nixfiles/hosts/koi/containers/forgejo/default.nix

{ abs, pkgs, config, ... }@inputs:

let 
  UID = 1125;

  context = pkgs.copyPathToStore ./image;
in {
  users.users.forgejo = {
    isNormalUser = true;
    uid = UID;
  };

  services.postgresql.ensureUsers = [
    { name = "forgejo"; ensureDBOwnership = true; }
  ];
  services.postgresql.ensureDatabases = [ "forgejo" ];
  desu.postgresql.ensurePasswords.forgejo = "forgejo";

  systemd.services.docker-forgejo.serviceConfig.ExecStartPre = [
    (pkgs.writeShellScript "build-forgejo" ''
      docker build -t local/forgejo ${context}
    '')
  ];
  virtualisation.oci-containers.containers.forgejo = {
    image = "local/forgejo";

    # we use a custom entrypoint to set the uid and then drop privileges,
    # because forgejo expects the running user to have username "git" :woozy:
    # (and their root image is too bloated for my taste)

    volumes = [
      "/etc/localtime:/etc/localtime:ro"
      "/etc/timezone:/etc/timezone:ro"
    ];

    user = "${builtins.toString UID}";

    extraOptions = [
      "--group-add=${builtins.toString config.users.groups.geesefs.gid}"
      "--mount=type=bind,source=/srv/forgejo/data,target=/var/lib/gitea"
    ];

    ports = [
      "2222:2222"
    ];
  };

  systemd.services.docker-forgejo.after = [ "postgresql.service" "gocryptfs.service" ];

  systemd.tmpfiles.rules = [
    "d /srv/forgejo/repos 0700 ${builtins.toString UID} ${builtins.toString UID} -"
  ];

  services.nginx.virtualHosts."git.stupid.fish" = {
    forceSSL = true;
    useACMEHost = "stupid.fish";

    locations."/" = {
      proxyPass = "http://forgejo.docker:3000$request_uri";
      proxyWebsockets = true;
    };
  };

  networking.firewall.allowedTCPPorts = [ 2222 ];
}
feat(koi): forgejo 2025-01-03 21:49:41 +03:00			`{ abs, pkgs, config, ... }@inputs:`

			`let`
			`UID = 1125;`

			`context = pkgs.copyPathToStore ./image;`
			`in {`
			`users.users.forgejo = {`
			`isNormalUser = true;`
			`uid = UID;`
			`};`

			`services.postgresql.ensureUsers = [`
			`{ name = "forgejo"; ensureDBOwnership = true; }`
			`];`
			`services.postgresql.ensureDatabases = [ "forgejo" ];`
			`desu.postgresql.ensurePasswords.forgejo = "forgejo";`

			`systemd.services.docker-forgejo.serviceConfig.ExecStartPre = [`
			`(pkgs.writeShellScript "build-forgejo" ''`
			`docker build -t local/forgejo ${context}`
			`'')`
			`];`
			`virtualisation.oci-containers.containers.forgejo = {`
			`image = "local/forgejo";`

			`# we use a custom entrypoint to set the uid and then drop privileges,`
			`# because forgejo expects the running user to have username "git" :woozy:`
			`# (and their root image is too bloated for my taste)`

			`volumes = [`
			`"/etc/localtime:/etc/localtime:ro"`
			`"/etc/timezone:/etc/timezone:ro"`
			`];`

			`user = "${builtins.toString UID}";`

			`extraOptions = [`
			`"--group-add=${builtins.toString config.users.groups.geesefs.gid}"`
			`"--mount=type=bind,source=/srv/forgejo/data,target=/var/lib/gitea"`
			`];`

			`ports = [`
			`"2222:2222"`
			`];`
			`};`

			`systemd.services.docker-forgejo.after = [ "postgresql.service" "gocryptfs.service" ];`

			`systemd.tmpfiles.rules = [`
			`"d /srv/forgejo/repos 0700 ${builtins.toString UID} ${builtins.toString UID} -"`
			`];`

			`services.nginx.virtualHosts."git.stupid.fish" = {`
			`forceSSL = true;`
			`useACMEHost = "stupid.fish";`

			`locations."/" = {`
			`proxyPass = "http://forgejo.docker:3000$request_uri";`
			`proxyWebsockets = true;`
			`};`
			`};`

			`networking.firewall.allowedTCPPorts = [ 2222 ];`
			`}`