Migrated Gitlab -> Forgejo

2025-10-07 00:37:50 +02:00 · 2025-10-07 00:37:50 +02:00 · 858a25b692
commit 858a25b692
parent 987e1681c0
9 changed files with 130 additions and 61 deletions
--- a/modules/nixos/programs/sops/secrets/secrets.yaml
+++ b/modules/nixos/programs/sops/secrets/secrets.yaml
@ -8,6 +8,8 @@ services:
    nextcloud: ENC[AES256_GCM,data:YLRMhChTu/UQI+HIcUjNFFK+CfSCl2+0kfSkSfauAftRO2A1VHhyCjP5,iv:DLfhSvNRWXVU5XE3SwV4vZmAQI2ZVa+ak/g5Nu+Fgcg=,tag:K3nWfJRNxodeMkxGG3ljmg==,type:str]
    paperless: ENC[AES256_GCM,data:VjbEtwfY4T0Bpb+iutN7kDMqgcRy4ThQJiVyCHHT,iv:rlWB0ZfFYuKkpAfIzxryySH+Zl8hLf6c9UTjv1hVDVI=,tag:gHFoJZoKFOVupmE2VSJOoA==,type:str]
    jellyfin: ENC[AES256_GCM,data:/a+Q7io2kDjXrchXJlAt2hmgTMRx+fwPyrHH4d9PW1qQcEfCMBf0Erbzkq9m3iikASwfWr/ROfFY28yNN55zGPxZVcS2RzCv3Y6RH3ECEMf0N6Kl9H8h1vOGK/GoNDFyb66jN9qCPSHzU91Lm7trMebOLauDgKSigx3U9E91cVpNF2H7J2Q/kQzBqjUk2+9d3gUAokGJwIn2hvqPuSGsUEareaBB9KNFLsOhY7EJmPmVIbEPpAPxr9eikjCpd+f1uY4=,iv:4MsYjE7RnI2Y/4okcnmeunNJh3Qz/hMWW0/1UBjXENg=,tag:y4n3v+L3163GJYVWolLKFA==,type:str]
+    forgejo:
+        mailer: ENC[AES256_GCM,data:1N8tTi32+gKkNaCBq2obEpi6lXqUf9XalFc=,iv:5V3OIZcyCN+S4BD45pvu93MHSEUmE++cP7TWiwK3w1s=,tag:IrHtpjWQ1zELWzmxmfL59Q==,type:str]
    gitlab:
        dbPassword: ENC[AES256_GCM,data:itn9xyNZO+xkSk0GKvLzjLRzM0uZ+TalqLtj6tyjKXM=,iv:U8bX/On89wz6Lz4R2/fZ+FWRObehlnjFhUQdAhmxb60=,tag:oEbee14jCGfRs8i5bJZ5FA==,type:str]
        rootPassword: ENC[AES256_GCM,data:lXq+GIn6ooTzZL4iMYFzx3kn8gdcdsNaLQ/zVCr75Nw=,iv:mGp9gxL9uABpbod/ZNNyEllBbcfrQuFG4pQgs0v/xbk=,tag:CZzj4hauh/Qi8fvtmaZ/KQ==,type:str]
@ -56,7 +58,7 @@ sops:
            MU43ZWEwMXEwdGx5d0hUNlhiaGdjWU0K9UoNQOnMxTy0KdfiYOgm0TxH5qFUV3gi
            f7z2RzR44ndf0nHwIzr8e1bmF9q5mc685Wq9qyM7aLCE+yUU/vUO7Q==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-09-27T20:11:05Z"
-    mac: ENC[AES256_GCM,data:lZTCCM3bB6aEolUNLG5ZoxmdmaQeZWD+gxzheG+AX0HXHuqU2ZeuvzPRY1xFVQ2nQwHYaXJz5Suq6yQRM65bAX2VPpFo2knUoqVU0+dXDuzXpVCDvpMPGPsjU1uoPHGlkyuDISQF9jE1ekzXjK8wGx2hWMvFv4YuuuVkosv7bPQ=,iv:0DCa0VIEl0bUKaRYq1QSuu53VjBHngVgTCqUlzzdCDw=,tag:owfDKGdSitqZiAzgA+2IhQ==,type:str]
+    lastmodified: "2025-10-06T21:10:00Z"
+    mac: ENC[AES256_GCM,data:wkP5oE4UkdzeQQtSgjlbG5L44IE64KKcjJjBunHIFu7Ga3t5exz4ZcpSP9yQPmiJfNak4VAtXgwHILtbCsQFrnBFMc8qC1wssjUQR8ObReRA75RJdbcMo1Vo2CEUaVrw0IatM4gRifec3o23rulbDIAuz0/boZuxPkN9ffto8iY=,iv:rA3irIX9BImkan6Oce9wm5aoFuHT3wrSgza62F33LlY=,tag:22wM1jwG8cXhhF+ySSYY4w==,type:str]
    unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.11.0
--- a/modules/nixos/users/kylekrein/default.nix
+++ b/modules/nixos/users/kylekrein/default.nix
@ -17,7 +17,6 @@ with lib.${namespace}; let
  admin = true;
  extraGroups = ["networkmanager" "touchscreen"];
  trustedSshKeys = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGMt3PWVvmEL6a0HHTsxL4KMq1UGKFdzgX5iIkm6owGQ kylekrein@kylekrein-mac"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFDdxZ5OyGcfD1JwEa4RWw86HWZ2dKFR0syrRckl7EvG kylekrein@kylekrein-homepc"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILt+CDDU4gDo12IO2dc50fceIWkn26/NuTq4j25hiGre kylekrein@kylekrein-framework12"
  ];
--- a/systems/x86_64-linux/kylekrein-server/default.nix
+++ b/systems/x86_64-linux/kylekrein-server/default.nix
@ -93,9 +93,20 @@ with lib.custom; {
      respond /.well-known/element/element.json `{"call":{"widget_url":"https://call.element.io"}}`
          reverse_proxy * http://localhost:6167
    '';
-    virtualHosts."gitlab.kylekrein.com".extraConfig = ''
-      reverse_proxy * unix//run/gitlab/gitlab-workhorse.socket
+    virtualHosts."uptime.kylekrein.com".extraConfig = ''
+      reverse_proxy * http://localhost:4621
    '';
+    #virtualHosts."gitlab.kylekrein.com".extraConfig = ''
+    #  reverse_proxy * unix//run/gitlab/gitlab-workhorse.socket
+    #'';
+  };
+  services.uptime-kuma = {
+    enable = true;
+    settings = {
+      PORT = "4621";
+      HOST = "127.0.0.1";
+    };
+    appriseSupport = true;
  };

  #Chat host
@ -103,17 +114,17 @@ with lib.custom; {
  networking.firewall.allowedUDPPorts = [3478 5349];
  #sops.secrets."services/conduwuit" = {mode = "0755";};

-  sops.secrets."services/gitlab/dbPassword" = {owner = "gitlab";};
-  sops.secrets."services/gitlab/rootPassword" = {owner = "gitlab";};
-  sops.secrets."services/gitlab/secret" = {owner = "gitlab";};
-  sops.secrets."services/gitlab/otpsecret" = {owner = "gitlab";};
-  sops.secrets."services/gitlab/dbsecret" = {owner = "gitlab";};
-  sops.secrets."services/gitlab/oidcKeyBase" = {owner = "gitlab";};
-  sops.secrets."services/gitlab/activeRecordSalt" = {owner = "gitlab";};
-  sops.secrets."services/gitlab/activeRecordPrimaryKey" = {owner = "gitlab";};
-  sops.secrets."services/gitlab/activeRecordDeterministicKey" = {owner = "gitlab";};
+  #sops.secrets."services/gitlab/dbPassword" = {owner = "gitlab";};
+  #sops.secrets."services/gitlab/rootPassword" = {owner = "gitlab";};
+  #sops.secrets."services/gitlab/secret" = {owner = "gitlab";};
+  #sops.secrets."services/gitlab/otpsecret" = {owner = "gitlab";};
+  #sops.secrets."services/gitlab/dbsecret" = {owner = "gitlab";};
+  #sops.secrets."services/gitlab/oidcKeyBase" = {owner = "gitlab";};
+  #sops.secrets."services/gitlab/activeRecordSalt" = {owner = "gitlab";};
+  #sops.secrets."services/gitlab/activeRecordPrimaryKey" = {owner = "gitlab";};
+  #sops.secrets."services/gitlab/activeRecordDeterministicKey" = {owner = "gitlab";};
  services.gitlab = {
-    enable = true;
+    enable = false;
    host = "gitlab.kylekrein.com";
    https = true;
    port = 443;
--- a/systems/x86_64-linux/stargate/duckdns.nix
+++ b/systems/x86_64-linux/stargate/duckdns.nix
@ -29,7 +29,7 @@
        ${pkgs.coreutils}/bin/mkdir -p /etc/fail2ban/jail.d
        ${pkgs.coreutils}/bin/cat > /etc/fail2ban/jail.d/duckdns-ignore.local <<EOF
        [DEFAULT]
-        ignoreip = 127.0.0.1/8 ::1 192.168.178.1/24 $REALV4 $REALV6
+        ignoreip = 127.0.0.1/8 ::1 192.168.178.1/24 91.99.0.169 $REALV4 $REALV6
        EOF
      '';
    in ''
--- a/systems/x86_64-linux/stargate/services/fail2ban.nix
+++ b/systems/x86_64-linux/stargate/services/fail2ban.nix
@ -23,6 +23,7 @@
    ignoreIP = [
      # Whitelist some subnets
      "192.168.178.0/24"
+      "91.99.0.169"
      "kylekrein.duckdns.org"
    ];
    bantime = "24h"; # Ban IPs for one day on the first ban
--- a/systems/x86_64-linux/stargate/services/forgejo.nix
+++ b/systems/x86_64-linux/stargate/services/forgejo.nix
@ -0,0 +1,59 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}: let
+  cfg = config.services.forgejo;
+  srv = cfg.settings.server;
+in {
+  services.nginx = {
+    virtualHosts.${cfg.settings.server.DOMAIN} = {
+      forceSSL = true;
+      enableACME = true;
+      extraConfig = ''
+        client_max_body_size 512M;
+      '';
+      locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
+    };
+  };
+
+  services.forgejo = {
+    enable = true;
+    database.type = "postgres";
+    # Enable support for Git Large File Storage
+    lfs.enable = true;
+    settings = {
+      server = {
+        DOMAIN = "git.kylekrein.com";
+        # You need to specify this to remove the port from URLs in the web UI.
+        ROOT_URL = "https://${srv.DOMAIN}/";
+        HTTP_PORT = 9777;
+      };
+      # You can temporarily allow registration to create an admin user.
+      service.DISABLE_REGISTRATION = true;
+      # Add support for actions, based on act: https://github.com/nektos/act
+      actions = {
+        ENABLED = true;
+        DEFAULT_ACTIONS_URL = "github";
+      };
+      # Sending emails is completely optional
+      # You can send a test email from the web UI at:
+      # Profile Picture > Site Administration > Configuration >  Mailer Configuration
+      mailer = {
+        ENABLED = true;
+        SMTP_ADDR = "mail.notthebees.org";
+        FROM = "noreply@${srv.DOMAIN}";
+        USER = "noreply@${srv.DOMAIN}";
+      };
+    };
+    secrets = {
+      mailer.PASSWD = config.sops.secrets."services/forgejo/mailer".path;
+    };
+  };
+
+  sops.secrets."services/forgejo/mailer" = {
+    mode = "400";
+    owner = "forgejo";
+  };
+}
--- a/systems/x86_64-linux/stargate/services/gitlab.nix
+++ b/systems/x86_64-linux/stargate/services/gitlab.nix
@ -1,37 +0,0 @@
-{
-  pkgs,
-  lib,
-  config,
-  ...
-}: {
-  sops.secrets."services/gitlab/dbPassword" = {owner = "gitlab";};
-  sops.secrets."services/gitlab/rootPassword" = {owner = "gitlab";};
-  sops.secrets."services/gitlab/secret" = {owner = "gitlab";};
-  sops.secrets."services/gitlab/otpsecret" = {owner = "gitlab";};
-  sops.secrets."services/gitlab/dbsecret" = {owner = "gitlab";};
-  sops.secrets."services/gitlab/oidcKeyBase" = {owner = "gitlab";};
-  sops.secrets."services/gitlab/activeRecordSalt" = {owner = "gitlab";};
-  sops.secrets."services/gitlab/activeRecordPrimaryKey" = {owner = "gitlab";};
-  sops.secrets."services/gitlab/activeRecordDeterministicKey" = {owner = "gitlab";};
-  services.gitlab = {
-    enable = true;
-    host = "gitlab.kylekrein.com";
-    https = true;
-    port = 443;
-    statePath = "/var/lib/gitlab/state";
-    backup.startAt = "3:00";
-    databasePasswordFile = config.sops.secrets."services/gitlab/dbPassword".path;
-    initialRootPasswordFile = config.sops.secrets."services/gitlab/rootPassword".path;
-    secrets = {
-      secretFile = config.sops.secrets."services/gitlab/secret".path;
-      otpFile = config.sops.secrets."services/gitlab/otpsecret".path;
-      dbFile = config.sops.secrets."services/gitlab/dbsecret".path;
-      jwsFile = config.sops.secrets."services/gitlab/oidcKeyBase".path; #pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";
-      activeRecordSaltFile = config.sops.secrets."services/gitlab/activeRecordSalt".path;
-      activeRecordPrimaryKeyFile = config.sops.secrets."services/gitlab/activeRecordPrimaryKey".path;
-      activeRecordDeterministicKeyFile = config.sops.secrets."services/gitlab/activeRecordDeterministicKey".path;
-    };
-  };
-
-  systemd.services.gitlab-backup.environment.BACKUP = "dump";
-}
--- a/systems/x86_64-linux/stargate/services/metatube.nix
+++ b/systems/x86_64-linux/stargate/services/metatube.nix
@ -0,0 +1,34 @@
+{...}: {
+  virtualisation.oci-containers.containers.metatube = {
+    image = "jvt038/metatube:latest";
+    autoStart = true;
+
+    ports = [
+      "0.0.0.0:1488:5000"
+    ];
+
+    environment = {
+      PORT = "5000";
+      HOST = "0.0.0.0";
+    };
+
+    volumes = [
+      "/zstorage/media:/media:rw"
+      "/var/lib/metatube/downloads:/downloads:rw"
+      "/var/lib/metatube/database:/database:rw"
+      "/var/lib/metatube/migrations:/config/migrations:rw"
+    ];
+    extraOptions = [
+      "--device=/dev/dri"
+    ];
+  };
+
+  systemd.tmpfiles.rules = [
+    "d /var/lib/metatube 0755 root root -"
+    "d /var/lib/metatube/downloads 0755 root root -"
+    "d /var/lib/metatube/database 0755 root root -"
+    "d /var/lib/metatube/migrations 0755 root root -"
+  ];
+
+  networking.firewall.allowedTCPPorts = [1488];
+}
--- a/systems/x86_64-linux/stargate/services/nginx.nix
+++ b/systems/x86_64-linux/stargate/services/nginx.nix
@ -48,13 +48,13 @@ in {
      #  locations = matrixLocations;
      #};

-      "gitlab.kylekrein.com" = {
-        enableACME = true;
-        forceSSL = true;
-        locations."/" = {
-          proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
-        };
-      };
+      #"git.kylekrein.com" = {
+      #  enableACME = true;
+      #  forceSSL = true;
+      #  locations."/" = {
+      #    proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
+      #  };
+      #};

      "immich.kylekrein.com" = {
        enableACME = true;