From b00d1519acb69e6e0feaa95e798067821571fe50 Mon Sep 17 00:00:00 2001
From: lew
Date: Sat, 4 Apr 2026 21:15:59 +0100
Subject: [PATCH] feat: adds forgejo instance to git.ily.rs
---
 hosts/common/default.nix | 1 +
 hosts/lab/default.nix | 3 +++
 hosts/lab/forgejo.nix | 43 ++++++++++++++++++++++++++++++++++++++++
 secrets/forgejo.yaml | 16 +++++++++++++++
 4 files changed, 63 insertions(+)
 create mode 100644 hosts/lab/forgejo.nix
 create mode 100644 secrets/forgejo.yaml
diff --git a/hosts/common/default.nix b/hosts/common/default.nix
index 6a72d6b..b35d011 100644
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@@ -8,5 +8,6 @@
 environment.systemPackages = with pkgs; [
 neovim
 git
+ sops
 ];
 }
diff --git a/hosts/lab/default.nix b/hosts/lab/default.nix
index 220771a..d409671 100644
--- a/hosts/lab/default.nix
+++ b/hosts/lab/default.nix
@@ -5,6 +5,7 @@
 ../common
 ./foundry.nix
 ./dokuwiki.nix
+ ./forgejo.nix
 ];
 networking.hostName = "lab";
@@ -36,6 +37,8 @@
 };
 virtualisation.oci-containers.backend = "podman";
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ services.caddy.enable = true;
 system.stateVersion = "23.11";
diff --git a/hosts/lab/forgejo.nix b/hosts/lab/forgejo.nix
new file mode 100644
index 0000000..d301eee
--- /dev/null
+++ b/hosts/lab/forgejo.nix
@@ -0,0 +1,43 @@
+{ config, lib, ... }:
+let
+ cfg = config.services.forgejo;
+ srv = cfg.settings.server;
+in
+{
+ sops.secrets.forgejo-admin-password = {
+ sopsFile = ../../secrets/forgejo.yaml;
+ owner = "forgejo";
+ };
+
+ services.caddy.virtualHosts."git.ily.rs" = {
+ extraConfig = ''
+ reverse_proxy localhost:${toString srv.HTTP_PORT}
+ '';
+ };
+
+ services.forgejo = {
+ enable = true;
+ lfs.enable = true;
+ settings = {
+ server = {
+ DOMAIN = "git.ily.rs";
+ ROOT_URL = "https://git.ily.rs/";
+ HTTP_PORT = 3000;
+ START_SSH_SERVER = true;
+ SSH_PORT = 2222;
+ SSH_LISTEN_PORT = 2222;
+ };
+ service.DISABLE_REGISTRATION = true;
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 2222 ];
+
+ systemd.services.forgejo.preStart = let
+ adminCmd = "${lib.getExe cfg.package} admin user";
+ pwd = config.sops.secrets.forgejo-admin-password;
+ in lib.mkAfter ''
+ ${adminCmd} create --admin --email "lew@ily.rs" \
+ --username lew --password "$(tr -d '\n' < ${pwd.path})" || true
+ '';
+}
diff --git a/secrets/forgejo.yaml b/secrets/forgejo.yaml
new file mode 100644
index 0000000..f0a4990
--- /dev/null
+++ b/secrets/forgejo.yaml
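Review bot: The admin password is handed to `forgejo admin user create` on its command line (`--password "$(tr -d '\n' < ${pwd.path})"`), so for the lifetime of that process it sits in the argument vector, which is normally readable by other local users via the process list, and the trailing `|| true` masks every failure, not only the expected "user already exists" case — a rejected password or an unreadable secret path would leave the instance running with no admin and nothing in the unit status to say why. Because this preStart runs on every service start, guarding it with a marker file under `cfg.stateDir` confines the exposure to the first start and lets a genuine failure surface in the journal instead of being swallowed; if the Forgejo CLI in use can take the password from a file or stdin, that is preferable to the argument. The `owner = "forgejo"` on the secret suggests preStart runs as the service user, so the marker location should be one that user can write — confirm against the module.

```nix
  systemd.services.forgejo.preStart = let
    adminCmd = "${lib.getExe cfg.package} admin user";
    pwd = config.sops.secrets.forgejo-admin-password;
    marker = "${cfg.stateDir}/.admin-bootstrapped";
  in lib.mkAfter ''
    # one-time bootstrap: only create the admin until the marker exists,
    # and let a failing create show up instead of masking it with || true
    if [ ! -e ${marker} ]; then
      ${adminCmd} create --admin --email "lew@ily.rs" \
        --username lew --password "$(tr -d '\n' < ${pwd.path})"
      touch ${marker}
    fi
  '';
```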
@@ -0,0 +1,16 @@
+forgejo-admin-password: ENC[AES256_GCM,data:YN/89Fu+rVBn/1miWVTpaM7ZhAjbdk0tnDAiM4BjCeQeUcWrig==,iv:oXhiK0VswzOr4ifU2gYd9r4P/wLUc/+6LdVRiPwzvXE=,tag:hQsjD78KPD1EGu6MjaFmJg==,type:str]
+sops:
+ age:
+ - recipient: age1r8h6gy2f4mu8xvx609qeadl82v2hua74xaevsp982zyfh4tm9qlsu80s0f
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZRzY3NUNFOTdVVGsrcS8v
+ Wi93QWVXRjZraE9hUWxNWlh5MzA1WWtGcUN3CmxiZVA3WGk0Y0ZjTmswV1NqQUI5
+ L3hUeGtkckkyenVERnh5Z0daRC9tMHcKLS0tIFdObmtyWDZQbDFvcGJXQkJoMVNE
+ N0s0MCs0TWd2dXJjRXBHeVFFdWdvU28Kraf+RP0yRk4idTTc7OGW+8aj9rfcM+HK
+ Gq7chQORRec0N6aSxlo+AbptePO5wVY9/nnzNPl40Ue714/VOcbC0Q==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-04-04T19:54:12Z"
+ mac: ENC[AES256_GCM,data:Xeps9MbZAFAsYoy6BWoJ3MJtJ9XgS4L76SWrGh6MXCIRyDM2sG5/M/iIry54Pk++Ofk6ZMjW6CSNUEOkto7qDYxSDkhK9JGS+82AM3Jd4ChGoApELsGCUw0Li7jIrf4GVB21eX19iFSulAUSRF/HqnGtx1BVJELKzKwLGQYEjmM=,iv:hkjf0NF/VT9BNNWYdyicPb5UNV7JE9/V3hGX1RvjtSY=,tag:wrLsa/UTiy9AllrF4jUMDQ==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.12.2