Start working on Forgejo config

hosts/cube/forgejo.nix

@@ -0,0 +1,91 @@
+{ config, ulib, ... }: with ulib;
+
+let
+  inherit (config.networking) domain;
+
+  fqdn = "git.${domain}";
+in serverSystemConfiguration {
+  age.secrets."cube/password.mail.forgejo".owner = "forgejo";
+
+  services.postgresql = {
+    ensureDatabases = [ "forgejo" ];
+    ensureUsers     = [{
+      name = "forgejo";
+      ensureDBOwnership = true;
+    }];
+  };
+
+  services.forgejo = enabled {
+    lfs = enabled {};
+
+    mailerPasswordFile = config.age.secrets."cube/password.mail.forgejo".path;
+
+    database = {
+      socket = "/run/postgresql";
+      type   = "postgres";
+    };
+
+    settings = {
+      default.APP_NAME = "RGBCube's Forge of Shitty Software";
+
+      actions = {
+        ENABLED = true;
+        DEFAULT_ACTIONS_URL = "https://${fqdn}";
+      };
+
+      attachment.ALLOWED_TYPES = "*/*";
+
+      cache.ENABLED = true;
+
+      mailer = {
+        ENABLED = true;
+
+        PROTOCOL = "smtps";
+        SMTP_ADDR = config.mailserver.fqdn;
+        USER = "git@${domain}";
+      };
+
+      other = {
+        SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
+        SHOW_FOOTER_VERSION            = false;
+      };
+
+      packages.ENABLED = false;
+
+      repository = {
+        DEFAULT_BRANCH     = "master";
+        PREFERRED_LICENSES = "MIT,GPL-3.0,GPL-2.0,LGPL-3.0,LGPL-2.1";
+      };
+
+      "repository.upload" = {
+        FILE_MAX_SIZE = 100;
+        MAX_FILES = 10;
+      };
+
+      server = {
+        DOMAIN       = domain;
+        ROOT_URL     = "https://${fqdn}/";
+        LANDING_PAGE = "/explore";
+
+        HTTP_ADDR = "::";
+        HTTP_PORT = 8004;
+
+        SSH_CREATE_AUTHORIZED_KEYS_FILE = true;
+        SSH_PORT                        = builtins.elemAt config.services.openssh.ports 0;
+
+        DISABLE_ROUTER_LOG = true;
+      };
+
+      service.DISABLE_REGISTRATION = true;
+
+      session = {
+        COOKIE_SECURE = true;
+        SAME_SITE     = "strict";
+      };
+    };
+  };
+
+  services.nginx.virtualHosts.${fqdn} = (sslTemplate domain) // {
+    locations."/".proxyPass = "http://[::]:${toString config.services.forgejo.settings.server.HTTP_PORT}";
+  };
+}

hosts/cube/matrix-synapse.nix

@@ -58,9 +58,6 @@ in serverSystemConfiguration {
       enable_metrics = true;
       metrics_flags.known_servers = true;
 
-      allow_guest_access  = false;
-      enable_registration = false;
-
       expire_access_token = true;
       url_preview_enabled = true;
 

secrets/cube/password.mail.forgejo.age

@@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 +rZ0Tw k4u86tbxSaZTIr9QzN2P+md9WwGvn93jOXqR2JHWy30
+tG7p/GaP0MhTqbAin3KmIMCrE67Ls3NYoztcJT8r7po
+--- cmz8sBFqHk8RyAae/gBqrWgjCyHrVtngjZGn1xQOze8
+9rgM’Ð׶9±¬¹¥òíªgù<67>šÉzã<7A>
+ý@ÕÙðuO·Þê0×¥ôa

secrets/secrets.nix

@@ -15,6 +15,8 @@ in with keys; {
 
   "cube/password.acme.age".publicKeys = key cube;
 
+  "cube/password.mail.forgejo.age".publicKeys = key cube;
+
   "cube/password.grafana.age".publicKeys      = key cube;
   "cube/password.mail.grafana.age".publicKeys = key cube;