Cleanup, mostly Forgejo

hosts/Haven/default.nix

@@ -64,6 +64,10 @@ in
       forgejo = {
         enable = true;
         home = "/storage/services/forgejo";
+        actions = {
+          enable = true;
+          token = config.secrets.services.forgejo.runner-token;
+        };
       };
       msmtp.enable = true;
       nginx = {
@@ -87,6 +91,15 @@ in
               extraConfig = "proxy_ssl_server_name on;";
             };
           };
+          "${config.secrets.services.forgejo.url}" = {
+            useACMEHost = config.secrets.networking.primaryDomain;
+            forceSSL = true;
+            locations."/" = {
+              proxyPass = "http://127.0.0.1:3000";
+              proxyWebsockets = true;
+              extraConfig = "proxy_ssl_server_name on;"; # required when the target is also TLS server with multiple hosts
+            };
+          };
         };
       };
       ssh = {

modules/apps/development.nix

@@ -21,14 +21,7 @@ with lib;
     (mkIf cfg.enable {
       host.ui.flatpak.enable = true;
 
-      services.flatpak.packages = [
+      services.flatpak.packages = [ "com.vscodium.codium" ];
-        "com.vscodium.codium"
-        "dev.k8slens.OpenLens"
-      ];
-
-      environment.systemPackages = with pkgs; [
-        statix # Nix linting tool
-      ];
     })
     (mkIf cfg.kubernetes.enable {
       environment.systemPackages = with pkgs; [
@@ -36,6 +29,8 @@ with lib;
         kubernetes-helm
         kubevirt # Virtctl command-line tool
       ];
+
+      services.flatpak.packages = [ "dev.k8slens.OpenLens" ];
     })
   ];
 }

modules/base/roles.nix

@@ -0,0 +1,53 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.host.role;
+in
+{
+  options = {
+    host.role = lib.mkOption {
+      type = lib.types.enum [
+        "server"
+        "workstation"
+      ];
+    };
+  };
+
+  config = lib.mkMerge [
+    # Servers
+    (lib.mkIf (cfg == "server") {
+      host.apps.tmux.enable = true;
+      environment.systemPackages = with pkgs; [
+        htop
+        mdadm
+      ];
+    })
+
+    # Workstations
+    (lib.mkIf (cfg == "workstation") {
+      host.ui = {
+        audio.enable = true;
+        bluetooth.enable = true;
+        gnome.enable = true;
+        flatpak.enable = true;
+      };
+
+      boot = {
+        # Enable Plymouth
+        plymouth.enable = true;
+        plymouth.theme = "bgrt";
+
+        # Increase minimum log level. This removes ACPI errors from the boot screen.
+        consoleLogLevel = 1;
+
+        # Add kernel parameters
+        kernelParams = [ "quiet" ];
+      };
+    })
+  ];
+}

modules/roles/default.nix

@@ -1,13 +0,0 @@
-{ lib, ... }:
-
-with lib;
-{
-  options = {
-    host.role = mkOption {
-      type = types.enum [
-        "server"
-        "workstation"
-      ];
-    };
-  };
-}

modules/roles/server.nix

@@ -1,22 +0,0 @@
-{
-  config,
-  lib,
-  modulesPath,
-  pkgs,
-  ...
-}:
-let
-  inherit (config.host) role;
-in
-with lib;
-{
-  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
-
-  config = mkIf (role == "server") {
-    host.apps.tmux.enable = true;
-    environment.systemPackages = with pkgs; [
-      htop
-      mdadm
-    ];
-  };
-}

modules/roles/workstation.nix

@@ -1,35 +0,0 @@
-{
-  config,
-  lib,
-  modulesPath,
-  pkgs,
-  ...
-}:
-let
-  inherit (config.host) role;
-in
-with lib;
-{
-  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
-
-  config = mkIf (role == "workstation") {
-    host.ui = {
-      audio.enable = true;
-      bluetooth.enable = true;
-      gnome.enable = true;
-      flatpak.enable = true;
-    };
-
-    boot = {
-      # Enable Plymouth
-      plymouth.enable = true;
-      plymouth.theme = "bgrt";
-
-      # Increase minimum log level. This removes ACPI errors from the boot screen.
-      consoleLogLevel = 1;
-
-      # Add kernel parameters
-      kernelParams = [ "quiet" ];
-    };
-  };
-}

modules/services/forgejo.nix

@@ -26,10 +26,31 @@ in
     host.services.forgejo = {
       autostart = lib.mkEnableOption (lib.mdDoc "Automatically starts Forgejo at boot.");
       enable = lib.mkEnableOption (lib.mdDoc "Enables Forgejo Git hosting service.");
+      domain = lib.mkOption {
+        default = "";
+        type = lib.types.str;
+        description = "The root domain that Forgejo will be hosted on.";
+        example = "example.com";
+      };
       home = lib.mkOption {
         default = "";
         type = lib.types.str;
         description = "Where to store Forgejo's files";
+        example = "/home/forgejo";
+      };
+      url = lib.mkOption {
+        default = "";
+        type = lib.types.str;
+        description = "The complete URL where Forgejo is hosted.";
+        example = "https://forgejo.example.com";
+      };
+      actions = {
+        enable = lib.mkEnableOption (lib.mdDoc "Enables a local Forgejo Actions runner.");
+        token = lib.mkOption {
+          default = "";
+          type = lib.types.str;
+          description = "Token used to authenticate the runner with Forgejo.";
+        };
       };
     };
   };
@@ -40,35 +61,25 @@ in
       pkgs.podman-tui
     ];
     services = {
-      nginx.virtualHosts."${config.secrets.services.forgejo.url}" = {
-        useACMEHost = config.secrets.networking.primaryDomain;
-        forceSSL = true;
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:3000";
-          proxyWebsockets = true;
-          extraConfig = "proxy_ssl_server_name on;"; # required when the target is also TLS server with multiple hosts
-        };
-      };
-
       forgejo = {
         enable = true;
         lfs.enable = true;
         settings.server = {
-          DOMAIN = "${config.secrets.networking.primaryDomain}";
+          DOMAIN = cfg.domain;
-          ROOT_URL = "https://code.${config.secrets.networking.primaryDomain}/";
+          ROOT_URL = cfg.url;
           HTTP_PORT = 3000;
         };
         useWizard = true;
       } // lib.optionalAttrs (cfg.home != null) { stateDir = cfg.home; };
 
       # Enable runner for CI actions
-      gitea-actions-runner = {
+      gitea-actions-runner = lib.mkIf cfg.actions.enable {
         package = pkgs.forgejo-actions-runner;
         instances.default = {
           enable = true;
           name = config.networking.hostName;
-          url = "https://${config.secrets.services.forgejo.url}";
+          url = cfg.url;
-          token = config.secrets.services.forgejo.runner-token;
+          token = cfg.actions.token;
           labels = [
             "nix:docker://nixos/nix" # Shoutout to Icewind 1991 for this syntax: https://icewind.nl/entry/gitea-actions-nix/
             "debian:docker://node:20-bullseye"
@@ -84,8 +95,12 @@ in
       };
     };
 
+    systemd.services = {
+      nginx.wants = [ config.systemd.services.forgejo.name ];
+    } // lib.optionalAttrs (!cfg.autostart) { forgejo.wantedBy = lib.mkForce [ ]; };
+
     # Enable Podman for running...uh, runners.
-    virtualisation = {
+    virtualisation = lib.mkIf cfg.actions.enable {
       containers.enable = true;
       podman = {
         enable = true;
@@ -99,13 +114,9 @@ in
     };
 
     # Allow containers to make DNS queries (https://www.reddit.com/r/NixOS/comments/199f16j/why_dont_my_podman_containers_have_internet_access/)
-    networking.firewall.interfaces.podman4 = {
+    networking.firewall.interfaces.podman4 = lib.mkIf cfg.actions.enable {
       allowedTCPPorts = [ 53 ];
       allowedUDPPorts = [ 53 ];
     };
-
-    systemd.services = {
-      nginx.wants = [ config.systemd.services.forgejo.name ];
-    } // lib.optionalAttrs (!cfg.autostart) { forgejo.wantedBy = lib.mkForce [ ]; };
   };
 }