Cleanup, mostly Forgejo

2024-06-04 14:18:45 -04:00 · 2024-06-04 14:18:45 -04:00 · bdefed51cf
parent 5d0721716f
commit bdefed51cf
7 changed files with 101 additions and 99 deletions
--- a/hosts/Haven/default.nix
+++ b/hosts/Haven/default.nix
@ -64,6 +64,10 @@ in
      forgejo = {
        enable = true;
        home = "/storage/services/forgejo";
+        actions = {
+          enable = true;
+          token = config.secrets.services.forgejo.runner-token;
+        };
      };
      msmtp.enable = true;
      nginx = {
@ -87,6 +91,15 @@ in
              extraConfig = "proxy_ssl_server_name on;";
            };
          };
+          "${config.secrets.services.forgejo.url}" = {
+            useACMEHost = config.secrets.networking.primaryDomain;
+            forceSSL = true;
+            locations."/" = {
+              proxyPass = "http://127.0.0.1:3000";
+              proxyWebsockets = true;
+              extraConfig = "proxy_ssl_server_name on;"; # required when the target is also TLS server with multiple hosts
+            };
+          };
        };
      };
      ssh = {
--- a/modules/apps/development.nix
+++ b/modules/apps/development.nix
@ -21,14 +21,7 @@ with lib;
    (mkIf cfg.enable {
      host.ui.flatpak.enable = true;

-      services.flatpak.packages = [
-        "com.vscodium.codium"
-        "dev.k8slens.OpenLens"
-      ];
-
-      environment.systemPackages = with pkgs; [
-        statix # Nix linting tool
-      ];
+      services.flatpak.packages = [ "com.vscodium.codium" ];
    })
    (mkIf cfg.kubernetes.enable {
      environment.systemPackages = with pkgs; [
@ -36,6 +29,8 @@ with lib;
        kubernetes-helm
        kubevirt # Virtctl command-line tool
      ];
+
+      services.flatpak.packages = [ "dev.k8slens.OpenLens" ];
    })
  ];
 }
--- a/modules/base/roles.nix
+++ b/modules/base/roles.nix
@ -0,0 +1,53 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.host.role;
+in
+{
+  options = {
+    host.role = lib.mkOption {
+      type = lib.types.enum [
+        "server"
+        "workstation"
+      ];
+    };
+  };
+
+  config = lib.mkMerge [
+    # Servers
+    (lib.mkIf (cfg == "server") {
+      host.apps.tmux.enable = true;
+      environment.systemPackages = with pkgs; [
+        htop
+        mdadm
+      ];
+    })
+
+    # Workstations
+    (lib.mkIf (cfg == "workstation") {
+      host.ui = {
+        audio.enable = true;
+        bluetooth.enable = true;
+        gnome.enable = true;
+        flatpak.enable = true;
+      };
+
+      boot = {
+        # Enable Plymouth
+        plymouth.enable = true;
+        plymouth.theme = "bgrt";
+
+        # Increase minimum log level. This removes ACPI errors from the boot screen.
+        consoleLogLevel = 1;
+
+        # Add kernel parameters
+        kernelParams = [ "quiet" ];
+      };
+    })
+  ];
+}
--- a/modules/roles/default.nix
+++ b/modules/roles/default.nix
@ -1,13 +0,0 @@
-{ lib, ... }:
-
-with lib;
-{
-  options = {
-    host.role = mkOption {
-      type = types.enum [
-        "server"
-        "workstation"
-      ];
-    };
-  };
-}
--- a/modules/roles/server.nix
+++ b/modules/roles/server.nix
@ -1,22 +0,0 @@
-{
-  config,
-  lib,
-  modulesPath,
-  pkgs,
-  ...
-}:
-let
-  inherit (config.host) role;
-in
-with lib;
-{
-  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
-
-  config = mkIf (role == "server") {
-    host.apps.tmux.enable = true;
-    environment.systemPackages = with pkgs; [
-      htop
-      mdadm
-    ];
-  };
-}
--- a/modules/roles/workstation.nix
+++ b/modules/roles/workstation.nix
@ -1,35 +0,0 @@
-{
-  config,
-  lib,
-  modulesPath,
-  pkgs,
-  ...
-}:
-let
-  inherit (config.host) role;
-in
-with lib;
-{
-  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
-
-  config = mkIf (role == "workstation") {
-    host.ui = {
-      audio.enable = true;
-      bluetooth.enable = true;
-      gnome.enable = true;
-      flatpak.enable = true;
-    };
-
-    boot = {
-      # Enable Plymouth
-      plymouth.enable = true;
-      plymouth.theme = "bgrt";
-
-      # Increase minimum log level. This removes ACPI errors from the boot screen.
-      consoleLogLevel = 1;
-
-      # Add kernel parameters
-      kernelParams = [ "quiet" ];
-    };
-  };
-}
--- a/modules/services/forgejo.nix
+++ b/modules/services/forgejo.nix
@ -26,10 +26,31 @@ in
    host.services.forgejo = {
      autostart = lib.mkEnableOption (lib.mdDoc "Automatically starts Forgejo at boot.");
      enable = lib.mkEnableOption (lib.mdDoc "Enables Forgejo Git hosting service.");
+      domain = lib.mkOption {
+        default = "";
+        type = lib.types.str;
+        description = "The root domain that Forgejo will be hosted on.";
+        example = "example.com";
+      };
      home = lib.mkOption {
        default = "";
        type = lib.types.str;
        description = "Where to store Forgejo's files";
+        example = "/home/forgejo";
+      };
+      url = lib.mkOption {
+        default = "";
+        type = lib.types.str;
+        description = "The complete URL where Forgejo is hosted.";
+        example = "https://forgejo.example.com";
+      };
+      actions = {
+        enable = lib.mkEnableOption (lib.mdDoc "Enables a local Forgejo Actions runner.");
+        token = lib.mkOption {
+          default = "";
+          type = lib.types.str;
+          description = "Token used to authenticate the runner with Forgejo.";
+        };
      };
    };
  };
@ -40,35 +61,25 @@ in
      pkgs.podman-tui
    ];
    services = {
-      nginx.virtualHosts."${config.secrets.services.forgejo.url}" = {
-        useACMEHost = config.secrets.networking.primaryDomain;
-        forceSSL = true;
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:3000";
-          proxyWebsockets = true;
-          extraConfig = "proxy_ssl_server_name on;"; # required when the target is also TLS server with multiple hosts
-        };
-      };
-
      forgejo = {
        enable = true;
        lfs.enable = true;
        settings.server = {
-          DOMAIN = "${config.secrets.networking.primaryDomain}";
-          ROOT_URL = "https://code.${config.secrets.networking.primaryDomain}/";
+          DOMAIN = cfg.domain;
+          ROOT_URL = cfg.url;
          HTTP_PORT = 3000;
        };
        useWizard = true;
      } // lib.optionalAttrs (cfg.home != null) { stateDir = cfg.home; };

      # Enable runner for CI actions
-      gitea-actions-runner = {
+      gitea-actions-runner = lib.mkIf cfg.actions.enable {
        package = pkgs.forgejo-actions-runner;
        instances.default = {
          enable = true;
          name = config.networking.hostName;
-          url = "https://${config.secrets.services.forgejo.url}";
-          token = config.secrets.services.forgejo.runner-token;
+          url = cfg.url;
+          token = cfg.actions.token;
          labels = [
            "nix:docker://nixos/nix" # Shoutout to Icewind 1991 for this syntax: https://icewind.nl/entry/gitea-actions-nix/
            "debian:docker://node:20-bullseye"
@ -84,8 +95,12 @@ in
      };
    };

+    systemd.services = {
+      nginx.wants = [ config.systemd.services.forgejo.name ];
+    } // lib.optionalAttrs (!cfg.autostart) { forgejo.wantedBy = lib.mkForce [ ]; };
+
    # Enable Podman for running...uh, runners.
-    virtualisation = {
+    virtualisation = lib.mkIf cfg.actions.enable {
      containers.enable = true;
      podman = {
        enable = true;
@ -99,13 +114,9 @@ in
    };

    # Allow containers to make DNS queries (https://www.reddit.com/r/NixOS/comments/199f16j/why_dont_my_podman_containers_have_internet_access/)
-    networking.firewall.interfaces.podman4 = {
+    networking.firewall.interfaces.podman4 = lib.mkIf cfg.actions.enable {
      allowedTCPPorts = [ 53 ];
      allowedUDPPorts = [ 53 ];
    };
-
-    systemd.services = {
-      nginx.wants = [ config.systemd.services.forgejo.name ];
-    } // lib.optionalAttrs (!cfg.autostart) { forgejo.wantedBy = lib.mkForce [ ]; };
  };
 }