diff --git a/moduler/services/forgejo/default.nix b/moduler/services/forgejo/default.nix
index d45ec8c..8b82304 100644
--- a/moduler/services/forgejo/default.nix
+++ b/moduler/services/forgejo/default.nix
@@ -16,12 +16,17 @@ with lib;
     port = lib.mkOption {
       type = lib.types.int;
       default = 8003;
-      description = "The port that Actual is served on.";
+      description = "The port that Forgejo is served on.";
+    };
+    sshPort = lib.mkOption {
+      type = lib.types.int;
+      default = 3022;
+      description = "The ssh port that Forgejo is served on.";
     };
     domain = lib.mkOption {
       type = lib.types.str;
       default = "git.wastring.com";
-      description = "The hostname that Actual is served on.";
+      description = "The hostname that Forgejo is served on.";
     };
   };
 };
@@ -52,6 +57,37 @@ with lib;
       # ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
     '';
+    systemd.sockets.forgejo = {
+      requiredBy = [ "forgejo.service" ];
+      wantedBy = [ "sockets.target" ];
+      listenStreams = [
+        (toString config.services.forgejo.settings.server.SSH_PORT)
+      ];
+    };
+    sops.secrets.forgejo-runner-token = {};
+    services.gitea-actions-runner = {
+      package = pkgs.forgejo-actions-runner;
+      instances.default = {
+        enable = true;
+        name = "monolith";
+        url = "https://git.wastring.com";
+        # Obtaining the path to the runner token file may differ
+        # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd
+        tokenFile = config.sops.secrets.forgejo-runner-token.path;
+        labels = [
+          "ubuntu-latest:docker://node:20-bullseye"
+          # "ubuntu-22.04:docker://node:16-bullseye"
+          # "ubuntu-20.04:docker://node:16-bullseye"
+          # "ubuntu-18.04:docker://node:16-buster"
+          ## optionally provide native execution on the host:
+          # "native:host"
+        ];
+      };
+    };
+
     services.forgejo = {
       enable = true;
       database.type = "postgres";
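Review bot: The new `sshPort` option is declared as `lib.types.int`, which accepts any integer, including negative values and anything above 65535; nixpkgs provides `lib.types.port` for exactly this case, so `type = lib.types.port;` both documents the intent and rejects an unusable value at evaluation time. The existing `port` option beside it has the same shape, and leaving one as `int` and the other as `port` would be inconsistent, so I would change both together. The description could also read `"The SSH port that Forgejo is served on."` to match the capitalisation of the sibling descriptions.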
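Review bot: `url = "https://git.wastring.com"` in the runner instance hard-codes the host that the module already exposes as `config.forgejo.domain` (and that the later hunk uses to derive ROOT_URL), so a changed domain would silently leave the runner registered against the old one; `url = "https://${config.forgejo.domain}";` keeps the two in step. The two comment lines above `tokenFile` are carried over from the upstream example — "Obtaining the path to the runner token file may differ" no longer says anything here — and could be replaced by a single comment such as `# Passed to systemd as EnvironmentFile: the sops secret must decrypt to a line of the form TOKEN=<value>`, which is the one property of the secret a reader cannot see from this file. Two things worth confirming that are not visible in the hunk: the `docker://` label means the runner needs Docker (or Podman) enabled on this host, and jobs from every repository allowed to use Actions on the instance will then execute in containers on "monolith" with whatever access the container runtime grants, so the runner is worth treating as part of the host's trust boundary. The socket unit binds `SSH_PORT` on all interfaces; that is only reachable if the firewall is opened for it elsewhere, which this hunk does not show.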
@@ -63,6 +99,7 @@ with lib;
         # You need to specify this to remove the port from URLs in the web UI.
         ROOT_URL = "https://${config.forgejo.domain}/";
         HTTP_PORT = config.forgejo.port;
+        SSH_PORT = config.forgejo.sshPort;
       };
       # You can temporarily allow registration to create an admin user.
       service.DISABLE_REGISTRATION = true;
diff --git a/secrets/sops.yaml b/secrets/sops.yaml
index 8f6bed5..5f67b6a 100644
--- a/secrets/sops.yaml
+++ b/secrets/sops.yaml
@@ -4,6 +4,7 @@ wireguard_public_key: ENC[AES256_GCM,data:4ETVdAeLrqwPh7LZGN6wounajnh8bD9zdq4GWM
 github_password: ENC[AES256_GCM,data:2Q27cc0cqsWFt/lBNUApWPVRQaXi7uZ3UEn051G/Ar8lZs9zTYYWrg==,iv:s81MlK8u7QzP1azsNw2CtKouJqe/pAHZ7wy5aCWEEuI=,tag:Lf9o6RbLdsQ7ZYCMdVXglQ==,type:str]
 smtp_password: ENC[AES256_GCM,data:h1K973qeehIIATdoqFhrLiY7XiU=,iv:ltrsG9KZ8rQuSJXNXswMnbIW/N8+CGbRmiTiENzcGTM=,tag:mD/VpM1FqZaiwksWQpAAog==,type:str]
 forgejo-admin-password: ENC[AES256_GCM,data:FuDfqjeQ2T5KcOO1BQ==,iv:ueX7XjbiChuwfYm1B/MJvJaYdWbCmoIs91lj9h9uFYE=,tag:qUszDTRZklwSKrS0PpJhTA==,type:str]
+forgejo-runner-token: ENC[AES256_GCM,data:1AUeTy5Sqoa4u5L/TGjt/v69p2xF/mp0oXVv08TA+squzRVW9/t40xfY2yD8HQ==,iv:uWf9jKIIsajh362vY2NBw8od+iOFGfIQ7NJVFgjWlBw=,tag:hCOzvSKoDbKCGceqNkRx7g==,type:str]
 sops:
     age:
         - recipient: age1jeyw96795qu52swmtkjqgr2w3g4vxc43ckc5r4hlwpje23ptnfwsheah0s
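Review bot: `SSH_PORT = config.forgejo.sshPort;` on its own only changes the port Forgejo advertises in SSH clone URLs; the built-in SSH server that the new `systemd.sockets.forgejo` unit in the earlier hunk is meant to feed is only started when `START_SSH_SERVER = true;` is also set in `settings.server`, and that line is not visible here. If it is set elsewhere in the file this is fine; if not, the socket will accept connections on 3022 that nothing serves, while the clone URLs point at a port the host's own sshd does not listen on. Since the socket unit reads this same value back through `config.services.forgejo.settings.server.SSH_PORT`, a one-line comment here such as `# Also consumed by systemd.sockets.forgejo.listenStreams` would make the coupling visible to the next reader.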
@@ -33,7 +34,7 @@ sops:
             OU8yT0cvcnZMMXphMFVHSXpHNjc4dEkKyXiwholsJthB9O7onb0buF6qHNVNZA3s
             A2+HSl5P0HCyaZhDIDBFdaUL2r0CHKOPCN3Lrd5+Rirnx48RnDxwBA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-09-23T11:21:30Z"
-    mac: ENC[AES256_GCM,data:/bLDPC0lRZhs/KY3wQ+nEapiIaMjjWCFUVQLgojiGfKvp7Cp7XmyGaHx1GbcxVSbh67TxjlbojEtno6QVtbfT64gFFq6X5Y96S1UCLBgTzsbn7c8NKzXvf3viUPgf8zZJDnKT2nzq6p3FVt+ZNcheZfpBUO1WmXadEbmCNGMR6A=,iv:BAh9rLxGcfNt0xrwgJDe9edLaAHoRFFSb0nnlbH6FMQ=,tag:2f3L7mQ+on/3wy64nhCC/Q==,type:str]
+    lastmodified: "2025-09-23T11:59:25Z"
+    mac: ENC[AES256_GCM,data:AND2KnSFn0pgZZ4rT6Vt8sF8IFoysn77JKkiA0c829op3LKZe9NjT0O+PkZegOTlJbqKGyScSNqPidEoVpACAbODd3jtos80AO/LbWHgKo7DUuuPsnB7MgDqFF/khvdQQrvOIVoS0JmDScMnPfzZYYn79dilWuSdUcy0AvCdxPk=,iv:tUG1vtt4hHgHByH8IF9snth34MqesgHQmX6J8QH7vns=,tag:QcUXbmS+8+INuGONOzXL4A==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2