depot/cluster/services/forge/server.nix

120 lines
3.6 KiB
Nix

{ cluster, config, depot, lib, pkgs, ... }:
let
inherit (depot.lib.meta) domain;
inherit (depot.lib.nginx) vhosts;
inherit (config.age) secrets;
patroni = cluster.config.links.patroni-pg-access;
host = "forge.${domain}";
link = cluster.config.hostLinks.${config.networking.hostName}.forge;
exe = lib.getExe config.services.forgejo.package;
in
{
system.ascensions.forgejo = {
requiredBy = [ "forgejo.service" ];
before = [ "forgejo.service" ];
incantations = i: [
(i.execShell "chown -R forgejo:forgejo /srv/storage/private/forge")
(i.execShell "rm -rf /srv/storage/private/forge/data/{attachments,lfs,avatars,repo-avatars,repo-archive,packages,actions_log,actions_artifacts}")
];
};
age.secrets = {
forgejoOidcSecret = {
file = ./credentials/forgejo-oidc-secret.age;
owner = "forgejo";
};
forgejoDbCredentials = {
file = ./credentials/forgejo-db-credentials.age;
owner = "forgejo";
};
forgejoS3AccessKeyID = {
file = ./credentials/forgejo-s3-access-key-id.age;
owner = "forgejo";
};
forgejoS3SecretAccessKey = {
file = ./credentials/forgejo-s3-secret-access-key.age;
owner = "forgejo";
};
};
services.forgejo = {
enable = true;
package = depot.packages.forgejo;
stateDir = "/srv/storage/private/forge";
database = {
createDatabase = false;
type = "postgres";
host = patroni.ipv4;
inherit (patroni) port;
name = "forge";
user = "forge";
passwordFile = secrets.forgejoDbCredentials.path;
};
settings = {
DEFAULT = {
APP_NAME = "The Forge";
};
server = {
DOMAIN = host;
ROOT_URL = "https://${host}/";
PROTOCOL = link.protocol;
HTTP_ADDR = link.ipv4;
HTTP_PORT = link.port;
};
oauth2_client = {
REGISTER_EMAIL_CONFIRM = false;
ENABLE_AUTO_REGISTRATION = true;
ACCOUNT_LINKING = "auto";
UPDATE_AVATAR = true;
};
session.COOKIE_SECURE = true;
service = {
DISABLE_REGISTRATION = false;
ALLOW_ONLY_INTERNAL_REGISTRATION = false;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
};
storage = {
STORAGE_TYPE = "minio";
MINIO_ENDPOINT = cluster.config.links.garageS3.hostname;
MINIO_BUCKET = "forgejo";
MINIO_USE_SSL = true;
MINIO_BUCKET_LOOKUP = "path";
SERVE_DIRECT = true;
};
log.ENABLE_XORM_LOG = false;
# enabling this will leak secrets to the log
database.LOG_SQL = false;
};
secrets = {
storage = {
MINIO_ACCESS_KEY_ID = secrets.forgejoS3AccessKeyID.path;
MINIO_SECRET_ACCESS_KEY = secrets.forgejoS3SecretAccessKey.path;
};
};
};
systemd.services.forgejo.preStart = let
providerName = "PrivateVoidAccount";
args = lib.escapeShellArgs [
"--name" providerName
"--provider" "openidConnect"
"--key" "net.privatevoid.forge1"
"--auto-discover-url" "https://login.${domain}/auth/realms/master/.well-known/openid-configuration"
"--group-claim-name" "groups"
"--admin-group" "/forge_admins@${domain}"
];
in lib.mkAfter /*bash*/ ''
providerId="$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)"
if [[ -z "$providerId" ]]; then
FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${secrets.forgejoOidcSecret.path})" ${exe} admin auth add-oauth ${args}
else
FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${secrets.forgejoOidcSecret.path})" ${exe} admin auth update-oauth --id "$providerId" ${args}
fi
'';
}