authorFranck Cuny <franck@fcuny.net>2025-10-18 14:46:47 -0700
committerFranck Cuny <franck@fcuny.net>2025-10-18 14:46:47 -0700
commitd09952fcd5ae3b73ea91f0f308527f70c0dc5c21 (patch)
tree08a570d4da8fd6c15285b461d3df6b283c477226 /profiles
parentconfigure wireguard for rivendell (diff)
downloadinfra-d09952fcd5ae3b73ea91f0f308527f70c0dc5c21.tar.gz
move keycloak and forgejo on rivendell
I had to rekey all the secrets. Updated the documentation for how to set up both Forgejo and Keycloak.
Diffstat (limited to 'profiles')
-rw-r--r--profiles/forgejo.nix104
-rw-r--r--profiles/keycloak.nix19
2 files changed, 123 insertions, 0 deletions
diff --git a/profiles/forgejo.nix b/profiles/forgejo.nix
new file mode 100644
index 0000000..70af185
--- /dev/null
+++ b/profiles/forgejo.nix
@@ -0,0 +1,104 @@
+{ config, pkgs, ... }:
+let
+ # convenience wrapper for admin commands
+ forgejo-admin = pkgs.writeShellScriptBin "forgejo-admin" ''
+ sudo -u forgejo ${pkgs.forgejo}/bin/gitea -c ${config.services.forgejo.customDir}/conf/app.ini admin "$@"
+ '';
+in
+{
+ networking.firewall.allowedTCPPorts = [ 3000 ];
+
+ age.secrets.forgejo-fastmail = {
+ file = ../secrets/forgejo-fastmail.age;
+ };
+
+ environment.systemPackages = [ forgejo-admin ];
+
+ services.forgejo = {
+ enable = true;
+ dump = {
+ enable = true;
+ };
+ database.type = "postgres";
+ lfs.enable = false;
+ secrets = {
+ mailer.PASSWD = config.age.secrets.forgejo-fastmail.path;
+ };
+ settings = {
+ DEFAULT.APP_NAME = "¯\\_(ツ)_/¯";
+ session = {
+ COOKIE_SECURE = true;
+ PROVIDER = "db";
+ PROVIDER_CONFIG = "";
+ SESSION_LIFE_TIME = 86400 * 5;
+ };
+ server = {
+ DOMAIN = "code.fcuny.net";
+ ROOT_URL = "https://code.fcuny.net";
+ HTTP_PORT = 3000;
+ LANDING_PAGE = "explore";
+ };
+ mailer = {
+ ENABLED = true;
+ PROTOCOL = "smtp+starttls";
+ FROM = "code <forgejo@code.fcuny.net>";
+ USER = "franck@fcuny.net";
+ SMTP_ADDR = "smtp.fastmail.com";
+ };
+ metrics = {
+ ENABLED = true;
+ ENABLED_ISSUE_BY_LABEL = true;
+ ENABLED_ISSUE_BY_REPOSITORY = true;
+ };
+ service = {
+ REGISTER_EMAIL_CONFIRM = true;
+ DISABLE_REGISTRATION = true;
+ ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
+ SHOW_REGISTRATION_BUTTON = true;
+ };
+ openid = {
+ ENABLE_OPENID_SIGNIN = true;
+ ENABLE_OPENID_SIGNUP = true;
+ };
+ oauth2_client = {
+ REGISTER_EMAIL_CONFIRM = false;
+ ENABLE_AUTO_REGISTRATION = true;
+ USERNAME = "preferred_username";
+ ACCOUNT_LINKING = "auto";
+ };
+ repository = {
+ DEFAULT_PRIVATE = "public";
+ DEFAULT_PUSH_CREATE_PRIVATE = true;
+ ENABLE_PUSH_CREATE_USER = true;
+ PREFERRED_LICENSES = "GPL-3.0-or-later,MIT";
+ DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
+ DISABLE_STARS = true; # self-hosting so, doesn't make sense
+ };
+ "service.explore" = {
+ DISABLE_USERS_PAGE = true;
+ };
+ federation = {
+ ENABLED = true;
+ };
+ ui = {
+ # To protect privacy of users.
+ SHOW_USER_EMAIL = false;
+ };
+ };
+ };
+
+ # my.modules.backups = {
+ # local.paths = [ "/var/lib/forgejo" ];
+ # local.exclude = [
+ # "/var/lib/forgejo/data/indexers"
+ # "/var/lib/forgejo/data/repo-archive"
+ # "/var/lib/forgejo/data/tmp"
+ # ];
+ # remote.paths = [ "/var/lib/forgejo" ];
+ # remote.exclude = [
+ # "/var/lib/forgejo/data/indexers"
+ # "/var/lib/forgejo/data/repo-archive"
+ # "/var/lib/forgejo/data/tmp"
+ # ];
+ # };
+}
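Review bot: `metrics.ENABLED = true` enables the `/metrics` endpoint, but no `[metrics] TOKEN` is configured, so the Prometheus scrape — including the per-repository issue counts that `ENABLED_ISSUE_BY_REPOSITORY` adds — is readable by anyone who can reach the service, which with `DISABLE_USERS_PAGE = true` elsewhere looks unintended. The token can be supplied the same way as the mailer password, e.g. `secrets.metrics.TOKEN = <path to an age-encrypted token>;`, and handed to the scraper as a bearer token. Separately, `networking.firewall.allowedTCPPorts = [ 3000 ]` exposes the plain-HTTP listener on every interface while `ROOT_URL` is an https URL, so a reverse proxy is presumably in front of it; if that proxy runs on the same host the firewall rule can be dropped, otherwise set `server.HTTP_ADDR` to the proxy-facing address (the module's default bind is all interfaces, as far as I recall) so the service cannot be reached while bypassing TLS and the proxy. Also worth a comment next to `dump.enable = true`: the dump contains the database and app.ini (with its secret keys), and the backup block below is commented out, so note where dumps land and how they are protected or pruned.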
diff --git a/profiles/keycloak.nix b/profiles/keycloak.nix
new file mode 100644
index 0000000..7aac133
--- /dev/null
+++ b/profiles/keycloak.nix
@@ -0,0 +1,19 @@
+{ config, ... }:
+{
+ age.secrets.keycloak-db-password = {
+ file = ../secrets/keycloak-db-password.age;
+ };
+
+ networking.firewall.allowedTCPPorts = [ 8080 ];
+
+ services.keycloak = {
+ enable = true;
+ database.passwordFile = config.age.secrets.keycloak-db-password.path;
+ settings = {
+ hostname = "id.fcuny.net";
+ http-port = 8080;
+ proxy-headers = "xforwarded";
+ http-enabled = true;
+ };
+ };
+}
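Review bot: `proxy-headers = "xforwarded"` makes Keycloak trust `X-Forwarded-For`/`X-Forwarded-Proto` on every request, while `networking.firewall.allowedTCPPorts = [ 8080 ]` together with `http-enabled = true` lets any network peer hit the plain-HTTP listener directly and forge those headers, bypassing the reverse proxy that the `hostname` setting implies and feeding a spoofed client address into brute-force detection and event logs. Bind the listener to the proxy-facing address — `http-host = "127.0.0.1";` if the proxy is on this host, in which case the firewall line can go — or scope the rule to that interface with `networking.firewall.interfaces.<iface>.allowedTCPPorts` instead of the global list. The parent commit sets up WireGuard for this host, so a wg interface may be the intended scope; worth confirming before merging.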