WIP: gitea: Migrate to forgejo

configuration/services/gitea.nix

@@ -6,12 +6,10 @@
 }: let
   domain = "gitea.${config.services.nginx.domain}";
 in {
-  services.gitea = {
+  services.forgejo = {
     enable = true;
     database.type = "postgres";
 
-    appName = "Gitea: Git with a cup of tea";
-
     settings = {
       server = {
         DOMAIN = domain;
@@ -29,18 +27,18 @@ in {
     };
   };
 
-  systemd.services.gitea.serviceConfig.ExecStartPre = let
+  systemd.services.forgejo.serviceConfig.ExecStartPre = let
     replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
-    secretPath = config.sops.secrets."gitea/metrics-token".path;
-    runConfig = "${config.services.gitea.customDir}/conf/app.ini";
+    secretPath = config.sops.secrets."forgejo/metrics-token".path;
+    runConfig = "${config.services.forgejo.customDir}/conf/app.ini";
   in [
     "+${replaceSecretBin} '#metricstoken#' '${secretPath}' '${runConfig}'"
   ];
 
   # Set up SSL
   services.nginx.virtualHosts."${domain}" = let
-    httpAddress = config.services.gitea.settings.server.HTTP_ADDR;
-    httpPort = config.services.gitea.settings.server.HTTP_PORT;
+    httpAddress = config.services.forgejo.settings.server.HTTP_ADDR;
+    httpPort = config.services.forgejo.settings.server.HTTP_PORT;
   in {
     forceSSL = true;
     enableACME = true;
@@ -62,40 +60,39 @@ in {
 
   # Block repeated failed login attempts
   #
-  # TODO(tlater): Update to the new regex, since apparently this one
-  # is deprecated (but the new one doesn't work on the current version
-  # of gitea yet): https://docs.gitea.io/en-us/fail2ban-setup/
-  environment.etc = {
-    "fail2ban/filter.d/gitea.conf".text = ''
-      [Definition]
-      failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
-      journalmatch = _SYSTEMD_UNIT=gitea.service + _COMM=gitea + SYSLOG_IDENTIFIER=gitea
-    '';
-  };
+  # TODO(tlater): Update this - we switched to forgejo, who knows what
+  # the new matches are.
+  # environment.etc = {
+  #   "fail2ban/filter.d/gitea.conf".text = ''
+  #     [Definition]
+  #     failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+  #     journalmatch = _SYSTEMD_UNIT=forgejo.service + _COMM=forgejo + SYSLOG_IDENTIFIER=forgejo
+  #   '';
+  # };
 
-  services.fail2ban.jails = {
-    gitea = ''
-      enabled = true
-    '';
-  };
+  # services.fail2ban.jails = {
+  #   gitea = ''
+  #     enabled = true
+  #   '';
+  # };
 
-  services.backups.gitea = {
-    user = "gitea";
-    paths = [
-      "/var/lib/gitea/gitea-db.sql"
-      "/var/lib/gitea/repositories/"
-      "/var/lib/gitea/data/"
-      "/var/lib/gitea/custom/"
-      # Conf is backed up via nix
-    ];
-    preparation = {
-      packages = [config.services.postgresql.package];
-      text = "pg_dump ${config.services.gitea.database.name} --file=/var/lib/gitea/gitea-db.sql";
-    };
-    cleanup = {
-      packages = [pkgs.coreutils];
-      text = "rm /var/lib/gitea/gitea-db.sql";
-    };
-    pauseServices = ["gitea.service"];
-  };
+  # services.backups.forgejo = {
+  #   user = "forgejo";
+  #   paths = [
+  #     "/var/lib/forgejo/forgejo-db.sql"
+  #     "/var/lib/forgejo/repositories/"
+  #     "/var/lib/forgejo/data/"
+  #     "/var/lib/forgejo/custom/"
+  #     # Conf is backed up via nix
+  #   ];
+  #   preparation = {
+  #     packages = [config.services.postgresql.package];
+  #     text = "pg_dump ${config.services.forgejo.database.name} --file=/var/lib/forgejo/forgejo-db.sql";
+  #   };
+  #   cleanup = {
+  #     packages = [pkgs.coreutils];
+  #     text = "rm /var/lib/forgejo/forgejo-db.sql";
+  #   };
+  #   pauseServices = ["forgejo.service"];
+  # };
 }

configuration/services/metrics/victoriametrics.nix

@@ -6,9 +6,9 @@
     ];
 
     scrapeConfigs = {
-      gitea = {
-        targets = ["127.0.0.1:${toString config.services.gitea.settings.server.HTTP_PORT}"];
-        extraSettings.authorization.credentials_file = config.sops.secrets."gitea/metrics-token".path;
+      forgejo = {
+        targets = ["127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}"];
+        extraSettings.authorization.credentials_file = config.sops.secrets."forgejo/metrics-token".path;
       };
       coturn.targets = ["127.0.0.1:9641"];
     };

configuration/sops.nix

@@ -4,8 +4,8 @@
 
     secrets = {
       # Gitea
-      "gitea/metrics-token" = {
-        owner = "gitea";
+      "forgejo/metrics-token" = {
+        owner = "forgejo";
         group = "metrics";
         mode = "0440";
       };

keys/production.yaml

@@ -1,5 +1,5 @@
-gitea:
-    metrics-token: ENC[AES256_GCM,data:/7/zvVl2ZOBoekrJR32vl/QQcG5XqTmltgpHEMUpbXVeqwnq29idzE2Qyjau96ZHObmSI73/ZtW95uXF6LH9Qw==,iv:iWZECCZSh1CN7wMBqstXR5QWtriR7QLKVqhekGnpXl0=,tag:HEr9km8VYmruBzf0I/5HuA==,type:str]
+forgejo:
+    metrics-token: ENC[AES256_GCM,data:WVbD5JloJlHNjeEwe1uEd4Haj6L3ilj1Pnux6yrelUQP18ZPAh90aDO1OIZHaPJR7tTeyATr8BIzZL1zkNhCuA==,iv:eTYXN3hymIN3bTX1YxNGkAYE0KVDbdz2ds8UQAHlALE=,tag:A61loGdu0pfsiez96u2Qsg==,type:str]
 grafana:
     adminPassword: ENC[AES256_GCM,data:/qw//J7cOkIGa58bG4GgdzndvKof32AmQeWB00IX8WhA22PDCOc4VdUEoB3wVJJqI/ucoHFInYyhg2rFYoYBesBjAt0QS3+O+8WblIunUuYeqlBuYJJK1TLhy6ql6+aqvfiW/rJLm4LpgA7CboyDD2OYHcAbvGSD2GWwFcHTR/Y=,iv:KK6p8GKzc9SBDZZFkEwCdIjSxriPGNMDNcr97tfbwTI=,tag:gLRNSGdJWFD+V9K5TfJvXw==,type:str]
     secretKey: ENC[AES256_GCM,data:OUXWOE6I3a26SrFEOczWNIwyR3Rx62fbsRBBcfh0xyEbxOIPhexH6lIqlVG9Ltwra9+rAldNM4/0BydtxIDj7A==,iv:fiNO/or5yZnhpDPMANDnEC5dtXmbKBZsV+BPmvCN/HI=,tag:Q0M0OtLWdWAJgQmUlL//fg==,type:str]
@@ -26,8 +26,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-10-12T18:40:26Z"
-    mac: ENC[AES256_GCM,data:F+yQ20jCtLRKeQDFVKoqrYCgtwGkXxrK6aQO0MFZTIMJAnbTVPM2ZJGQ1RxXb+Zs4T+44EEc2xN4LjeANvgpE6MfOz2VTw+sEEjcYwUyB6RcXHia9XlFLa8lh7/Wx/9DxlSFjjSrxmDkNB6r+n5UF81cdRXF2E9ibdH346ST98A=,iv:xVxFN1IDKrLskaGqnWvOWx1zUII0jRSjQxEsaTf2GNw=,tag:lnp1AvgMOXXlg1vFjHEWUQ==,type:str]
+    lastmodified: "2023-12-28T00:07:08Z"
+    mac: ENC[AES256_GCM,data:P2bNJLjzn69Kg2bJHXmofER7J8wbEj9C4jq9ePWewXBOt45GEiqgnqIaISwZkyzQmm9cxZd95Lr780ICwoKDFdtSCCcC7CdYxYEfyyhnvU3W2qzEghvkypL8JbiEtPSlQ9xOlCk7p41A9eRrV+JziIVSv5UEUs4NubrG9Mkwv3k=,iv:Yq2gANTTgx6cFxkdustUZ1MPszxGSkao/bS1KHAkzJc=,tag:kqJibocgRQXkxTJze6O5MA==,type:str]
     pgp:
         - created_at: "2022-10-12T00:46:51Z"
           enc: |
@@ -65,4 +65,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 8a3737d48f1035fe6c3a0a8fd6a1976ca74c7f3b
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1

keys/staging.yaml

@@ -1,5 +1,5 @@
-gitea:
-    metrics-token: ENC[AES256_GCM,data:T1NYXRWbruA=,iv:usgHYHwWJFbaEdHLO6JX3z/42MVheY2wu0YrXmnz2ng=,tag:W+B7pKGOc/wX/0My0dWY5w==,type:str]
+forgejo:
+    metrics-token: ENC[AES256_GCM,data:HEDV/GK/WtI=,iv:ihPEusEGVUNZjjjxz2ys6Nfag/og4n7Cqmd4rroT6Ww=,tag:Brcv7XW6HfzzgF3emtuT2A==,type:str]
 grafana:
     adminPassword: ENC[AES256_GCM,data:dYfaxUpQpzA=,iv:j5wSem8C5+V4c5qRzXQJhsU7/FOtpvrnaEyFBmW6zJ4=,tag:oc8n3TkEbjF2gjuOobZuLA==,type:str]
     secretKey: ENC[AES256_GCM,data:Atruvh2MsNY=,iv:y2MaCUCEzGIydHp6G0DJHfk289S1is0twKm2oUYwDhM=,tag:nAWeg+YqaYqk6k22oBkAhQ==,type:str]
@@ -26,8 +26,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-12-29T15:14:54Z"
-    mac: ENC[AES256_GCM,data:yJUprLcfw4ypsrSlhot7vsavVqzaFlJoJeEC/DdTfKDoJ0L607r6aCfXtCSg+qrR5JA2bvEATwDJM5qgA2vbMhSOqmc3zT7yBPUKC4Sk24Me3IOOum2DhNID/l/PLtxUIk3Rzz49PJZECUsIKnT7k6KvZ5nWe5sEUupCBgdKjG4=,iv:Axpml84/6wgBxld94AB+Ybdo3r/7Bym6Lsj/49P7jWE=,tag:wXAx3AoopQS7i6rbo70AYg==,type:str]
+    lastmodified: "2023-12-30T14:09:03Z"
+    mac: ENC[AES256_GCM,data:kuyzVV1Dhlb2LemqRzw2xPr9jtTWqSbFMv70LUEbRmsDpjwQsAIARgoaj32EXdDRTHYXBplTYieR7KvmxykL/8rkj0g4+IuRLY1TcbRS31Gi74FiXvV2apscHhQWXhHPHIHMbwZAfDSHdMrf8hPu28SC9QdbP3SXYNt28Imstrc=,iv:UALUiWGHlWEBmIVWeSyEa16ZdcDZvgtlpHETDV2CcRY=,tag:rxbd3ph+pPf11jup/CMEzw==,type:str]
     pgp:
         - created_at: "2023-12-29T15:25:27Z"
           enc: |