diff --git a/kubenix-modules/all.nix b/kubenix-modules/all.nix
index 70631f3..1d79b28 100644
--- a/kubenix-modules/all.nix
+++ b/kubenix-modules/all.nix
@@ -13,7 +13,7 @@
 ./hedgedoc.nix
 ./paperless-ngx.nix
 ./kitchenowl.nix
- ./forgejo.nix
+ ./forgejo
 ./media.nix
 ./bind9
 ./dnsmasq.nix
diff --git a/kubenix-modules/forgejo/config.nix b/kubenix-modules/forgejo/config.nix
new file mode 100644
index 0000000..9c77bd5
--- /dev/null
+++ b/kubenix-modules/forgejo/config.nix
@@ -0,0 +1,101 @@
+{
+ "repository.local".LOCAL_COPY_PATH = "/data/gitea/tmp/local-repo";
+ "repository.upload".TEMP_PATH = "/data/gitea/uploads";
+ attachment.PATH = "/data/gitea/attachments";
+ lfs.PATH = "/data/git/lfs";
+ mailer.ENABLED = false;
+ "repository.pull-request".DEFAULT_MERGE_STYLE = "merge";
+ "repository.signing".DEFAULT_TRUST_MODEL = "committer";
+ ui.DEFAULT_THEME = "forgejo-light";
+ oauth2.ENABLE = false;
+
+ DEFAULT = {
+ APP_NAME = "Forgejo: Beyond coding. We forge.";
+ RUN_MODE = "prod";
+ RUN_USER = "git";
+ WORK_PATH = "/data/gitea";
+ };
+
+ repository = {
+ ROOT = "/data/git/repositories";
+ DEFAULT_BRANCH = "master";
+ };
+
+ server = {
+ APP_DATA_PATH = "/data/gitea";
+ DOMAIN = "git.kun.is";
+ SSH_DOMAIN = "ssh.git.kun.is";
+ HTTP_PORT = 3000;
+ ROOT_URL = "https://git.kun.is";
+ DISABLE_SSH = false;
+ SSH_PORT = 56287;
+ SSH_LISTEN_PORT = 22;
+ LFS_START_SERVER = true;
+ LFS_JWT_SECRET = "ref+sops://secrets/sops.yaml#/forgejo/lfsJwtSecret";
+ OFFLINE_MODE = false;
+ };
+
+ database = {
+ PATH = "/data/gitea/gitea.db";
+ DB_TYPE = "sqlite3";
+ HOST = "localhost:3306";
+ NAME = "gitea";
+ USER = "root";
+ PASSWD = "";
+ LOG_SQL = false;
+ SCHEMA = "";
+ SSL_MODE = "disable";
+ CHARSET = "utf8";
+ };
+
+ indexer = {
+ ISSUE_INDEXER_PATH = "/data/gitea/indexers/issues.bleve";
+ ISSUE_INDEXER_TYPE = "db";
+ };
+
+ session = {
+ PROVIDER_CONFIG = "/data/gitea/sessions";
+ PROVIDER = "file";
+ };
+
+ picture = {
+ AVATAR_UPLOAD_PATH = "/data/gitea/avatars";
+ REPOSITORY_AVATAR_UPLOAD_PATH = "/data/gitea/repo-avatars";
+ ENABLE_FEDERATED_AVATAR = false;
+ };
+
+ log = {
+ MODE = "console";
+ LEVEL = "info";
+ "logger.router.MODE" = "console";
+ ROOT_PATH = "/data/gitea/log";
+ "logger.access.MODE" = "console";
+ };
+
+ security = {
+ INSTALL_LOCK = true;
+ SECRET_KEY = "";
+ REVERSE_PROXY_LIMIT = 1;
+ REVERSE_PROXY_TRUSTED_PROXIES = "*";
+ INTERNAL_TOKEN = "ref+sops://secrets/sops.yaml#/forgejo/internalToken";
+ PASSWORD_HASH_ALGO = "pbkdf2";
+ };
+
+ service = {
+ DISABLE_REGISTRATION = true;
+ REQUIRE_SIGNIN_VIEW = false;
+ REGISTER_EMAIL_CONFIRM = false;
+ ENABLE_NOTIFY_MAIL = false;
+ ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
+ ENABLE_CAPTCHA = false;
+ DEFAULT_KEEP_EMAIL_PRIVATE = true;
+ DEFAULT_ALLOW_CREATE_ORGANIZATION = true;
+ DEFAULT_ENABLE_TIMETRACKING = true;
+ NO_REPLY_ADDRESS = "noreply.localhost";
+ };
+
+ openid = {
+ ENABLE_OPENID_SIGNIN = true;
+ ENABLE_OPENID_SIGNUP = false;
+ };
+}
diff --git a/kubenix-modules/forgejo.nix b/kubenix-modules/forgejo/default.nix
similarity index 57%
rename from kubenix-modules/forgejo.nix
rename to kubenix-modules/forgejo/default.nix
index cea6e7b..fadafec 100644
--- a/kubenix-modules/forgejo.nix
+++ b/kubenix-modules/forgejo/default.nix
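Review bot: `LFS_JWT_SECRET` and `INTERNAL_TOKEN` in config.nix hold `ref+sops://` references, and default.nix renders this attrset into the `forgejo-config` ConfigMap (`forgejo-config.data.config = lib.generators.toINI { } (import ./config.nix);`), so once the references are resolved the internal token and the LFS signing secret are stored in a ConfigMap rather than a Secret, where they get none of the RBAC separation or at-rest encryption that cluster Secrets normally receive. Forgejo's `[security]` section accepts `INTERNAL_TOKEN_URI` (and `SECRET_KEY_URI`) pointing at a file, so mounting these values from a Secret and keeping the ConfigMap free of sensitive material would address it; the same applies to the first hunk of default.nix. `REVERSE_PROXY_TRUSTED_PROXIES = "*"` with `REVERSE_PROXY_LIMIT = 1` trusts client-IP headers from any direct peer; if the pod is only reachable through the ingress this is low risk, but naming the ingress or pod CIDR would be tighter. `SECRET_KEY = ""` alongside `INSTALL_LOCK = true` is worth confirming: if Forgejo generates a key for an empty value and tries to persist it into app.ini, a read-only ConfigMap-backed config would leave it regenerated on every restart, which is presumed to invalidate sessions and anything encrypted with that key.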
@@ -1,117 +1,9 @@ -{ myLib, ... }: { +{ lib, myLib, ... }: { kubernetes.resources = { secrets.runner-secret.stringData.token = "ref+sops://secrets/sops.yaml#/forgejo/runnerToken"; configMaps = { - forgejo-config.data = { - # TODO: Generate from nix code? - config = '' - APP_NAME = Forgejo: Beyond coding. We forge. - RUN_MODE = prod - RUN_USER = git - WORK_PATH=/data/gitea - - [repository] - ROOT = /data/git/repositories - DEFAULT_BRANCH = master - - [repository.local] - LOCAL_COPY_PATH = /data/gitea/tmp/local-repo - - [repository.upload] - TEMP_PATH = /data/gitea/uploads - - [server] - APP_DATA_PATH = /data/gitea - DOMAIN = git.kun.is - SSH_DOMAIN = ssh.git.kun.is - HTTP_PORT = 3000 - ROOT_URL = https://git.kun.is - DISABLE_SSH = false - SSH_PORT = 56287 - SSH_LISTEN_PORT = 22 - LFS_START_SERVER = true - LFS_JWT_SECRET = ref+sops://secrets/sops.yaml#/forgejo/lfsJwtSecret - OFFLINE_MODE = false - - [database] - PATH = /data/gitea/gitea.db - DB_TYPE = sqlite3 - HOST = localhost:3306 - NAME = gitea - USER = root - PASSWD = - LOG_SQL = false - SCHEMA = - SSL_MODE = disable - CHARSET = utf8 - - [indexer] - ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve - ISSUE_INDEXER_TYPE = db - - [session] - PROVIDER_CONFIG = /data/gitea/sessions - PROVIDER = file - - [picture] - AVATAR_UPLOAD_PATH = /data/gitea/avatars - REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars - ENABLE_FEDERATED_AVATAR = false - - [attachment] - PATH = /data/gitea/attachments - - [log] - MODE = console - LEVEL = info - logger.router.MODE = console - ROOT_PATH = /data/gitea/log - logger.access.MODE=console - - [security] - INSTALL_LOCK = true - SECRET_KEY = - REVERSE_PROXY_LIMIT = 1 - REVERSE_PROXY_TRUSTED_PROXIES = * - INTERNAL_TOKEN = ref+sops://secrets/sops.yaml#/forgejo/internalToken - PASSWORD_HASH_ALGO = pbkdf2 - - [service] - DISABLE_REGISTRATION = true - REQUIRE_SIGNIN_VIEW = false - REGISTER_EMAIL_CONFIRM = false - ENABLE_NOTIFY_MAIL = false - ALLOW_ONLY_EXTERNAL_REGISTRATION = false 
- ENABLE_CAPTCHA = false - DEFAULT_KEEP_EMAIL_PRIVATE = true - DEFAULT_ALLOW_CREATE_ORGANIZATION = true - DEFAULT_ENABLE_TIMETRACKING = true - NO_REPLY_ADDRESS = noreply.localhost - - [lfs] - PATH = /data/git/lfs - - [mailer] - ENABLED = false - - [openid] - ENABLE_OPENID_SIGNIN = true - ENABLE_OPENID_SIGNUP = false - - [repository.pull-request] - DEFAULT_MERGE_STYLE = merge - - [repository.signing] - DEFAULT_TRUST_MODEL = committer - - [ui] - DEFAULT_THEME = forgejo-light - - [oauth2] - ENABLE=false - ''; - }; + forgejo-config.data.config = lib.generators.toINI { } (import ./config.nix); forgejo-env.data = { USER_UID = "1000"; @@ -193,11 +85,6 @@ spec = { restartPolicy = "Always"; - volumes = { - docker-certs.emptyDir = { }; - runner-data.emptyDir = { }; - }; - initContainers.runner-register = { image = "code.forgejo.org/forgejo/runner:3.2.0"; command = [ "forgejo-runner" "register" "--no-interactive" "--token" "$(RUNNER_SECRET)" "--name" "$(RUNNER_NAME)" "--instance" "$(FORGEJO_INSTANCE_URL)" ]; @@ -217,7 +104,7 @@ }; volumeMounts = [{ - name = "runner-data"; + name = "data"; mountPath = "/data"; }]; }; @@ -235,12 +122,12 @@ volumeMounts = [ { - name = "docker-certs"; - mountPath = "/certs"; + name = "data"; + mountPath = "/data"; } { - name = "runner-data"; - mountPath = "/data"; + name = "certs"; + mountPath = "/certs"; } ]; }; @@ -251,11 +138,16 @@ env.DOCKER_TLS_CERTDIR.value = "/certs"; volumeMounts = [{ - name = "docker-certs"; + name = "certs"; mountPath = "/certs"; }]; }; }; + + volumes = { + data.persistentVolumeClaim.claimName = "forgejo-runner-data"; + certs.persistentVolumeClaim.claimName = "forgejo-runner-certs"; + }; }; }; }; @@ -289,7 +181,11 @@ }; lab = { - nfsVolumes.forgejo.path = "forgejo"; + nfsVolumes = { + forgejo.path = "forgejo/data"; + forgejo-runner-data.path = "forgejo/runner/data"; + forgejo-runner-certs.path = "forgejo/runner/certs"; + }; ingresses.forgejo = { host = "git.kun.is"; 
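Review bot: The dind daemon's TLS material under `/certs` (`env.DOCKER_TLS_CERTDIR.value = "/certs"`) now lives on the `forgejo-runner-certs` PVC, which `lab.nfsVolumes` maps to the `forgejo/runner/certs` export, so the CA and server/client private keys that were previously pod-scoped in an emptyDir are persisted on shared NFS. Anyone with read access to that export, or on the network path if the mount is not using a privacy-protecting security flavour such as `sec=krb5p`, can obtain a key that grants full control of the Docker daemon, which in a privileged dind container is presumably node-equivalent; keeping `certs.emptyDir = { }` (the keys are regenerated per pod) or at least a tightly restricted export seems preferable unless the certs genuinely need to persist. The same export is added in the nixos-modules/data-sharing.nix hunk. Separately, `initContainers.runner-register` still runs `forgejo-runner register` on every pod start; with `/data` now persistent it is worth confirming whether a repeat registration overwrites the existing runner registration file or accumulates stale runners on the instance, since the emptyDir setup always registered from a clean slate. The pod spec enclosing these hunks starts and ends outside them.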
diff --git a/nixos-modules/data-sharing.nix b/nixos-modules/data-sharing.nix
index c164e55..771438e 100644
--- a/nixos-modules/data-sharing.nix
+++ b/nixos-modules/data-sharing.nix
@@ -11,7 +11,9 @@ let
 "/pihole/dnsmasq"
 "/hedgedoc/uploads"
 "/traefik/acme"
- "/forgejo"
+ "/forgejo/data"
+ "/forgejo/runner/data"
+ "/forgejo/runner/certs"
 "/kitchenowl/data"
 "/syncthing/config"
 "/paperless-ngx/data"