts/forgejo/default.nix

@@ -0,0 +1,9 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ./forgejo.nix
+    ./redis.nix
+    ./nginx.nix
+  ];
+}

config/hosts/forgejo/forgejo.nix

@@ -0,0 +1,60 @@
+{ ... }:
+{
+  services.forgejo = {
+    enable = true;
+    database.type = "postgres";
+    mailerPasswordFile = "/secrets/forgejo-mailer-password.secret";
+
+    settings = {
+      DEFAULT = {
+        APP_NAME = "Nekoverse Git";
+      };
+      server = {
+        DOMAIN = "git.nekover.se";
+        PROTOCOL = "http";
+        HTTP_ADDR = "127.0.0.1";
+        HTTP_PORT = 3000;
+        ROOT_URL = "https://git.nekover.se/";
+        # LOCAL_ROOT_URL is apparently what Forgejo uses to access itself.
+        # Doesn't need to be set.
+      };
+      admin = {
+        DISABLE_REGULAR_ORG_CREATION = false;
+      };
+      session = {
+        COOKIE_SECURE = true;
+      };
+      "ui.meta" = {
+        AUTHOR = "Nekoverse Git";
+        DESCRIPTION = "Git instance of the Nekoverse.";
+        KEYWORDS = "git,forge,forgejo,nekoverse";
+      };
+      service = {
+        ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+        DEFAULT_USER_VISIBILITY = "limited";
+        DEFAULT_KEEP_EMAIL_PRIVATE = true;
+        ENABLE_BASIC_AUTHENTICATION = false;
+      };
+      repo = {
+        DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
+      };
+      actions = {
+        ENABLED = true;
+        ARTIFACT_RETENTION_DAYS = 30;
+      };
+      mailer = {
+        ENABLED = true;
+        FROM = "nyareply@nekover.se";
+        PROTOCOL = "smtps";
+        SMTP_ADDR = "mail-1.grzb.de";
+        SMTP_PORT = 465;
+        USER = "forgejo@nekover.se";
+      };
+      cache = {
+        ENABLED = true;
+        ADAPTER = "redis";
+        HOST = "redis+socket:///run/redis-forgejo/redis.sock";
+      };
+    };
+  };
+}

config/hosts/forgejo/nginx.nix

@@ -0,0 +1,37 @@
+{ config, ... }:
+{
+  services.nginx = {
+    enable = true;
+    virtualHosts."git.nekover.se" = {
+      forceSSL = true;
+      enableACME = true;
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 80;
+        }
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          extraParameters = [ "proxy_protocol" ];
+        }
+      ];
+
+      locations."/" = {
+        proxyPass = "${config.services.forgejo.settings.server.PROTOCOL}://${config.services.forgejo.settings.server.HTTP_ADDR}:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}";
+      };
+
+      # Disallow crawling archives to save disk space.
+      # See: https://forgejo.org/docs/latest/admin/search-engines-indexation/
+      locations."/robots.txt" = {
+        return = "200 \"User-agent: *\\nDisallow: /*/*/archive/\\n\"";
+      };
+
+      extraConfig = ''
+        set_real_ip_from 10.202.41.100;
+        real_ip_header proxy_protocol;
+      '';
+    };
+  };
+}

config/hosts/forgejo/redis.nix

@@ -0,0 +1,12 @@
+{ ... }:
+{
+  services.redis.servers.forgejo = {
+    enable = true;
+    user = "forgejo";
+  };
+
+  systemd.services.forgejo = {
+    after = [ "redis-forgejo.service" ];
+    requires = [ "redis-forgejo.service" ];
+  };
+}

config/hosts/forgejo/secrets.nix

@@ -0,0 +1,13 @@
+{ keyCommandEnv, ... }:
+{
+  deployment.keys = {
+    "forgejo-mailer-password.secret" = {
+      keyCommand = keyCommandEnv ++ [ "pass" "mail/forgejo-nekover-se" ];
+      destDir = "/secrets";
+      user = "forgejo";
+      group = "forgejo";
+      permissions = "0640";
+      uploadAt = "pre-activation";
+    };
+  };
+}