🔧 renamed forgejo-runners

components/network/sshd/known-hosts-manual.nix

@@ -15,11 +15,18 @@ in
     services.openssh.knownHosts = {
       orbi = {
         hostNames = [
-          "git.ingolf-wagner.de"
           "95.216.66.212"
         ];
         publicKey = publicKey "orbi";
       };
+
+      forgejo = {
+        hostNames = [
+          "[git.ingolf-wagner.de]:2222"
+        ];
+        publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDQVomwXedtY4ZAKA1Bcsz6Ud2Ys3mjjGJXLcWQLceXKmmAQfOWqqLrTddhrLjmZImS3HTexGK7iNmYYCd/lG+7j1rMebmk3cddH6qr/4WB5SSexbLV4/vlk18kia6O+52ybrMzejwcfr9qNEg+bkrmc4btsWcT/w21vRyOzsmRRnk+S54prLGtiCypFqwGYnyr6HPXO3lqCLHIR/XurcFvh/aM/RGusWh889TXA39FezDcV6OZisZTTC4BBoUAS8r6XJnrIahZJmfEHp/FbKJV0pShCCQXtpkUBu7g6B2T+8u91fY4kc8O293XhaxjTBfkZH2lGodppGG12vAQSeznppbzlT82uTx80jyt7Hw/IAjn9j8D+iKC7fA9qawVz+p1UtqHQd43+8gOSiHILOUMhVxp7ZrfhYmaiOKrkR4+Juc9P2UsqrAvxS1WaYT4KaEZfze7/DCdK0h2SSY2jgCU9sNeJG6M4s/pPj+iI/O+AagHfBZ+bF2y+OKEZOW4J+OpqnEY3lANdxsMsD9PwBpAVAn9FAJzAy+gfXINu0wqGhtA3qWM0QVjcSXsfQJQ2XrbMPd9+pvOl1Ej5SSbjXYcPt9dXWl+L69dbU5qb8WRGl2ZxloUaRcOrOkmhybwI/61LfaGzLslnNn8ARjJgzu9xSipT5D4cZ1FgB9ezqC73Q==";
+      };
+
     };
 
   };

flake.lock

@@ -1034,12 +1034,12 @@
         "rev": "24639d955322eac0efc8a2418c4dd9aa181f8c91",
         "revCount": 79,
         "type": "git",
-        "url": "ssh://forgejo@git.ingolf-wagner.de/palo/nixos-private-parts.git"
+        "url": "ssh://forgejo@git.ingolf-wagner.de:2222/palo/nixos-private-parts.git"
       },
       "original": {
         "ref": "main",
         "type": "git",
-        "url": "ssh://forgejo@git.ingolf-wagner.de/palo/nixos-private-parts.git"
+        "url": "ssh://forgejo@git.ingolf-wagner.de:2222/palo/nixos-private-parts.git"
       }
     },
     "retiolum": {

flake.nix

@@ -33,7 +33,7 @@
     permown.url = "github:mrVanDalo/module.permown";
     polygon-art.url = "git+https://git.ingolf-wagner.de/palo/polygon-art.git";
     private-parts.inputs.nixpkgs.follows = "nixpkgs"; # only private input
-    private-parts.url = "git+ssh://forgejo@git.ingolf-wagner.de/palo/nixos-private-parts.git?ref=main";
+    private-parts.url = "git+ssh://forgejo@git.ingolf-wagner.de:2222/palo/nixos-private-parts.git?ref=main";
     #private-parts.url = "git+file:///home/palo/dev/nixos/nixos-private-parts";
     retiolum.url = "github:Mic92/retiolum";
     srvos.url = "github:nix-community/srvos";

machines/orbi/hardware-configuration/disko-config.nix

@@ -137,6 +137,18 @@ in
               #"com.sun:auto-snapshot:monthly" = toString true;
             };
           };
+          "forgejo" = {
+            type = "zfs_fs";
+            mountpoint = "/var/lib/nixos-containers/forgejo";
+            options = {
+              mountpoint = "legacy";
+              compression = "lz4";
+              "com.sun:auto-snapshot:hourly" = toString true;
+              "com.sun:auto-snapshot:daily" = toString true;
+              #"com.sun:auto-snapshot:weekly" = toString true;
+              #"com.sun:auto-snapshot:monthly" = toString true;
+            };
+          };
           "taskchampion" = {
             type = "zfs_fs";
             mountpoint = config.services.taskchampion-sync-server.dataDir;

machines/orbi/service-forgejo-runner.nix

@@ -30,12 +30,12 @@ in
       prompt = "please enter your gitea-runner password";
       path = with pkgs; [ coreutils ];
       script = ''
-        echo "$prompt_value" > "$secrets"/gitea-runner.token
+        echo "TOKEN=$prompt_value" > "$secrets"/gitea-runner.token
       '';
     };
   };
 
-  systemd.services."gitea-runner-${escapeSystemdPath "git.ingolf-wagner.de"}" = {
+  systemd.services."gitea-runner-orbi" = {
     serviceConfig = {
       DynamicUser = lib.mkForce false;
     };
@@ -43,7 +43,7 @@ in
 
   services.gitea-actions-runner = {
     package = pkgs.forgejo-runner;
-    instances."git.ingolf-wagner.de" = {
+    instances."orbi" = {
       enable = true;
       settings = {
         runner = {
@@ -64,7 +64,8 @@ in
       ];
       url = "https://git.ingolf-wagner.de";
       tokenFile = config.clan.core.facts.services.gitea-runner.secret."gitea-runner.token".path;
-      name = "fick_deine_mudda";
+      name = "orbi";
+
       labels = [
         # provide a debian base with nodejs for actions
         #"debian-latest:docker://node:18-bullseye"

machines/orbi/service-forgejo.nix

@@ -2,14 +2,29 @@
   config,
   lib,
   pkgs,
+  components,
+  inputs,
   ...
 }:
+let
+  mysqlPort = 3333;
+  sshPort = 2222;
+  mysqlPackage = pkgs.mysql;
+  forgejoPort = 3000;
+in
 {
 
   healthchecks.http.forgejjo = {
     url = "https://git.ingolf-wagner.de/explore/repos";
     expectedContent = "palo/nixos-config";
   };
+  healthchecks.closed.public.ports.forgejo = [
+    mysqlPort
+    forgejoPort
+  ];
+  networking.firewall.allowedTCPPorts = [ sshPort ];
+  networking.firewall.allowedUDPPorts = [ sshPort ];
+  # todo : make a healthcheck on open ssh port
 
   services.nginx = {
     enable = true;
@@ -25,20 +40,89 @@
     };
   };
 
-  services.forgejo = {
+  containers.forgejo = {
-    enable = true;
+    privateNetwork = false;
-    package = pkgs.forgejo;
+    autoStart = true;
-    settings = {
+    specialArgs = {
-      server.ROOT_URL = "https://git.ingolf-wagner.de/";
+      inherit components;
-      server.DOMAIN = "git.ingolf-wagner.de";
-      DEFAULT.APP_NAME = "git.ingolf-wagner.de";
-      service.DISABLE_REGISTRATION = true;
-      session.COOKIE_SECURE = true;
-      log.LEVEL = "Warn";
-      other = {
-        SHOW_FOOTER_VERSION = false;
-      };
     };
+
+    config =
+      {
+        config,
+        lib,
+        components,
+        ...
+      }:
+      {
+        nixpkgs.pkgs = pkgs;
+        imports = [
+          "${components}/monitor/container.nix"
+          inputs.nix-topology.nixosModules.default
+        ];
+        system.stateVersion = "24.11";
+        services.logrotate.checkConfig = false; # because uid 3000 does not exist in here
+
+        # ssh server (not really needed)
+        # ------------------------------
+        #services.openssh = {
+        #  enable = true;
+        #  ports = [ sshPort ];
+        #  settings.X11Forwarding = false;
+        #  settings.PasswordAuthentication = false;
+        #};
+
+        # forgejo
+        # -------
+        services.forgejo = {
+          enable = true;
+          package = pkgs.forgejo;
+          database = {
+            type = "mysql";
+            port = mysqlPort;
+          };
+          settings = {
+            server.SSH_PORT = sshPort;
+            server.START_SSH_SERVER = true;
+            server.HTTP_PORT = forgejoPort;
+            server.ROOT_URL = "https://git.ingolf-wagner.de/";
+            server.DOMAIN = "git.ingolf-wagner.de";
+            DEFAULT.APP_NAME = "git.ingolf-wagner.de";
+            service.DISABLE_REGISTRATION = true;
+            session.COOKIE_SECURE = true;
+            log.LEVEL = "Warn";
+            other = {
+              SHOW_FOOTER_VERSION = false;
+            };
+          };
+        };
+
+        # MySQL Database
+        # --------------
+        services.mysql = {
+          enable = true;
+          package = mysqlPackage;
+          settings.mysqld.port = mysqlPort;
+          ensureDatabases = [ config.services.forgejo.database.name ];
+          ensureUsers = [
+            {
+              name = config.services.forgejo.database.user;
+              ensurePermissions = {
+                "${config.services.forgejo.database.name}.*" = "ALL PRIVILEGES";
+              };
+            }
+          ];
+        };
+
+        # Backup Database
+        # ---------------
+        services.mysqlBackup = {
+          enable = false;
+          databases = config.services.mysql.ensureDatabases;
+          singleTransaction = true;
+        };
+
+      };
   };
 
 }

machines/orbi/service-photoprism.nix

@@ -16,7 +16,10 @@ in
   networking.firewall.interfaces.wg0.allowedTCPPorts = [ photoprismPort ];
   # networking.firewall.interfaces.wg0.allowedUDPPorts = [ photoprismPort ];
 
-  healthchecks.closed.public.ports.photoprism = [ photoprismPort ];
+  healthchecks.closed.public.ports.photoprism = [
+    photoprismPort
+    mysqlPort
+  ];
   healthchecks.http.photoprism = {
     url = "http://10.100.0.1:2342/library/login";
     expectedContent = "AI-Powered Photos App";