diff --git a/hosts/koi/configuration.nix b/hosts/koi/configuration.nix
index 023dec6..30ea73b 100755
--- a/hosts/koi/configuration.nix
+++ b/hosts/koi/configuration.nix
@@ -40,6 +40,7 @@
 ./containers/wakapi
 ./containers/outline
 ./containers/docmost
+ ./containers/forgejo
 ./containers/teisu.nix
 ./containers/bots/pcre-sub-bot.nix
 ./containers/bots/channel-logger-bot.nix
diff --git a/hosts/koi/containers/forgejo/default.nix b/hosts/koi/containers/forgejo/default.nix
new file mode 100644
index 0000000..ab809e6
--- /dev/null
+++ b/hosts/koi/containers/forgejo/default.nix
@@ -0,0 +1,65 @@
+{ abs, pkgs, config, ... }@inputs:
+
+let
+ UID = 1125;
+
+ context = pkgs.copyPathToStore ./image;
+in {
+ users.users.forgejo = {
+ isNormalUser = true;
+ uid = UID;
+ };
+
+ services.postgresql.ensureUsers = [
+ { name = "forgejo"; ensureDBOwnership = true; }
+ ];
+ services.postgresql.ensureDatabases = [ "forgejo" ];
+ desu.postgresql.ensurePasswords.forgejo = "forgejo";
+
+ systemd.services.docker-forgejo.serviceConfig.ExecStartPre = [
+ (pkgs.writeShellScript "build-forgejo" ''
+ docker build -t local/forgejo ${context}
+ '')
+ ];
+ virtualisation.oci-containers.containers.forgejo = {
+ image = "local/forgejo";
+
+ # we use a custom entrypoint to set the uid and then drop privileges,
+ # because forgejo expects the running user to have username "git" :woozy:
+ # (and their root image is too bloated for my taste)
+
+ volumes = [
+ "/etc/localtime:/etc/localtime:ro"
+ "/etc/timezone:/etc/timezone:ro"
+ ];
+
+ user = "${builtins.toString UID}";
+
+ extraOptions = [
+ "--group-add=${builtins.toString config.users.groups.geesefs.gid}"
+ "--mount=type=bind,source=/srv/forgejo/data,target=/var/lib/gitea"
+ ];
+
+ ports = [
+ "2222:2222"
+ ];
+ };
+
+ systemd.services.docker-forgejo.after = [ "postgresql.service" "gocryptfs.service" ];
+
+ systemd.tmpfiles.rules = [
+ "d /srv/forgejo/repos 0700 ${builtins.toString UID} ${builtins.toString UID} -"
+ ];
+
+ services.nginx.virtualHosts."git.stupid.fish" = {
+ forceSSL = true;
+ useACMEHost = "stupid.fish";
+
+ locations."/" = {
+ proxyPass = "http://forgejo.docker:3000$request_uri";
+ proxyWebsockets = true;
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 2222 ];
+}
\ No newline at end of file
diff --git a/hosts/koi/containers/forgejo/image/Dockerfile b/hosts/koi/containers/forgejo/image/Dockerfile
new file mode 100644
index 0000000..84ec5af
--- /dev/null
+++ b/hosts/koi/containers/forgejo/image/Dockerfile
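Review bot: `desu.postgresql.ensurePasswords.forgejo = "forgejo";` checks a static database password into the repo, in the same commit that routes the runner registration token through `desu.secrets`; the container evidently reaches the host's PostgreSQL over the network, so anything else on that path can log in with a guessable credential. Feed it from an age secret like the token (if the `ensurePasswords` module can take a file, something like `config.desu.secrets.forgejo-db-password.path`), or add a comment stating why a trivial password is acceptable on this host. Separately, `systemd.services.docker-forgejo.after = [ "postgresql.service" "gocryptfs.service" ];` only orders startup: if `/srv/forgejo` lives on that gocryptfs mount and the unit fails, the container still starts and writes `/var/lib/gitea` into the bare mountpoint, so add `systemd.services.docker-forgejo.requires = [ "gocryptfs.service" ];` (or `unitConfig.RequiresMountsFor`). Finally, the tmpfiles rule creates `/srv/forgejo/repos` but the only bind mount is `/srv/forgejo/data`, and the comment about a custom entrypoint does not match the Dockerfile in this commit, which only runs `usermod`; either mount the directory or drop the rule, and reword the comment to describe what is actually done.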
@@ -0,0 +1,8 @@
+FROM codeberg.org/forgejo/forgejo:9.0.3-rootless
+
+USER root
+
+RUN apk add --no-cache shadow openssh && \
+ usermod -u 1125 git
+
+USER git
\ No newline at end of file
diff --git a/hosts/koi/services/actions-runner/default.nix b/hosts/koi/services/actions-runner/default.nix
index 9da5e4e..ef6e35a 100644
--- a/hosts/koi/services/actions-runner/default.nix
+++ b/hosts/koi/services/actions-runner/default.nix
@@ -2,6 +2,7 @@
 {
 desu.secrets.forgejo-runners-token = {};
+ desu.secrets.forgejo-runners-token-sf = {};
 systemd.services.actions-runner-build-dind = {
 description = "dind image builder for actions runner";
@@ -32,5 +33,19 @@
 runner.capacity = 8;
 };
 };
+ instances.koi-stupid-fish = {
+ name = "koi";
+ enable = true;
+ url = "https://git.stupid.fish";
+ tokenFile = config.desu.secrets.forgejo-runners-token-sf.path;
+ labels = [
+ "node18:docker://node:18-bullseye"
+ "node20:docker://node:20-bullseye"
+ "node22:docker://node:22-bullseye"
+ ];
+ settings = {
+ runner.capacity = 8;
+ };
+ };
 };
 }
\ No newline at end of file
diff --git a/hosts/koi/services/autorestic/config.yaml b/hosts/koi/services/autorestic/config.yaml
index 4262946..da8daf4 100644
--- a/hosts/koi/services/autorestic/config.yaml
+++ b/hosts/koi/services/autorestic/config.yaml
@@ -85,3 +85,7 @@ locations:
 from: /srv/vaultwarden/
 to: rclone
 cron: '0 6 * * *'
+ forgejo:
+ from: /srv/forgejo/
+ to: rclone
+ cron: '0 */6 * * *'
diff --git a/secrets/forgejo-runners-token-sf.age b/secrets/forgejo-runners-token-sf.age
new file mode 100644
index 0000000..51065bd
--- /dev/null
+++ b/secrets/forgejo-runners-token-sf.age
@@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 sj88Xw GgKRg7idO0vDye/NcBuaMhcg1hd9xyCg6akWbg9mbm8
+ygNUeOABd0xR9J2QvAOTIATzh2uRHJUrZgwHOxvABQs
+--- uNOL20nKtDdHPt7C50jH7qB7FZZAP2SSw8kSQzRBCcI
+/%Df}/F*0in2BF +x*gŮNHf[YrzQ`Us%
\ No newline at end of file
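Review bot: `usermod -u 1125 git` re-owns only files under the account's home directory, so any path the base image chowned to the old uid outside it — presumably `/etc/gitea`, where the rootless image writes `app.ini` during first-run setup — stays owned by 1000 and becomes unwritable once the process runs as 1125; append `&& chown -R git /etc/gitea` to the `RUN` line, or confirm the config directory is provided some other way. The base image is referenced by the mutable tag `forgejo:9.0.3-rootless` and rebuilt on every service start by the `ExecStartPre` in default.nix, so pin it by digest (`FROM codeberg.org/forgejo/forgejo:9.0.3-rootless@sha256:...`) to keep restarts reproducible. `openssh` is also installed even though the rootless image serves Git-over-SSH with Forgejo's built-in server on 2222; if it is only there for `ssh-keygen`, say so in a comment, otherwise drop it to keep the image small.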
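Review bot: The new `instances.koi-stupid-fish` lets every repository on `git.stupid.fish` with Actions enabled run workflow containers on koi at `runner.capacity = 8`, and nothing in this commit disables self-registration on that freshly deployed Forgejo instance or limits who may enable Actions; confirm `DISABLE_REGISTRATION` and the Actions policy there before the runner registers, otherwise a sign-up on the public host amounts to code execution inside the dind builder. The `labels` reference `node:18-bullseye`, `node:20-bullseye` and `node:22-bullseye` by floating tags, so job images drift silently between pulls; consider digests there too, as for the Forgejo image. The enclosing `instances` attribute set begins outside the hunk.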
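Review bot: Backing up `/srv/forgejo/` captures only the bind-mounted data directory; the Forgejo database lives in the host PostgreSQL (`ensureDatabases = [ "forgejo" ]` in the same commit), so unless a `pg_dump` location exists elsewhere in this config a restore yields repositories without their users, SSH keys or issues. Add a before-hook to the new location that dumps the database into the backed-up tree, e.g. `hooks:` / `  before:` / `    - sudo -u postgres pg_dump forgejo > /srv/forgejo/forgejo.sql` (adjust the user to however the host runs pg_dump). The snapshot also reads live repositories without quiescing Forgejo; git packs are append-only so that is usually acceptable, but a one-line comment saying so would save the next reader the question.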