forgejo secrets

2026-04-02 17:24:32 -05:00
parent 3e84eb641f
commit f05a3af30d
1 changed files with 89 additions and 33 deletions
@@ -25,22 +25,51 @@
      config = lib.mkIf cfg.enable {
        networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [ cfg.port ];
-        services.forgejo = {
+        sops.secrets = {
          "forgejo/secret_key".owner = config.services.forgejo.user;
          "forgejo/internal_token".owner = config.services.forgejo.user;
          "forgejo/jwt_secret".owner = config.services.forgejo.user;
          "forgejo/lfs_jwt_secret".owner = config.services.forgejo.user;
        };
        services = {
          forgejo = {
            enable = true;
            lfs.enable = true;
-          settings.server = lib.mkMerge [
+            settings = {
              DEFAULT = {
                RUN_MODE = "dev";
              };
              server = lib.mkMerge [
                {
                  HTTP_PORT = cfg.port;
                  DISABLE_SSH = true;
                  ROOT_URL = "https://forgejo.john-stream.com";
                }
                (lib.mkIf cfg.https {
              ROOT_URL = "https://forgejo.john-stream.com";
                  PROTOCOL = "https";
                  COOKIE_SECURE = true;
                  KEY_FILE = config.mtls.keyFile;
                  CERT_FILE = config.mtls.certFile;
                })
              ];
              repository = {
                ENABLE_PUSH_CREATE_USER = true;
              };
              ui.SHOW_USER_EMAIL = false;
              markup = {
                ENABLED = true;
              };
            };
            secrets = {
              security = {
                SECRET_KEY = lib.mkForce config.sops.secrets."forgejo/secret_key".path;
                INTERNAL_TOKEN = lib.mkForce config.sops.secrets."forgejo/internal_token".path;
              };
              oauth2.JWT_SECRET = lib.mkForce config.sops.secrets."forgejo/jwt_secret".path;
              server.LFS_JWT_SECRET = lib.mkForce config.sops.secrets."forgejo/lfs_jwt_secret".path;
            };
            database = {
              type = "postgres";
@@ -53,12 +82,39 @@
            # };
          };
-        services.postgresql = {
+          postgresql = {
            enable = true;
            settings = {
            };
          };
        };
-          };
+        environment.systemPackages =
-        };
+          let
            systemctl = lib.getExe' pkgs.systemd "systemctl";
            clean-forgejo = (pkgs.writeShellScriptBin "clean-forgejo" ''
              set -e
              ${systemctl} stop forgejo.service
              sudo ${lib.getExe' pkgs.coreutils "rm"} -rf ${config.services.forgejo.stateDir}
              ${lib.getExe' pkgs.coreutils "echo"} "Removed ${config.services.forgejo.stateDir}"
            '');
            clean-postgres = (pkgs.writeShellScriptBin "clean-postgres" ''
              set -e
              ${systemctl} stop postgresql.service
              ${lib.getExe' pkgs.coreutils "echo"} Stopped
              sudo ${lib.getExe' pkgs.coreutils "rm"} -rf ${config.services.postgresql.dataDir}
              ${lib.getExe' pkgs.coreutils "echo"} "Removed ${config.services.postgresql.dataDir}"
            '');
          in [
            clean-forgejo
            clean-postgres
            (pkgs.writeShellScriptBin "clean-all" ''
              set -e
              ${lib.getExe clean-forgejo}
              ${lib.getExe clean-postgres}
              ${lib.getExe' pkgs.coreutils "echo"} "Removed everything related to forgejo"
            '')
          ];
      };
    };
 }