From f05a3af30debd26b7fe59e605fbb36a9567c072c Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Thu, 2 Apr 2026 17:24:32 -0500
Subject: [PATCH] forgejo secrets
---
 modules/features/forgejo.nix | 122 +++++++++++++++++++++++++----------
 1 file changed, 89 insertions(+), 33 deletions(-)
diff --git a/modules/features/forgejo.nix b/modules/features/forgejo.nix
index a095e62..cb578d1 100644
--- a/modules/features/forgejo.nix
+++ b/modules/features/forgejo.nix
@@ -25,40 +25,96 @@ config = lib.mkIf cfg.enable { networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [ cfg.port ]; - services.forgejo = { - enable = true; - lfs.enable = true; - settings.server = lib.mkMerge [ - { - HTTP_PORT = cfg.port; - DISABLE_SSH = true; - } - (lib.mkIf cfg.https { - ROOT_URL = "https://forgejo.john-stream.com"; - PROTOCOL = "https"; - COOKIE_SECURE = true; - KEY_FILE = config.mtls.keyFile; - CERT_FILE = config.mtls.certFile; - }) + sops.secrets = { + "forgejo/secret_key".owner = config.services.forgejo.user; + "forgejo/internal_token".owner = config.services.forgejo.user; + "forgejo/jwt_secret".owner = config.services.forgejo.user; + "forgejo/lfs_jwt_secret".owner = config.services.forgejo.user; + }; + + services = { + forgejo = { + enable = true; + lfs.enable = true; + settings = { + DEFAULT = { + RUN_MODE = "dev"; + }; + server = lib.mkMerge [ + { + HTTP_PORT = cfg.port; + DISABLE_SSH = true; + ROOT_URL = "https://forgejo.john-stream.com"; + } + (lib.mkIf cfg.https { + PROTOCOL = "https"; + COOKIE_SECURE = true; + KEY_FILE = config.mtls.keyFile; + CERT_FILE = config.mtls.certFile; + }) + ]; + repository = { + ENABLE_PUSH_CREATE_USER = true; + }; + ui.SHOW_USER_EMAIL = false; + markup = { + ENABLED = true; + }; + }; + + secrets = { + security = { + SECRET_KEY = lib.mkForce config.sops.secrets."forgejo/secret_key".path; + INTERNAL_TOKEN = lib.mkForce config.sops.secrets."forgejo/internal_token".path; + }; + oauth2.JWT_SECRET = lib.mkForce config.sops.secrets."forgejo/jwt_secret".path; + server.LFS_JWT_SECRET = lib.mkForce config.sops.secrets."forgejo/lfs_jwt_secret".path; + }; + + database = { + type = "postgres"; + port = config.services.postgresql.settings.port; + # createDatabase = false; + }; + # dump = { + # enable = true; + # interval = "12h"; + # }; + }; + + postgresql = { + enable = true; + settings = { + }; + }; + }; + + environment.systemPackages = + let + systemctl = lib.getExe' pkgs.systemd "systemctl"; + 
clean-forgejo = (pkgs.writeShellScriptBin "clean-forgejo" '' + set -e + ${systemctl} stop forgejo.service + sudo ${lib.getExe' pkgs.coreutils "rm"} -rf ${config.services.forgejo.stateDir} + ${lib.getExe' pkgs.coreutils "echo"} "Removed ${config.services.forgejo.stateDir}" + ''); + clean-postgres = (pkgs.writeShellScriptBin "clean-postgres" '' + set -e + ${systemctl} stop postgresql.service + ${lib.getExe' pkgs.coreutils "echo"} Stopped + sudo ${lib.getExe' pkgs.coreutils "rm"} -rf ${config.services.postgresql.dataDir} + ${lib.getExe' pkgs.coreutils "echo"} "Removed ${config.services.postgresql.dataDir}" + ''); + in [ + clean-forgejo + clean-postgres + (pkgs.writeShellScriptBin "clean-all" '' + set -e + ${lib.getExe clean-forgejo} + ${lib.getExe clean-postgres} + ${lib.getExe' pkgs.coreutils "echo"} "Removed everything related to forgejo" + '') ]; - - database = { - type = "postgres"; - port = config.services.postgresql.settings.port; - # createDatabase = false; - }; - # dump = { - # enable = true; - # interval = "12h"; - # }; - }; - - services.postgresql = { - enable = true; - settings = { - - }; - }; }; }; } \ No newline at end of file
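Review bot: `DEFAULT.RUN_MODE = "dev";` in the new `settings` block takes Forgejo out of its production run mode on a host that is otherwise configured for real use (sops-managed secrets, HTTPS with mTLS key material, a public ROOT_URL); dev mode is documented as a development/debugging setting and, as far as I recall, makes the 500 error page expose the underlying error message to any visitor, so unless this host is deliberately a test box it should read `RUN_MODE = "prod";` (or be omitted, since prod is the default), and if dev is intentional a comment saying why would help the next reader. Separately, `clean-postgres` runs `rm -rf` on `config.services.postgresql.dataDir`, which is every database on the host rather than only Forgejo's, while `clean-all` reports "Removed everything related to forgejo"; consider narrowing the wipe to the forgejo database or at least stating the host-wide effect in a comment above `clean-postgres` and in its echo. The `environment.systemPackages` list and the enclosing `config = lib.mkIf cfg.enable { … }` set close inside the hunk, but the `config` set itself starts before it.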