authorFranck Cuny <franck@fcuny.net>2025-08-14 10:18:27 -0700
committerFranck Cuny <franck@fcuny.net>2025-08-14 10:18:27 -0700
commit1ccee14d3cfd66d8bd17270118f55662bb42d91d (patch)
treeff32b89c292c65b2d2f1d561b4b7c00abd33c206 /machines/nixos/x86_64-linux/synology-vm/profiles/forgejo.nix
parentinitial setup for forgejo and caddy (diff)
add keycloak for OAuth, runbooks, and finish forgejo setup
Diffstat (limited to '')
-rw-r--r--machines/nixos/x86_64-linux/synology-vm/profiles/forgejo.nix75
1 files changed, 72 insertions, 3 deletions
diff --git a/machines/nixos/x86_64-linux/synology-vm/profiles/forgejo.nix b/machines/nixos/x86_64-linux/synology-vm/profiles/forgejo.nix
index b9dac30..a323981 100644
--- a/machines/nixos/x86_64-linux/synology-vm/profiles/forgejo.nix
+++ b/machines/nixos/x86_64-linux/synology-vm/profiles/forgejo.nix
@@ -1,23 +1,92 @@
-{ ... }:
+{ self, config, ... }:
{
+ age.secrets.forgejo-fastmail = {
+ file = "${self}/secrets/forgejo-fastmail.age";
+ };
+
services.forgejo = {
enable = true;
database.type = "postgres";
lfs.enable = false;
+ secrets = {
+ mailer.PASSWD = config.age.secrets.forgejo-fastmail.path;
+ };
settings = {
- session.COOKIE_SECURE = true;
+ DEFAULT.APP_NAME = "¯\\_(ツ)_/¯";
+ session = {
+ COOKIE_SECURE = true;
+ PROVIDER = "db";
+ PROVIDER_CONFIG = "";
+ SESSION_LIFE_TIME = 86400 * 5;
+ };
server = {
DOMAIN = "code.fcuny.net";
ROOT_URL = "https://code.fcuny.net";
HTTP_PORT = 3000;
HTTP_ADDR = "10.100.0.40";
+ LANDING_PAGE = "explore";
+ };
+ mailer = {
+ ENABLED = true;
+ PROTOCOL = "smtp+starttls";
+ FROM = "code <forgejo@code.fcuny.net>";
+ USER = "franck@fcuny.net";
+ SMTP_ADDR = "smtp.fastmail.com";
};
metrics = {
ENABLED = true;
ENABLED_ISSUE_BY_LABEL = true;
ENABLED_ISSUE_BY_REPOSITORY = true;
};
- service.DISABLE_REGISTRATION = true;
+ service = {
+ REGISTER_EMAIL_CONFIRM = true;
+ DISABLE_REGISTRATION = true;
+ ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
+ SHOW_REGISTRATION_BUTTON = true;
+ };
+ openid = {
+ ENABLE_OPENID_SIGNIN = true;
+ ENABLE_OPENID_SIGNUP = true;
+ };
+ oauth2_client = {
+ REGISTER_EMAIL_CONFIRM = false;
+ ENABLE_AUTO_REGISTRATION = true;
+ USERNAME = "preferred_username";
+ ACCOUNT_LINKING = "auto";
+ };
+ repository = {
+ DEFAULT_PRIVATE = "public";
+ DEFAULT_PUSH_CREATE_PRIVATE = true;
+ ENABLE_PUSH_CREATE_USER = true;
+ PREFERRED_LICENSES = "GPL-3.0-or-later,MIT";
+ DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
+ DISABLE_STARS = true; # self-hosting so, doesn't make sense
+ };
+ "service.explore" = {
+ DISABLE_USERS_PAGE = true;
+ };
+ federation = {
+ ENABLED = true;
+ };
+ ui = {
+ # To protect privacy of users.
+ SHOW_USER_EMAIL = false;
+ };
};
};
+
+ my.modules.backups = {
+ local.paths = [ "/var/lib/forgejo" ];
+ local.exclude = [
+ "/var/lib/forgejo/data/indexers"
+ "/var/lib/forgejo/data/repo-archive"
+ "/var/lib/forgejo/data/tmp"
+ ];
+ remote.paths = [ "/var/lib/forgejo" ];
+ remote.exclude = [
+ "/var/lib/forgejo/data/indexers"
+ "/var/lib/forgejo/data/repo-archive"
+ "/var/lib/forgejo/data/tmp"
+ ];
+ };
}
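Review bot: `ACCOUNT_LINKING = "auto"` in the `oauth2_client` block, combined with `ENABLE_AUTO_REGISTRATION = true`, attaches an incoming OAuth identity to any existing local account with a matching username or email without asking for that account's password, so account safety rests entirely on Keycloak never issuing an unverified email or a reusable `preferred_username`. Unless the realm enforces verified emails and has self-registration off (not visible in this file), `ACCOUNT_LINKING = "login";` is the safer value, since it requires the user to sign in to the existing account before linking. Separately, `ENABLE_OPENID_SIGNUP = true` in the `openid` block appears to re-open account creation through any OpenID provider despite `DISABLE_REGISTRATION = true`; if only Keycloak is meant to create accounts, I would set `ENABLE_OPENID_SIGNUP = false;` or restrict providers with `WHITELISTED_URIS`. A short comment above the `service` block stating the intended registration policy would help, because `SHOW_REGISTRATION_BUTTON = true` next to `DISABLE_REGISTRATION = true` reads as contradictory.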