forgejo: init

2026-01-19 15:47:16 -05:00 · 2026-01-19 15:47:16 -05:00 · d20c3cade4
commit d20c3cade4
parent 6f9465b890
4 changed files with 92 additions and 2 deletions
--- a/modules/nixos/services/homeserver/default.nix
+++ b/modules/nixos/services/homeserver/default.nix
@ -6,6 +6,7 @@
    ./restic
    ./caddy.nix
    ./cloudflared.nix
+    ./forgejo.nix
    ./jellyfin.nix
    ./kanidm.nix
    ./nextcloud.nix
--- a/modules/nixos/services/homeserver/forgejo.nix
+++ b/modules/nixos/services/homeserver/forgejo.nix
@ -0,0 +1,70 @@
+{ config, lib, ... }:
+
+{
+  sops.secrets = {
+    "forgejo/secret-key" = {
+      owner = "forgejo";
+      group = "forgejo";
+    };
+    "forgejo/internal-token" = {
+      owner = "forgejo";
+      group = "forgejo";
+    };
+  };
+
+  services.caddy.virtualHosts."git.wo2wz.fyi".extraConfig =
+  assert config.services.caddy.enable;
+  ''
+    import default-settings
+    import cloudflare-tls
+
+    reverse_proxy localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}
+  '';
+
+  services.forgejo = {
+    enable = true;
+    secrets.security = {
+      SECRET_KEY = lib.mkForce config.sops.secrets."forgejo/secret-key".path;
+      INTERNAL_TOKEN = lib.mkForce config.sops.secrets."forgejo/internal-token".path;
+    };
+    settings = {
+      DEFAULT = {
+        APP_NAME = "Wo2wz's Git";
+        APP_SLOGAN = "Powered by NixOS";
+        APP_DISPLAY_NAME_FORMAT = "{APP_NAME} - {APP_SLOGAN}";
+      };
+
+      "ui.meta" = {
+        AUTHOR = "Wo2wz's forgejo";
+        DESCRIPTION = ''in the forged jo, straight up "committing" it, and by "it" lets just say... my git'';
+      };
+
+      server = {
+        HTTP_ADDR = "127.0.0.1";
+        HTTP_PORT = 8008;
+
+        DOMAIN = "git.wo2wz.fyi";
+        ROOT_URL = "https://git.wo2wz.fyi/";
+      };
+      
+      database.SQLITE_JOURNAL_MODE = "WAL";
+      cache = {
+        ADAPTER = "twoqueue";
+        HOST = ''{"size":100, "recent_ratio":0.25, "ghost_ratio":0.5}'';
+      };
+
+      openid = {
+        ENABLE_OPENID_SIGNUP = true;
+        ENABLE_OPENID_SIGNIN = true;
+      };
+      service = {
+        ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+        ENABLE_INTERNAL_SIGNIN = false;
+      };
+
+      session.COOKIE_SECURE = true;
+
+      actions.ENABLED = false;
+    };
+  };
+}
--- a/modules/nixos/services/homeserver/kanidm.nix
+++ b/modules/nixos/services/homeserver/kanidm.nix
@ -5,6 +5,7 @@
    "acme/secrets.env" = {};
  }
  // lib.genAttrs [
+    "kanidm/oauth2/forgejo"
    "kanidm/oauth2/grafana"
    "kanidm/oauth2/jellyfin"
    "kanidm/oauth2/nextcloud"
@ -69,28 +70,43 @@
        mailAddresses = [ "wo2w@kanidm.wo2wz.fyi" ];

        groups = [
+          "forgejo_users"
          "grafana_users"
          "jellyfin_users"
          "nextcloud_users"
          "vaultwarden_users"

+          "forgejo_admins"
          "grafana_admins"
          "jellyfin_admins"
        ];
      };

      groups = lib.genAttrs [
+        "forgejo_users"
        "grafana_users"
        "jellyfin_users"
        "nextcloud_users"
        "vaultwarden_users"
      ] (x: {})
      // {
+        forgejo_admins.members = [ "forgejo_users" ];
        grafana_admins.members = [ "grafana_users" ];
        jellyfin_admins.members = [ "jellyfin_users" ];
      };

      systems.oauth2 = {
+        forgejo = {
+          displayName = "Forgejo";
+          originUrl = "https://git.wo2wz.fyi/user/oauth2/Kanidm/callback";
+          originLanding = "https://git.wo2wz.fyi";
+
+          preferShortUsername = true;
+          basicSecretFile = config.sops.secrets."kanidm/oauth2/forgejo".path;
+          scopeMaps.grafana_users = [ "openid" "email" "profile" ];
+          claimMaps.grafana_users.valuesByGroup.forgejo_admins = [ "forgejo_admin" ];
+        };
+
        grafana = {
          displayName = "Grafana";
          originUrl = "https://grafana.taild5f7e6.ts.net/login/generic_oauth";