🏗️ forgejo: sqlite -> mysql

2024-10-13 01:25:39 +09:00 · 2024-10-13 01:25:39 +09:00 · f026fa1fdc
commit f026fa1fdc
parent 05fbad21e1
2 changed files with 110 additions and 13 deletions
--- a/machines/orbi/hardware-configuration/disko-config.nix
+++ b/machines/orbi/hardware-configuration/disko-config.nix
@ -137,6 +137,18 @@ in
              #"com.sun:auto-snapshot:monthly" = toString true;
            };
          };
+          "forgejo" = {
+            type = "zfs_fs";
+            mountpoint = "/var/lib/nixos-containers/forgejo";
+            options = {
+              mountpoint = "legacy";
+              compression = "lz4";
+              "com.sun:auto-snapshot:hourly" = toString true;
+              "com.sun:auto-snapshot:daily" = toString true;
+              #"com.sun:auto-snapshot:weekly" = toString true;
+              #"com.sun:auto-snapshot:monthly" = toString true;
+            };
+          };
          "taskchampion" = {
            type = "zfs_fs";
            mountpoint = config.services.taskchampion-sync-server.dataDir;
--- a/machines/orbi/service-forgejo.nix
+++ b/machines/orbi/service-forgejo.nix
@ -2,14 +2,30 @@
  config,
  lib,
  pkgs,
+  components,
+  inputs,
  ...
 }:
+let
+  mysqlPort = 3333;
+  sshPort = 2222;
+  mysqlPackage = pkgs.mysql;
+  forgejoPort = 3000;
+in
 {

  healthchecks.http.forgejjo = {
    url = "https://git.ingolf-wagner.de/explore/repos";
    expectedContent = "palo/nixos-config";
  };
+  healthchecks.closed.public.ports.forgejo = [
+    mysqlPort
+    sshPort
+    forgejoPort
+  ];
+  networking.firewall.allowedTCPPorts = [ sshPort ];
+  networking.firewall.allowedUDPPorts = [ sshPort ];
+  # todo : make a healthcheck on open ssh port

  services.nginx = {
    enable = true;
@ -25,20 +41,89 @@
    };
  };

-  services.forgejo = {
-    enable = true;
-    package = pkgs.forgejo;
-    settings = {
-      server.ROOT_URL = "https://git.ingolf-wagner.de/";
-      server.DOMAIN = "git.ingolf-wagner.de";
-      DEFAULT.APP_NAME = "git.ingolf-wagner.de";
-      service.DISABLE_REGISTRATION = true;
-      session.COOKIE_SECURE = true;
-      log.LEVEL = "Warn";
-      other = {
-        SHOW_FOOTER_VERSION = false;
-      };
+  containers.forgejo = {
+    privateNetwork = false;
+    autoStart = true;
+    specialArgs = {
+      inherit components;
    };
+
+    config =
+      {
+        config,
+        lib,
+        components,
+        ...
+      }:
+      {
+        nixpkgs.pkgs = pkgs;
+        imports = [
+          "${components}/monitor/container.nix"
+          inputs.nix-topology.nixosModules.default
+        ];
+        system.stateVersion = "24.11";
+        services.logrotate.checkConfig = false; # because uid 3000 does not exist in here
+
+        # ssh server (not really needed)
+        # ------------------------------
+        #services.openssh = {
+        #  enable = true;
+        #  ports = [ sshPort ];
+        #  settings.X11Forwarding = false;
+        #  settings.PasswordAuthentication = false;
+        #};
+
+        # forgejo
+        # -------
+        services.forgejo = {
+          enable = true;
+          package = pkgs.forgejo;
+          database = {
+            type = "mysql";
+            port = mysqlPort;
+          };
+          settings = {
+            server.SSH_PORT = sshPort;
+            server.START_SSH_SERVER = true;
+            server.HTTP_PORT = forgejoPort;
+            server.ROOT_URL = "https://git.ingolf-wagner.de/";
+            server.DOMAIN = "git.ingolf-wagner.de";
+            DEFAULT.APP_NAME = "git.ingolf-wagner.de";
+            service.DISABLE_REGISTRATION = true;
+            session.COOKIE_SECURE = true;
+            log.LEVEL = "Warn";
+            other = {
+              SHOW_FOOTER_VERSION = false;
+            };
+          };
+        };
+
+        # MySQL Database
+        # --------------
+        services.mysql = {
+          enable = true;
+          package = mysqlPackage;
+          settings.mysqld.port = mysqlPort;
+          ensureDatabases = [ config.services.forgejo.database.name ];
+          ensureUsers = [
+            {
+              name = config.services.forgejo.database.user;
+              ensurePermissions = {
+                "${config.services.forgejo.database.name}.*" = "ALL PRIVILEGES";
+              };
+            }
+          ];
+        };
+
+        # Backup Database
+        # ---------------
+        services.mysqlBackup = {
+          enable = false;
+          databases = config.services.mysql.ensureDatabases;
+          singleTransaction = true;
+        };
+
+      };
  };

 }