feat(koi): forgejo

This commit is contained in:
alina 🌸 2025-01-03 21:49:41 +03:00
parent e8526a1c82
commit 262e185eb1
Signed by: teidesu
SSH key fingerprint: SHA256:uNeCpw6aTSU4aIObXLvHfLkDa82HWH9EiOj9AXOIRpI
6 changed files with 99 additions and 0 deletions


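--- a/PATH-NOT-SHOWN-1
+++ b/PATH-NOT-SHOWN-1
@@ -40,6 +40,7 @@
 ./containers/wakapi
 ./containers/outline
 ./containers/docmost
+./containers/forgejo
 ./containers/teisu.nix
 ./containers/bots/pcre-sub-bot.nix
 ./containers/bots/channel-logger-bot.nix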


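--- /dev/null
+++ b/PATH-NOT-SHOWN-2
@@ -0,0 +1,65 @@
+{ abs, pkgs, config, ... }@inputs:
+let
+UID = 1125;
+context = pkgs.copyPathToStore ./image;
+in {
+users.users.forgejo = {
+isNormalUser = true;
+uid = UID;
+};
+services.postgresql.ensureUsers = [
+{ name = "forgejo"; ensureDBOwnership = true; }
+];
+services.postgresql.ensureDatabases = [ "forgejo" ];
+desu.postgresql.ensurePasswords.forgejo = "forgejo";
+systemd.services.docker-forgejo.serviceConfig.ExecStartPre = [
+(pkgs.writeShellScript "build-forgejo" ''
+docker build -t local/forgejo ${context}
+'')
+];
+virtualisation.oci-containers.containers.forgejo = {
+image = "local/forgejo";
+# we use a custom entrypoint to set the uid and then drop privileges,
+# because forgejo expects the running user to have username "git" :woozy:
+# (and their root image is too bloated for my taste)
+volumes = [
+"/etc/localtime:/etc/localtime:ro"
+"/etc/timezone:/etc/timezone:ro"
+];
+user = "${builtins.toString UID}";
+extraOptions = [
+"--group-add=${builtins.toString config.users.groups.geesefs.gid}"
+"--mount=type=bind,source=/srv/forgejo/data,target=/var/lib/gitea"
+];
+ports = [
+"2222:2222"
+];
+};
+systemd.services.docker-forgejo.after = [ "postgresql.service" "gocryptfs.service" ];
+systemd.tmpfiles.rules = [
+"d /srv/forgejo/repos 0700 ${builtins.toString UID} ${builtins.toString UID} -"
+];
+services.nginx.virtualHosts."git.stupid.fish" = {
+forceSSL = true;
+useACMEHost = "stupid.fish";
+locations."/" = {
+proxyPass = "http://forgejo.docker:3000$request_uri";
+proxyWebsockets = true;
+};
+};
+networking.firewall.allowedTCPPorts = [ 2222 ];
+}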
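Review bot: `desu.postgresql.ensurePasswords.forgejo = "forgejo";` puts the database password as a string literal in the Nix configuration, and if the `desu.postgresql` module materialises it into a script or SQL file (as such helpers usually do) it ends up in the world-readable Nix store, readable by any local user; the same value presumably has to be repeated on the Forgejo side outside this hunk, so a weak credential lives in at least two places. This commit already uses a file-based secrets mechanism for the runner (`config.desu.secrets.forgejo-runners-token-sf.path`), which would be the natural home for this credential; whether `ensurePasswords` can accept a path instead of a string depends on the module, which is not visible here. If PostgreSQL is reachable only from the docker bridge the exposure is contained, but the store copy remains. A related nit: the `tmpfiles` rule creates `/srv/forgejo/repos`, while the bind-mount source is `/srv/forgejo/data`, which nothing in this hunk creates with the container's uid (`type=bind` does not auto-create its source); a one-line comment stating the intended `/srv/forgejo` layout would help.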


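--- /dev/null
+++ b/PATH-NOT-SHOWN-3
@@ -0,0 +1,8 @@
+FROM codeberg.org/forgejo/forgejo:9.0.3-rootless
+USER root
+RUN apk add --no-cache shadow openssh && \
+usermod -u 1125 git
+USER git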
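Review bot: The comment beside the container definition in this commit says a custom entrypoint sets the uid and then drops privileges, but this Dockerfile changes no entrypoint — it only remaps `git` to uid 1125 via `usermod` and switches back to `USER git` — so either that comment is stale or the entrypoint is missing from the image context. The uid is also duplicated between `UID = 1125` in the Nix module and `usermod -u 1125 git` here, so the two can drift silently; `ARG UID=1125` after `FROM`, `usermod -u ${UID} git`, and `docker build --build-arg UID=${builtins.toString UID} ...` in the `build-forgejo` script would keep a single source of truth. Pinning the base image by tag only (`9.0.3-rootless`) is acceptable for a rebuild-on-start setup, though adding a digest would make the `ExecStartPre` build immutable and detectable if the tag is ever republished.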


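--- a/PATH-NOT-SHOWN-4
+++ b/PATH-NOT-SHOWN-4
@@ -2,6 +2,7 @@
 {
 desu.secrets.forgejo-runners-token = {};
+desu.secrets.forgejo-runners-token-sf = {};
 systemd.services.actions-runner-build-dind = {
 description = "dind image builder for actions runner";
@@ -32,5 +33,19 @@
 runner.capacity = 8;
 };
 };
+instances.koi-stupid-fish = {
+name = "koi";
+enable = true;
+url = "https://git.stupid.fish";
+tokenFile = config.desu.secrets.forgejo-runners-token-sf.path;
+labels = [
+"node18:docker://node:18-bullseye"
+"node20:docker://node:20-bullseye"
+"node22:docker://node:22-bullseye"
+];
+settings = {
+runner.capacity = 8;
+};
+};
 };
 }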
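Review bot: The new `instances.koi-stupid-fish` block repeats `runner.capacity = 8` that the context line shows the existing instance already carries, and most likely the same label list (the existing instance's body lies outside these hunks), so a label or capacity change for one runner will silently miss the other; hoisting `labels` and `settings` into a `let` binding shared by both instances would keep them in step. Two instances at capacity 8 on the same host also allow up to 16 concurrent jobs sharing one Docker daemon, which may be intended but deserves a one-line comment. The enclosing attribute set starts before the first hunk and is only partially visible here.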


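--- a/PATH-NOT-SHOWN-5
+++ b/PATH-NOT-SHOWN-5
@@ -85,3 +85,7 @@ locations:
 from: /srv/vaultwarden/
 to: rclone
 cron: '0 6 * * *'
+forgejo:
+from: /srv/forgejo/
+to: rclone
+cron: '0 */6 * * *'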
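Review bot: The new `forgejo` entry covers only `/srv/forgejo/`, but this same commit places Forgejo's metadata (users, issues, deploy keys, access tokens) in the `forgejo` PostgreSQL database, which lives outside that path; unless a dump of that database is handled by a location outside this hunk, a restore from this entry alone returns repositories without the records that reference them. Copying the live data directory every six hours while the service is writing can also capture repositories mid-push; if the backup tool supports pre-hooks, running `forgejo dump` or pausing the container first would make the copy consistent. A short comment stating where the database backup lives would save the next reader from checking.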


@ -0,0 +1,6 @@
age-encryption.org/v1
-> ssh-ed25519 sj88Xw GgKRg7idO0vDye/NcBuaMhcg1hd9xyCg6akWbg9mbm8
ygNUeOABd0xR9J2QvAOTIATzh2uRHJUrZgwHOxvABQs
--- uNOL20nKtDdHPt7C50jH7qB7FZZAP2SSw8kSQzRBCcI
/%åÂÁç·Df×}Ì/´F*0<>iÖn2Bë¥F
*îgÓÅ®êN±Hfùš[µ•®YÀÅrzQö`ü³ÐUsØ%¤¿