WIP: gitea: Migrate to forgejo

configuration/services/gitea.nix

@@ -6,12 +6,10 @@
 }: let
   domain = "gitea.${config.services.nginx.domain}";
 in {
-  services.gitea = {
+  services.forgejo = {
     enable = true;
     database.type = "postgres";
 
-    appName = "Gitea: Git with a cup of tea";
-
     settings = {
       server = {
         DOMAIN = domain;
@@ -29,18 +27,18 @@ in {
     };
   };
 
-  systemd.services.gitea.serviceConfig.ExecStartPre = let
+  systemd.services.forgejo.serviceConfig.ExecStartPre = let
     replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
-    secretPath = config.sops.secrets."gitea/metrics-token".path;
-    runConfig = "${config.services.gitea.customDir}/conf/app.ini";
+    secretPath = config.sops.secrets."forgejo/metrics-token".path;
+    runConfig = "${config.services.forgejo.customDir}/conf/app.ini";
   in [
     "+${replaceSecretBin} '#metricstoken#' '${secretPath}' '${runConfig}'"
   ];
 
   # Set up SSL
   services.nginx.virtualHosts."${domain}" = let
-    httpAddress = config.services.gitea.settings.server.HTTP_ADDR;
-    httpPort = config.services.gitea.settings.server.HTTP_PORT;
+    httpAddress = config.services.forgejo.settings.server.HTTP_ADDR;
+    httpPort = config.services.forgejo.settings.server.HTTP_PORT;
   in {
     forceSSL = true;
     enableACME = true;
@@ -62,40 +60,39 @@ in {
 
   # Block repeated failed login attempts
   #
-  # TODO(tlater): Update to the new regex, since apparently this one
-  # is deprecated (but the new one doesn't work on the current version
-  # of gitea yet): https://docs.gitea.io/en-us/fail2ban-setup/
-  environment.etc = {
-    "fail2ban/filter.d/gitea.conf".text = ''
-      [Definition]
-      failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
-      journalmatch = _SYSTEMD_UNIT=gitea.service + _COMM=gitea + SYSLOG_IDENTIFIER=gitea
-    '';
-  };
+  # TODO(tlater): Update this - we switched to forgejo, who knows what
+  # the new matches are.
+  # environment.etc = {
+  #   "fail2ban/filter.d/gitea.conf".text = ''
+  #     [Definition]
+  #     failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+  #     journalmatch = _SYSTEMD_UNIT=forgejo.service + _COMM=forgejo + SYSLOG_IDENTIFIER=forgejo
+  #   '';
+  # };
 
-  services.fail2ban.jails = {
-    gitea = ''
-      enabled = true
-    '';
-  };
+  # services.fail2ban.jails = {
+  #   gitea = ''
+  #     enabled = true
+  #   '';
+  # };
 
-  services.backups.gitea = {
-    user = "gitea";
-    paths = [
-      "/var/lib/gitea/gitea-db.sql"
-      "/var/lib/gitea/repositories/"
-      "/var/lib/gitea/data/"
-      "/var/lib/gitea/custom/"
-      # Conf is backed up via nix
-    ];
-    preparation = {
-      packages = [config.services.postgresql.package];
-      text = "pg_dump ${config.services.gitea.database.name} --file=/var/lib/gitea/gitea-db.sql";
-    };
-    cleanup = {
-      packages = [pkgs.coreutils];
-      text = "rm /var/lib/gitea/gitea-db.sql";
-    };
-    pauseServices = ["gitea.service"];
-  };
+  # services.backups.forgejo = {
+  #   user = "forgejo";
+  #   paths = [
+  #     "/var/lib/forgejo/forgejo-db.sql"
+  #     "/var/lib/forgejo/repositories/"
+  #     "/var/lib/forgejo/data/"
+  #     "/var/lib/forgejo/custom/"
+  #     # Conf is backed up via nix
+  #   ];
+  #   preparation = {
+  #     packages = [config.services.postgresql.package];
+  #     text = "pg_dump ${config.services.forgejo.database.name} --file=/var/lib/forgejo/forgejo-db.sql";
+  #   };
+  #   cleanup = {
+  #     packages = [pkgs.coreutils];
+  #     text = "rm /var/lib/forgejo/forgejo-db.sql";
+  #   };
+  #   pauseServices = ["forgejo.service"];
+  # };
 }

configuration/services/metrics/victoriametrics.nix

@@ -6,9 +6,9 @@
     ];
 
     scrapeConfigs = {
-      gitea = {
-        targets = ["127.0.0.1:${toString config.services.gitea.settings.server.HTTP_PORT}"];
-        extraSettings.authorization.credentials_file = config.sops.secrets."gitea/metrics-token".path;
+      forgejo = {
+        targets = ["127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}"];
+        extraSettings.authorization.credentials_file = config.sops.secrets."forgejo/metrics-token".path;
       };
       coturn.targets = ["127.0.0.1:9641"];
     };

configuration/sops.nix

@@ -4,8 +4,8 @@
 
     secrets = {
       # Gitea
-      "gitea/metrics-token" = {
-        owner = "gitea";
+      "forgejo/metrics-token" = {
+        owner = "forgejo";
         group = "metrics";
         mode = "0440";
       };

flake.lock

@@ -41,11 +41,11 @@
         "utils": "utils"
       },
       "locked": {
-        "lastModified": 1694513707,
-        "narHash": "sha256-wE5kHco3+FQjc+MwTPwLVqYz4hM7uno2CgXDXUFMCpc=",
+        "lastModified": 1703087360,
+        "narHash": "sha256-0VUbWBW8VyiDRuimMuLsEO4elGuUw/nc2WDeuO1eN1M=",
         "owner": "serokell",
         "repo": "deploy-rs",
-        "rev": "31c32fb2959103a796e07bbe47e0a5e287c343a8",
+        "rev": "b709d63debafce9f5645a5ba550c9e0983b3d1f7",
         "type": "github"
       },
       "original": {
@@ -160,11 +160,11 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1668681692,
-        "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "009399224d5e398d03b22badca40a37ac85412a1",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
         "type": "github"
       },
       "original": {
@@ -229,7 +229,7 @@
     },
     "flake-utils": {
       "inputs": {
-        "systems": "systems"
+        "systems": "systems_2"
       },
       "locked": {
         "lastModified": 1692799911,
@@ -267,11 +267,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1691701569,
-        "narHash": "sha256-7TK+sO+JC37OGTQDTiz9TriqbB5yTgoo7fyPyLtWvd8=",
+        "lastModified": 1701473318,
+        "narHash": "sha256-QdCJN8GeNl/V8wMjrvNkrWzNXnahgfjBfCSya4qQdrc=",
         "owner": "reckenrode",
         "repo": "nix-foundryvtt",
-        "rev": "3358ccef0ea3e06faabe8c54761fb8a0862b80d4",
+        "rev": "f624c0ceabe13dd876ecff871e0dc7f55f96e993",
         "type": "github"
       },
       "original": {
@@ -345,11 +345,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1671417167,
-        "narHash": "sha256-JkHam6WQOwZN1t2C2sbp1TqMv3TVRjzrdoejqfefwrM=",
+        "lastModified": 1702272962,
+        "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "bb31220cca6d044baa6dc2715b07497a2a7c4bc7",
+        "rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d",
         "type": "github"
       },
       "original": {
@@ -361,11 +361,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1693675694,
-        "narHash": "sha256-2pIOyQwGyy2FtFAUIb8YeKVmOCcPOTVphbAvmshudLE=",
+        "lastModified": 1703351344,
+        "narHash": "sha256-9FEelzftkE9UaJ5nqxidaJJPEhe9TPhbypLHmc2Mysc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "5601118d39ca9105f8e7b39d4c221d3388c0419d",
+        "rev": "7790e078f8979a9fcd543f9a47427eeaba38f268",
         "type": "github"
       },
       "original": {
@@ -377,11 +377,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1694767346,
-        "narHash": "sha256-5uH27SiVFUwsTsqC5rs3kS7pBoNhtoy9QfTP9BmknGk=",
+        "lastModified": 1703637592,
+        "narHash": "sha256-8MXjxU0RfFfzl57Zy3OfXCITS0qWDNLzlBAdwxGZwfY=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "ace5093e36ab1e95cb9463863491bee90d5a4183",
+        "rev": "cfc3698c31b1fb9cdcf10f36c9643460264d0ca8",
         "type": "github"
       },
       "original": {
@@ -408,16 +408,16 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1694937365,
-        "narHash": "sha256-iHZSGrb9gVpZRR4B2ishUN/1LRKWtSHZNO37C8z1SmA=",
+        "lastModified": 1703467016,
+        "narHash": "sha256-/5A/dNPhbQx/Oa2d+Get174eNI3LERQ7u6WTWOlR1eQ=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "5d017a8822e0907fb96f7700a319f9fe2434de02",
+        "rev": "d02d818f22c777aa4e854efc3242ec451e5d462a",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-23.05",
+        "ref": "nixos-23.11",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -556,11 +556,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1694495315,
-        "narHash": "sha256-sZEYXs9T1NVHZSSbMqBEtEm2PGa7dEDcx0ttQkArORc=",
+        "lastModified": 1703387502,
+        "narHash": "sha256-JnWuQmyanPtF8c5yAEFXVWzaIlMxA3EAZCh8XNvnVqE=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "ea208e55f8742fdcc0986b256bdfa8986f5e4415",
+        "rev": "e523e89763ff45f0a6cf15bcb1092636b1da9ed3",
         "type": "github"
       },
       "original": {
@@ -584,6 +584,21 @@
         "type": "github"
       }
     },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "tlaternet-webserver": {
       "inputs": {
         "dream2nix": "dream2nix",
@@ -607,12 +622,15 @@
       }
     },
     "utils": {
+      "inputs": {
+        "systems": "systems"
+      },
       "locked": {
-        "lastModified": 1667395993,
-        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "lastModified": 1701680307,
+        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
         "type": "github"
       },
       "original": {

flake.nix

@@ -2,7 +2,7 @@
   description = "tlater.net host configuration";
 
   inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
     nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
     deploy-rs.url = "github:serokell/deploy-rs";
     sops-nix = {

keys/production.yaml

@@ -1,5 +1,5 @@
-gitea:
-    metrics-token: ENC[AES256_GCM,data:/7/zvVl2ZOBoekrJR32vl/QQcG5XqTmltgpHEMUpbXVeqwnq29idzE2Qyjau96ZHObmSI73/ZtW95uXF6LH9Qw==,iv:iWZECCZSh1CN7wMBqstXR5QWtriR7QLKVqhekGnpXl0=,tag:HEr9km8VYmruBzf0I/5HuA==,type:str]
+forgejo:
+    metrics-token: ENC[AES256_GCM,data:WVbD5JloJlHNjeEwe1uEd4Haj6L3ilj1Pnux6yrelUQP18ZPAh90aDO1OIZHaPJR7tTeyATr8BIzZL1zkNhCuA==,iv:eTYXN3hymIN3bTX1YxNGkAYE0KVDbdz2ds8UQAHlALE=,tag:A61loGdu0pfsiez96u2Qsg==,type:str]
 grafana:
     adminPassword: ENC[AES256_GCM,data:/qw//J7cOkIGa58bG4GgdzndvKof32AmQeWB00IX8WhA22PDCOc4VdUEoB3wVJJqI/ucoHFInYyhg2rFYoYBesBjAt0QS3+O+8WblIunUuYeqlBuYJJK1TLhy6ql6+aqvfiW/rJLm4LpgA7CboyDD2OYHcAbvGSD2GWwFcHTR/Y=,iv:KK6p8GKzc9SBDZZFkEwCdIjSxriPGNMDNcr97tfbwTI=,tag:gLRNSGdJWFD+V9K5TfJvXw==,type:str]
     secretKey: ENC[AES256_GCM,data:OUXWOE6I3a26SrFEOczWNIwyR3Rx62fbsRBBcfh0xyEbxOIPhexH6lIqlVG9Ltwra9+rAldNM4/0BydtxIDj7A==,iv:fiNO/or5yZnhpDPMANDnEC5dtXmbKBZsV+BPmvCN/HI=,tag:Q0M0OtLWdWAJgQmUlL//fg==,type:str]
@@ -26,8 +26,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-10-12T18:40:26Z"
-    mac: ENC[AES256_GCM,data:F+yQ20jCtLRKeQDFVKoqrYCgtwGkXxrK6aQO0MFZTIMJAnbTVPM2ZJGQ1RxXb+Zs4T+44EEc2xN4LjeANvgpE6MfOz2VTw+sEEjcYwUyB6RcXHia9XlFLa8lh7/Wx/9DxlSFjjSrxmDkNB6r+n5UF81cdRXF2E9ibdH346ST98A=,iv:xVxFN1IDKrLskaGqnWvOWx1zUII0jRSjQxEsaTf2GNw=,tag:lnp1AvgMOXXlg1vFjHEWUQ==,type:str]
+    lastmodified: "2023-12-28T00:07:08Z"
+    mac: ENC[AES256_GCM,data:P2bNJLjzn69Kg2bJHXmofER7J8wbEj9C4jq9ePWewXBOt45GEiqgnqIaISwZkyzQmm9cxZd95Lr780ICwoKDFdtSCCcC7CdYxYEfyyhnvU3W2qzEghvkypL8JbiEtPSlQ9xOlCk7p41A9eRrV+JziIVSv5UEUs4NubrG9Mkwv3k=,iv:Yq2gANTTgx6cFxkdustUZ1MPszxGSkao/bS1KHAkzJc=,tag:kqJibocgRQXkxTJze6O5MA==,type:str]
     pgp:
         - created_at: "2022-10-12T00:46:51Z"
           enc: |
@@ -65,4 +65,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 8a3737d48f1035fe6c3a0a8fd6a1976ca74c7f3b
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1

keys/staging.yaml

@@ -1,5 +1,5 @@
-gitea:
-    metrics-token: ENC[AES256_GCM,data:T1NYXRWbruA=,iv:usgHYHwWJFbaEdHLO6JX3z/42MVheY2wu0YrXmnz2ng=,tag:W+B7pKGOc/wX/0My0dWY5w==,type:str]
+forgejo:
+    metrics-token: ENC[AES256_GCM,data:HEDV/GK/WtI=,iv:ihPEusEGVUNZjjjxz2ys6Nfag/og4n7Cqmd4rroT6Ww=,tag:Brcv7XW6HfzzgF3emtuT2A==,type:str]
 grafana:
     adminPassword: ENC[AES256_GCM,data:dYfaxUpQpzA=,iv:j5wSem8C5+V4c5qRzXQJhsU7/FOtpvrnaEyFBmW6zJ4=,tag:oc8n3TkEbjF2gjuOobZuLA==,type:str]
     secretKey: ENC[AES256_GCM,data:Atruvh2MsNY=,iv:y2MaCUCEzGIydHp6G0DJHfk289S1is0twKm2oUYwDhM=,tag:nAWeg+YqaYqk6k22oBkAhQ==,type:str]
@@ -26,8 +26,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-12-29T15:14:54Z"
-    mac: ENC[AES256_GCM,data:yJUprLcfw4ypsrSlhot7vsavVqzaFlJoJeEC/DdTfKDoJ0L607r6aCfXtCSg+qrR5JA2bvEATwDJM5qgA2vbMhSOqmc3zT7yBPUKC4Sk24Me3IOOum2DhNID/l/PLtxUIk3Rzz49PJZECUsIKnT7k6KvZ5nWe5sEUupCBgdKjG4=,iv:Axpml84/6wgBxld94AB+Ybdo3r/7Bym6Lsj/49P7jWE=,tag:wXAx3AoopQS7i6rbo70AYg==,type:str]
+    lastmodified: "2023-12-30T14:09:03Z"
+    mac: ENC[AES256_GCM,data:kuyzVV1Dhlb2LemqRzw2xPr9jtTWqSbFMv70LUEbRmsDpjwQsAIARgoaj32EXdDRTHYXBplTYieR7KvmxykL/8rkj0g4+IuRLY1TcbRS31Gi74FiXvV2apscHhQWXhHPHIHMbwZAfDSHdMrf8hPu28SC9QdbP3SXYNt28Imstrc=,iv:UALUiWGHlWEBmIVWeSyEa16ZdcDZvgtlpHETDV2CcRY=,tag:rxbd3ph+pPf11jup/CMEzw==,type:str]
     pgp:
         - created_at: "2023-12-29T15:25:27Z"
           enc: |