kiara/Fediversity
1
0
Fork 0
forked from fediversity/fediversity
Code Pull requests Activity
Fediversity/machines/dev/vm02116/forgejo.nix
Kiara Grouwstra 9a25a04bfa specify _class module attributes to explicitly declare module types (#398) 
closes #93.

note that this includes classes:

- `nixos`
- `nixosTest`
- `nixops4Resource`
- `nixops4Deployment`

.. and my (made-up, as per the [docs](https://ryantm.github.io/nixpkgs/module-system/module-system/#module-system-lib-evalModules-param-class)):

- `nix-unit`
- `package`

.. while i did not manage to cover:

- service tests, given `pkgs.nixosTest` seemed to not actually like `_class = "nixosTest"` (?!)

... nor #93's mentioned destructured arguments for that matter, as per Fediversity/Fediversity#93 (comment) - let me know if that is still desired as well.

Reviewed-on: Fediversity/Fediversity#398
Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io>
Co-authored-by: Kiara Grouwstra <kiara@procolix.eu>
Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>
2025-06-23 17:24:54 +02:00

113 lines
2.6 KiB
Nix
Raw Blame History

{ config, pkgs, ... }:
let
domain = "git.fediversity.eu";
in
{
_class = "nixos";
services.forgejo = {
enable = true;
## NOTE: By default, the Forgejo service features Forgejo LTS. However, we
## want some more recent features, so we rely on a more recent one.
package = pkgs.forgejo;
lfs.enable = true;
settings = {
service = {
DISABLE_REGISTRATION = true;
};
server = {
DOMAIN = "${domain}";
ROOT_URL = "https://${domain}/";
HTTP_ADDR = "127.0.0.1";
LANDING_PAGE = "explore";
};
};
settings.service.ENABLE_NOTIFY_MAIL = true;
settings.mailer = {
ENABLED = true;
PROTOCOL = "smtp+starttls";
SMTP_ADDR = "mail.protagio.nl";
SMTP_PORT = "587";
FROM = "git@fediversity.eu";
USER = "git@fediversity.eu";
};
secrets.mailer.PASSWD = config.age.secrets.forgejo-email-password.path;
database = {
type = "mysql";
socket = "/run/mysqld/mysqld.sock";
passwordFile = config.age.secrets.forgejo-database-password.path;
};
};
age.secrets.forgejo-database-password = {
owner = "forgejo";
group = "forgejo";
mode = "440";
};
users.groups.keys.members = [ "forgejo" ];
services.mysql = {
enable = true;
package = pkgs.mariadb;
ensureDatabases = [ "forgejo" ];
ensureUsers = [
{
name = "forgejo";
ensurePermissions = {
"forgejo.*" = "ALL PRIVILEGES";
};
}
];
};
security.acme = {
acceptTerms = true;
defaults.email = "beheer@procolix.com";
};
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
clientMaxBodySize = "500m";
appendHttpConfig = ''
map $uri $forgejo_access_log {
default 1;
/api/actions/runner.v1.RunnerService/FetchTask 0;
}
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; always";
}
add_header Strict-Transport-Security $hsts_header;
'';
virtualHosts.${domain} = {
listenAddresses = [
"185.206.232.34"
"[2a00:51c0:12:1201::20]"
];
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3000/";
extraConfig = ''
proxy_set_header X-Real-IP $remote_addr;
#access_log /var/log/nginx/access.log info if=$forgejo_access_log;
'';
};
};
};
}
View git blame Copy permalink