forgejo up and running with pocket id

2026-01-10 17:34:05 -05:00 · 2025-11-07 13:37:55 -05:00 · 2025-11-07 13:37:55 -05:00 · 2fe39ada39
commit 2fe39ada39
parent d722de69b5
3 changed files with 43 additions and 7 deletions
--- a/modules/services/forgejo/default.nix
+++ b/modules/services/forgejo/default.nix
@ -1,8 +1,27 @@
+{ inputs, config, ... }:
+let
+  sopsFolder = builtins.toString inputs.nix-secrets + "/sops";
+in
 {
  services.caddy.virtualHosts."git.wanderingcrow.net".extraConfig = ''
    reverse_proxy http://localhost:3000
  '';

+  sops.secrets = {
+    "forgejo/mailer/server" = {
+      sopsFile = "${sopsFolder}/services.yaml";
+    };
+    "forgejo/mailer/port" = {
+      sopsFile = "${sopsFolder}/services.yaml";
+    };
+    "forgejo/mailer/user" = {
+      sopsFile = "${sopsFolder}/services.yaml";
+    };
+    "forgejo/mailer/pass" = {
+      sopsFile = "${sopsFolder}/services.yaml";
+    };
+  };
+
  services.forgejo = {
    enable = true;
    lfs.enable = true;
@ -17,11 +36,27 @@
        HTTP_PORT = 3000;
      };
      service = {
-        DISABLE_REGISTRATION = false;
+        REGISTER_EMAIL_CONFIRM = true;
+        ENABLE_NOTIFY_MAIL = true;
+        # I want to offload account security to OIDC provider
+        REQUIRE_EXTERNAL_REGISTRATION_PASSWORD = false;
+        ENABLE_INTERNAL_SIGNIN = false;
+        EMAIL_DOMAIN_BLOCK_DISPOSABLE = true;
+        ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
+        ENABLE_OPENID_SIGNIN = true;
+        ENABLE_OPENID_SIGNUP = true;
+        WHITELISTED_URIS = "auth.wanderingcrow.net";
      };
-      actions = {
+      mailer = {
        ENABLED = true;
-        DEFAULT_ACTIONS_URL = "github";
+      };
+    };
+    secrets = {
+      mailer = {
+        SMTP_ADDR = config.sops.secrets."forgejo/mailer/server".path;
+        SMTP_PORT = config.sops.secrets."forgejo/mailer/port".path;
+        USER = config.sops.secrets."forgejo/mailer/user".path;
+        PASSWD = config.sops.secrets."forgejo/mailer/pass".path;
      };
    };
  };