nixfiles/hosts/koi/containers/forgejo/default.nix


{ abs, pkgs, config, ... }@inputs:
let
  # One fixed uid is used for the host account, the container's runtime user
  # and the owner of the on-disk repo directory, so files written from inside
  # the container carry the same owner on the host.
  UID = 1125;
  uidStr = toString UID;
  # The docker build context (./image) is copied into the Nix store, so the
  # image is built from an immutable, pinned source.
  context = pkgs.copyPathToStore ./image;
  geesefsGid = toString config.users.groups.geesefs.gid;
in
{
  users.users.forgejo = {
    isNormalUser = true;
    uid = UID;
  };

  services.postgresql = {
    ensureDatabases = [ "forgejo" ];
    ensureUsers = [
      { name = "forgejo"; ensureDBOwnership = true; }
    ];
  };
  # NOTE(review): a literal database password ends up in the world-readable
  # Nix store; presumably postgres is reachable only from this host's
  # containers — confirm, otherwise source it from a secrets mechanism.
  desu.postgresql.ensurePasswords.forgejo = "forgejo";

  systemd.services.docker-forgejo = {
    # Ordering only (`after`, not `wants`/`requires`): these units are not
    # pulled in by this one.
    after = [ "postgresql.service" "gocryptfs.service" ];
    # Rebuild the local image before every start; since the context is a
    # store path the result only changes when ./image changes.
    serviceConfig.ExecStartPre = [
      (pkgs.writeShellScript "build-forgejo" ''
        docker build -t local/forgejo ${context}
      '')
    ];
  };

  virtualisation.oci-containers.containers.forgejo = {
    image = "local/forgejo";
    # The container runs as our uid rather than root. The image's custom
    # entrypoint sets the uid and then drops privileges, because forgejo
    # expects its running user to be called "git" :woozy: (and the upstream
    # root image is too bloated for my taste).
    user = uidStr;
    volumes = [
      "/etc/localtime:/etc/localtime:ro"
      "/etc/timezone:/etc/timezone:ro"
    ];
    extraOptions = [
      # Supplementary group — presumably for access to geesefs-backed
      # storage; verify against the geesefs mount options.
      "--group-add=${geesefsGid}"
      # Persistent state stays on the host, bind-mounted at the container's
      # /var/lib/gitea.
      "--mount=type=bind,source=/srv/forgejo/data,target=/var/lib/gitea"
    ];
    # NOTE(review): docker's own port publishing may not be subject to the
    # NixOS firewall rules below — confirm the intended exposure of 2222.
    ports = [
      "2222:2222"
    ];
  };

  systemd.services.forgejo-clear-actions-logs = {
    # Nightly housekeeping run as the unprivileged forgejo account.
    startAt = "03:00";
    serviceConfig = {
      Type = "oneshot";
      User = "forgejo";
      ExecStart = "${pkgs.nodejs_22}/bin/nodejs ${./clear-actions-logs.mjs}";
    };
  };

  # The repo directory is private to the forgejo uid (mode 0700).
  systemd.tmpfiles.rules = [
    "d /srv/forgejo/repos 0700 ${uidStr} ${uidStr} -"
  ];

  services.nginx.virtualHosts."git.stupid.fish" = {
    forceSSL = true;
    useACMEHost = "stupid.fish";
    locations."/" = {
      # Upstream is the container's HTTP port (3000); the original request
      # URI is forwarded unchanged.
      proxyPass = "http://forgejo.docker:3000$request_uri";
      proxyWebsockets = true;
      extraConfig = ''
        client_max_body_size 1g;
        proxy_read_timeout 120s;
        proxy_send_timeout 120s;
      '';
    };
  };

  networking.firewall.allowedTCPPorts = [ 2222 ];
}