From 8e42f81a191c7914c93bd76d7774a386884be70b Mon Sep 17 00:00:00 2001
From: Maxiem Geldhof
Date: Fri, 31 Oct 2025 17:23:17 +0100
Subject: [PATCH] Add forgejo
---
 modules/servermodules/forgejo/forgejo.nix | 36 +++++++++
 modules/servermodules/nginx.nix | 91 ++++++++++++++---------
 systems/selene/system.nix | 11 ++-
 3 files changed, 102 insertions(+), 36 deletions(-)
 create mode 100644 modules/servermodules/forgejo/forgejo.nix
diff --git a/modules/servermodules/forgejo/forgejo.nix b/modules/servermodules/forgejo/forgejo.nix
new file mode 100644
index 0000000..e82db47
--- /dev/null
+++ b/modules/servermodules/forgejo/forgejo.nix
@@ -0,0 +1,36 @@
+{
+ lib,
+ pkgs,
+ config,
+ ...
+}:
+let
+ cfg = config.services.forgejo;
+ srv = cfg.settings.server;
+in
+{
+ services.forgejo = {
+ enable = true;
+ database.type = "postgres";
+ # Enable support for Git Large File Storage
+ lfs.enable = true;
+ settings = {
+ server = {
+ DOMAIN = "git.maxiemgeldhof.com";
+ # You need to specify this to remove the port from URLs in the web UI.
+ ROOT_URL = "https://${srv.DOMAIN}/";
+ HTTP_PORT = 3028;
+ };
+ # You can temporarily allow registration to create an admin user.
+ service.DISABLE_REGISTRATION = true;
+ # Add support for actions, based on act: https://github.com/nektos/act
+ actions = {
+ ENABLED = false;
+ };
+
+ metrics = {
+ ENABLED = true;
+ };
+ };
+ };
+}
diff --git a/modules/servermodules/nginx.nix b/modules/servermodules/nginx.nix
index cde8030..4cd70b6 100644
--- a/modules/servermodules/nginx.nix
+++ b/modules/servermodules/nginx.nix
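Review bot: The `server` block in forgejo.nix sets `HTTP_PORT = 3028` but no `HTTP_ADDR`, so unless it is set elsewhere Forgejo listens on its default address, which I believe is all interfaces. The nginx vhost added in this patch proxies to `http://127.0.0.1:3028`, so its TLS termination and `/metrics` allow-list only hold while port 3028 is not reachable directly; adding `HTTP_ADDR = "127.0.0.1";` next to `HTTP_PORT` removes that dependency on the firewall. `metrics.ENABLED = true` is also set without a `TOKEN`, so the endpoint has no authentication of its own; if a token is added it should come from a secret (agenix is already imported in system.nix) rather than a literal that ends up in the Nix store. `lib` and `pkgs` in the argument set are unused in this file.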
@@ -1,39 +1,37 @@ -rootdomain: -{ +rootdomain: { systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/logs/nginx" ]; services.nginx.enable = true; services.nginx.commonHttpConfig = '' - log_format myformat '$remote_addr - $remote_user [$time_local] ' - '$host "$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent"'; - ''; + log_format myformat '$remote_addr - $remote_user [$time_local] ' + '$host "$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent"'; + ''; services.nginx.virtualHosts."default" = { - enableACME = false; - rejectSSL = true; - default = true; + enableACME = false; + rejectSSL = true; + default = true; - locations."/" = { - return = 404; - }; - extraConfig = '' - access_log /logs/nginx/nginx-access.log myformat; - ''; + locations."/" = { + return = 404; + }; + extraConfig = '' + access_log /logs/nginx/nginx-access.log myformat; + ''; }; - services.nginx.virtualHosts."grafana.${rootdomain}" = { - enableACME = true; - forceSSL = true; + enableACME = true; + forceSSL = true; - locations."/" = { - proxyPass = "http://127.0.0.1:3000"; - proxyWebsockets = true; - recommendedProxySettings = true; - }; - extraConfig = '' - access_log /logs/nginx/nginx-access.log myformat; - ''; + locations."/" = { + proxyPass = "http://127.0.0.1:3000"; + proxyWebsockets = true; + recommendedProxySettings = true; + }; + extraConfig = '' + access_log /logs/nginx/nginx-access.log myformat; + ''; }; services.nginx.virtualHosts."jellyfin.${rootdomain}" = { @@ -50,11 +48,11 @@ rootdomain: proxyPass = "http://127.0.0.1:8096/metrics"; recommendedProxySettings = true; extraConfig = '' - allow 127.0.0.1; - allow 192.168.0.0/16; - allow 10.0.0.0/8; - allow 172.16.0.0/12; - deny all; + allow 127.0.0.1; + allow 192.168.0.0/16; + allow 10.0.0.0/8; + allow 172.16.0.0/12; + deny all; ''; }; 
@@ -68,9 +66,34 @@ rootdomain: defaults.email = "admin@${rootdomain}"; }; + services.nginx.virtualHosts."git.${rootdomain}" = { + enableACME = true; + forceSSL = true; + + locations."/" = { + proxyPass = "http://127.0.0.1:3028"; + recommendedProxySettings = true; + }; + + locations."/metrics" = { + proxyPass = "http://127.0.0.1:3028/metrics"; + recommendedProxySettings = true; + extraConfig = '' + allow 127.0.0.1; + allow 192.168.0.0/16; + allow 10.0.0.0/8; + allow 172.16.0.0/12; + deny all; + ''; + }; + + extraConfig = '' + access_log /logs/nginx/nginx-access.log myformat; + ''; + }; + systemd.tmpfiles.rules = [ - # Type Path Mode User Group Age Argument - "d /logs/nginx 0755 nginx nginx - -" + # Type Path Mode User Group Age Argument + "d /logs/nginx 0755 nginx nginx - -" ]; } - diff --git a/systems/selene/system.nix b/systems/selene/system.nix index bc87a1b..a48777f 100644 --- a/systems/selene/system.nix +++ b/systems/selene/system.nix @@ -1,5 +1,11 @@ -{ agenix, jellyfin-exporter, nixpkgs, self, ... }: -let +{ + agenix, + jellyfin-exporter, + nixpkgs, + self, + ... +}: +let system = "aarch64-linux"; in nixpkgs.lib.nixosSystem { @@ -19,6 +25,7 @@ nixpkgs.lib.nixosSystem { ../../modules/servermodules/jellyfin/jellyfin.nix (import ../../modules/servermodules/wireguard/wireguard-server.nix).serverModule ./volumes.nix + ../../modules/servermodules/forgejo/forgejo.nix agenix.nixosModules.default ]; }
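Review bot: `locations."/metrics"` in the new `git.${rootdomain}` vhost is a prefix match, so the allow/deny list also applies to any other path that begins with `/metrics` (for example a user or organisation whose name starts with that string), while the endpoint itself is protected only by source address. An exact match, `locations."= /metrics"`, keeps the restriction on the one endpoint. The five allow/deny lines are a copy of the jellyfin block earlier in this file; a shared `let` binding would keep the two lists from drifting apart. Separately, with `lfs.enable = true` in forgejo.nix, nginx's default request-body limit will likely reject larger pushes and LFS uploads over HTTPS unless `client_max_body_size` is raised in this vhost's `extraConfig`.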