From 858a25b692a1475ce606fa2cb196f3cc9b7b3e04 Mon Sep 17 00:00:00 2001
From: Aleksandr Lebedev
Date: Tue, 7 Oct 2025 00:37:50 +0200
Subject: [PATCH] Migrated Gitlab -> Forgejo
---
 .../nixos/programs/sops/secrets/secrets.yaml | 8 ++-
 modules/nixos/users/kylekrein/default.nix | 1 -
 .../x86_64-linux/kylekrein-server/default.nix | 35 +++++++----
 systems/x86_64-linux/stargate/duckdns.nix | 2 +-
 .../stargate/services/fail2ban.nix | 1 +
 .../stargate/services/forgejo.nix | 59 +++++++++++++++++++
 .../x86_64-linux/stargate/services/gitlab.nix | 37 ------------
 .../stargate/services/metatube.nix | 34 +++++++++++
 .../x86_64-linux/stargate/services/nginx.nix | 14 ++---
 9 files changed, 130 insertions(+), 61 deletions(-)
 create mode 100644 systems/x86_64-linux/stargate/services/forgejo.nix
 delete mode 100644 systems/x86_64-linux/stargate/services/gitlab.nix
 create mode 100644 systems/x86_64-linux/stargate/services/metatube.nix
diff --git a/modules/nixos/programs/sops/secrets/secrets.yaml b/modules/nixos/programs/sops/secrets/secrets.yaml
index a11b321..2d5ca73 100644
--- a/modules/nixos/programs/sops/secrets/secrets.yaml
+++ b/modules/nixos/programs/sops/secrets/secrets.yaml
@@ -8,6 +8,8 @@ services:
 nextcloud: ENC[AES256_GCM,data:YLRMhChTu/UQI+HIcUjNFFK+CfSCl2+0kfSkSfauAftRO2A1VHhyCjP5,iv:DLfhSvNRWXVU5XE3SwV4vZmAQI2ZVa+ak/g5Nu+Fgcg=,tag:K3nWfJRNxodeMkxGG3ljmg==,type:str]
 paperless: ENC[AES256_GCM,data:VjbEtwfY4T0Bpb+iutN7kDMqgcRy4ThQJiVyCHHT,iv:rlWB0ZfFYuKkpAfIzxryySH+Zl8hLf6c9UTjv1hVDVI=,tag:gHFoJZoKFOVupmE2VSJOoA==,type:str]
 jellyfin: ENC[AES256_GCM,data:/a+Q7io2kDjXrchXJlAt2hmgTMRx+fwPyrHH4d9PW1qQcEfCMBf0Erbzkq9m3iikASwfWr/ROfFY28yNN55zGPxZVcS2RzCv3Y6RH3ECEMf0N6Kl9H8h1vOGK/GoNDFyb66jN9qCPSHzU91Lm7trMebOLauDgKSigx3U9E91cVpNF2H7J2Q/kQzBqjUk2+9d3gUAokGJwIn2hvqPuSGsUEareaBB9KNFLsOhY7EJmPmVIbEPpAPxr9eikjCpd+f1uY4=,iv:4MsYjE7RnI2Y/4okcnmeunNJh3Qz/hMWW0/1UBjXENg=,tag:y4n3v+L3163GJYVWolLKFA==,type:str]
+ forgejo:
+ mailer: ENC[AES256_GCM,data:1N8tTi32+gKkNaCBq2obEpi6lXqUf9XalFc=,iv:5V3OIZcyCN+S4BD45pvu93MHSEUmE++cP7TWiwK3w1s=,tag:IrHtpjWQ1zELWzmxmfL59Q==,type:str]
 gitlab:
 dbPassword: ENC[AES256_GCM,data:itn9xyNZO+xkSk0GKvLzjLRzM0uZ+TalqLtj6tyjKXM=,iv:U8bX/On89wz6Lz4R2/fZ+FWRObehlnjFhUQdAhmxb60=,tag:oEbee14jCGfRs8i5bJZ5FA==,type:str]
 rootPassword: ENC[AES256_GCM,data:lXq+GIn6ooTzZL4iMYFzx3kn8gdcdsNaLQ/zVCr75Nw=,iv:mGp9gxL9uABpbod/ZNNyEllBbcfrQuFG4pQgs0v/xbk=,tag:CZzj4hauh/Qi8fvtmaZ/KQ==,type:str]
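Review bot: The `gitlab:` credentials (`dbPassword`, `rootPassword` and the remaining entries below this hunk) are kept in secrets.yaml although this commit sets `services.gitlab.enable = false` on kylekrein-server and deletes stargate's gitlab.nix, so they are now secrets for a service that no longer runs. Once the disabled `services.gitlab` block is removed, drop the `gitlab:` subtree from this file and treat those values as retired; credentials that are no longer deployed anywhere should not keep living in the secret store. The new `forgejo.mailer` entry is consumed only as `secrets.mailer.PASSWD` in forgejo.nix, which is the right granularity for an SMTP password.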
@@ -56,7 +58,7 @@ sops:
 MU43ZWEwMXEwdGx5d0hUNlhiaGdjWU0K9UoNQOnMxTy0KdfiYOgm0TxH5qFUV3gi
 f7z2RzR44ndf0nHwIzr8e1bmF9q5mc685Wq9qyM7aLCE+yUU/vUO7Q==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-09-27T20:11:05Z"
- mac: ENC[AES256_GCM,data:lZTCCM3bB6aEolUNLG5ZoxmdmaQeZWD+gxzheG+AX0HXHuqU2ZeuvzPRY1xFVQ2nQwHYaXJz5Suq6yQRM65bAX2VPpFo2knUoqVU0+dXDuzXpVCDvpMPGPsjU1uoPHGlkyuDISQF9jE1ekzXjK8wGx2hWMvFv4YuuuVkosv7bPQ=,iv:0DCa0VIEl0bUKaRYq1QSuu53VjBHngVgTCqUlzzdCDw=,tag:owfDKGdSitqZiAzgA+2IhQ==,type:str]
+ lastmodified: "2025-10-06T21:10:00Z"
+ mac: ENC[AES256_GCM,data:wkP5oE4UkdzeQQtSgjlbG5L44IE64KKcjJjBunHIFu7Ga3t5exz4ZcpSP9yQPmiJfNak4VAtXgwHILtbCsQFrnBFMc8qC1wssjUQR8ObReRA75RJdbcMo1Vo2CEUaVrw0IatM4gRifec3o23rulbDIAuz0/boZuxPkN9ffto8iY=,iv:rA3irIX9BImkan6Oce9wm5aoFuHT3wrSgza62F33LlY=,tag:22wM1jwG8cXhhF+ySSYY4w==,type:str]
 unencrypted_suffix: _unencrypted
- version: 3.10.2
+ version: 3.11.0
diff --git a/modules/nixos/users/kylekrein/default.nix b/modules/nixos/users/kylekrein/default.nix
index 5a2694b..cf0cc89 100644
--- a/modules/nixos/users/kylekrein/default.nix
+++ b/modules/nixos/users/kylekrein/default.nix
@@ -17,7 +17,6 @@ with lib.${namespace}; let
 admin = true;
 extraGroups = ["networkmanager" "touchscreen"];
 trustedSshKeys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGMt3PWVvmEL6a0HHTsxL4KMq1UGKFdzgX5iIkm6owGQ kylekrein@kylekrein-mac"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFDdxZ5OyGcfD1JwEa4RWw86HWZ2dKFR0syrRckl7EvG kylekrein@kylekrein-homepc"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILt+CDDU4gDo12IO2dc50fceIWkn26/NuTq4j25hiGre kylekrein@kylekrein-framework12"
 ];
diff --git a/systems/x86_64-linux/kylekrein-server/default.nix b/systems/x86_64-linux/kylekrein-server/default.nix
index 92d0c97..7b7fd73 100644
--- a/systems/x86_64-linux/kylekrein-server/default.nix
+++ b/systems/x86_64-linux/kylekrein-server/default.nix
@@ -93,9 +93,20 @@ with lib.custom; {
 respond /.well-known/element/element.json `{"call":{"widget_url":"https://call.element.io"}}`
 reverse_proxy * http://localhost:6167
 '';
- virtualHosts."gitlab.kylekrein.com".extraConfig = ''
- reverse_proxy * unix//run/gitlab/gitlab-workhorse.socket
+ virtualHosts."uptime.kylekrein.com".extraConfig = ''
+ reverse_proxy * http://localhost:4621
 '';
+ #virtualHosts."gitlab.kylekrein.com".extraConfig = ''
+ # reverse_proxy * unix//run/gitlab/gitlab-workhorse.socket
+ #'';
+ };
+ services.uptime-kuma = {
+ enable = true;
+ settings = {
+ PORT = "4621";
+ HOST = "127.0.0.1";
+ };
+ appriseSupport = true;
 };
 #Chat host
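Review bot: The `#virtualHosts."gitlab.kylekrein.com"` block is kept as commented-out code beside the new `uptime.kylekrein.com` vhost, and the same pattern recurs in the next hunk (nine `#sops.secrets."services/gitlab/..."` lines plus `enable = false` with the rest of `services.gitlab` retained) and in the nginx.nix hunk, where the commented copy is renamed to `#"git.kylekrein.com"` yet still points at `/run/gitlab/gitlab-workhorse.socket`. The stargate side of this commit deletes gitlab.nix outright, which is the cleaner approach: remove the commented blocks and the disabled `services.gitlab` definition here as well, since git history already preserves them and a half-migrated comment with a stale socket path is what gets uncommented by mistake later. Binding uptime-kuma to `HOST = "127.0.0.1"` and reaching it only through the reverse-proxy vhost is the right shape. The enclosing block (presumably the reverse-proxy service definition) starts before this hunk.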
@@ -103,17 +114,17 @@ with lib.custom; {
 networking.firewall.allowedUDPPorts = [3478 5349];
 #sops.secrets."services/conduwuit" = {mode = "0755";};
- sops.secrets."services/gitlab/dbPassword" = {owner = "gitlab";};
- sops.secrets."services/gitlab/rootPassword" = {owner = "gitlab";};
- sops.secrets."services/gitlab/secret" = {owner = "gitlab";};
- sops.secrets."services/gitlab/otpsecret" = {owner = "gitlab";};
- sops.secrets."services/gitlab/dbsecret" = {owner = "gitlab";};
- sops.secrets."services/gitlab/oidcKeyBase" = {owner = "gitlab";};
- sops.secrets."services/gitlab/activeRecordSalt" = {owner = "gitlab";};
- sops.secrets."services/gitlab/activeRecordPrimaryKey" = {owner = "gitlab";};
- sops.secrets."services/gitlab/activeRecordDeterministicKey" = {owner = "gitlab";};
+ #sops.secrets."services/gitlab/dbPassword" = {owner = "gitlab";};
+ #sops.secrets."services/gitlab/rootPassword" = {owner = "gitlab";};
+ #sops.secrets."services/gitlab/secret" = {owner = "gitlab";};
+ #sops.secrets."services/gitlab/otpsecret" = {owner = "gitlab";};
+ #sops.secrets."services/gitlab/dbsecret" = {owner = "gitlab";};
+ #sops.secrets."services/gitlab/oidcKeyBase" = {owner = "gitlab";};
+ #sops.secrets."services/gitlab/activeRecordSalt" = {owner = "gitlab";};
+ #sops.secrets."services/gitlab/activeRecordPrimaryKey" = {owner = "gitlab";};
+ #sops.secrets."services/gitlab/activeRecordDeterministicKey" = {owner = "gitlab";};
 services.gitlab = {
- enable = true;
+ enable = false;
 host = "gitlab.kylekrein.com";
 https = true;
 port = 443;
diff --git a/systems/x86_64-linux/stargate/duckdns.nix b/systems/x86_64-linux/stargate/duckdns.nix
index e78e8dd..7cf091b 100644
--- a/systems/x86_64-linux/stargate/duckdns.nix
+++ b/systems/x86_64-linux/stargate/duckdns.nix
@@ -29,7 +29,7 @@ ${pkgs.coreutils}/bin/mkdir -p /etc/fail2ban/jail.d ${pkgs.coreutils}/bin/cat > /etc/fail2ban/jail.d/duckdns-ignore.local < Site Administration > Configuration > Mailer Configuration
+ mailer = {
+ ENABLED = true;
+ SMTP_ADDR = "mail.notthebees.org";
+ FROM = "noreply@${srv.DOMAIN}";
+ USER = "noreply@${srv.DOMAIN}";
+ };
+ };
+ secrets = {
+ mailer.PASSWD = config.sops.secrets."services/forgejo/mailer".path;
+ };
+ };
+
+ sops.secrets."services/forgejo/mailer" = {
+ mode = "400";
+ owner = "forgejo";
+ };
+}
diff --git a/systems/x86_64-linux/stargate/services/gitlab.nix b/systems/x86_64-linux/stargate/services/gitlab.nix
deleted file mode 100644
index f5d18ff..0000000
--- a/systems/x86_64-linux/stargate/services/gitlab.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-{
- pkgs,
- lib,
- config,
- ...
-}: {
- sops.secrets."services/gitlab/dbPassword" = {owner = "gitlab";};
- sops.secrets."services/gitlab/rootPassword" = {owner = "gitlab";};
- sops.secrets."services/gitlab/secret" = {owner = "gitlab";};
- sops.secrets."services/gitlab/otpsecret" = {owner = "gitlab";};
- sops.secrets."services/gitlab/dbsecret" = {owner = "gitlab";};
- sops.secrets."services/gitlab/oidcKeyBase" = {owner = "gitlab";};
- sops.secrets."services/gitlab/activeRecordSalt" = {owner = "gitlab";};
- sops.secrets."services/gitlab/activeRecordPrimaryKey" = {owner = "gitlab";};
- sops.secrets."services/gitlab/activeRecordDeterministicKey" = {owner = "gitlab";};
- services.gitlab = {
- enable = true;
- host = "gitlab.kylekrein.com";
- https = true;
- port = 443;
- statePath = "/var/lib/gitlab/state";
- backup.startAt = "3:00";
- databasePasswordFile = config.sops.secrets."services/gitlab/dbPassword".path;
- initialRootPasswordFile = config.sops.secrets."services/gitlab/rootPassword".path;
- secrets = {
- secretFile = config.sops.secrets."services/gitlab/secret".path;
- otpFile = config.sops.secrets."services/gitlab/otpsecret".path;
- dbFile = config.sops.secrets."services/gitlab/dbsecret".path;
- jwsFile = config.sops.secrets."services/gitlab/oidcKeyBase".path; #pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";
- activeRecordSaltFile = config.sops.secrets."services/gitlab/activeRecordSalt".path;
- activeRecordPrimaryKeyFile = config.sops.secrets."services/gitlab/activeRecordPrimaryKey".path;
- activeRecordDeterministicKeyFile = config.sops.secrets."services/gitlab/activeRecordDeterministicKey".path;
- };
- };
-
- systemd.services.gitlab-backup.environment.BACKUP = "dump";
-}
diff --git a/systems/x86_64-linux/stargate/services/metatube.nix b/systems/x86_64-linux/stargate/services/metatube.nix
new file mode 100644
index 0000000..bc728aa
--- /dev/null
+++ b/systems/x86_64-linux/stargate/services/metatube.nix
@@ -0,0 +1,34 @@
+{...}: {
+ virtualisation.oci-containers.containers.metatube = {
+ image = "jvt038/metatube:latest";
+ autoStart = true;
+
+ ports = [
+ "0.0.0.0:1488:5000"
+ ];
+
+ environment = {
+ PORT = "5000";
+ HOST = "0.0.0.0";
+ };
+
+ volumes = [
+ "/zstorage/media:/media:rw"
+ "/var/lib/metatube/downloads:/downloads:rw"
+ "/var/lib/metatube/database:/database:rw"
+ "/var/lib/metatube/migrations:/config/migrations:rw"
+ ];
+ extraOptions = [
+ "--device=/dev/dri"
+ ];
+ };
+
+ systemd.tmpfiles.rules = [
+ "d /var/lib/metatube 0755 root root -"
+ "d /var/lib/metatube/downloads 0755 root root -"
+ "d /var/lib/metatube/database 0755 root root -"
+ "d /var/lib/metatube/migrations 0755 root root -"
+ ];
+
+ networking.firewall.allowedTCPPorts = [1488];
+}
diff --git a/systems/x86_64-linux/stargate/services/nginx.nix b/systems/x86_64-linux/stargate/services/nginx.nix
index 168f728..98e8aa0 100644
--- a/systems/x86_64-linux/stargate/services/nginx.nix
+++ b/systems/x86_64-linux/stargate/services/nginx.nix
@@ -48,13 +48,13 @@ in {
 # locations = matrixLocations;
 #};
- "gitlab.kylekrein.com" = {
- enableACME = true;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
- };
- };
+ #"git.kylekrein.com" = {
+ # enableACME = true;
+ # forceSSL = true;
+ # locations."/" = {
+ # proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
+ # };
+ #};
 "immich.kylekrein.com" = {
 enableACME = true;
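Review bot: `ports = [ "0.0.0.0:1488:5000" ]` together with `networking.firewall.allowedTCPPorts = [1488]` publishes the MetaTube container on every interface over plain HTTP, whereas the other services touched by this commit are reached only through a TLS-terminating proxy (uptime-kuma on `HOST = "127.0.0.1"`, the nginx vhosts with `enableACME`/`forceSSL`). Unless direct LAN access is intended, publish it as `"127.0.0.1:1488:5000"`, drop the `allowedTCPPorts` line, and add an nginx vhost for it like the others; if LAN access is the goal, bind to that interface's address and say so in a comment. `image = "jvt038/metatube:latest"` is a mutable tag, so each rebuild may pull different code; pin a version tag or an `@sha256:` digest so the deployment is reproducible and an upstream tag change cannot silently alter what runs with `/dev/dri` and read-write access to `/zstorage/media`.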