forgejo secrets

This commit is contained in:
John Lancaster
2026-04-02 17:24:32 -05:00
parent 3e84eb641f
commit f05a3af30d
+89 -33
@@ -25,40 +25,96 @@
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [ cfg.port ]; networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [ cfg.port ];
services.forgejo = { sops.secrets = {
enable = true; "forgejo/secret_key".owner = config.services.forgejo.user;
lfs.enable = true; "forgejo/internal_token".owner = config.services.forgejo.user;
settings.server = lib.mkMerge [ "forgejo/jwt_secret".owner = config.services.forgejo.user;
{ "forgejo/lfs_jwt_secret".owner = config.services.forgejo.user;
HTTP_PORT = cfg.port; };
DISABLE_SSH = true;
} services = {
(lib.mkIf cfg.https { forgejo = {
ROOT_URL = "https://forgejo.john-stream.com"; enable = true;
PROTOCOL = "https"; lfs.enable = true;
COOKIE_SECURE = true; settings = {
KEY_FILE = config.mtls.keyFile; DEFAULT = {
CERT_FILE = config.mtls.certFile; RUN_MODE = "dev";
}) };
server = lib.mkMerge [
{
HTTP_PORT = cfg.port;
DISABLE_SSH = true;
ROOT_URL = "https://forgejo.john-stream.com";
}
(lib.mkIf cfg.https {
PROTOCOL = "https";
COOKIE_SECURE = true;
KEY_FILE = config.mtls.keyFile;
CERT_FILE = config.mtls.certFile;
})
];
repository = {
ENABLE_PUSH_CREATE_USER = true;
};
ui.SHOW_USER_EMAIL = false;
markup = {
ENABLED = true;
};
};
secrets = {
security = {
SECRET_KEY = lib.mkForce config.sops.secrets."forgejo/secret_key".path;
INTERNAL_TOKEN = lib.mkForce config.sops.secrets."forgejo/internal_token".path;
};
oauth2.JWT_SECRET = lib.mkForce config.sops.secrets."forgejo/jwt_secret".path;
server.LFS_JWT_SECRET = lib.mkForce config.sops.secrets."forgejo/lfs_jwt_secret".path;
};
database = {
type = "postgres";
port = config.services.postgresql.settings.port;
# createDatabase = false;
};
# dump = {
# enable = true;
# interval = "12h";
# };
};
postgresql = {
enable = true;
settings = {
};
};
};
environment.systemPackages =
let
systemctl = lib.getExe' pkgs.systemd "systemctl";
clean-forgejo = (pkgs.writeShellScriptBin "clean-forgejo" ''
set -e
${systemctl} stop forgejo.service
sudo ${lib.getExe' pkgs.coreutils "rm"} -rf ${config.services.forgejo.stateDir}
${lib.getExe' pkgs.coreutils "echo"} "Removed ${config.services.forgejo.stateDir}"
'');
clean-postgres = (pkgs.writeShellScriptBin "clean-postgres" ''
set -e
${systemctl} stop postgresql.service
${lib.getExe' pkgs.coreutils "echo"} Stopped
sudo ${lib.getExe' pkgs.coreutils "rm"} -rf ${config.services.postgresql.dataDir}
${lib.getExe' pkgs.coreutils "echo"} "Removed ${config.services.postgresql.dataDir}"
'');
in [
clean-forgejo
clean-postgres
(pkgs.writeShellScriptBin "clean-all" ''
set -e
${lib.getExe clean-forgejo}
${lib.getExe clean-postgres}
${lib.getExe' pkgs.coreutils "echo"} "Removed everything related to forgejo"
'')
]; ];
database = {
type = "postgres";
port = config.services.postgresql.settings.port;
# createDatabase = false;
};
# dump = {
# enable = true;
# interval = "12h";
# };
};
services.postgresql = {
enable = true;
settings = {
};
};
}; };
}; };
} }
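Review bot: The new `DEFAULT = { RUN_MODE = "dev"; }` block switches a host that also carries a public HTTPS `ROOT_URL` and real sops-managed secrets into Forgejo's development mode; as far as I know that mode re-parses templates per request and renders internal error details on server-error pages, which is not what you want next to production secrets. If it was added for debugging the secrets change, drop the `DEFAULT` block or pin it to `RUN_MODE = "prod";` before this lands, and leave a comment if it is intentional. Separately, `ROOT_URL` now lives in the unconditional server block while `PROTOCOL = "https"` and `COOKIE_SECURE` stay under `lib.mkIf cfg.https`, so with `cfg.https = false` the instance advertises an https URL it does not serve — presumably fine behind a TLS-terminating proxy, but worth a one-line comment. The `clean-*` helpers interpolate `stateDir`/`dataDir` into `sudo rm -rf` unquoted and without any confirmation prompt; quoting the paths (`"${config.services.forgejo.stateDir}"`) costs nothing, and a `read -p` guard would keep a destructive one-word command out of every operator's PATH.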