feat(forgejo): install

modules/nixos/bundles/server.nix

@@ -12,6 +12,7 @@
     "cryptpad"
     "fi33.buzz"
     "gatus"
+    "forgejo"
     "homepage-dashboard"
     "immich"
     "jellyfin"

modules/nixos/features/forgejo.nix

@@ -0,0 +1,48 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  port = 5027;
+  certloc = "/var/lib/acme/fi33.buzz";
+  hostname = "git.fi33.buzz";
+  url = "https://git.fi33.buzz";
+in
+{
+  services = {
+    forgejo = {
+      enable = true;
+      dump = {
+        enable = true;
+        interval = "00:00";
+      };
+      lfs.enable = true;
+      settings = {
+        server = {
+          # keep-sorted start
+          DOMAIN = hostname;
+          HTTP_PORT = port;
+          ROOT_URL = url;
+          SSH_PORT = lib.head config.services.openssh.ports;
+          # keep-sorted end
+        };
+        service.DISABLE_REGISTRATION = true;
+      };
+    };
+
+    openssh.settings.AllowUsers = [ "forgejo" ];
+
+    borgbackup.jobs = {
+      onsite.paths = [ "/var/lib/forgejo" ];
+      offsite.paths = [ "/var/lib/forgejo" ];
+    };
+
+    caddy.virtualHosts.${hostname}.extraConfig = ''
+      reverse_proxy localhost:${toString port}
+      tls ${certloc}/cert.pem ${certloc}/key.pem {
+        protocols tls1.3
+      }
+    '';
+  };
+}

secrets/secrets.nix

@@ -18,6 +18,7 @@ in
   "borgbackup-offsite.age".publicKeys = users;
   "borgbackup-onsite.age".publicKeys = users;
   "copyparty.age".publicKeys = users;
+  "forgejo-read-token.age".publicKeys = users;
   "gatus.age".publicKeys = users;
   "git_signing_key.age".publicKeys = users;
   "git_signing_key.pub.age".publicKeys = users;