feat(home-server): add forgejo admin user

2025-01-17 13:58:03 +01:00 · 2025-01-17 13:58:03 +01:00 · 933d7b6994
parent e45c34c465
commit 933d7b6994
4 changed files with 40 additions and 5 deletions
--- a/secrets/forgejo/admin-password.age
+++ b/secrets/forgejo/admin-password.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 OAZQhA Qs+kBM/8cOSTJ9TsZ4WhcYGyj07RRP//jEXA/LrSeQA
+lJ328T6kcUea2pkS/M/GFV7/x7dym7870/7ZlsRHMKU
+-> ssh-ed25519 72ij7w fHAFoSMZxmLTyUHlXF3/7uQgx844CBK8WeNtLrq4vBo
+P05jEPm+s6nzmoGjZatrL0WT3iY6iQEXqp0kh9mNRfs
+--- r5uZPQFW02c8VbgrHSuESjgHm1hHRAT2mtzzbrd2Srs
+"§¼{B=.d¯ì1e€ëJ‚Vzo<7A>»j‡RJô¾
«ß  ,Öœí9^"Æ“•þÐþÚ†ñÔFgd–Ç›”2eEi@
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -124,6 +124,10 @@ in
    felschr
    home-server
  ];
+  "forgejo/admin-password.age".publicKeys = [
+    felschr
+    home-server
+  ];
  "hass/secrets.age".publicKeys = [
    felschr
    home-server
--- a/services/forgejo/default.nix
+++ b/services/forgejo/default.nix
@ -1,10 +1,22 @@
-{ config, pkgs, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:

 let
  domain = "git.felschr.com";
  sshPort = 2222;
+  cfg = config.services.forgejo;
 in
 {
+  age.secrets.forgejo-admin-password = {
+    file = ../../secrets/forgejo/admin-password.age;
+    owner = cfg.user;
+    inherit (cfg) group;
+  };
+
  services.forgejo = {
    enable = true;
    database.type = "postgres";
@ -42,4 +54,16 @@ in
    '';
    locations."/".proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
  };
+
+  systemd.services.forgejo.preStart =
+    let
+      adminCmd = "${lib.getExe cfg.package} admin user";
+      passwordFile = config.age.secrets.forgejo-admin-password.path;
+      user = "felschr";
+    in
+    ''
+      ${adminCmd} create --admin --email "root@localhost" --username ${user} --password "$(tr -d '\n' < ${passwordFile})" || true
+      ## uncomment this line to change an admin user which was already created
+      # ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${passwordFile})" || true
+    '';
 }
--- a/system/server.nix
+++ b/system/server.nix
@ -15,14 +15,14 @@
    table inet allow-incoming-traffic {
      chain allow-incoming {
        type filter hook input priority -100; policy accept;
-        tcp dport {80, 443} meta mark set 0x80000;
-        udp dport {80, 443} meta mark set 0x80000;
+        tcp dport {80, 443, 2222} meta mark set 0x80000;
+        udp dport {80, 443, 2222} meta mark set 0x80000;
      }

      chain allow-outgoing {
        type route hook output priority -100; policy accept;
-        tcp sport {80, 443} meta mark set 0x80000;
-        udp sport {80, 443} meta mark set 0x80000;
+        tcp sport {80, 443, 2222} meta mark set 0x80000;
+        udp sport {80, 443, 2222} meta mark set 0x80000;
      }
    }
  '';