feat: fw final switch to forgejo

2026-02-01 15:23:10 +01:00 · 2026-02-01 15:23:10 +01:00 · f5a0bc582d
commit f5a0bc582d
parent 25580ded3b
6 changed files with 10 additions and 24 deletions
--- a/hosts/fw/configuration.nix
+++ b/hosts/fw/configuration.nix
@ -32,7 +32,6 @@
    # microvm
    ./modules/microvm.nix
    ./modules/gitea-vm.nix
    ./modules/forgejo-runner.nix
    ./modules/dev-microvm.nix
    # ./modules/vscode-server.nix  # Add VS Code Server microvm
@ -45,8 +44,7 @@
    ./modules/web
    # git
-    ./modules/gitea.nix
+    ./modules/forgejo.nix
    ./modules/forgejo.nix  # Migration: autoStart=false, start after migration script
    # ./modules/fwmetrics.nix
    # ha customers
@ -81,7 +79,7 @@
  networkPrefix = "10.42";
  # Systemd services to monitor
-  services.victoriametrics.monitoredServices = [ "ai-mailer" "container@git" "microvm@git-runner-" "microvm@fj-runner-" ];
+  services.victoriametrics.monitoredServices = [ "ai-mailer" "container@forgejo" "microvm@fj-runner-" ];
  nixpkgs.overlays = [
    (import ./utils/overlays/packages.nix)
--- a/hosts/fw/modules/dnsmasq.nix
+++ b/hosts/fw/modules/dnsmasq.nix
@ -103,8 +103,7 @@
        "/mopidy.cloonar.com/${config.networkPrefix}.97.21"
        "/snapcast.cloonar.com/${config.networkPrefix}.97.21"
        "/lms.cloonar.com/${config.networkPrefix}.97.21"
-        "/git.cloonar.com/${config.networkPrefix}.97.50"
+        "/git.cloonar.com/${config.networkPrefix}.97.55"
        "/forgejo.cloonar.com/${config.networkPrefix}.97.55"
        "/feeds.cloonar.com/188.34.191.144"
        "/nukibridge1a753f72.cloonar.smart/${config.networkPrefix}.100.112"
        "/allywatch.cloonar.com/${config.networkPrefix}.97.5"
--- a/hosts/fw/modules/firewall.nix
+++ b/hosts/fw/modules/firewall.nix
@ -118,7 +118,7 @@
              iifname "smart" oifname "server" ip daddr ${config.networkPrefix}.97.20/32 tcp dport { 1883 } counter accept
              # Forward to git server
-              oifname "server" ip daddr ${config.networkPrefix}.97.50 tcp dport { 22 } counter accept 
+              oifname "server" ip daddr ${config.networkPrefix}.97.55 tcp dport { 22 } counter accept 
              oifname "server" ip daddr ${config.networkPrefix}.97.5 tcp dport { 80, 443 } counter accept 
              # lan and vpn to any
@ -167,7 +167,7 @@
            chain prerouting {
              type nat hook prerouting priority filter; policy accept;
              iifname "server" ip daddr ${config.networkPrefix}.96.255 udp dport { 9 } dnat to ${config.networkPrefix}.96.255
-              iifname "wan" tcp dport { 22 } dnat to ${config.networkPrefix}.97.50
+              iifname "wan" tcp dport { 22 } dnat to ${config.networkPrefix}.97.55
              iifname "wan" tcp dport { 80, 443 } dnat to ${config.networkPrefix}.97.5
              iifname "wan" tcp dport { 5000 } dnat to ${config.networkPrefix}.97.51
              iifname { "wan", "lan" } udp dport { 7777, 7778, 27015 } dnat to ${config.networkPrefix}.97.201
--- a/hosts/fw/modules/forgejo-runner.nix
+++ b/hosts/fw/modules/forgejo-runner.nix
@ -51,7 +51,7 @@ in {
      services.gitea-actions-runner.instances.${runner} = {
        enable = true;
-        url = "https://forgejo.cloonar.com";
+        url = "https://git.cloonar.com";
        name = runner;
        tokenFile = "/run/secrets/forgejo-runner-token";
        labels = [
--- a/hosts/fw/modules/forgejo.nix
+++ b/hosts/fw/modules/forgejo.nix
@ -19,13 +19,12 @@ in
  users.users.forgejo = user;
  users.groups.forgejo = group;
-  # Reuse the existing git.cloonar.com ACME cert from gitea.nix
+  security.acme.certs."git.cloonar.com" = {
  security.acme.certs."forgejo.cloonar.com" = {
    group = "nginx";
  };
  containers.forgejo = {
-    autoStart = false;  # Don't start until migration is complete
+    autoStart = true;
    ephemeral = false; # because of ssh key
    privateNetwork = true;
    hostBridge = "server";
@ -37,8 +36,7 @@ in
        isReadOnly = false;
      };
      "/var/lib/acme/forgejo/" = {
-        # hostPath = config.security.acme.certs.${domain}.directory;
+        hostPath = config.security.acme.certs.${domain}.directory;
        hostPath = config.security.acme.certs."forgejo.cloonar.com".directory;
        isReadOnly = true;
      };
      "/run/secrets/forgejo-mailer-password" = {
@ -146,7 +144,6 @@ in
  sops.secrets.forgejo-mailer-password = {
    owner = "forgejo";
-    # restartUnits removed - would start the container even with autoStart=false
+    restartUnits = [ "container@forgejo.service" ];
    # Re-add after migration: restartUnits = [ "container@forgejo.service" ];
  };
 }
--- a/hosts/fw/modules/web/proxies.nix
+++ b/hosts/fw/modules/web/proxies.nix
@ -1,13 +1,5 @@
 { config, lib, ... }: {
  services.nginx.virtualHosts."git.cloonar.com" = {
    forceSSL = true;
    enableACME = true;
    acmeRoot = null;
    locations."/" = {
      proxyPass = "https://git.cloonar.com/";
    };
  };
  services.nginx.virtualHosts."forgejo.cloonar.com" = {
    forceSSL = true;
    enableACME = true;
    acmeRoot = null;