diff --git a/modules/nixos/services/homeserver/default.nix b/modules/nixos/services/homeserver/default.nix
index be5bfcc..df55c3c 100755
--- a/modules/nixos/services/homeserver/default.nix
+++ b/modules/nixos/services/homeserver/default.nix
@@ -6,6 +6,7 @@
 ./restic
 ./caddy.nix
 ./cloudflared.nix
+ ./forgejo.nix
 ./jellyfin.nix
 ./kanidm.nix
 ./nextcloud.nix
diff --git a/modules/nixos/services/homeserver/forgejo.nix b/modules/nixos/services/homeserver/forgejo.nix
new file mode 100644
index 0000000..ee07395
--- /dev/null
+++ b/modules/nixos/services/homeserver/forgejo.nix
@@ -0,0 +1,70 @@
+{ config, lib, ... }:
+
+{
+ sops.secrets = {
+ "forgejo/secret-key" = {
+ owner = "forgejo";
+ group = "forgejo";
+ };
+ "forgejo/internal-token" = {
+ owner = "forgejo";
+ group = "forgejo";
+ };
+ };
+
+ services.caddy.virtualHosts."git.wo2wz.fyi".extraConfig =
+ assert config.services.caddy.enable;
+ ''
+ import default-settings
+ import cloudflare-tls
+
+ reverse_proxy localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}
+ '';
+
+ services.forgejo = {
+ enable = true;
+ secrets.security = {
+ SECRET_KEY = lib.mkForce config.sops.secrets."forgejo/secret-key".path;
+ INTERNAL_TOKEN = lib.mkForce config.sops.secrets."forgejo/internal-token".path;
+ };
+ settings = {
+ DEFAULT = {
+ APP_NAME = "Wo2wz's Git";
+ APP_SLOGAN = "Powered by NixOS";
+ APP_DISPLAY_NAME_FORMAT = "{APP_NAME} - {APP_SLOGAN}";
+ };
+
+ "ui.meta" = {
+ AUTHOR = "Wo2wz's forgejo";
+ DESCRIPTION = ''in the forged jo, straight up "committing" it, and by "it" lets just say... my git'';
+ };
+
+ server = {
+ HTTP_ADDR = "127.0.0.1";
+ HTTP_PORT = 8008;
+
+ DOMAIN = "git.wo2wz.fyi";
+ ROOT_URL = "https://git.wo2wz.fyi/";
+ };
+
+ database.SQLITE_JOURNAL_MODE = "WAL";
+ cache = {
+ ADAPTER = "twoqueue";
+ HOST = ''{"size":100, "recent_ratio":0.25, "ghost_ratio":0.5}'';
+ };
+
+ openid = {
+ ENABLE_OPENID_SIGNUP = true;
+ ENABLE_OPENID_SIGNIN = true;
+ };
+ service = {
+ ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+ ENABLE_INTERNAL_SIGNIN = false;
+ };
+
+ session.COOKIE_SECURE = true;
+
+ actions.ENABLED = false;
+ };
+ };
+}
\ No newline at end of file
diff --git a/modules/nixos/services/homeserver/kanidm.nix b/modules/nixos/services/homeserver/kanidm.nix
index e475f6d..74638fc 100644
--- a/modules/nixos/services/homeserver/kanidm.nix
+++ b/modules/nixos/services/homeserver/kanidm.nix
@@ -5,6 +5,7 @@
 "acme/secrets.env" = {};
 } // lib.genAttrs [
+ "kanidm/oauth2/forgejo"
 "kanidm/oauth2/grafana"
 "kanidm/oauth2/jellyfin"
 "kanidm/oauth2/nextcloud"
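Review bot: The `openid` block under `settings` configures Forgejo's legacy OpenID 2.0 relay, not the OAuth2/OIDC login that the `/user/oauth2/Kanidm/callback` URL registered elsewhere in this commit relies on, so `ENABLE_OPENID_SIGNUP = true` keeps self-registration open through any OpenID 2.0 provider even though `ALLOW_ONLY_EXTERNAL_REGISTRATION` hides the local form and no `WHITELISTED_URIS` is set. Unless OpenID 2.0 sign-in is actually wanted, `openid = { ENABLE_OPENID_SIGNUP = false; ENABLE_OPENID_SIGNIN = false; };` closes that path and leaves the Kanidm source as the only way in. The OAuth2 authentication source named `Kanidm` is not declared in this module, so it is presumably created through the admin UI or CLI; a comment such as `# OAuth2 source "Kanidm" is created out of band; the client side lives in kanidm.nix` would tell the next reader where that piece is.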
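Review bot: `"kanidm/oauth2/forgejo"` is added to `sops.secrets` here, but the `secrets/drone.yaml` hunks in this commit only add `forgejo.secret-key` and `forgejo.internal-token`, not a `kanidm.oauth2.forgejo` entry; unless that key lives in a different sops file, sops-nix should fail at activation when it cannot find the key, and the `basicSecretFile` path in the later kanidm hunk would point at nothing. Adding the encrypted `forgejo` entry under `kanidm.oauth2` in the same file, or pointing this secret at the file that holds it via `sopsFile`, would close that gap. The `lib.genAttrs` expression this hunk edits starts before the hunk.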
@@ -69,28 +70,43 @@
 mailAddresses = [ "wo2w@kanidm.wo2wz.fyi" ];
 groups = [
+ "forgejo_users"
 "grafana_users"
 "jellyfin_users"
 "nextcloud_users"
 "vaultwarden_users"
+ "forgejo_admins"
 "grafana_admins"
 "jellyfin_admins"
 ];
 };
 groups = lib.genAttrs [
+ "forgejo_users"
 "grafana_users"
 "jellyfin_users"
 "nextcloud_users"
 "vaultwarden_users"
 ] (x: {}) // {
+ forgejo_admins.members = [ "forgejo_users" ];
 grafana_admins.members = [ "grafana_users" ];
 jellyfin_admins.members = [ "jellyfin_users" ];
 };
 systems.oauth2 = {
+ forgejo = {
+ displayName = "Forgejo";
+ originUrl = "https://git.wo2wz.fyi/user/oauth2/Kanidm/callback";
+ originLanding = "https://git.wo2wz.fyi";
+
+ preferShortUsername = true;
+ basicSecretFile = config.sops.secrets."kanidm/oauth2/forgejo".path;
+ scopeMaps.grafana_users = [ "openid" "email" "profile" ];
+ claimMaps.grafana_users.valuesByGroup.forgejo_admins = [ "forgejo_admin" ];
+ };
+
 grafana = {
 displayName = "Grafana";
 originUrl = "https://grafana.taild5f7e6.ts.net/login/generic_oauth";
diff --git a/secrets/drone.yaml b/secrets/drone.yaml
index 7acd60e..f73481e 100755
--- a/secrets/drone.yaml
+++ b/secrets/drone.yaml
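Review bot: The scope map of the new `forgejo` client is keyed on `grafana_users`, so Forgejo login is granted to Grafana's group rather than to the `forgejo_users` group this commit creates, and membership of `forgejo_users` on its own authorises nothing; the claim map is keyed the same way, which presumably names the emitted claim `grafana_users`. This reads as a copy-paste slip from the grafana block below it: `scopeMaps.forgejo_users = [ "openid" "email" "profile" ];` and `claimMaps.forgejo_role.valuesByGroup.forgejo_admins = [ "forgejo_admin" ];`, where the claim name is whatever the Forgejo OAuth2 source is configured to read as its group claim — that side is not shown in this commit, so the two need to be checked against each other. The `systems.oauth2` attribute set continues past the end of the hunk.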
@@ -6,6 +6,9 @@ caddy: wo2wz.fyi.key: ENC[AES256_GCM,data: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,iv:bj2qvdXB4aSUIqzN5mRcMpC0cdgK5lQGFQHZQQ/or9g=,tag:zsqkNqyUcjB/YlblwdoOPw==,type:str] cloudflared: 8af2892d-d534-4e32-b867-5b79308a99d5.json: ENC[AES256_GCM,data:4fOlt/pNxQ9CSuKf1ZPv9odtdU+Q7NTlO56xGp5yY0AEZrbpljSlTS/b8dON5iVwRoUjUbUui8+jvDri7ad99e+kZUwzDC2S294oaQyPa5Bl4jrYZSFn6SWZbnBzyV5tVN0hoQlIMQ/oU53TvBAtNrj10toePH7iLB12AmqMCBshWEFUViAJqGcZZMrcarAT453FgtpR+f3vR8Wv90SGc7wHXARJZ4NzEIRmYD4dGA==,iv:1Mt9FJTlT7Sv9FvrNY97icXSi757ejt56lhc7OG1dJM=,tag:JxW5Cg6nPzzh4zxi9Wvw0A==,type:str] +forgejo: + secret-key: ENC[AES256_GCM,data:KFKTo9Qy6rLOmZmSfTIpJ7RLI+MEhttH9W9Orv6KJhoWG+7mzKNg8SK8ejcj4xVakerFd6XwOITTcmS+xQdpVg==,iv:KAJvvg0DfzF2aQPciCQyhZBlKPx4YNPSCX78Bqh3BGQ=,tag:kCeA8DqOtDPUUjRL4aAt9g==,type:str] + internal-token: ENC[AES256_GCM,data:OQYevugICOaLCQxSleATN1cKVDRvfV5paAas8Opzb1qOu+VmXCcJnoJEd7z0oswQo4Tar0ps9KvuYvOsCcJGChb9U2drFjRRpNQaVWZYG5uIZY2QHzA+Ak/a88JGu025czsAFxLbg5Uj,iv:xglBQ+pqoGZcRPu6GJLxSYs9f+G/CgZUze+hPkdn80Y=,tag:hvMdcV6yX1NjpD7zxRFNLA==,type:str] grafana: secrets.env: ENC[AES256_GCM,data:yv7u5+8l7M4PJ4BzCUlTGX8PeFxxVMtS2Pi4yKnvAeZf+4tcz6NFNRjyPeqTFinqmZ8yq+iYA1tBS5Gy9DTHo8TzmhoaWBPI/ZUXQgl5Y7lnGBOyZ6wHlllsP8zbC+zEWW+gRssaXj6yYBuvQTTzfSqSlmZdB7VwhUegiVxMs722jbys1Rl+NE8TKDc384IbwPRAIi6ZO+UH,iv:M/dgcJ++gMH5/sNQDUQvkiJW2n+fSkPCEDZBcFRXWuE=,tag:SocmiehkaCzl9ZB8dNZPZQ==,type:str] kanidm: 
@@ -37,7 +40,7 @@ sops: N0U5bkt4aXJOS3N0Z2N4YTg4TDVUVncKCQLUTMmdM/IPzV3NDRhPdta1tvXxy/6P RYbLzlUryw+tqfTp8nDrdxyOWScLNzPOswAq0Qf7VMcEQ5bJEkAOhQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-01-11T18:41:54Z" - mac: ENC[AES256_GCM,data:3PAGANiT332H89BQnKgES5eolecmdjfbYT14Tr+svutKBao3T+jmcbUotlAS00fzfjnqozEgdDNDeuCTK5UugZsdwJ5RH2QcpL4oV/jTPPoMVpvvKGL9X0z3PdryyloBcTNOYRMk8rEDs7bPCmEZzbshHIcx8PkIaP6BeT0TO/U=,iv:Vvy+gH/rqJA0e/R/WFP8UBfMZgDqqHm5z53gdv5G8r4=,tag:q0amJGRC1fbvqUDHTA2GeQ==,type:str] + lastmodified: "2026-01-15T22:36:28Z" + mac: ENC[AES256_GCM,data:aKyHq9f7NtLPklPRFwY2un40K+0Ar86oMPVZrzoPHhihX3WwyIhZvru8d84+eU6m6z0rS94yUcmVe7i8wcX+oDXvMFbX5nh2RNp3C14oBIP0PHNyA1V3z1dCy4wsc9lcM6x1ah0zEuqIIMTOxLVue4x8XBTneeqK47F6HRoNiWw=,iv:pSGLJxuinPCi1FnfXGsLZwlFoJa6GeOX7/e28e9vFOA=,tag:Imb3gEYz88Hu7SYbdz0lYg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0