feat: adds forgejo instance to git.ily.rs

hosts/common/default.nix

@@ -8,5 +8,6 @@
   environment.systemPackages = with pkgs; [
     neovim
     git
+    sops
   ];
 }

hosts/lab/default.nix

@@ -5,6 +5,7 @@
     ../common
     ./foundry.nix
     ./dokuwiki.nix
+    ./forgejo.nix
   ];
 
   networking.hostName = "lab";
@@ -36,6 +37,8 @@
   };
   virtualisation.oci-containers.backend = "podman";
 
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
   services.caddy.enable = true;
 
   system.stateVersion = "23.11";

hosts/lab/forgejo.nix

@@ -0,0 +1,43 @@
+{ config, lib, ... }:
+let
+  cfg = config.services.forgejo;
+  srv = cfg.settings.server;
+in
+{
+  sops.secrets.forgejo-admin-password = {
+    sopsFile = ../../secrets/forgejo.yaml;
+    owner = "forgejo";
+  };
+
+  services.caddy.virtualHosts."git.ily.rs" = {
+    extraConfig = ''
+      reverse_proxy localhost:${toString srv.HTTP_PORT}
+    '';
+  };
+
+  services.forgejo = {
+    enable = true;
+    lfs.enable = true;
+    settings = {
+      server = {
+        DOMAIN = "git.ily.rs";
+        ROOT_URL = "https://git.ily.rs/";
+        HTTP_PORT = 3000;
+        START_SSH_SERVER = true;
+        SSH_PORT = 2222;
+        SSH_LISTEN_PORT = 2222;
+      };
+      service.DISABLE_REGISTRATION = true;
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 2222 ];
+
+  systemd.services.forgejo.preStart = let
+    adminCmd = "${lib.getExe cfg.package} admin user";
+    pwd = config.sops.secrets.forgejo-admin-password;
+  in lib.mkAfter ''
+    ${adminCmd} create --admin --email "lew@ily.rs" \
+      --username lew --password "$(tr -d '\n' < ${pwd.path})" || true
+  '';
+}