From c863aa7354fb53abd316cb13ac3ae3af4f4945b8 Mon Sep 17 00:00:00 2001
From: Christoph Hollizeck
Date: Fri, 31 Oct 2025 00:24:07 +0100
Subject: [PATCH] loptland: more modules
---
 modules/base/system/default.nix | 1 -
 modules/hosts/loptland/default.nix | 24 +++++-----
 modules/hosts/loptland/nginx.nix | 8 ++--
 modules/server/forgejo.nix | 76 ++++++++++++++++++++++++++++++
 4 files changed, 90 insertions(+), 19 deletions(-)
 create mode 100644 modules/server/forgejo.nix
diff --git a/modules/base/system/default.nix b/modules/base/system/default.nix
index 0f6c9fc..1dd8290 100644
--- a/modules/base/system/default.nix
+++ b/modules/base/system/default.nix
@@ -50,7 +50,6 @@
 defaultSopsFile = ../../../secrets/secrets.yaml;
 defaultSopsFormat = "yaml";
- # age.keyFile = "/home/cholli/.config/sops/age/keys.txt";
 age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 };
diff --git a/modules/hosts/loptland/default.nix b/modules/hosts/loptland/default.nix
index e80226e..5c8f685 100644
--- a/modules/hosts/loptland/default.nix
+++ b/modules/hosts/loptland/default.nix
@@ -14,8 +14,8 @@ in
 ...
 }:
 let
+ domainName = "christophhollizeck.dev";
 sopsFile = ../../../secrets/secrets-loptland.yaml;
-
 in
 {
 nixpkgs.config.allowUnfree = true;
@@ -31,6 +31,7 @@ in
 base
 server
 hydra
+ forgejo
 factorio-server
 # apps
@@ -55,19 +56,16 @@ in
 ];
- sops = {
- secrets = {
- "forgejo/db/password" = {
- inherit sopsFile;
- };
- "forgejo/mail/password" = {
- inherit sopsFile;
- };
- "forgejo/mail/passwordHash" = {
- inherit sopsFile;
- };
- };
+ services.tailscale = {
+ enable = true;
+ useRoutingFeatures = "client";
 };
+ networking.firewall.allowedTCPPorts = [
+ 3000
+ 80
+ 443
+ ];
 };
 }
diff --git a/modules/hosts/loptland/nginx.nix b/modules/hosts/loptland/nginx.nix
index 9f374ed..99215ff 100644
--- a/modules/hosts/loptland/nginx.nix
+++ b/modules/hosts/loptland/nginx.nix
@@ -8,8 +8,6 @@
 }:
 let
 domainName = "christophhollizeck.dev";
- forgejoPort = 3000;
- hydraPort = 2000;
 in
 {
 services.nginx = {
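Review bot: The new `networking.firewall.allowedTCPPorts` in the `@@ -55,19 +56,16 @@` hunk opens 3000 on every interface, which is the plain-HTTP port Forgejo is given in modules/server/forgejo.nix (`HTTP_PORT = forgejoPort`) and that nginx already fronts with TLS on 443, so the reverse proxy and its TLS termination can be bypassed by talking to 3000 directly. Unless direct access to 3000 is intended, reduce the list to `networking.firewall.allowedTCPPorts = [ 80 443 ];`, and independently of the firewall consider binding Forgejo to loopback in forgejo.nix with `HTTP_ADDR = "127.0.0.1";` next to `HTTP_PORT` (the module's default bind address is not visible in this patch). The `domainName` binding added in the `@@ -14,8 +14,8 @@` hunk is not referenced by any line visible here (nginx.nix keeps its own copy); if the rest of the file does not use it either, it can be dropped.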
@@ -17,7 +15,7 @@
 recommendedProxySettings = true;
 virtualHosts = {
- "git.${domainName}" = {
+ "git.${domainName}" = lib.mkIf config.services.forgejo.enable {
 forceSSL = true;
 useACMEHost = domainName;
@@ -25,7 +23,7 @@
 extraConfig = ''
 client_max_body_size 200M;
 '';
- proxyPass = "http://localhost:${toString forgejoPort}/";
+ proxyPass = "http://localhost:${toString 3000}/";
 };
 };
@@ -34,7 +32,7 @@
 useACMEHost = domainName;
 locations."/" = {
- proxyPass = "http://localhost:${toString hydraPort}/";
+ proxyPass = "http://localhost:${toString config.services.hydra.port}/";
 };
 };
diff --git a/modules/server/forgejo.nix b/modules/server/forgejo.nix
new file mode 100644
index 0000000..caaf9b3
--- /dev/null
+++ b/modules/server/forgejo.nix
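Review bot: `lib.mkIf config.services.forgejo.enable` in the virtualHosts hunk requires `lib` and `config` to be in this module's argument set, which lies outside the hunk (only `}:` and `let` are visible in the preceding hunk); if `lib` is not among the arguments the module fails to evaluate with an undefined-variable error, so please confirm. In the following hunk the port becomes the literal `${toString 3000}`, which duplicates `forgejoPort = 3000` in modules/server/forgejo.nix and lets the two values drift apart silently. Mirror the hydra line a few lines down and read it from the option instead: `proxyPass = "http://localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}/";`.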
@@ -0,0 +1,76 @@
+{
+ flake.modules.nixos.forgejo =
+ { config, inputs, ... }:
+ let
+ domainName = "christophhollizeck.dev";
+ forgejoPort = 3000;
+ sopsFile = ../../secrets/secrets-loptland.yaml;
+ in
+ {
+ imports = [
+ inputs.simple-nixos-mailserver.nixosModules.default
+ ];
+
+ sops = {
+ secrets = {
+ "forgejo/db/password" = {
+ inherit sopsFile;
+ };
+ "forgejo/mail/password" = {
+ inherit sopsFile;
+ };
+ "forgejo/mail/passwordHash" = {
+ inherit sopsFile;
+ };
+ };
+ };
+
+ services.forgejo = {
+ enable = true;
+ database.type = "postgres";
+ lfs.enable = true;
+ database = {
+ passwordFile = config.sops.secrets."forgejo/db/password".path;
+ };
+
+ settings = {
+ server = {
+ DOMAIN = "git.${domainName}";
+ ROOT_URL = "https://git.${domainName}";
+ HTTP_PORT = forgejoPort;
+ };
+
+ mailer = {
+ ENABLED = true;
+ PROTOCOL = "smtps";
+ FROM = "no-reply@${domainName}";
+ SMTP_ADDR = "mail.${domainName}";
+ USER = "forgejo@${domainName}";
+ };
+
+ service.DISABLE_REGISTRATION = true;
+ };
+
+ secrets = {
+ mailer.PASSWD = config.sops.secrets."forgejo/mail/password".path;
+ };
+ };
+
+ mailserver = {
+ enable = true;
+ fqdn = "mail.${domainName}";
+ domains = [ domainName ];
+
+ loginAccounts = {
+ "forgejo@${domainName}" = {
+ hashedPasswordFile = config.sops.secrets."forgejo/mail/passwordHash".path;
+ aliases = [ "no-reply@${domainName}" ];
+ };
+ };
+
+ certificateScheme = "acme-nginx";
+ stateVersion = 3;
+ };
+
+ };
+}
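Review bot: `database.passwordFile` and `secrets.mailer.PASSWD` point at sops secrets declared with only `inherit sopsFile`, so the decrypted files keep sops-nix's root-owned default; if the forgejo service reads them as its own user during pre-start substitution (my recollection of the NixOS module, to be verified), startup fails with a permission error, in which case add `owner = config.services.forgejo.user;` to those two secret declarations (the mail hash is consumed by the mailserver side and can stay as is). Style: `database.type = "postgres";` and `database = { passwordFile = …; };` define the same attribute in two places — Nix merges them, but a single `database = { type = "postgres"; passwordFile = config.sops.secrets."forgejo/db/password".path; };` reads better. The module is exported under the generic name `flake.modules.nixos.forgejo` yet hard-codes `../../secrets/secrets-loptland.yaml` and the domain, so a one-line header comment such as `# Host-specific: secrets file and domain are loptland's.` would save the next reader from importing it elsewhere unchanged.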