add forgejo and postgresql services and nixos-container for forgejo

nixos/configurations/Cape/default.nix

@@ -4,6 +4,7 @@
 }:
 {
   imports = [
+    ./forgejo.nix
     ./networking.nix
     ./stylix.nix
     ./hardware-configuration.nix

nixos/configurations/Cape/forgejo.nix

@@ -0,0 +1,18 @@
+{ config, ... }:
+{
+  youthlic.containers.forgejo = {
+    enable = true;
+    domain = "forgejo.youthlic.fun";
+    sshPort = 2222;
+    httpPort = 8480;
+    interface = "ens3";
+  };
+  networking.firewall.allowedTCPPorts = [ 2222 ];
+  services.caddy.virtualHosts = {
+    "forgejo.${config.youthlic.programs.caddy.baseDomain}" = {
+      extraConfig = ''
+        reverse_proxy 10.231.136.102:8480
+      '';
+    };
+  };
+}

nixos/modules/containers/default.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  imports = [
+    ./forgejo.nix
+  ];
+}

nixos/modules/containers/forgejo.nix

@@ -0,0 +1,120 @@
+{ config, lib, ... }:
+let
+  cfg = config.youthlic.containers.forgejo;
+in
+{
+  options = {
+    youthlic.containers.forgejo = {
+      enable = lib.mkEnableOption "forgejo container";
+      domain = lib.mkOption {
+        type = lib.types.nonEmptyStr;
+        example = "forgejo.example.com";
+      };
+      sshPort = lib.mkOption {
+        type = lib.types.port;
+        default = 2222;
+      };
+      httpPort = lib.mkOption {
+        type = lib.types.port;
+        default = 8480;
+      };
+      interface = lib.mkOption {
+        type = lib.types.nonEmptyStr;
+        example = "ens3";
+      };
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    networking.nat = {
+      enable = true;
+      internalInterfaces = [ "ve-+" ];
+      externalInterface = cfg.interface;
+      enableIPv6 = true;
+    };
+    containers."forgejo" = {
+      ephemeral = true;
+      autoStart = true;
+      privateNetwork = true;
+      hostAddress = "10.231.136.1";
+      localAddress = "10.231.136.102";
+      bindMounts = {
+        "/var/lib/forgejo" = {
+          hostPath = "/mnt/containers/forgejo/state";
+          isReadOnly = false;
+        };
+        "/var/lib/postgresql" = {
+          hostPath = "/mnt/containers/forgejo/dataset";
+          isReadOnly = false;
+        };
+      };
+      forwardPorts = [
+        {
+          containerPort = cfg.sshPort;
+          hostPort = 2222;
+          protocol = "tcp";
+        }
+        {
+          containerPort = cfg.sshPort;
+          hostPort = 2222;
+          protocol = "udp";
+        }
+      ];
+
+      config =
+        { lib, ... }:
+        {
+          imports = [
+            ./../forgejo.nix
+            ./../postgresql.nix
+          ];
+
+          systemd.tmpfiles.rules = [
+            "d /var/lib/forgejo 770 forgejo forgejo -"
+            "d /var/lib/postgresql 770 postgres postgres -"
+          ];
+
+          youthlic.programs = {
+            forgejo = {
+              enable = true;
+              domain = cfg.domain;
+              sshPort = cfg.sshPort;
+              httpPort = cfg.httpPort;
+              database = {
+                user = "forgejo";
+              };
+            };
+            postgresql = {
+              enable = true;
+              database = "forgejo";
+              auth_method = "peer";
+              version = "17";
+            };
+          };
+
+          systemd.services.forgejo = {
+            wants = [ "postgresql.service" ];
+            requires = [ "postgresql.service" ];
+            after = [ "postgresql.service" ];
+            wantedBy = [ "default.target" ];
+          };
+
+          networking = {
+            firewall = {
+              enable = true;
+              allowedTCPPorts = [
+                cfg.httpPort
+                cfg.sshPort
+              ];
+              allowedUDPPorts = [
+                cfg.httpPort
+                cfg.sshPort
+              ];
+            };
+            useHostResolvConf = lib.mkForce false;
+          };
+          services.resolved.enable = true;
+          system.stateVersion = "24.11";
+        };
+    };
+  };
+}

nixos/modules/default.nix

@@ -16,6 +16,9 @@
       disko.nixosModules.disko
     ])
     ++ [
+      ./containers
+      ./postgresql.nix
+      ./forgejo.nix
       ./deploy
       ./nix.nix
       ./home.nix

nixos/modules/forgejo.nix

@@ -0,0 +1,105 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.youthlic.programs.forgejo;
+in
+{
+  options = {
+    youthlic.programs.forgejo = {
+      enable = lib.mkEnableOption "forgejo";
+      domain = lib.mkOption {
+        type = lib.types.nonEmptyStr;
+        example = "example.com";
+        description = ''
+          which domain does the server use
+        '';
+      };
+      sshPort = lib.mkOption {
+        type = lib.types.port;
+        default = 2222;
+      };
+      httpPort = lib.mkOption {
+        type = lib.types.port;
+        default = 8480;
+      };
+      database = {
+        user = lib.mkOption {
+          type = lib.types.nonEmptyStr;
+          example = "forgejo";
+        };
+        socket = lib.mkOption {
+          type = lib.types.nonEmptyStr;
+          default = "/run/postgresql";
+        };
+      };
+    };
+  };
+  config = lib.mkMerge [
+    (lib.mkIf cfg.enable {
+      services.forgejo = {
+        enable = true;
+        lfs = {
+          enable = true;
+        };
+        group = "postgres";
+        database = {
+          type = "postgres";
+          user = cfg.database.user;
+          socket = cfg.database.socket;
+          createDatabase = false;
+        };
+        settings = {
+          DEFAULT = {
+            RUN_MODE = "prod";
+          };
+          cron = {
+            ENABLE = true;
+            RUN_AT_START = true;
+            SCHEDULE = "@every 24h";
+          };
+          repository = {
+            DEFAULT_PRIVATE = "last";
+            DEFAULT_BRANCH = "master";
+          };
+          service = {
+            DISABLE_REGISTRATION = true;
+          };
+          mailer = {
+            ENABLED = true;
+            MAILER_TYPE = "sendmail";
+            FROM = "do-not-reply@${config.services.forgejo.settings.server.DOMAIN}";
+            SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail";
+          };
+          other = {
+            SHOW_FOOTER_VERSION = false;
+          };
+          server = {
+            PROTOCOL = "http";
+            DOMAIN = "${cfg.domain}";
+            START_SSH_SERVER = true;
+            SSH_PORT = cfg.sshPort;
+            HTTP_PORT = cfg.httpPort;
+          };
+        };
+      };
+    })
+    (
+      let
+        caddy-cfg = config.youthlic.programs.caddy;
+      in
+      lib.mkIf (cfg.enable && caddy-cfg.enable) {
+        services.caddy.virtualHosts = {
+          "forgejo.${caddy-cfg.baseDomain}" = {
+            extraConfig = ''
+              reverse_proxy 127.0.0.1:${cfg.httpPort}
+            '';
+          };
+        };
+      }
+    )
+  ];
+}

nixos/modules/postgresql.nix

@@ -0,0 +1,46 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.youthlic.programs.postgresql;
+in
+{
+  options = {
+    youthlic.programs.postgresql = {
+      enable = lib.mkEnableOption "postgresql";
+      database = lib.mkOption {
+        type = lib.types.nonEmptyStr;
+        example = "forgejo";
+      };
+      auth_method = lib.mkOption {
+        type = lib.types.nonEmptyStr;
+        example = "peer";
+      };
+      version = lib.mkOption {
+        type = lib.types.nonEmptyStr;
+        example = "17";
+      };
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    # default socket: /var/lib/postgresql
+    services.postgresql = {
+      enable = true;
+      ensureDatabases = [ cfg.database ];
+      ensureUsers = [
+        {
+          name = "${cfg.database}";
+          ensureDBOwnership = true;
+        }
+      ];
+      package = pkgs."postgresql_${cfg.version}";
+      authentication = ''
+        #type database DBuser auth-method
+        local sameuser all    ${cfg.auth_method}
+      '';
+    };
+  };
+}