{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.profile.services.forgejo;

  # Public hostname, listener socket and port used to build ROOT_URL. Shared
  # by both front-end definitions, the Forgejo server section and the runner.
  domain = "git.tigor.web.id";
  socket = "/run/forgejo/forgejo.sock";
  httpPort = 443;
  hostName = config.networking.hostName;

  # Image used for jobs labelled docker/ubuntu; "native:host" jobs run with no
  # container at all.
  actImage = "docker://ghcr.io/catthehacker/ubuntu:act-22.04";
in
{
  config = lib.mkIf cfg.enable {
    # --- nginx front-end ---------------------------------------------------
    # TLS is terminated with the parent-domain certificate and everything is
    # proxied to the unix socket. A visitor to the bare root without the
    # "gitea_incredible" cookie is sent to /Tigor. That redirect is a landing
    # page convenience, not an access control: every other path is proxied
    # untouched by the "/" location, so Forgejo's own auth protects content.
    services.nginx.virtualHosts.${domain} = {
      useACMEHost = "tigor.web.id";
      forceSSL = true;
      locations."= /" = {
        # nginx `if` inside a location is only safe with return/rewrite,
        # which is all this block does.
        extraConfig =
          #nginx
          ''
            if ($http_cookie !~ "gitea_incredible") {
              rewrite ^(.*)$ /Tigor redirect;
            }
          '';
        proxyPass = "http://unix:${socket}";
      };
      locations."/".proxyPass = "http://unix:${socket}";
    };
    security.acme.certs."tigor.web.id".extraDomainNames = [ domain ];

    # --- caddy front-end (same behaviour as the nginx block) --------------
    # Both virtual hosts are declared; which one is live depends on which web
    # server this host enables elsewhere — presumably only one of them.
    services.caddy.virtualHosts.${domain}.extraConfig = ''
      @home_not_login {
        not header_regexp Cookie gitea_incredible
        path /
      }
      redir @home_not_login /Tigor

      reverse_proxy * unix/${socket}
    '';

    services.forgejo = {
      enable = true;
      settings = {
        server = {
          # Forgejo listens on the unix socket only; HTTP_PORT is not bound
          # here, it just completes ROOT_URL, which the runner registers against.
          PROTOCOL = "http+unix";
          DOMAIN = domain;
          HTTP_PORT = httpPort;
          ROOT_URL = "https://${domain}:${toString httpPort}";
        };
        # No self-service sign-up, so the set of accounts able to push
        # workflows to the privileged runner below is admin-controlled.
        service.DISABLE_REGISTRATION = true;
        # Session cookie carries the Secure flag; consistent with forceSSL.
        session.COOKIE_SECURE = true;
      };
    };

    # Runner registration token, decrypted by sops at activation time.
    sops.secrets."forgejo/runners/global".sopsFile = ../../secrets/forgejo.yaml;

    services.gitea-actions-runner = {
      package = pkgs.forgejo-runner;
      instances.${hostName} = {
        enable = true;
        name = hostName;
        url = config.services.forgejo.settings.server.ROOT_URL;
        tokenFile = config.sops.secrets."forgejo/runners/global".path;
        # Tools on PATH for jobs that run with the "native:host" label.
        # Order is kept as written; it determines precedence on PATH.
        hostPackages = [
          pkgs.bash
          pkgs.coreutils
          pkgs.curl
          pkgs.gawk
          pkgs.gitMinimal
          pkgs.gnused
          pkgs.nodejs
          pkgs.wget
          pkgs.typst
        ];
        settings = {
          runner = {
            capacity = 2;
            timeout = "1h";
          };
          cache.enabled = true;
          # NOTE(review): privileged job containers plus valid_volumes "**"
          # allow a workflow to mount any host path, and the "native:host"
          # label runs jobs with no container at all. In effect, anyone who
          # can trigger a workflow on this instance has root-equivalent
          # access to this machine. That only holds while registration stays
          # disabled and the account set is trusted; revisit both settings
          # before widening who can push to this instance.
          container = {
            privileged = true;
            # docker_host = "unix:///var/run/docker.sock";
            valid_volumes = [ "**" ];
          };
        };
        labels = [
          "docker:${actImage}"
          "ubuntu:${actImage}"
          "native:host"
        ];
      };
    };
  };
}