wo2w/nixos-config
1
0
Fork 0
Code Issues Pull requests Activity

forgejo: init

Browse source
This commit is contained in:
wo2w 2026-01-19 15:47:16 -05:00
parent 6f9465b890
commit d20c3cade4
4 changed files with 92 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

1
modules/nixos/services/homeserver/default.nix
View file

@ -6,6 +6,7 @@
./restic
./caddy.nix
./cloudflared.nix
./forgejo.nix
./jellyfin.nix
./kanidm.nix
./nextcloud.nix

70
modules/nixos/services/homeserver/forgejo.nix Normal file
View file

@ -0,0 +1,70 @@
{ config, lib, ... }:
{
sops.secrets = {
"forgejo/secret-key" = {
owner = "forgejo";
group = "forgejo";
};
"forgejo/internal-token" = {
owner = "forgejo";
group = "forgejo";
};
};
services.caddy.virtualHosts."git.wo2wz.fyi".extraConfig =
assert config.services.caddy.enable;
''
import default-settings
import cloudflare-tls
reverse_proxy localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}
'';
services.forgejo = {
enable = true;
secrets.security = {
SECRET_KEY = lib.mkForce config.sops.secrets."forgejo/secret-key".path;
INTERNAL_TOKEN = lib.mkForce config.sops.secrets."forgejo/internal-token".path;
};
settings = {
DEFAULT = {
APP_NAME = "Wo2wz's Git";
APP_SLOGAN = "Powered by NixOS";
APP_DISPLAY_NAME_FORMAT = "{APP_NAME} - {APP_SLOGAN}";
};
"ui.meta" = {
AUTHOR = "Wo2wz's forgejo";
DESCRIPTION = ''in the forged jo, straight up "committing" it, and by "it" lets just say... my git'';
};
server = {
HTTP_ADDR = "127.0.0.1";
HTTP_PORT = 8008;
DOMAIN = "git.wo2wz.fyi";
ROOT_URL = "https://git.wo2wz.fyi/";
};
database.SQLITE_JOURNAL_MODE = "WAL";
cache = {
ADAPTER = "twoqueue";
HOST = ''{"size":100, "recent_ratio":0.25, "ghost_ratio":0.5}'';
};
openid = {
ENABLE_OPENID_SIGNUP = true;
ENABLE_OPENID_SIGNIN = true;
};
service = {
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
ENABLE_INTERNAL_SIGNIN = false;
};
session.COOKIE_SECURE = true;
actions.ENABLED = false;
};
};
}

16
modules/nixos/services/homeserver/kanidm.nix
View file

@ -5,6 +5,7 @@
"acme/secrets.env" = {};
}
// lib.genAttrs [
"kanidm/oauth2/forgejo"
"kanidm/oauth2/grafana"
"kanidm/oauth2/jellyfin"
"kanidm/oauth2/nextcloud"
@ -69,28 +70,43 @@
mailAddresses = [ "wo2w@kanidm.wo2wz.fyi" ];
groups = [
"forgejo_users"
"grafana_users"
"jellyfin_users"
"nextcloud_users"
"vaultwarden_users"
"forgejo_admins"
"grafana_admins"
"jellyfin_admins"
];
};
groups = lib.genAttrs [
"forgejo_users"
"grafana_users"
"jellyfin_users"
"nextcloud_users"
"vaultwarden_users"
] (x: {})
// {
forgejo_admins.members = [ "forgejo_users" ];
grafana_admins.members = [ "grafana_users" ];
jellyfin_admins.members = [ "jellyfin_users" ];
};
systems.oauth2 = {
forgejo = {
displayName = "Forgejo";
originUrl = "https://git.wo2wz.fyi/user/oauth2/Kanidm/callback";
originLanding = "https://git.wo2wz.fyi";
preferShortUsername = true;
basicSecretFile = config.sops.secrets."kanidm/oauth2/forgejo".path;
scopeMaps.grafana_users = [ "openid" "email" "profile" ];
claimMaps.grafana_users.valuesByGroup.forgejo_admins = [ "forgejo_admin" ];
};
grafana = {
displayName = "Grafana";
originUrl = "https://grafana.taild5f7e6.ts.net/login/generic_oauth";

7
secrets/drone.yaml
View file

@ -6,6 +6,9 @@ caddy:
wo2wz.fyi.key: ENC[AES256_GCM,data:8uiuUyVx9yTtRQFR8DBpE5nh39pbsevlU1YFoKu2I/mO6Z1rS1LfUGh4fH6KuKqh1CNtd+e4JYtpUigCrWwcFg5th6K7tj7Zs+4bxigIn7DFpD38wko+1I2BoUOS6nyIgBJ8RL7DDlldS2K/Pow6F6j9kflha6sjUQ5ZFOeoWW1HV6GRNPKlk4/TDueRbYZKsPM0KeDRyCntbDWLE4ap2vLUvIGYoQAk+Ng5Xt3LMKeG2/LBUXp+EU7m4R1WHsmzHjIKtT7qgkhSvg6RwelBVFutp3fg3GbSEsC96D76osNsWNM/tDCqyu8VpG5fIYNXS+aS06wdvCmcvm13Qa1wnYMCvN7GrfNG+4BrarxrGBeb00UU1zBM11vNUyg2sWAhIrOt+5aTHM55rrcjNxJz+3OxEpEtkH7bKl6aL0Yk0/qxRFYHoBaAiRVd3kQ/2FbgTXF336fF40UGSSEoQ/y3Tbp0ad0rpqnxwP1mzK2s+blK5ljBQF3+vNyhQUbhmns3xZN063gvgE6OnK10RcnoKszQpPJ0uHEnjaHxHPkh1BxEgGHhH615+xcLT9O3jWUE/gONBEMQwBaL/f0qxPZZQrR837Yp3QphFrdfo8aobLNlGWZPgAmaphI09CEkDt9IiwM0GmbgoSMLa8uGaBY24W8q294zQwJtpjMt0ALSTEA1h4GdXpyM+iIDhCN5t8AENhFGF65cvHeKk9vvKkFIFOh4PXV/ITQd5VG3CSLgaKCbK3DA2TqFGscL1zf2j8crAR/ZajwTij+IEZd9qIutDE9al4zsSFD6EnkvKPAelC91MZ5S0UZ+c7HWY3j+BtYSEloq9hqZIW7eGO0HIPvhtVMHWlj6E8ujv3Jm0k0WnJ/pP2kEQGMfmutFSx/hAcb/vxs497i5H9oI7CY+yTIFZQiCjNy14m3sKR9dSCe0js7+fjP66KzKnJcoOyJRaOOE8zEz0pU8dgJiTF4mrGD0DTVLmBSq3l5GOOlH0a4FjOVqMzTy0NrbEAoTfqnPcBHhczbXQs+1NjNI2SwWXhSkXZbtnlPJKDUsHv9gjfUQOzL0jQGfmjy/CzEXq5dQUU/gl28i9/HehOvb84IE7hQIKL0Ddn7a8YJDzB0LfEadPjXA5R4sbml69SmUYNWQKQDmABfqM1nB45v/2+f5uzYe+fCxJiP89PR/FEWNvxipf8C9yMO3N+wjj05z4n0UK8q3YwxzZ35ry1kjOHelzXKTI9IakQ5yDlkX8ahDOrG01+qRRLQNoc6e2q7aEhTdNa1mY6ndhRHl1EV8Ed4As/77qDQOiVM6lhykdMdb/BI4d3qBVXwNqRH2kNOQig6mWmSKYL5YEA9sWOQ+CbK3j7TNGZPl8n4u7ya1zcP1m67vCFvc2Fr7rsKJOxoZzH22elfuE6hw6pHAv1m3iV8SYct2yDz81ngUYLzU5MBi8To/GgQIMVDoa4dZrh5aZtZ0OQpH/atQf+UfQS0GcrWw2o+HY96TaDMvGHSGDgE+lOM2ccoJLVFxNoZLqhYOxuK1CxMyd9DM8bjV/YExYritxG/D577M/bSJtpar+AAPrBp5RMjybhsnyxTPahQvihZz07Q4rLZIXjxr2eW04ijI8DBTDXX9uftUc8vDdY4dSy0CKoZ080ziDl6LLO3fVahuXQ6gmwrZdJ9W48Yt0Zc8eiDMZsQV/32IVJocvniZIIkS5nJA09+qoKCQGd+lW0uxjeiRTMYQWXVN7ktnmjaEeDeg1uqAF9QMdhwXGgVyPAppzp7u1s2tXAp8dZoPamczVLpktUg6kEcrDJHEVMTD8Zyoi+koy2C/g331E7Npe/jBrX3m8EBfE2nNBo17BBV7tRn8yBBGHLerw/4IjoOPZrF0NWcvJE/Xirx6lphBhu/JpFvDsfrO3v8qOClgadGIMbf4bA0UQ8NsqCvTmr95+5T7XpsK++YqlznEV4QveQwfxg67A9/uUyurBoidjx/dyMkFHjepk3TB05GZOKk6xuOwt9QhDq192ta2+PAyOoWJQMeexrIELKU1e1652zP+DQv797aqKRvE9og9Pog88VPHOg+8IJe534P9LCVdeTEV2WgfsY5Pj7Vp1qQft+d8aSCftFuQ2/umKlxaxnV/A2mXZcpZE0YQs9IE+P3YjqmqCfvkIzAGVr/HH2o5EdkYCBmuma296zgSyeQ2QfqYVcP09jkQLeCUKJAVEpvSV/TNWdzU8Hse58y7dZtabjcrXNJcv4V6sIaIUzk0D0QjqXxW8etZtglv3uWz,iv:bj2qvdXB4aSUIqzN5mRcMpC0cdgK5lQGFQHZQQ/or9g=,tag:zsqkNqyUcjB/YlblwdoOPw==,type:str]
cloudflared:
8af2892d-d534-4e32-b867-5b79308a99d5.json: ENC[AES256_GCM,data:4fOlt/pNxQ9CSuKf1ZPv9odtdU+Q7NTlO56xGp5yY0AEZrbpljSlTS/b8dON5iVwRoUjUbUui8+jvDri7ad99e+kZUwzDC2S294oaQyPa5Bl4jrYZSFn6SWZbnBzyV5tVN0hoQlIMQ/oU53TvBAtNrj10toePH7iLB12AmqMCBshWEFUViAJqGcZZMrcarAT453FgtpR+f3vR8Wv90SGc7wHXARJZ4NzEIRmYD4dGA==,iv:1Mt9FJTlT7Sv9FvrNY97icXSi757ejt56lhc7OG1dJM=,tag:JxW5Cg6nPzzh4zxi9Wvw0A==,type:str]
forgejo:
secret-key: ENC[AES256_GCM,data:KFKTo9Qy6rLOmZmSfTIpJ7RLI+MEhttH9W9Orv6KJhoWG+7mzKNg8SK8ejcj4xVakerFd6XwOITTcmS+xQdpVg==,iv:KAJvvg0DfzF2aQPciCQyhZBlKPx4YNPSCX78Bqh3BGQ=,tag:kCeA8DqOtDPUUjRL4aAt9g==,type:str]
internal-token: ENC[AES256_GCM,data:OQYevugICOaLCQxSleATN1cKVDRvfV5paAas8Opzb1qOu+VmXCcJnoJEd7z0oswQo4Tar0ps9KvuYvOsCcJGChb9U2drFjRRpNQaVWZYG5uIZY2QHzA+Ak/a88JGu025czsAFxLbg5Uj,iv:xglBQ+pqoGZcRPu6GJLxSYs9f+G/CgZUze+hPkdn80Y=,tag:hvMdcV6yX1NjpD7zxRFNLA==,type:str]
grafana:
secrets.env: ENC[AES256_GCM,data:yv7u5+8l7M4PJ4BzCUlTGX8PeFxxVMtS2Pi4yKnvAeZf+4tcz6NFNRjyPeqTFinqmZ8yq+iYA1tBS5Gy9DTHo8TzmhoaWBPI/ZUXQgl5Y7lnGBOyZ6wHlllsP8zbC+zEWW+gRssaXj6yYBuvQTTzfSqSlmZdB7VwhUegiVxMs722jbys1Rl+NE8TKDc384IbwPRAIi6ZO+UH,iv:M/dgcJ++gMH5/sNQDUQvkiJW2n+fSkPCEDZBcFRXWuE=,tag:SocmiehkaCzl9ZB8dNZPZQ==,type:str]
kanidm:
@ -37,7 +40,7 @@ sops:
N0U5bkt4aXJOS3N0Z2N4YTg4TDVUVncKCQLUTMmdM/IPzV3NDRhPdta1tvXxy/6P
RYbLzlUryw+tqfTp8nDrdxyOWScLNzPOswAq0Qf7VMcEQ5bJEkAOhQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-11T18:41:54Z"
mac: ENC[AES256_GCM,data:3PAGANiT332H89BQnKgES5eolecmdjfbYT14Tr+svutKBao3T+jmcbUotlAS00fzfjnqozEgdDNDeuCTK5UugZsdwJ5RH2QcpL4oV/jTPPoMVpvvKGL9X0z3PdryyloBcTNOYRMk8rEDs7bPCmEZzbshHIcx8PkIaP6BeT0TO/U=,iv:Vvy+gH/rqJA0e/R/WFP8UBfMZgDqqHm5z53gdv5G8r4=,tag:q0amJGRC1fbvqUDHTA2GeQ==,type:str]
lastmodified: "2026-01-15T22:36:28Z"
mac: ENC[AES256_GCM,data:aKyHq9f7NtLPklPRFwY2un40K+0Ar86oMPVZrzoPHhihX3WwyIhZvru8d84+eU6m6z0rS94yUcmVe7i8wcX+oDXvMFbX5nh2RNp3C14oBIP0PHNyA1V3z1dCy4wsc9lcM6x1ah0zEuqIIMTOxLVue4x8XBTneeqK47F6HRoNiWw=,iv:pSGLJxuinPCi1FnfXGsLZwlFoJa6GeOX7/e28e9vFOA=,tag:Imb3gEYz88Hu7SYbdz0lYg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0