WIP: gitea: Migrate to forgejo

configuration/services/gitea.nix

@@ -6,12 +6,10 @@
 }: let
   domain = "gitea.${config.services.nginx.domain}";
 in {
-  services.gitea = {
+  services.forgejo = {
     enable = true;
     database.type = "postgres";
 
-    appName = "Gitea: Git with a cup of tea";
-
     settings = {
       server = {
         DOMAIN = domain;
@@ -29,18 +27,18 @@ in {
     };
   };
 
-  systemd.services.gitea.serviceConfig.ExecStartPre = let
+  systemd.services.forgejo.serviceConfig.ExecStartPre = let
     replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
-    secretPath = config.sops.secrets."gitea/metrics-token".path;
-    runConfig = "${config.services.gitea.customDir}/conf/app.ini";
+    secretPath = config.sops.secrets."forgejo/metrics-token".path;
+    runConfig = "${config.services.forgejo.customDir}/conf/app.ini";
   in [
     "+${replaceSecretBin} '#metricstoken#' '${secretPath}' '${runConfig}'"
   ];
 
   # Set up SSL
   services.nginx.virtualHosts."${domain}" = let
-    httpAddress = config.services.gitea.settings.server.HTTP_ADDR;
-    httpPort = config.services.gitea.settings.server.HTTP_PORT;
+    httpAddress = config.services.forgejo.settings.server.HTTP_ADDR;
+    httpPort = config.services.forgejo.settings.server.HTTP_PORT;
   in {
     forceSSL = true;
     enableACME = true;
@@ -62,40 +60,39 @@ in {
 
   # Block repeated failed login attempts
   #
-  # TODO(tlater): Update to the new regex, since apparently this one
-  # is deprecated (but the new one doesn't work on the current version
-  # of gitea yet): https://docs.gitea.io/en-us/fail2ban-setup/
-  environment.etc = {
-    "fail2ban/filter.d/gitea.conf".text = ''
-      [Definition]
-      failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
-      journalmatch = _SYSTEMD_UNIT=gitea.service + _COMM=gitea + SYSLOG_IDENTIFIER=gitea
-    '';
-  };
+  # TODO(tlater): Update this - we switched to forgejo, who knows what
+  # the new matches are.
+  # environment.etc = {
+  #   "fail2ban/filter.d/gitea.conf".text = ''
+  #     [Definition]
+  #     failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+  #     journalmatch = _SYSTEMD_UNIT=forgejo.service + _COMM=forgejo + SYSLOG_IDENTIFIER=forgejo
+  #   '';
+  # };
 
-  services.fail2ban.jails = {
-    gitea = ''
-      enabled = true
-    '';
-  };
+  # services.fail2ban.jails = {
+  #   gitea = ''
+  #     enabled = true
+  #   '';
+  # };
 
-  services.backups.gitea = {
-    user = "gitea";
-    paths = [
-      "/var/lib/gitea/gitea-db.sql"
-      "/var/lib/gitea/repositories/"
-      "/var/lib/gitea/data/"
-      "/var/lib/gitea/custom/"
-      # Conf is backed up via nix
-    ];
-    preparation = {
-      packages = [config.services.postgresql.package];
-      text = "pg_dump ${config.services.gitea.database.name} --file=/var/lib/gitea/gitea-db.sql";
-    };
-    cleanup = {
-      packages = [pkgs.coreutils];
-      text = "rm /var/lib/gitea/gitea-db.sql";
-    };
-    pauseServices = ["gitea.service"];
-  };
+  # services.backups.forgejo = {
+  #   user = "forgejo";
+  #   paths = [
+  #     "/var/lib/forgejo/forgejo-db.sql"
+  #     "/var/lib/forgejo/repositories/"
+  #     "/var/lib/forgejo/data/"
+  #     "/var/lib/forgejo/custom/"
+  #     # Conf is backed up via nix
+  #   ];
+  #   preparation = {
+  #     packages = [config.services.postgresql.package];
+  #     text = "pg_dump ${config.services.forgejo.database.name} --file=/var/lib/forgejo/forgejo-db.sql";
+  #   };
+  #   cleanup = {
+  #     packages = [pkgs.coreutils];
+  #     text = "rm /var/lib/forgejo/forgejo-db.sql";
+  #   };
+  #   pauseServices = ["forgejo.service"];
+  # };
 }

configuration/services/metrics/victoriametrics.nix

@@ -6,9 +6,9 @@
     ];
 
     scrapeConfigs = {
-      gitea = {
-        targets = ["127.0.0.1:${toString config.services.gitea.settings.server.HTTP_PORT}"];
-        extraSettings.authorization.credentials_file = config.sops.secrets."gitea/metrics-token".path;
+      forgejo = {
+        targets = ["127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}"];
+        extraSettings.authorization.credentials_file = config.sops.secrets."forgejo/metrics-token".path;
       };
       coturn.targets = ["127.0.0.1:9641"];
     };