feat(capytal,forgejo): use S3 as object storage

Guz
2025-09-17 22:26:17 -03:00
parent 11688778bf
commit 8847517d07
3 changed files with 42 additions and 20 deletions


@@ -15,10 +15,10 @@ in {
DEFAULT = { DEFAULT = {
APP_NAME = "Capytal Code"; APP_NAME = "Capytal Code";
}; };
server = rec { admin = {
HTTP_PORT = 9960; DISABLE_REGULAR_ORG_CREATION = true;
DOMAIN = "forge.capytal.company"; USER_DISABLED_FEATURES = "deletion manage_ssh_keys manage_gpg_keys";
ROOT_URL = "https://${DOMAIN}"; EXTERNAL_USER_DISABLED_FEATURES = "deletion manage_ssh_keys manage_gpg_keys";
}; };
repository = { repository = {
DEFAULT_REPO_UNITS = initList [ DEFAULT_REPO_UNITS = initList [
@@ -27,21 +27,34 @@ in {
"repo.pulls" "repo.pulls"
]; ];
}; };
admin = { security = {
DISABLE_REGULAR_ORG_CREATION = true; REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128";
USER_DISABLED_FEATURES = "deletion manage_ssh_keys manage_gpg_keys"; };
EXTERNAL_USER_DISABLED_FEATURES = "deletion manage_ssh_keys manage_gpg_keys"; server = rec {
HTTP_PORT = 9960;
DOMAIN = "forge.capytal.company";
ROOT_URL = "https://${DOMAIN}";
}; };
service = { service = {
DISABLE_REGISTRATION = true; DISABLE_REGISTRATION = true;
}; };
security = { storage = {
REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128"; STORAGE_TYPE = "minio";
MINIO_USE_SSL = false;
MINIO_ENDPOINT = "127.0.0.1:3461";
MINIO_BUCKET = "forgejo";
MINIO_LOCATION = config.services.garage.settings.s3_api.s3_region;
}; };
ui = { ui = {
# DEFAULT_THEME = "capytal-dark"; # DEFAULT_THEME = "capytal-dark";
}; };
}; };
secrets = {
storage = {
MINIO_ACCESS_KEY_ID = "${config.sops.secrets."forgejo/s3/key".path}";
MINIO_SECRET_ACCESS_KEY = "${config.sops.secrets."forgejo/s3/secret".path}";
};
};
}; };
services.anubis.instances."forgejo" = { services.anubis.instances."forgejo" = {
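Review bot: `MINIO_USE_SSL = false` in the new `storage` block is safe only because `MINIO_ENDPOINT` is a loopback address, and nothing in the file records that dependency; if the endpoint is later pointed at another host, every object Forgejo stores there would cross the network unencrypted. I would put a comment above it, e.g. `# plaintext is acceptable only while the endpoint is loopback; set MINIO_USE_SSL = true if Garage moves off-host`. The port in `"127.0.0.1:3461"` is also hard-coded while `MINIO_LOCATION` is read from `config.services.garage.settings.s3_api`, so a change to Garage's S3 bind address would break storage without any evaluation error; deriving the endpoint from the same attribute set would keep the two in step, assuming the bind address is set there. In `secrets.storage` the `"${…}"` wrappers are redundant, since `.path` is already a string.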


@@ -20,6 +20,18 @@ with lib; {
sops.secrets = { sops.secrets = {
"cloudflared/tunnel-env" = {}; "cloudflared/tunnel-env" = {};
"forgejo/anubis/hexFile" = {
owner = config.services.anubis.instances."forgejo".user;
};
"forgejo/git-password" = mkIf config.services.forgejo.enable {
owner = config.services.forgejo.user;
};
"forgejo/s3/key" = mkIf config.services.forgejo.enable {
owner = config.services.forgejo.user;
};
"forgejo/s3/secret" = mkIf config.services.forgejo.enable {
owner = config.services.forgejo.user;
};
"forgejo/user1/name" = mkIf config.services.forgejo.enable { "forgejo/user1/name" = mkIf config.services.forgejo.enable {
owner = config.services.forgejo.user; owner = config.services.forgejo.user;
}; };
@@ -29,12 +41,6 @@ with lib; {
"forgejo/user1/email" = mkIf config.services.forgejo.enable { "forgejo/user1/email" = mkIf config.services.forgejo.enable {
owner = config.services.forgejo.user; owner = config.services.forgejo.user;
}; };
"forgejo/git-password" = mkIf config.services.forgejo.enable {
owner = config.services.forgejo.user;
};
"forgejo/anubis/hexFile" = {
owner = config.services.anubis.instances."forgejo".user;
};
"garage/admin_key" = mkIf config.services.garage.enable { "garage/admin_key" = mkIf config.services.garage.enable {
owner = config.systemd.services.garage.serviceConfig.User; owner = config.systemd.services.garage.serviceConfig.User;
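Review bot: `"forgejo/anubis/hexFile"` is the only `forgejo/*` secret declared without a guard, while the entries around it, including the new `forgejo/s3/key` and `forgejo/s3/secret`, are wrapped in `mkIf config.services.forgejo.enable`. As written it is provisioned, and its `owner` is read from `config.services.anubis.instances."forgejo".user`, even on a host where Forgejo is disabled, which presumably either fails evaluation or leaves an unused decrypted secret on disk. If the Anubis instance is defined conditionally elsewhere, guard this entry the same way; otherwise add a comment such as `# always provisioned: the Anubis instance is defined unconditionally` so the asymmetry is visibly deliberate. The `sops.secrets` attribute set continues outside the hunk.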


@@ -1,13 +1,16 @@
cloudflared: cloudflared:
tunnel-env: ENC[AES256_GCM,data:jYtDMez3w5BzSH3/xwqEsAtPo6EMxx6dBcd3bnfdCOm/eZzampXPyUfPsqkO4mtL2dGmjT7W+3prGxrEQtC/Eu9R7ojCflbJBFyH8+BDusomQdqjr5d0Utur/oK7ElKgpl0OF17n8sOngxEXZBtWHTbKoL+v50QzHEO07hPHjhrF5n/P+0I78rXPn9OEvJ1B5u0dg3XxXg3l4rtmkYdSwu+2+cUh6pe0AWNTigkkwy70hwKKaz+5Lb5mAp1mpl4r7xaCUqvP,iv:PVmrMzTq2upZXgu5fHPQMis0cXNipMbXahevF1/zJSU=,tag:F75o8plR7XMAv1ngL65ntQ==,type:str] tunnel-env: ENC[AES256_GCM,data:jYtDMez3w5BzSH3/xwqEsAtPo6EMxx6dBcd3bnfdCOm/eZzampXPyUfPsqkO4mtL2dGmjT7W+3prGxrEQtC/Eu9R7ojCflbJBFyH8+BDusomQdqjr5d0Utur/oK7ElKgpl0OF17n8sOngxEXZBtWHTbKoL+v50QzHEO07hPHjhrF5n/P+0I78rXPn9OEvJ1B5u0dg3XxXg3l4rtmkYdSwu+2+cUh6pe0AWNTigkkwy70hwKKaz+5Lb5mAp1mpl4r7xaCUqvP,iv:PVmrMzTq2upZXgu5fHPQMis0cXNipMbXahevF1/zJSU=,tag:F75o8plR7XMAv1ngL65ntQ==,type:str]
forgejo: forgejo:
anubis:
hexFile: ENC[AES256_GCM,data:6hMIQUiSYYNkhrGGHHHIF6Ur+dQeXDuUTHZR4Tnl3O/T/phC7q881Gta6LCUJVvgQJ8hF2aKafggTUDsjcaI3g==,iv:3aGmqM8gV5YsdFNGCgZ4L9t8r9c0zubqZOE1eDBAong=,tag:/nB357mXDJJMRNoQ4E/KQQ==,type:str]
git-password: ENC[AES256_GCM,data:SDyFBCwTxnZ1E6R/8HZCBIBj4AREYfqWrgzSEQ6SA3BDGPFsHghiVmF+Jt4omdzUQSoCCblMBsAx0NQBbBJrCbEoBWtybRM7Cg==,iv:KbtjXW1F8YJeapVpEkf8AdXhojmhOQKxG8nCZv7vW4k=,tag:odrL53KeKLVD5AoQB14veA==,type:str] git-password: ENC[AES256_GCM,data:SDyFBCwTxnZ1E6R/8HZCBIBj4AREYfqWrgzSEQ6SA3BDGPFsHghiVmF+Jt4omdzUQSoCCblMBsAx0NQBbBJrCbEoBWtybRM7Cg==,iv:KbtjXW1F8YJeapVpEkf8AdXhojmhOQKxG8nCZv7vW4k=,tag:odrL53KeKLVD5AoQB14veA==,type:str]
s3:
key: ENC[AES256_GCM,data:kdzRs/3kBXJt+jOVlFAm5EaRHNWq5XnK/Ts=,iv:qcqXQsxJXX9JlJwCuoz9y6izR9b1gs3xhnhO3tTpwK0=,tag:ikx95iSB/kGZ6/RFL+rvjg==,type:str]
secret: ENC[AES256_GCM,data:DVF4DB6dnWpVGK4QwStjMcYbvNQlnJn84xmRxI86r5tqDnyPbFDYN8RNlLyjulBQzJH6pMUkfk5vShNpaLaffA==,iv:5aUuyVnNK20y/NTAw2VZNxE+EaN6tfciwtyb7e/vJGg=,tag:+McVG3UdgEp0OfuuKsmOFw==,type:str]
user1: user1:
name: ENC[AES256_GCM,data:UL3g,iv:+ftGx57fhzN06DuLItxZTc7lXX2g4MhqrEqnDjk4Aug=,tag:ZNpwWuPYhBzDjRQBKikCDA==,type:str] name: ENC[AES256_GCM,data:UL3g,iv:+ftGx57fhzN06DuLItxZTc7lXX2g4MhqrEqnDjk4Aug=,tag:ZNpwWuPYhBzDjRQBKikCDA==,type:str]
password: ENC[AES256_GCM,data:9nMuj2/VIB7Pbw==,iv:+96/NZ+gmRkpXr05nFuUfRl2rGqElUA/LuMBYBQHCHQ=,tag:hMEO40iGeyWsMd8VPOV4Yg==,type:str] password: ENC[AES256_GCM,data:9nMuj2/VIB7Pbw==,iv:+96/NZ+gmRkpXr05nFuUfRl2rGqElUA/LuMBYBQHCHQ=,tag:hMEO40iGeyWsMd8VPOV4Yg==,type:str]
email: ENC[AES256_GCM,data:e6GOwBzRBxa00CHYHgV8,iv:oerF3kJWzjzOatND8Tngp3MADw2kaBKyigeFxtH/ypQ=,tag:1q093JG9hRDxs6OzOIU3vw==,type:str] email: ENC[AES256_GCM,data:e6GOwBzRBxa00CHYHgV8,iv:oerF3kJWzjzOatND8Tngp3MADw2kaBKyigeFxtH/ypQ=,tag:1q093JG9hRDxs6OzOIU3vw==,type:str]
anubis:
hexFile: ENC[AES256_GCM,data:6hMIQUiSYYNkhrGGHHHIF6Ur+dQeXDuUTHZR4Tnl3O/T/phC7q881Gta6LCUJVvgQJ8hF2aKafggTUDsjcaI3g==,iv:3aGmqM8gV5YsdFNGCgZ4L9t8r9c0zubqZOE1eDBAong=,tag:/nB357mXDJJMRNoQ4E/KQQ==,type:str]
garage: garage:
admin_key: ENC[AES256_GCM,data:ORtjXzJrbWITofjNpVsTHE1gHcwNhBcbMNM=,iv:99XCuu5hGa3ZnAqbOsmgjeMouC8EnTzsJ0HuOoHwKEE=,tag:eJVx+A8MJ4g1xXr2F5hTkg==,type:str] admin_key: ENC[AES256_GCM,data:ORtjXzJrbWITofjNpVsTHE1gHcwNhBcbMNM=,iv:99XCuu5hGa3ZnAqbOsmgjeMouC8EnTzsJ0HuOoHwKEE=,tag:eJVx+A8MJ4g1xXr2F5hTkg==,type:str]
admin_secret: ENC[AES256_GCM,data:7hMOXJwIr0pkCFBBh5vnDy//R9UwD+eTlddT1VGOpqYaA0andf0jRfGOr0efcX0x/EvlDOrfFqn8ME8icZRRbw==,iv:KGxqXhzNWFWiwBHRSP+aov2fCNHgFuUtpBF4nd40mGw=,tag:ixcehvjzs6CfVyAAl315dw==,type:str] admin_secret: ENC[AES256_GCM,data:7hMOXJwIr0pkCFBBh5vnDy//R9UwD+eTlddT1VGOpqYaA0andf0jRfGOr0efcX0x/EvlDOrfFqn8ME8icZRRbw==,iv:KGxqXhzNWFWiwBHRSP+aov2fCNHgFuUtpBF4nd40mGw=,tag:ixcehvjzs6CfVyAAl315dw==,type:str]
@@ -37,7 +40,7 @@ sops:
amRmVkVoS2RqeEs3OXZVeTlsZUVEV28K1WcbGJHT8LMah5b7NN1psiucTl1OfZYO amRmVkVoS2RqeEs3OXZVeTlsZUVEV28K1WcbGJHT8LMah5b7NN1psiucTl1OfZYO
4T3RDSQMB3qj1TGQSdixjwRRKbMGtL3LXnvkNd+caVi5Z9OkF1O9Yg== 4T3RDSQMB3qj1TGQSdixjwRRKbMGtL3LXnvkNd+caVi5Z9OkF1O9Yg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-09-16T19:15:12Z" lastmodified: "2025-09-17T22:34:52Z"
mac: ENC[AES256_GCM,data:MhCHZ9QyaA6KlMmienux8Ceznew40vIEw+dACUJ8ewBXB3oGCDQI4dTPEAZH1C4NgVEJZOWUItv6mt8D/WbreoxuGuIkIOOSAeySuM6rUpy+aguTAMcVij9tqgqhoUMovq43YulOzt5pBirWzNtAOsfP6gQMVTjZAi9kiPmJJS0=,iv:6TzDpqPQ55juqjKT3Tlvo2fUd4xguvN8buoGA6oggmE=,tag:LFYv1edoFSmvZupvj3zzFA==,type:str] mac: ENC[AES256_GCM,data:qCQgzoxRMowRqG8oWUGm3uryAh60HGjgUGsX6piZuBY1mrgzXABDE5AoD5YA5k7d2Nxv7Auzzz/xOSPUcxO+aqYDsjwu9bc6Sl6XzoR3SlFSl/PURPbfSmABlX0iJBfUcOtGlnIDPbIuHASRCFcRpuneQ3+VeQS6MaD5n7BBCRY=,iv:Br2T8/Wq44h6RzO9ht6bUthUt5yL/MFQME0LlTaO7gE=,tag:jdznhfhgBGfqi8hOVJhKkw==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.10.2 version: 3.10.2