✨ [pi4] Added initial Forgejo config and Podman

hosts/pi4/default.nix

@@ -4,8 +4,10 @@
   imports = with lib.custom; [
     (relativeToBase "modules")
     ./boot.nix
+    ./forgejo.nix
     ./hardware.nix
     ./nextcloud.nix
+    ./podman.nix
     ./security
   ];
 }

hosts/pi4/forgejo.nix

@@ -0,0 +1,81 @@
+{
+  config,
+  pkgs,
+  lib,
+  common,
+  ...
+}:
+let
+  domain = "beta.code.${common.domain}";
+  passwordKey = "forgejo/admin-pass";
+  runnerTokenKey = "forgejo/runner-token";
+in
+{
+  services = {
+    forgejo = {
+      enable = true;
+      database.type = "postgres";
+      # Enable support for Git Large File Storage
+      lfs.enable = true;
+      settings = {
+        server = {
+          DOMAIN = domain;
+          # You need to specify this to remove the port from URLs in the web UI.
+          ROOT_URL = "https://${domain}/";
+          HTTP_PORT = 8002;
+        };
+        # You can temporarily allow registration to create an admin user.
+        service.DISABLE_REGISTRATION = true;
+        # Add support for actions, based on act: https://github.com/nektos/act
+        actions = {
+          ENABLED = true;
+          DEFAULT_ACTIONS_URL = "github";
+        };
+        # Sending emails is completely optional
+        # You can send a test email from the web UI at:
+        # Profile Picture > Site Administration > Configuration >  Mailer Configuration
+        mailer = {
+          ENABLED = true;
+          SMTP_ADDR = "mail.${common.domain}";
+          FROM = "noreply-forgejo@${common.domain}";
+          USER = "noreply@${common.domain}";
+        };
+      };
+      #mailerPasswordFile = config.sops.secrets."forgejo/mailer-password".path;
+    };
+    gitea-actions-runner = {
+      package = pkgs.forgejo-actions-runner;
+      instances.default = {
+        enable = true;
+        name = "monolith";
+        url = "https://${domain}";
+        # Obtaining the path to the runner token file may differ
+        # tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd
+        tokenFile = config.sops.secrets.${runnerTokenKey}.path;
+        labels = [
+          "docker:docker://node:20-bullseye"
+          "native:host"
+        ];
+      };
+    };
+  };
+
+  sops.secrets = {
+    ${passwordKey}.owner = "forgejo";
+    ${runnerTokenKey}.owner = "forgejo";
+  };
+
+  # Create a single admin user / update password if exists
+  systemd.services.forgejo.preStart =
+    let
+      adminCmd = "${lib.getExe config.services.forgejo.package} admin user";
+      pwd = config.sops.secrets.${passwordKey};
+      user = "martin"; # Note, Forgejo doesn't allow creation of an account named "admin"
+      email = "git@${common.domain}";
+    in
+    ''
+      ${adminCmd} create --admin --email "${email}" --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
+      ## Alter an existing user
+      ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
+    '';
+}

hosts/pi4/podman.nix

@@ -0,0 +1,23 @@
+{ pkgs, ... }:
+
+{
+  virtualisation = {
+    # Enable common container config files in /etc/containers
+    containers.enable = true;
+    podman = {
+      enable = true;
+
+      # Create a `docker` alias for podman, to use it as a drop-in replacement
+      dockerCompat = true;
+
+      # Required for containers under podman-compose to be able to talk to each other.
+      defaultNetwork.settings.dns_enabled = true;
+    };
+  };
+
+  # Useful other development tools
+  environment.systemPackages = with pkgs; [
+    podman-tui # status of containers in the terminal
+    podman-compose # start group of containers for dev
+  ];
+}

shared/secrets/secrets.yaml

@@ -1,11 +1,11 @@
+forgejo:
+    admin-pass: ENC[AES256_GCM,data:RGTOw0Yo5rJGEVLGsQgyk9Wc,iv:SuN770eAgFIVd4pJ6vmPIvVCMqTW/2sBUYUbqym2cHo=,tag:YlyNR/fFchdBwzCuIsWGMA==,type:str]
+    #ENC[AES256_GCM,data:oMpYBQ30sdCTtgxEZvYxTd9oi9QM0bYp5NisMdQHYT/nF2k=,iv:H9/g7XttJScVXV38+yHdbgWNFDhBYyudjK5BKHTt5wo=,tag:FNfkKfkKWDBUAXiGXkDchw==,type:comment]
+    runner-token: ENC[AES256_GCM,data:xbULBWrqosktW7XHViLH7Sk76upH31RFQNsBcXWWN7bpRadF3tpBA/hksMyEdg==,iv:v3vzUb5wsWeKWRYWT+ks4ZWGXQRhZ+td3N3bpuwoVc8=,tag:rEVoEw/QOSs8puujsRBxXQ==,type:str]
 password-hash: ENC[AES256_GCM,data:FsGHBAw/z4tcBRObVlo//UotWHyHns0+vdJVgt2lfGiIfQG+1I60g2Tzgv/O+gz3oz41NIwAYf61SR9AfXhpnc1AxiZRlCBwMQ==,iv:oiJndSVZQ+00UPz0TuJXV+T8x9mtecrNDUaablOGffU=,tag:wQuow7C8KqelJOE9KqCxMA==,type:str]
 nextcloud:
     admin-pass: ENC[AES256_GCM,data:RBuuNc7J/CCJXG8n73B5cw==,iv:uKNj40SdJn6LbZoV1i9fq+5TGmRDPYVhCxAUghV4vqs=,tag:wUHBPo5T+2tyjsQFlUXDEQ==,type:str]
 sops:
-  kms: []
-  gcp_kms: []
-  azure_kv: []
-  hc_vault: []
     age:
         - recipient: age1j66v6z6hlsgqjfv5fz7fldm5q9jay4j5v5du6ymfda6hv40nsqesg89g7p
           enc: |
@@ -34,8 +34,7 @@ sops:
             SGdNMnVlQlNEeVJkWmZEM1FRT2JJMGMKbZ/znJM6tFhzhHariRXMLgH/4CRZZKrb
             YtmSdeL/Pd5YIecCpjDHDn4vQ0TBAmLaX+zVbNbRKmMZoY7777ywfA==
             -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2025-05-27T17:56:45Z"
-  mac: ENC[AES256_GCM,data:rXUdrKF4qcuKkk9QASAti2yk+mWLRPzqHPLV85P1nJBoqa6bnLaEoWwfclwr2riTeLjK8ASRHGzi9xiY9867+lhui7+nd0ISBPZlRKTxfXNddBNMqSh+MguJ9e02mTm6OpbSVlovT5NPLiJcQyTodtI5Cvkc0LU5v8yCwRF98jI=,iv:TCSHdf4Y9QPOFNOVjKL3vro65C9SEUhSSNFXNYchzmk=,tag:wGbBdQwPXO30ymyhtAguYg==,type:str]
-  pgp: []
+    lastmodified: "2025-05-31T15:36:05Z"
+    mac: ENC[AES256_GCM,data:Um09D7CR5+c4L6bTdRvz1Cy5qHthlKfLfH6k9Z2NTuD2QY9Ua4kXV8byvXiP+GrrKgzV11c0a3Hk7zaQoutXmwatnaOJRT9EH3FIEADLGAFwbsSAgV7ZJ+oamZnIw/XSW/LGpwvPrX5gaTnc7jJJ3V3+tWqgBUmL4wNb2SigglM=,iv:wAXaPUs20wqh7cn8ZmFI7XLlaOYLkjtcVRm1sosO9U4=,tag:FwfNbEf+YoQBHsYBw5k6mw==,type:str]
     unencrypted_suffix: _unencrypted
-  version: 3.9.4
+    version: 3.10.2