server: add forgejo and postgresql

2026-01-09 15:10:24 +01:00 · 2026-01-06 14:16:51 +01:00 · 2026-01-06 14:16:51 +01:00 · 6014ad7d7a
commit 6014ad7d7a
parent 27d347d3c8
8 changed files with 158 additions and 3 deletions
--- a/hosts/thegeneralist-central/acme/default.nix
+++ b/hosts/thegeneralist-central/acme/default.nix
@ -17,6 +17,9 @@ in {
        extraDomainNames = [ "*.${domain}" ];
        group = "acme";
      };
+      "git.${domain}" = {
+        group = "acme";
+      };
      "internal.${domain}" = {
        group = "acme";
      };
--- a/hosts/thegeneralist-central/configuration.nix
+++ b/hosts/thegeneralist-central/configuration.nix
@ -5,7 +5,7 @@
 { config, pkgs, inputs, ... }:

 {
-  imports = [ ./hardware-configuration.nix ./site.nix ./cache ./archive ];
+  imports = [ ./hardware-configuration.nix ./site.nix ./cache ./archive ./forgejo ];

  age.secrets.password.file = ./password.age;
  users.users = {
--- a/hosts/thegeneralist-central/forgejo/default.nix
+++ b/hosts/thegeneralist-central/forgejo/default.nix
@ -0,0 +1,94 @@
+let
+  forgejo_root_dir = "/var/lib/forgejo";
+  domain = "git.thegeneralist01.com";
+
+  forgejo_folder = folder_name: "${forgejo_root_dir}/${folder_name}";
+in
+{
+  imports = [ ../../../modules/postgresql.nix ];
+
+  services.forgejo = {
+    enable = true;
+    stateDir = forgejo_folder "state";
+
+    lfs.enable = true;
+
+    settings =
+      let
+        title = "thegeneralist01's forgejo";
+        desc = "the attic of thegeneralist01's random repositories";
+      in
+      {
+        default.APP_NAME = title;
+        "ui.meta" = {
+          AUTHOR = title;
+          DESCRIPTION = desc;
+        };
+
+        attachment.ALLOWED_TYPES = "*/*";
+        cache.ENABLED = true;
+
+        "cron.archive_cleanup" =
+          let
+            interval = "4h";
+          in
+          {
+            SCHEDULE = "@every ${interval}";
+            OLDER_THAN = interval;
+          };
+
+        packages.ENABLED = true;
+        mailer = {
+          ENABLED = false;
+
+          # PROTOCOL = "smtps";
+          # SMTP_ADDR = self.disk.mailserver.fqdn;
+          # USER = "git@${domain}";
+        };
+
+        other = {
+          SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
+          SHOW_FOOTER_VERSION = false;
+        };
+
+        repository = {
+          DEFAULT_BRANCH = "master";
+          DEFAULT_MERGE_STYLE = "rebase-merge";
+          DEFAULT_REPO_UNITS = "repo.code, repo.issues, repo.pulls";
+
+          DEFAULT_PUSH_CREATE_PRIVATE = false;
+          ENABLE_PUSH_CREATE_ORG = true;
+          ENABLE_PUSH_CREATE_USER = true;
+
+          DISABLE_STARS = true;
+        };
+
+        "repository.upload" = {
+          FILE_MAX_SIZE = 100;
+          MAX_FILES = 10;
+        };
+
+        server = {
+          ROOT_URL = "https://${domain}/";
+          DOMAIN = domain;
+          LANDING_PAGE = "/explore";
+
+          HTTP_ADDR = "127.0.0.1";
+          HTTP_PORT = 3000;
+
+          SSH_LISTEN_HOST = "0.0.0.0";
+          SSH_PORT = 2222;
+          SSH_LISTEN_PORT = 2222;
+        };
+
+        service.DISABLE_REGISTRATION = true;
+
+        session = {
+          COOKIE_SECURE = true;
+          SAME_SITE = "strict";
+        };
+      };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 2222 ];
+}
--- a/hosts/thegeneralist-central/site.nix
+++ b/hosts/thegeneralist-central/site.nix
@ -98,6 +98,7 @@ in
          "thegeneralist01.com" = "http://localhost:80";
          "www.thegeneralist01.com" = "http://localhost:80";
          "cache.thegeneralist01.com" = "http://localhost:80";
+          "git.thegeneralist01.com" = "http://localhost:3000";
        };
        default = "http_status:404";

--- a/lib/default.nix
+++ b/lib/default.nix
@ -1,5 +1,6 @@
 inputs: self: super:
 let
  system = import ./system.nix inputs self super;
+  option = import ./option.nix inputs self super;
 in
-system
+system // option
--- a/lib/option.nix
+++ b/lib/option.nix
@ -0,0 +1,12 @@
+_: _: super: let
+  inherit (super) mkOption;
+in {
+  mkConst = value: mkOption {
+    default  = value;
+    readOnly = true;
+  };
+
+  mkValue = default: mkOption {
+    inherit default;
+  };
+}
--- a/modules/common/nix.nix
+++ b/modules/common/nix.nix
@ -25,7 +25,7 @@ in {
      "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
    ];

-    trusted-users = [ "thegeneralist" "central" "root" "@build" "@wheel" "@admin" "jellyfin" ];
+    trusted-users = [ "thegeneralist" "central" "root" "@build" "@wheel" "@admin" "jellyfin" "git" ];

    builders-use-substitutes = true;
  };
--- a/modules/postgresql.nix
+++ b/modules/postgresql.nix
@ -0,0 +1,44 @@
+# stolen from https://github.com/RGBCube/ncc/blob/94c349aa767f04f40ff4165c70c15ed3c3996f82/modules/postgresql.nix
+{ config, lib, pkgs, ... }: let
+  inherit (lib) flip mkForce mkOverride mkValue;
+in {
+  config.environment.systemPackages = [
+    config.services.postgresql.package
+  ];
+
+  options.services.postgresql.ensure = mkValue [];
+
+  config.services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_17;
+
+    enableJIT   = true;
+    enableTCPIP = true;
+
+    settings.listen_addresses = mkForce "::";
+    authentication            = mkOverride 10 /* ini */ ''
+      #     DATABASE USER        AUTHENTICATION
+      local all      all         peer
+
+      #     DATABASE USER ADDRESS AUTHENTICATION
+      host  all      all  ::/0    md5
+    '';
+
+    ensure = [ "postgres" "root" ];
+
+    initdbArgs      = [ "--locale=C" "--encoding=UTF8" ];
+    ensureDatabases = config.services.postgresql.ensure;
+
+    ensureUsers = flip map config.services.postgresql.ensure (name: {
+      inherit name;
+
+      ensureDBOwnership = true;
+
+      ensureClauses = {
+        login       = true;
+        superuser   = name == "postgres" || name == "root";
+      };
+    });
+  };
+}
+