From 6014ad7d7a7167333cb0249c1dffd9edbf0bddc1 Mon Sep 17 00:00:00 2001 From: TheGeneralist <180094941+thegeneralist01@users.noreply.github.com> Date: Tue, 6 Jan 2026 14:16:51 +0100 Subject: [PATCH] server: add forgejo and postgresql --- hosts/thegeneralist-central/acme/default.nix | 3 + hosts/thegeneralist-central/configuration.nix | 2 +- .../thegeneralist-central/forgejo/default.nix | 94 +++++++++++++++++++ hosts/thegeneralist-central/site.nix | 1 + lib/default.nix | 3 +- lib/option.nix | 12 +++ modules/common/nix.nix | 2 +- modules/postgresql.nix | 44 +++++++++ 8 files changed, 158 insertions(+), 3 deletions(-) create mode 100644 hosts/thegeneralist-central/forgejo/default.nix create mode 100644 lib/option.nix create mode 100644 modules/postgresql.nix diff --git a/hosts/thegeneralist-central/acme/default.nix b/hosts/thegeneralist-central/acme/default.nix index eca4206..461b078 100644 --- a/hosts/thegeneralist-central/acme/default.nix +++ b/hosts/thegeneralist-central/acme/default.nix @@ -17,6 +17,9 @@ in { extraDomainNames = [ "*.${domain}" ]; group = "acme"; }; + "git.${domain}" = { + group = "acme"; + }; "internal.${domain}" = { group = "acme"; }; diff --git a/hosts/thegeneralist-central/configuration.nix b/hosts/thegeneralist-central/configuration.nix index 38e0e08..1e5ec17 100644 --- a/hosts/thegeneralist-central/configuration.nix +++ b/hosts/thegeneralist-central/configuration.nix @@ -5,7 +5,7 @@ { config, pkgs, inputs, ... }: { - imports = [ ./hardware-configuration.nix ./site.nix ./cache ./archive ]; + imports = [ ./hardware-configuration.nix ./site.nix ./cache ./archive ./forgejo ]; age.secrets.password.file = ./password.age; users.users = { diff --git a/hosts/thegeneralist-central/forgejo/default.nix b/hosts/thegeneralist-central/forgejo/default.nix new file mode 100644 index 0000000..30ca4cf --- /dev/null +++ b/hosts/thegeneralist-central/forgejo/default.nix 
@@ -0,0 +1,94 @@
+let
+ forgejo_root_dir = "/var/lib/forgejo";
+ domain = "git.thegeneralist01.com";
+
+ forgejo_folder = folder_name: "${forgejo_root_dir}/${folder_name}";
+in
+{
+ imports = [ ../../../modules/postgresql.nix ];
+
+ services.forgejo = {
+ enable = true;
+ stateDir = forgejo_folder "state";
+
+ lfs.enable = true;
+
+ settings =
+ let
+ title = "thegeneralist01's forgejo";
+ desc = "the attic of thegeneralist01's random repositories";
+ in
+ {
+ default.APP_NAME = title;
+ "ui.meta" = {
+ AUTHOR = title;
+ DESCRIPTION = desc;
+ };
+
+ attachment.ALLOWED_TYPES = "*/*";
+ cache.ENABLED = true;
+
+ "cron.archive_cleanup" =
+ let
+ interval = "4h";
+ in
+ {
+ SCHEDULE = "@every ${interval}";
+ OLDER_THAN = interval;
+ };
+
+ packages.ENABLED = true;
+ mailer = {
+ ENABLED = false;
+
+ # PROTOCOL = "smtps";
+ # SMTP_ADDR = self.disk.mailserver.fqdn;
+ # USER = "git@${domain}";
+ };
+
+ other = {
+ SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
+ SHOW_FOOTER_VERSION = false;
+ };
+
+ repository = {
+ DEFAULT_BRANCH = "master";
+ DEFAULT_MERGE_STYLE = "rebase-merge";
+ DEFAULT_REPO_UNITS = "repo.code, repo.issues, repo.pulls";
+
+ DEFAULT_PUSH_CREATE_PRIVATE = false;
+ ENABLE_PUSH_CREATE_ORG = true;
+ ENABLE_PUSH_CREATE_USER = true;
+
+ DISABLE_STARS = true;
+ };
+
+ "repository.upload" = {
+ FILE_MAX_SIZE = 100;
+ MAX_FILES = 10;
+ };
+
+ server = {
+ ROOT_URL = "https://${domain}/";
+ DOMAIN = domain;
+ LANDING_PAGE = "/explore";
+
+ HTTP_ADDR = "127.0.0.1";
+ HTTP_PORT = 3000;
+
+ SSH_LISTEN_HOST = "0.0.0.0";
+ SSH_PORT = 2222;
+ SSH_LISTEN_PORT = 2222;
+ };
+
+ service.DISABLE_REGISTRATION = true;
+
+ session = {
+ COOKIE_SECURE = true;
+ SAME_SITE = "strict";
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 2222 ];
+}
diff --git a/hosts/thegeneralist-central/site.nix b/hosts/thegeneralist-central/site.nix
index b16bd1a..afc83f5 100644
--- a/hosts/thegeneralist-central/site.nix
+++ b/hosts/thegeneralist-central/site.nix
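Review bot: The PostgreSQL module is imported at the top of this file but `services.forgejo.database.type` is never set, and the NixOS Forgejo module defaults it to `sqlite3`, so unless another module sets it Forgejo stays on SQLite while a network-listening database server is still brought up for nothing; add `database.type = "postgres";` next to `stateDir` (the module's `createDatabase` default then provisions the role and database over the local socket). With `ENABLE_PUSH_CREATE_USER`/`ENABLE_PUSH_CREATE_ORG` on, `DEFAULT_PUSH_CREATE_PRIVATE = false` makes every repository created by a stray `git push` public by default, so `DEFAULT_PUSH_CREATE_PRIVATE = true;` is the safer default for a personal instance. `SSH_LISTEN_HOST`/`SSH_LISTEN_PORT` only affect Forgejo's builtin SSH server, which is not enabled here (`START_SSH_SERVER` is unset), so the opened port 2222 has no listener unless the system sshd is configured for it elsewhere; either add `START_SSH_SERVER = true;` under `server` or drop the firewall rule. `attachment.ALLOWED_TYPES = "*/*"` also accepts any upload type, which deserves a comment explaining why the default allowlist was widened.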
@@ -98,6 +98,7 @@ in "thegeneralist01.com" = "http://localhost:80"; "www.thegeneralist01.com" = "http://localhost:80"; "cache.thegeneralist01.com" = "http://localhost:80"; + "git.thegeneralist01.com" = "http://localhost:3000"; }; default = "http_status:404"; diff --git a/lib/default.nix b/lib/default.nix index c7e9336..25618e8 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -1,5 +1,6 @@ inputs: self: super: let system = import ./system.nix inputs self super; + option = import ./option.nix inputs self super; in -system +system // option diff --git a/lib/option.nix b/lib/option.nix new file mode 100644 index 0000000..9a8fc34 --- /dev/null +++ b/lib/option.nix @@ -0,0 +1,12 @@ +_: _: super: let + inherit (super) mkOption; +in { + mkConst = value: mkOption { + default = value; + readOnly = true; + }; + + mkValue = default: mkOption { + inherit default; + }; +} diff --git a/modules/common/nix.nix b/modules/common/nix.nix index 130de89..dd01d84 100644 --- a/modules/common/nix.nix +++ b/modules/common/nix.nix @@ -25,7 +25,7 @@ in { "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" ]; - trusted-users = [ "thegeneralist" "central" "root" "@build" "@wheel" "@admin" "jellyfin" ]; + trusted-users = [ "thegeneralist" "central" "root" "@build" "@wheel" "@admin" "jellyfin" "git" ]; builders-use-substitutes = true; }; diff --git a/modules/postgresql.nix b/modules/postgresql.nix new file mode 100644 index 0000000..071069a --- /dev/null +++ b/modules/postgresql.nix 
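Review bot: Adding `"git"` to `trusted-users` in the `modules/common/nix.nix` hunk gives that account full trust on the nix-daemon: it can pass arbitrary `substituters`/`trusted-public-keys` and import unsigned store paths, which the Nix documentation itself describes as root-equivalent. Nothing in this patch creates a `git` user or sets `services.forgejo.user` (the NixOS module's default service account is `forgejo`), so if this is meant for the Forgejo service, a compromise of the web-facing Forgejo process or a malicious repository hook would escalate to root through the daemon. Unless `git` is a dedicated builder account on a host that does not run Forgejo, revert to `trusted-users = [ "thegeneralist" "central" "root" "@build" "@wheel" "@admin" "jellyfin" ];` and let the service use `allowed-users` with signed substitutes instead. Because this file is shared by every host that imports `modules/common`, the grant is not limited to the central server.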
@@ -0,0 +1,44 @@
+# stolen from https://github.com/RGBCube/ncc/blob/94c349aa767f04f40ff4165c70c15ed3c3996f82/modules/postgresql.nix
+{ config, lib, pkgs, ... }: let
+ inherit (lib) flip mkForce mkOverride mkValue;
+in {
+ config.environment.systemPackages = [
+ config.services.postgresql.package
+ ];
+
+ options.services.postgresql.ensure = mkValue [];
+
+ config.services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_17;
+
+ enableJIT = true;
+ enableTCPIP = true;
+
+ settings.listen_addresses = mkForce "::";
+ authentication = mkOverride 10 /* ini */ ''
+ # DATABASE USER AUTHENTICATION
+ local all all peer
+
+ # DATABASE USER ADDRESS AUTHENTICATION
+ host all all ::/0 md5
+ '';
+
+ ensure = [ "postgres" "root" ];
+
+ initdbArgs = [ "--locale=C" "--encoding=UTF8" ];
+ ensureDatabases = config.services.postgresql.ensure;
+
+ ensureUsers = flip map config.services.postgresql.ensure (name: {
+ inherit name;
+
+ ensureDBOwnership = true;
+
+ ensureClauses = {
+ login = true;
+ superuser = name == "postgres" || name == "root";
+ };
+ });
+ };
+}
+
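Review bot: `settings.listen_addresses = mkForce "::"` together with the `host all all ::/0 md5` rule accepts password logins for every role from any address the host firewall lets through, and `md5` is the legacy method PostgreSQL has superseded with `scram-sha-256` (the default `password_encryption` since PG 14). Since `ensure` creates both `postgres` and `root` as login-enabled superusers, a guessed or leaked password on either yields full control of the cluster; this commit does not open 5432 in the firewall, so exposure currently rests on that firewall staying enabled. Nothing in this patch needs remote TCP access (the NixOS Forgejo module talks to PostgreSQL over the local socket by default), so drop `enableTCPIP` and the `mkForce` so the module's default `localhost` applies, and change the host rule to `host all all ::1/128 scram-sha-256` (plus `host all all 127.0.0.1/32 scram-sha-256` if IPv4 clients are expected). `mkOverride 10` also prevents any host from tightening `authentication` without an even lower priority; `mkDefault` would keep this as the baseline while letting per-host configs override it.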