feat: adds forgejo instance to git.ily.rs

hosts/common/default.nix

@@ -8,5 +8,6 @@
   environment.systemPackages = with pkgs; [
     neovim
     git
+    sops
   ];
 }

hosts/lab/default.nix

@@ -5,6 +5,7 @@
     ../common
     ./foundry.nix
     ./dokuwiki.nix
+    ./forgejo.nix
   ];
 
   networking.hostName = "lab";
@@ -36,6 +37,8 @@
   };
   virtualisation.oci-containers.backend = "podman";
 
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
   services.caddy.enable = true;
 
   system.stateVersion = "23.11";

hosts/lab/forgejo.nix

@@ -0,0 +1,43 @@
+{ config, lib, ... }:
+let
+  cfg = config.services.forgejo;
+  srv = cfg.settings.server;
+in
+{
+  sops.secrets.forgejo-admin-password = {
+    sopsFile = ../../secrets/forgejo.yaml;
+    owner = "forgejo";
+  };
+
+  services.caddy.virtualHosts."git.ily.rs" = {
+    extraConfig = ''
+      reverse_proxy localhost:${toString srv.HTTP_PORT}
+    '';
+  };
+
+  services.forgejo = {
+    enable = true;
+    lfs.enable = true;
+    settings = {
+      server = {
+        DOMAIN = "git.ily.rs";
+        ROOT_URL = "https://git.ily.rs/";
+        HTTP_PORT = 3000;
+        START_SSH_SERVER = true;
+        SSH_PORT = 2222;
+        SSH_LISTEN_PORT = 2222;
+      };
+      service.DISABLE_REGISTRATION = true;
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 2222 ];
+
+  systemd.services.forgejo.preStart = let
+    adminCmd = "${lib.getExe cfg.package} admin user";
+    pwd = config.sops.secrets.forgejo-admin-password;
+  in lib.mkAfter ''
+    ${adminCmd} create --admin --email "lew@ily.rs" \
+      --username lew --password "$(tr -d '\n' < ${pwd.path})" || true
+  '';
+}

secrets/forgejo.yaml

@@ -0,0 +1,16 @@
+forgejo-admin-password: ENC[AES256_GCM,data:YN/89Fu+rVBn/1miWVTpaM7ZhAjbdk0tnDAiM4BjCeQeUcWrig==,iv:oXhiK0VswzOr4ifU2gYd9r4P/wLUc/+6LdVRiPwzvXE=,tag:hQsjD78KPD1EGu6MjaFmJg==,type:str]
+sops:
+    age:
+        - recipient: age1r8h6gy2f4mu8xvx609qeadl82v2hua74xaevsp982zyfh4tm9qlsu80s0f
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZRzY3NUNFOTdVVGsrcS8v
+            Wi93QWVXRjZraE9hUWxNWlh5MzA1WWtGcUN3CmxiZVA3WGk0Y0ZjTmswV1NqQUI5
+            L3hUeGtkckkyenVERnh5Z0daRC9tMHcKLS0tIFdObmtyWDZQbDFvcGJXQkJoMVNE
+            N0s0MCs0TWd2dXJjRXBHeVFFdWdvU28Kraf+RP0yRk4idTTc7OGW+8aj9rfcM+HK
+            Gq7chQORRec0N6aSxlo+AbptePO5wVY9/nnzNPl40Ue714/VOcbC0Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-04-04T19:54:12Z"
+    mac: ENC[AES256_GCM,data:Xeps9MbZAFAsYoy6BWoJ3MJtJ9XgS4L76SWrGh6MXCIRyDM2sG5/M/iIry54Pk++Ofk6ZMjW6CSNUEOkto7qDYxSDkhK9JGS+82AM3Jd4ChGoApELsGCUw0Li7jIrf4GVB21eX19iFSulAUSRF/HqnGtx1BVJELKzKwLGQYEjmM=,iv:hkjf0NF/VT9BNNWYdyicPb5UNV7JE9/V3hGX1RvjtSY=,tag:wrLsa/UTiy9AllrF4jUMDQ==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.12.2