gerd.forgejo: now uses authelia for authentication + patches for signin

2024-08-12 13:56:34 +02:00 · 2024-08-12 13:56:34 +02:00 · 5d94967c48
commit 5d94967c48
parent d459fa895e
11 changed files with 243 additions and 118 deletions
--- a/machines/gerd/services/forgejo/forgejo.nix
+++ b/machines/gerd/services/forgejo/forgejo.nix
@ -0,0 +1,53 @@
+{ config, lib, pkgs, ... }:
+
+let
+  svc_domain = "git.${config.mine.settings.domain}";
+
+in {
+  services.forgejo = {
+    enable = true;
+
+    package = pkgs.forgejo.overrideAttrs (old: {
+      patches = old.patches ++ [
+        ./patches/signin-template.patch
+        ./patches/link-accounts-template.patch
+      ];
+    });
+
+    stateDir = config.mine.zfsMounts."rpool/safe/svcs/forgejo";
+
+    settings = {
+      server = {
+        DOMAIN = svc_domain;
+        ROOT_URL = "https://${svc_domain}";
+        HTTPPORT = 3000;
+      };
+
+      # sync ldap and forgejo
+      "cron.sync_external_users" = {
+        RUN_AT_START = true;
+        SCHEDULE = "@every 15m";
+        UPDATE_EXISTING = true;
+      };
+
+      # disable registration, only account linking is possible
+      service.DISABLE_REGISTRATION = true;
+    };
+  };
+
+  # TODO(eyJhb): remove after our ban expires (and nginx config)
+  # already issued for this exact set of domains in the last 168 hours: git.fricloud.dk, retry after 2024-08-10T01:34:44Z
+  security.acme.certs."git.fricloud.dk".extraDomainNames = [ "git2.fricloud.dk" ];
+
+  services.nginx.virtualHosts."${svc_domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    extraConfig = ''
+      client_max_body_size 512M;
+    '';
+    locations."/".proxyPass = "http://localhost:${builtins.toString config.services.forgejo.settings.server.HTTPPORT}";
+  };
+
+  # settings
+  mine.settings.forgejo.domain = svc_domain;
+}