forgejo: setup

system/services/cockpit.nix

@@ -8,11 +8,9 @@ in
     environment.systemPackages = mkIf config.profile.podman.enable [
       (pkgs.callPackage ../packages/cockpit-podman.nix { })
     ];
-    sops.secrets."cockpit" = {
+    services.caddy.virtualHosts."cockpit.tigor.web.id".extraConfig = ''
-      sopsFile = ../../secrets/caddy_reverse_proxy.yaml;
+      reverse_proxy 0.0.0.0:9090
-      path = "/etc/caddy/sites-enabled/cockpit";
+    '';
-      mode = "0440";
-    };
     services.cockpit = {
       enable = true;
       openFirewall = true;

system/services/default.nix

@@ -3,6 +3,7 @@
   imports = [
     ./caddy.nix
     ./cockpit.nix
+    ./forgejo.nix
     ./samba.nix
   ];
 }

system/services/forgejo.nix

@@ -5,18 +5,28 @@ let
 in
 {
   config = mkIf cfg.enable {
-    sops.secrets."forgejo" = {
+    services.caddy.virtualHosts."git.tigor.web.id".extraConfig = ''
-      sopsFile = ../../secrets/caddy_reverse_proxy.yaml;
+      reverse_proxy * unix//run/forgejo/forgejo.sock
-      path = "/etc/caddy/sites-enabled/forgejo";
+    '';
-      mode = "0440";
+
-    };
 
     services.forgejo = {
       enable = true;
       settings = {
-        server.PROTOCOL = "http+unix";
+        server = {
+          PROTOCOL = "http+unix";
+          SSH_PORT = 2222;
+          DOMAIN = "git.tigor.web.id";
+          HTTP_PORT = 443;
+          ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}:${toString config.services.forgejo.settings.server.HTTP_PORT}";
+        };
+        service = {
+          DISABLE_REGISTRATION = true;
+        };
         session.COOKIE_SECURE = true;
       };
     };
+
+    networking.firewall.allowedTCPPorts = [ config.services.forgejo.settings.server.SSH_PORT ];
   };
 }