feat(koi): forgejo

2025-01-03 21:49:41 +03:00 · 2025-01-03 21:49:41 +03:00 · 262e185eb1
commit 262e185eb1
parent e8526a1c82
6 changed files with 99 additions and 0 deletions
--- a/hosts/koi/configuration.nix
+++ b/hosts/koi/configuration.nix
@ -40,6 +40,7 @@
    ./containers/wakapi
    ./containers/outline
    ./containers/docmost
+    ./containers/forgejo
    ./containers/teisu.nix
    ./containers/bots/pcre-sub-bot.nix
    ./containers/bots/channel-logger-bot.nix
--- a/hosts/koi/containers/forgejo/default.nix
+++ b/hosts/koi/containers/forgejo/default.nix
@ -0,0 +1,65 @@
+{ abs, pkgs, config, ... }@inputs:
+
+let 
+  UID = 1125;
+
+  context = pkgs.copyPathToStore ./image;
+in {
+  users.users.forgejo = {
+    isNormalUser = true;
+    uid = UID;
+  };
+
+  services.postgresql.ensureUsers = [
+    { name = "forgejo"; ensureDBOwnership = true; }
+  ];
+  services.postgresql.ensureDatabases = [ "forgejo" ];
+  desu.postgresql.ensurePasswords.forgejo = "forgejo";
+
+  systemd.services.docker-forgejo.serviceConfig.ExecStartPre = [
+    (pkgs.writeShellScript "build-forgejo" ''
+      docker build -t local/forgejo ${context}
+    '')
+  ];
+  virtualisation.oci-containers.containers.forgejo = {
+    image = "local/forgejo";
+
+    # we use a custom entrypoint to set the uid and then drop privileges,
+    # because forgejo expects the running user to have username "git" :woozy:
+    # (and their root image is too bloated for my taste)
+
+    volumes = [
+      "/etc/localtime:/etc/localtime:ro"
+      "/etc/timezone:/etc/timezone:ro"
+    ];
+
+    user = "${builtins.toString UID}";
+
+    extraOptions = [
+      "--group-add=${builtins.toString config.users.groups.geesefs.gid}"
+      "--mount=type=bind,source=/srv/forgejo/data,target=/var/lib/gitea"
+    ];
+
+    ports = [
+      "2222:2222"
+    ];
+  };
+
+  systemd.services.docker-forgejo.after = [ "postgresql.service" "gocryptfs.service" ];
+
+  systemd.tmpfiles.rules = [
+    "d /srv/forgejo/repos 0700 ${builtins.toString UID} ${builtins.toString UID} -"
+  ];
+
+  services.nginx.virtualHosts."git.stupid.fish" = {
+    forceSSL = true;
+    useACMEHost = "stupid.fish";
+
+    locations."/" = {
+      proxyPass = "http://forgejo.docker:3000$request_uri";
+      proxyWebsockets = true;
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 2222 ];
+}
--- a/hosts/koi/containers/forgejo/image/Dockerfile
+++ b/hosts/koi/containers/forgejo/image/Dockerfile
@ -0,0 +1,8 @@
+FROM codeberg.org/forgejo/forgejo:9.0.3-rootless
+
+USER root
+
+RUN apk add --no-cache shadow openssh && \
+    usermod -u 1125 git
+
+USER git
--- a/hosts/koi/services/actions-runner/default.nix
+++ b/hosts/koi/services/actions-runner/default.nix
@ -2,6 +2,7 @@

 {
  desu.secrets.forgejo-runners-token = {};
+  desu.secrets.forgejo-runners-token-sf = {};

  systemd.services.actions-runner-build-dind = {
    description = "dind image builder for actions runner";
@ -32,5 +33,19 @@
        runner.capacity = 8;
      };
    };
+    instances.koi-stupid-fish = {
+      name = "koi";
+      enable = true;
+      url = "https://git.stupid.fish";
+      tokenFile = config.desu.secrets.forgejo-runners-token-sf.path;
+      labels = [
+        "node18:docker://node:18-bullseye"
+        "node20:docker://node:20-bullseye"
+        "node22:docker://node:22-bullseye"
+      ];
+      settings = {
+        runner.capacity = 8;
+      };
+    };
  };
 }
--- a/hosts/koi/services/autorestic/config.yaml
+++ b/hosts/koi/services/autorestic/config.yaml
@ -85,3 +85,7 @@ locations:
    from: /srv/vaultwarden/
    to: rclone
    cron: '0 6 * * *'
+  forgejo:
+    from: /srv/forgejo/
+    to: rclone
+    cron: '0 */6 * * *'
--- a/secrets/forgejo-runners-token-sf.age
+++ b/secrets/forgejo-runners-token-sf.age
@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 sj88Xw GgKRg7idO0vDye/NcBuaMhcg1hd9xyCg6akWbg9mbm8
+ygNUeOABd0xR9J2QvAOTIATzh2uRHJUrZgwHOxvABQs
+--- uNOL20nKtDdHPt7C50jH7qB7FZZAP2SSw8kSQzRBCcI
+/%åÂÁç·D›f×}Ì/‘´F*0<>iÖn2Bë¥F
+x§›*îgÓÅ®ê–N±Hfùš[µ•®YÀÅrzQö`ü³ÐUsØ%¤¿