forgejo

2026-01-14 16:55:00 +01:00 · 2025-03-21 21:14:29 +01:00 · 2025-03-21 21:14:29 +01:00 · a25b5fc2b7
commit a25b5fc2b7
parent ac5540fc22
28 changed files with 88 additions and 28 deletions
--- a/newinfra/nix/apps/forgejo/default.nix
+++ b/newinfra/nix/apps/forgejo/default.nix
@ -0,0 +1,45 @@
+{ config, pkgs, name, ... }: {
+  age.secrets.forgejo_s3_key_secret.file = ../../secrets/forgejo_s3_key_secret.age;
+
+
+  services.forgejo = {
+    enable = true;
+    database = {
+      type = "sqlite3";
+    };
+    lfs.enable = false;
+
+    settings = {
+      DEFAULT = {
+        APP_NAME = "this forge meows";
+        APP_SLOGAN = "this forge meows";
+      };
+
+      server = rec {
+        DOMAIN = "git.noratrieb.dev";
+        ROOT_URL = "https://${DOMAIN}/";
+        HTTP_PORT = 5015;
+      };
+
+      service = {
+        DISABLE_REGISTRATION = true;
+      };
+
+      storage = {
+        STORAGE_TYPE = "minio";
+        MINIO_ENDPOINT = "127.0.0.1:3900";
+        MINIO_ACCESS_KEY_ID = "GKc8bfd905eb7f85980ffe84c9";
+        MINIO_BUCKET = "forgejo";
+        MINIO_BUCKET_LOOKUP = "auto";
+        MINIO_LOCATION = "garage";
+        MINIO_USE_SSL = false;
+      };
+    };
+
+    secrets = {
+      storage = {
+        MINIO_SECRET_ACCESS_KEY = config.age.secrets.forgejo_s3_key_secret.path;
+      };
+    };
+  };
+}
--- a/newinfra/nix/hive.nix
+++ b/newinfra/nix/hive.nix
@ -173,6 +173,7 @@
      ./apps/uptime
      ./apps/cargo-bisect-rustc-service
      ./apps/killua
+      ./apps/forgejo
    ];

    deployment.tags = [ "caddy" "eu" "apps" "website" ];
--- a/newinfra/nix/modules/caddy/vps1.Caddyfile
+++ b/newinfra/nix/modules/caddy/vps1.Caddyfile
@ -59,6 +59,12 @@ docker.noratrieb.dev {
 	reverse_proxy * localhost:5000
 }

+git.noratrieb.dev {
+	log
+	encode zstd gzip
+	reverse_proxy * localhost:5015
+}
+
 ################################################################
 # redirects

--- a/newinfra/nix/modules/dns/noratrieb.dev.nix
+++ b/newinfra/nix/modules/dns/noratrieb.dev.nix
@ -69,6 +69,7 @@ let
        };
        uptime = vps1;
        does-it-build = vps4;
+        git = vps1;

        # --- fun shit
        localhost.A = [ (a "127.0.0.1") ];
--- a/newinfra/nix/modules/garage/README.md
+++ b/newinfra/nix/modules/garage/README.md
@ -23,6 +23,8 @@
    - key `loki` RW
 - `backups`
    - key `backups` RW
+- `forgejo`
+    - key `forgejo` RW

 ## keys

@ -30,6 +32,7 @@
 - `docker-registry`: `GK48011ee5b5ccbaf4233c0e40`
 - `loki`: `GK84ffae2a0728abff0f96667b`
 - `backups`: `GK8cb8454a6f650326562bff2f`
+- `forgejo`: `GKc8bfd905eb7f85980ffe84c9`

 - `admin`: `GKaead6cf5340e54a4a19d9490`
    - RW permissions on ~every bucket
--- a/newinfra/nix/secrets/backup_s3_secret.age
+++ b/newinfra/nix/secrets/backup_s3_secret.age
--- a/newinfra/nix/secrets/caddy_s3_key_secret.age
+++ b/newinfra/nix/secrets/caddy_s3_key_secret.age
--- a/newinfra/nix/secrets/docker_registry_password.age
+++ b/newinfra/nix/secrets/docker_registry_password.age
--- a/newinfra/nix/secrets/forgejo_s3_key_secret.age
+++ b/newinfra/nix/secrets/forgejo_s3_key_secret.age
--- a/newinfra/nix/secrets/garage_secrets.age
+++ b/newinfra/nix/secrets/garage_secrets.age
--- a/newinfra/nix/secrets/grafana_admin_password.age
+++ b/newinfra/nix/secrets/grafana_admin_password.age
--- a/newinfra/nix/secrets/hugochat_db_password.age
+++ b/newinfra/nix/secrets/hugochat_db_password.age
@ -1,5 +1,6 @@
 age-encryption.org/v1
-> ssh-ed25519 qM6TYg 6eQ/q3Fj5+L+xROvG9gNysRDWJ6haDVVJHmlDSeAxS0
-H4nDYw2w4iWujEE8GllQAh8rOdE+CDrKuMagurs7LbI
--- +yoBU3zYLaP0gJ6iUPSe9I46F2xKWWFUZNSW5M/yOLo
-þÄ
²åfP:sšÐ?`Þ)±ñÄ7¨UõG©«©åñÎHEŽù~…¾{$Kåéu˜M<A7bTàPIÂŽqÅjoóFB<46>(LeìÇ¨<0F>ò(—Î •õ ‹X<E280B9>˜ž“Nb'àb¶äòôD!jÑnÎ1‡U5à'¶«¶&m4peüŽzN“Þ±+.‹!Õ,c)›ªÀÃà°É-¦<>kHrÓUKÑ
+-> ssh-ed25519 qM6TYg H4CAhH2tiZgtdBLnIT2NQpwbuuJIhX2fku6ukjFHonA
+jqQ4SKoyG+lIN6nFtBkUPsPLbQtQG1McRrH5BSjMmbk
+--- Gxbst2zgWl8yZrCCami4TA7/bXRE84sI6FBjnzpPsiI
+È…›€rçÕí
+T6„ôŠÒ[k¯Ž¯sºñ‰iÄ–þ\'¡~Kšÿ
<0A>ÎýIÀƒ““%€|«h´¸Æ†¹ú%<25>NÕSúªtòYÒŽÂÅÎvüSÒÄæå©þ’Ó`‡*3€ƒ_éžÐ;fÉ°/¾*!º¹q-^óCkA7˜ÍR° ù<6„‘4•h*vjYøVæ²S÷22Ê®R†³<E280A0>EŒÏ
--- a/newinfra/nix/secrets/killua_env.age
+++ b/newinfra/nix/secrets/killua_env.age
--- a/newinfra/nix/secrets/loki_env.age
+++ b/newinfra/nix/secrets/loki_env.age
--- a/newinfra/nix/secrets/minio_env_file.age
+++ b/newinfra/nix/secrets/minio_env_file.age
--- a/newinfra/nix/secrets/registry_htpasswd.age
+++ b/newinfra/nix/secrets/registry_htpasswd.age
--- a/newinfra/nix/secrets/registry_s3_key_secret.age
+++ b/newinfra/nix/secrets/registry_s3_key_secret.age
--- a/newinfra/nix/secrets/s3_mc_admin_client.age
+++ b/newinfra/nix/secrets/s3_mc_admin_client.age
--- a/newinfra/nix/secrets/secrets.nix
+++ b/newinfra/nix/secrets/secrets.nix
@ -21,6 +21,7 @@ in
  "backup_s3_secret.age".publicKeys = [ vps1 vps3 vps4 vps5 ];
  "s3_mc_admin_client.age".publicKeys = [ vps1 vps3 vps4 vps5 ];
  "killua_env.age".publicKeys = [ vps1 ];
+  "forgejo_s3_key_secret.age".publicKeys = [ vps1 ];
  "wg_private_dns1.age".publicKeys = [ dns1 ];
  "wg_private_dns2.age".publicKeys = [ dns2 ];
  "wg_private_vps1.age".publicKeys = [ vps1 ];
--- a/newinfra/nix/secrets/wg_private_dns1.age
+++ b/newinfra/nix/secrets/wg_private_dns1.age
@ -1,5 +1,6 @@
 age-encryption.org/v1
-> ssh-ed25519 LZU5Eg U3dxvEDcEOtW8FXZjVFJLauY4iGqz0ZEaXFpQ/wtRRo
-pYTB+l/4k7j5CjIe2UpDG/UD26zAwfXBQ5ChgOf6UTI
--- gjyHv0JR14A+KGrSqfGY+XDdEK5O96RY1vz3QRagN+Y
-ŕW]`O-Mł¦ÄĘ<><C498>ŚôŇw«@^ŇżTt˛ŰI8ZŢÔvô`Âdí:e[MŇ;ĐË¸nŮpKłHíwµPĎ˛Ŕ›9’
+-> ssh-ed25519 LZU5Eg C/Xxl6xmqJU17rLrtktvdLeRY5/bF3bjftHo4mbl1iI
+dLiactDlpelKogeTFl2fD6YjAK1dfFd7jnvrgc7m4O8
+--- LARr+mBHSH1Hn7gLprVSZdL5/MK5zEmwWnkAYH0Q4T0
+2+÷V(źű‚s	
+Rź P>ßÜazZŃ>y˝>•rř‰Jç‘¸!>ł—ôKňEA¸Řap ¶Ąyđ~Ş č‰¸<E280B0>¨źS×C“W-&ćŃ
--- a/newinfra/nix/secrets/wg_private_dns2.age
+++ b/newinfra/nix/secrets/wg_private_dns2.age
@ -1,5 +1,5 @@
 age-encryption.org/v1
-> ssh-ed25519 5bWSnQ EtJ6xvnAKqBQAcMkg8ZvqlKLds+fAurbMDwa2y59WzY
-1K7hYZsklt50rzd3m3s+eJz4QRnLffCTJkNdg5XgXko
--- rwXlwZH92YleL48/WiC7+sjUSPRcIak5S4UIkhoSD10
-ўµ.µ“‚ВТSњWущб<-э8YДЭ?и)T&«ҐьЄГЉќN¦БЮ2ЫZJ¦„;в&СТВ39dъФ{ё8љлЭ:yЬ^ЯKл™І*‰
+-> ssh-ed25519 5bWSnQ LZJ3IeeU2FcoStl7FVMbL0zttZEWy1t+E25GEqXdznk
+hMIVGygEe++AfccTi15wj6rWaqtwsOabUugtiuR5GWI
+--- /YFZvkG8jK+vVp+edwEpbkDiAe0yPvwzml6d1HOynI4
+¡áìöLÀÐOÿ_Ù'cÔÝ<C394>¹ç•Š=ä]äQÚ—[’Æø?Ùo‘3MNÁ6dVþÒ?<3F>•RA<>‡ÜëWÆºõà<C3B5>x5³ðùkc¿
--- a/newinfra/nix/secrets/wg_private_vps1.age
+++ b/newinfra/nix/secrets/wg_private_vps1.age
@ -1,5 +1,5 @@
 age-encryption.org/v1
-> ssh-ed25519 qM6TYg 5ufMbqsCyIvHt0C8w+t5SWHGSeoO/zJidZI42EIJvxU
-Zwm8H68YWqjAe0Gq/itCwtEj1cu1VOACtfriPuPdbGs
--- ZomF2aQQywN2ZToZB5oqJT/+H+UEvC0j/fQiR67szec
-?lÁ/yuç@ì«èÄ\¼fh Q1 [_”Mˆ<4D>Ó<EFBFBD>Å¡7éÎùíÞZÞ5?évÅ"ïâ6º°”lýÂlPÀ+Èä8u×"R¹E
+-> ssh-ed25519 qM6TYg wMMdxXZc1yZiD9oS6ne/7Ne29uz+Q97kYYjZtyhR9Qs
+hNwS16RMdvb7hNfjRdUow/sYtUcta4YPoe4qh0jAEOE
+--- 30m6ILfUyjxm/nindgNcujh4bGOUvMbrcArSLEd2NuI
+Ì¢×î0ÍÃÉfÌÜÍ-1TØ‘à_s>?f·I[L•À…•ÇÏ<C387>mL4¯á«#ÛÑ,qwÔÂåPY-[’‰n$áò<C3A1>Á¦ µ4
--- a/newinfra/nix/secrets/wg_private_vps3.age
+++ b/newinfra/nix/secrets/wg_private_vps3.age
@ -1,5 +1,5 @@
 age-encryption.org/v1
-> ssh-ed25519 XzACZQ zCt7Biavy5amayc4xU57K6vv+4/MgKZRhNwvA6xdJQE
-z/TWt8WbdZcXsbZSmiJ/Yp1ormoVk88HlXxY+8lmF60
--- x5fpB686RpY4KxbKu940m29V4E+wdzd417YaUxzT4V4
-Ť®a[…G‹‚ěŢg”ç‰˘¶ÎŰ<C38E>Yß'¶<>ą*|ÂŰWmPBR–ZĎţb\ůĘłÇH›AO$„űkĂÇť .8{ô'nŻş4«#Ľ'
+-> ssh-ed25519 XzACZQ k5WVMoS1WD1Jb+RfV0OOW5umLFfEdfIqDodBViQFvzc
+kypBLkD32beBsTtEoCyH0b9L4GAxorTFhqH3nhkO72w
+--- aUbimoG2VppL5CPG3tES+zp/cINt6ZjNnthvCcpt0ww
+‹kð…éÈ~iÃ"ÃßB˜÷V¸M‘DEù´–QöBŠu<C5A0>òK
P§ñâàuä×h¦GCÞ±épT‰±íØé)t¤l€Çnö
--- a/newinfra/nix/secrets/wg_private_vps4.age
+++ b/newinfra/nix/secrets/wg_private_vps4.age
@ -1,5 +1,5 @@
 age-encryption.org/v1
-> ssh-ed25519 51bcvA 05bVKsZ8ztuvA34HH9Tr/AwtgENlfE5IL+fab8lvGic
-+Ib+H+pnPsmrQtQCejyZHP+Moab17YORhVkkAqVjtbs
--- d0nYesYevgnhdN5t6XN8zuyJzxifu2BW5KNqG3wAIR8
-$?äP†ä3Å3‘Ö*Oy/r½î»ç=tË<74>q-/„BA\3@æVA#¸'cÅı{¶†íğÆEaB´R>ÄÅ¥È±³¹.V„Ã¶<C383>C²Ó
+-> ssh-ed25519 51bcvA A5RlnDQ8XJQK5KqxwrvVsrfJKVzb22/c/J/EPvfhtRA
+ByXVkK+QIuGV9bCgcqYOAj54k/O6SrYBLrJIQMec0nA
+--- S+1ZbskI6F3pIT8Pm9qjoHpHu0BmihvC1c9D77sghVY
+·Ë{ŤX‡ă¶w°ő˙<ńp‘äśřé“’ĘZ¶SŻ><3E>G*KD_r;Ĺć9«ÄşO"s<áÓ™Cb6ú#lűQ“Éa¸<<3C>j)ťĎu
--- a/newinfra/nix/secrets/wg_private_vps5.age
+++ b/newinfra/nix/secrets/wg_private_vps5.age
--- a/newinfra/nix/secrets/widetom_bot_token.age
+++ b/newinfra/nix/secrets/widetom_bot_token.age
@ -1,5 +1,6 @@
 age-encryption.org/v1
-> ssh-ed25519 qM6TYg 8PHArngZr845Vyzvr06Syrn4w3mV1vbeMKnSzd7PtUc
-GoI7ssVbQzlQAZPopxMpyKdhv1BixF+eac5nQA0Q+i4
--- c/MJSct6IxWiitSeEGez2c55nQ94A22OuM4NliuHpOk
-ÿw*_P‡fÁYÓ×Yç-‡š¡©ylAtˆÙ½U!ÀAÐ‡Uì³1÷5f‘cFùÀ/ðžœcÉŠZ%)NÁ¯÷Áhƒ‹âTtd–þÅÈÚ?²›7>ë:UÅkü
+-> ssh-ed25519 qM6TYg +hQBAuU1CjDiXyZyufXz6MsGhvYTN0HjmReqbVW8WGQ
+DDq5KdAiBei16CiU+CYOdRbhqZKyaUEfPdCee3T6K88
+--- Gl21s/ER3GfHeVm9lFbqfyBth5Ac56g0ceoogfzmzXg
+OÒ<EFBFBD>>t˜—lÕ¹ôûë<1C>6[UAÓ"yf-ÊAã¡»ÌíÊÜj¾ ìtž rÁxàRÚd95ýŽ7¢jqàICLÅåvéÈiocÖOM$…
+ÜuÙRZ!ä©·—¯qâ
--- a/newinfra/nix/secrets/widetom_config_toml.age
+++ b/newinfra/nix/secrets/widetom_config_toml.age
--- a/newinfra/secrets-git-crypt/forgejo_s3_key_secret
+++ b/newinfra/secrets-git-crypt/forgejo_s3_key_secret