first commit

hosts/hetzner/forego.nix

@@ -0,0 +1,74 @@
+{
+  domain,
+  isProd,
+  config,
+  pkgs,
+  ...
+}:
+{
+  # 1. Access the Secret
+  sops.secrets.forgejo_db_password = { 
+    owner = "forgejo"; 
+    # Restart forgejo if the password changes
+    restartUnits = [ "forgejo.service" ];
+  };
+
+  services.forgejo = {
+    enable = true;
+    
+    # 2. STORAGE (SSD)
+    stateDir = "/mnt/data/forgejo";
+    
+    # 3. DATABASE (Shared Postgres)
+    database = {
+      type = "postgres";
+      name = "forgejo";
+      user = "forgejo";
+      createDatabase = false; # We let NixOS manage this below
+      socket = "/run/postgresql"; # Ultra-fast socket connection
+      passwordFile = config.sops.secrets.forgejo_db_password.path;
+    };
+
+    # 4. SETTINGS
+    settings = {
+      server = {
+        DOMAIN = "git.${domain}";
+        ROOT_URL = "https://git.${domain}/"; 
+        HTTP_PORT = 3000;
+        # Run internal SSH on 2222 so it doesn't block your Admin SSH (22)
+        SSH_PORT = 2222;
+        START_SSH_SERVER = true;
+      };
+      # Disable registration to prevent random internet people from joining
+      service.DISABLE_REGISTRATION = true; 
+      
+      # Optional: Metrics for Grafana later
+      metrics.ENABLED = true;
+    };
+  };
+
+  # 5. POSTGRESQL PROVISIONING
+  # This automatically creates the DB and User when you deploy
+  services.postgresql = {
+    ensureDatabases = [ "forgejo" ];
+    ensureUsers = [
+      {
+        name = "forgejo";
+        ensureDBOwnership = true;
+      }
+    ];
+  };
+
+  # 6. REVERSE PROXY
+  services.nginx.virtualHosts."git.${domain}" = {
+    forceSSL = isProd;
+    enableACME = isProd;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:3000";
+    };
+  };
+  
+  # 7. FIREWALL
+  # Allow Git-over-SSH on the custom port
+  networking.firewall.allowedTCPPorts = [ 2222 ];
+}