From 81fda64f42c29ea2c3647757a82419825ed4b303 Mon Sep 17 00:00:00 2001 From: Fabrice Bellamy <12b@distrilab.fr> Date: Fri, 20 Dec 2024 18:56:01 +0100 Subject: [PATCH] add forgejo to arachnide server --- config/arachnide/configuration.nix | 19 ++++++++ modules/forgejo.nix | 78 ++++++++++++++++++++++++++++++ modules/reverse-proxy.nix | 3 +- 3 files changed, 98 insertions(+), 2 deletions(-) create mode 100644 modules/forgejo.nix diff --git a/config/arachnide/configuration.nix b/config/arachnide/configuration.nix index 790617d..e5e008b 100644 --- a/config/arachnide/configuration.nix +++ b/config/arachnide/configuration.nix @@ -10,6 +10,7 @@ /var/src/modules/reverse-proxy.nix /var/src/modules/nginx.nix /var/src/modules/nixin-web.nix + /var/src/modules/forgejo.nix ]; # Bootloader. @@ -41,6 +42,24 @@ http-port = 8081; }; + nixin.forge = { + http-port = 8082; + domain = "forge.lab12.fr"; + smtp-addr = "lab12.org"; + smtp-user = "mr.robot@lab12.org"; + smtp-from = "no-reply@lab12.org"; + smtp-pwd-file = toString ; + #smtp-pwd = let + # pwd = builtins.readFile ; + #in lib.strings.trim pwd; + admin-email = "sysadmin@lab12.fr"; + admin-user = "operator"; + admin-pwd = let + pwd = builtins.readFile ; + in lib.strings.trim pwd; + }; + + # Enable ip forwarding to route packets for the local network connected to enp3s0 boot.kernel.sysctl = { "net.ipv4.ip_forward" = 1; diff --git a/modules/forgejo.nix b/modules/forgejo.nix new file mode 100644 index 0000000..aae3e1e --- /dev/null +++ b/modules/forgejo.nix 
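Review bot: `admin-pwd` is filled with `builtins.readFile` at evaluation time, so the admin password becomes part of the evaluated configuration. modules/forgejo.nix then interpolates it into the `preStart` script (`--password "${config.nixin.forge.admin-pwd}"`), which puts it in the generated script in the world-readable Nix store. The SMTP password in the same block is already handed over as a file path (`smtp-pwd-file`), and the admin password should follow that pattern: an `admin-pwd-file = toString PATH;` option read when the service starts, `--password "$(cat ${config.nixin.forge.admin-pwd-file})"`. That keeps it out of the store, although it is still visible in the process arguments while the command runs. The path arguments of `toString` and `builtins.readFile` are missing from this rendering of the patch, so which files are read cannot be checked here.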
@@ -0,0 +1,78 @@
+# Forgejo
+{ config, pkgs, lib, ... }:
+
+let
+ inherit (lib) mkOption mkDefault;
+in
+{
+ options = {
+ nixin.forge = {
+ http-port = mkOption { type = lib.types.int; };
+ domain = mkOption { type = lib.types.str; };
+ smtp-addr = mkOption { type = lib.types.str; };
+ smtp-user = mkOption { type = lib.types.str; };
+ smtp-from = mkOption { type = lib.types.str; };
+ #smtp-pwd = mkOption { type = lib.types.str; };
+ smtp-pwd-file = mkOption { type = lib.types.str; };
+ admin-email = mkOption { type = lib.types.str; };
+ admin-user = mkOption { type = lib.types.str; };
+ admin-pwd = mkOption { type = lib.types.str; };
+ };
+ };
+
+ config = {
+ services.forgejo = {
+ enable = true;
+ database.type = "postgres";
+ # Enable support for Git Large File Storage
+ lfs.enable = true;
+ settings = {
+ server = {
+ DOMAIN = "${config.nixin.forge.domain}";
+ # You need to specify this to remove the port from URLs in the web UI.
+ ROOT_URL = "https://${config.nixin.forge.domain}/";
+ HTTP_PORT = config.nixin.forge.http-port;
+ };
+ # You can temporarily allow registration to create an admin user.
+ service.DISABLE_REGISTRATION = true;
+ # Add support for actions, based on act: https://github.com/nektos/act
+ actions = {
+ ENABLED = true;
+ DEFAULT_ACTIONS_URL = "github";
+ };
+ # Sending emails is completely optional
+ # You can send a test email from the web UI at:
+ # Profile Picture > Site Administration > Configuration > Mailer Configuration
+ mailer = {
+ ENABLED = true;
+ PROTOCOL = "smtp+starttls";
+ SMTP_ADDR = "${config.nixin.forge.smtp-addr}";
+ FROM = "${config.nixin.forge.smtp-from}";
+ USER = "${config.nixin.forge.smtp-user}";
+ #PASSWD = "${config.nixin.forge.smtp-pwd}";
+ };
+ };
+ secrets.mailer.PASSWD = "${config.nixin.forge.smtp-pwd-file}";
+ };
+
+ systemd.services.forgejo.preStart = let
+ adminCmd = "${lib.getExe config.services.forgejo.package} admin user";
+ in ''
+ env >/tmp/debug
+ ${adminCmd} create --admin --email "${config.nixin.forge.admin-email}" --username "${config.nixin.forge.admin-user}" --password "${config.nixin.forge.admin-pwd}" || true
+ ## uncomment this line to change an admin user which was already created
+ # ${adminCmd} change-password --username ${config.nixin.forge.admin-user} --password "${config.nixin.forge.admin-pwd}" || true
+ '';
+
+
+ services.traefik.dynamicConfigOptions.http.services."service-forgejo" = {
+ loadBalancer.servers = [
+ { url = "http://localhost:${toString config.nixin.forge.http-port}"; }
+ ];
+ };
+ services.traefik.dynamicConfigOptions.http.routers."router-forgejo" = {
+ rule = "Host(`${config.nixin.forge.domain}`)";
+ service = "service-forgejo";
+ };
+ };
+}
diff --git a/modules/reverse-proxy.nix b/modules/reverse-proxy.nix
index 3d34dba..5d66075 100644
--- a/modules/reverse-proxy.nix
+++ b/modules/reverse-proxy.nix
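Review bot: `env >/tmp/debug` in `systemd.services.forgejo.preStart` is a debugging leftover that writes the service's whole environment to a fixed path under /tmp on every start, and it should be deleted before this is merged. Whether that environment carries secrets, and whether the unit runs with a private /tmp, is not visible in the hunk, but a predictable file in a temp directory is best not written at all. Separately, the `admin user create` line ends in `|| true`, so any failure (not only "user already exists") is silently ignored and the host can come up without the expected admin account. A short comment above that line, such as `# best effort: create fails once the user exists`, would at least record why the error is dropped.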
@@ -22,13 +22,12 @@ in api.insecure = false; # Enable logs - #log.filePath = "/var/log/traefik/traefik.log"; log = { level = "INFO"; filePath = "${config.services.traefik.dataDir}/traefik.log"; format = "json"; }; - accessLog.filePath = "/var/log/traefik/accessLog.log"; + accessLog.filePath = "${config.services.traefik.dataDir}/accessLog.log"; # Enable Docker provider providers.docker = {