nixos/services: swap gitea with forgejo

also makes adds gitea persistence

.envrc

@@ -0,0 +1 @@
+use flake

.gitignore

@@ -1,3 +1,4 @@
 # Nix
-/result
 /*.qcow2
+/.direnv
+/result

assets/forgejo/templates/home.tmpl

@@ -0,0 +1,12 @@
+{{template "base/head" .}}
+<div role="main" aria-label="{{if .IsSigned}}{{ctx.Locale.Tr "dashboard"}}{{else}}{{ctx.Locale.Tr "home"}}{{end}}"
+   class="page-content home tw-mb-8 tw-px-8 center" style="height: 100%; flex-direction: column; display: flex; align-items: center; justify-content: space-around;">
+   <img width="500" height="500" src="{{AssetUrlPrefix}}/images/full-logo.svg" alt="{{ctx.Locale.Tr "logo"}}">
+   <div class="hero">
+      <h1 class="ui icon header title">
+         {{AppName}}
+      </h1>
+      <!-- <h2>My own gitea server 😎</h2> -->
+   </div>
+</div>
+{{template "base/footer" .}}

assets/forgejo/theme.css

@@ -0,0 +1,51 @@
+@import "/assets/css/theme-forgejo-dark.css";
+
+/* :root { */
+/*   --is-dark-theme: true; */
+
+/*   --accent-color: 221, 85, 85; */
+/*   /1* #d55 *1/ */
+/*   --gitea-color-primary-dark-4: 221, 85, 85; */
+/*   --accent-color-secondary: 96, 72, 10; */
+/*   --accent-color-hover: 170, 68, 68; */
+/*   --color-primary: rgb(var(--accent-color)); */
+/*   --color-secondary: rgb(var(--accent-color-secondary)); */
+/*   --button-color: rgb(var(--accent-color)); */
+/*   --button-color-hover: rgb(var(--accent-color-hover)); */
+/* } */
+
+:root {
+  --is-dark-theme: true;
+
+  --color-primary: #d162a4;
+  --color-primary-contrast: #fff;
+  --color-primary-dark-1: #ba3283;
+  --color-primary-dark-2: #b55690;
+  --color-primary-dark-3: #ac2c79;
+  --color-primary-dark-4: #a30262;
+  --color-primary-dark-5: #8a0253;
+  --color-primary-dark-6: #710144;
+  --color-primary-dark-7: #570135;
+  --color-primary-light-1: #d776af;
+  --color-primary-light-2: #dd89bb;
+  --color-primary-light-3: #e29dc6;
+  --color-primary-light-4: #e8b1d2;
+  --color-primary-light-5: #eec5dd;
+  --color-primary-light-6: #f4d8e9;
+  --color-primary-light-7: #f9ecf4;
+  --color-primary-alpha-10: #d162a419;
+  --color-primary-alpha-20: #d162a433;
+  --color-primary-alpha-30: #d162a44b;
+  --color-primary-alpha-40: #d162a466;
+  --color-primary-alpha-50: #d162a480;
+  --color-primary-alpha-60: #d162a499;
+  --color-primary-alpha-70: #d162a4b3;
+  --color-primary-alpha-80: #d162a4cc;
+  --color-primary-alpha-90: #d162a4e1;
+}
+
+.navbar-left > #navbar-logo.item,
+.navbar-right > #navbar-logo.item,
+.navbar-mobile-right > #navbar-logo.item {
+  padding: 3px;
+}

nixos/modules/default.nix

@@ -3,7 +3,7 @@
     ./acme.nix
     ./dns.nix
     ./fail2ban.nix
-    ./gitea.nix
+    ./forgejo.nix
     ./host.nix
     ./nginx.nix
     ./snapper.nix

nixos/modules/forgejo.nix

@@ -0,0 +1,125 @@
+{ config, pkgs, ... }:
+let
+  inherit (config.networking) fqdn;
+
+  acmeEnabled = config.acme.enable;
+
+  themeName = "tuxcord";
+  forgejoPublic = pkgs.linkFarm "forgejo-public" [
+    {
+      name = "assets/css/theme-${themeName}.css";
+      path = ../../assets/forgejo/theme.css;
+    }
+    {
+      name = "assets/img";
+      path = makeForgejoImages {
+        big = ../../assets/branding/logo.svg;
+        small = ../../assets/branding/logo-head.svg;
+        rasterWidth = 1024;
+      };
+    }
+    {
+      name = "assets/images/full-logo.svg";
+      path = ../../assets/branding/logo.svg;
+    }
+  ];
+  forgejoTemplates = ../../assets/forgejo/templates;
+
+  makeForgejoImages =
+    {
+      big,
+      small,
+      rasterWidth,
+    }:
+    pkgs.stdenv.mkDerivation rec {
+      name = "forgejo-images";
+
+      srcs = [
+        big
+        small
+      ];
+      unpackPhase = "true";
+
+      buildInputs = with pkgs; [
+        inkscape
+      ];
+
+      # https://forgejo.org/docs/next/contributor/customization/#changing-the-logo
+      buildPhase = ''
+        mkdir -p $out
+
+        cp "${big}" $out/logo.svg
+        inkscape -w ${toString rasterWidth} ${big} -o $out/logo.png
+
+        cp "${small}" $out/favicon.svg
+        inkscape -w ${toString rasterWidth} ${small} -o $out/favicon.png
+      '';
+    };
+in
+{
+  services.forgejo = {
+    enable = true;
+
+    database.type = "mysql";
+
+    lfs.enable = true;
+
+    settings = {
+      DEFAULT = {
+        APP_NAME = "TuxCord Code Forge";
+      };
+
+      server = {
+        DOMAIN = fqdn;
+        ROOT_URL = "${if acmeEnabled then "https" else "http"}://${fqdn}/";
+        HTTP_PORT = 3000;
+      };
+
+      service = {
+        DISABLE_REGISTRATION = true;
+        REQUIRE_SIGNIN_VIEW = false;
+      };
+
+      repository = {
+        ENABLE_PUSH_CREATE_USER = true;
+        ENABLE_PUSH_CREATE_ORG = true;
+        DEFAULT_BRANCH = "main";
+      };
+
+      ui = {
+        DEFAULT_THEME = themeName;
+      };
+
+      # TODO: once we have email setup this would be nice
+      mailer.ENABLED = true;
+
+      actions = {
+        ENABLED = true;
+        # DEFAULT_ACTIONS_URL = "github";
+      };
+    };
+  };
+
+  systemd.services.forgejo-branding = {
+    enable = true;
+
+    wantedBy = [ "forgejo.service" ];
+    before = [ "forgejo.service" ];
+
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = pkgs.writeShellScript "forgejo-branding.oneshot" ''
+        ${pkgs.rsync}/bin/rsync -rl --chown forgejo:forgejo --delete ${forgejoPublic}/ ${config.services.forgejo.customDir}/public
+        ${pkgs.rsync}/bin/rsync -rl --chown forgejo:forgejo --delete ${forgejoTemplates}/ ${config.services.forgejo.customDir}/templates
+      '';
+    };
+  };
+
+  environment.persistence."/persist".directories = [
+    {
+      directory = config.services.forgejo.stateDir;
+      group = "forgejo";
+      user = "forgejo";
+    }
+  ];
+}

nixos/modules/gitea.nix

@@ -1,40 +0,0 @@
-{ config, ... }:
-let
-  inherit (config.networking) fqdn;
-
-  acmeEnabled = config.acme.enable;
-in
-{
-  services.gitea = {
-    enable = true;
-
-    appName = "TuxCord Gitea";
-    database.type = "mysql";
-
-    lfs.enable = true;
-
-    settings = {
-      server = {
-        DOMAIN = fqdn;
-        ROOT_URL = "${if acmeEnabled then "https" else "http"}://${fqdn}/";
-        HTTP_PORT = 3000;
-      };
-
-      service = {
-        DISABLE_REGISTRATION = true;
-        REQUIRE_SIGNIN_VIEW = false;
-      };
-
-      repository = {
-        ENABLE_PUSH_CREATE_USER = true;
-        ENABLE_PUSH_CREATE_ORG = true;
-        DEFAULT_BRANCH = "main";
-      };
-
-      # ui.DEFAULT_THEME = "...";
-
-      # TODO: once we have email setup this would be nice
-      mailer.ENABLED = true;
-    };
-  };
-}

nixos/modules/nginx.nix

@@ -58,7 +58,7 @@ in
       };
 
       "git.${fqdn}" = mkVhost { } {
-        "/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
+        "/" = mkProxy config.services.forgejo.settings.server.HTTP_PORT;
       };
     };
   };

nixos/openssh.nix

@@ -1,3 +1,4 @@
+{ config, ... }:
 {
   services.openssh = {
     enable = true;
@@ -12,5 +13,5 @@
     };
   };
 
-  networking.firewall.allowedTCPPorts = [ 22 ];
+  networking.firewall.allowedTCPPorts = config.services.openssh.ports;
 }

npins/default.nix

@@ -9,8 +9,15 @@
 */
 # Generated by npins. Do not modify; will be overwritten regularly
 let
-  data = builtins.fromJSON (builtins.readFile ./sources.json);
-  version = data.version;
+  # Backwards-compatibly make something that previously didn't take any arguments take some
+  # The function must return an attrset, and will unfortunately be eagerly evaluated
+  # Same thing, but it catches eval errors on the default argument so that one may still call it with other arguments
+  mkFunctor =
+    fn:
+    let
+      e = builtins.tryEval (fn { });
+    in
+    (if e.success then e.value else { error = fn { }; }) // { __functor = _self: fn; };
 
   # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
   range =
@@ -21,7 +28,6 @@ let
 
   # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
   stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
-  concatMapStrings = f: list: concatStrings (map f list);
   concatStrings = builtins.concatStringsSep "";
 
   # If the environment variable NPINS_OVERRIDE_${name} is set, then use
@@ -48,41 +54,90 @@ let
 
   mkSource =
     name: spec:
+    {
+      pkgs ? null,
+    }:
     assert spec ? type;
     let
+      # Unify across builtin and pkgs fetchers.
+      # `fetchGit` requires a wrapper because of slight API differences.
+      fetchers =
+        if pkgs == null then
+          {
+            inherit (builtins) fetchTarball fetchurl;
+            # Frustratingly, due to flakes and `fetchTree`, `fetchGit`
+            # has a different signature than the other builtin
+            # fetchers
+            fetchGit = args: (builtins.fetchGit args).outPath;
+          }
+        else
+          {
+            fetchTarball =
+              {
+                url,
+                sha256,
+              }:
+              pkgs.fetchzip {
+                inherit url sha256;
+                extension = "tar";
+              };
+            inherit (pkgs) fetchurl;
+            fetchGit =
+              {
+                url,
+                submodules,
+                rev,
+                name,
+                lfs,
+                narHash,
+              }:
+              pkgs.fetchgit {
+                inherit url rev name lfs;
+                fetchSubmodules = submodules;
+                hash = narHash;
+              };
+          };
+
       path =
         if spec.type == "Git" then
-          mkGitSource spec
+          mkGitSource fetchers spec
         else if spec.type == "GitRelease" then
-          mkGitSource spec
+          mkGitSource fetchers spec
         else if spec.type == "PyPi" then
-          mkPyPiSource spec
+          mkPyPiSource fetchers spec
         else if spec.type == "Channel" then
-          mkChannelSource spec
-        else if spec.type == "Tarball" then
-          mkTarballSource spec
+          mkChannelSource fetchers spec
+        else if spec.type == "Url" || spec.type == "MutableUrl" then
+          mkUrlSource fetchers spec
+        else if spec.type == "Container" then
+          mkContainerSource pkgs spec
         else
           builtins.throw "Unknown source type ${spec.type}";
     in
     spec // { outPath = mayOverride name path; };
 
   mkGitSource =
+    {
+      fetchTarball,
+      fetchGit,
+      ...
+    }:
     {
       repository,
       revision,
       url ? null,
       submodules,
       hash,
-      branch ? null,
+      lfs,
       ...
     }:
     assert repository ? type;
     # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
     # In the latter case, there we will always be an url to the tarball
     if url != null && !submodules then
-      builtins.fetchTarball {
+      fetchTarball {
         inherit url;
-        sha256 = hash; # FIXME: check nix version & use SRI hashes
+        sha256 = hash;
       }
     else
       let
@@ -93,6 +148,8 @@ let
             "https://github.com/${repository.owner}/${repository.repo}.git"
           else if repository.type == "GitLab" then
             "${repository.server}/${repository.repo_path}.git"
+          else if repository.type == "Forgejo" then
+            "${repository.server}/${repository.owner}/${repository.repo}.git"
           else
             throw "Unrecognized repository type ${repository.type}";
         urlToName =
@@ -107,40 +164,96 @@ let
           "${if matched == null then "source" else builtins.head matched}${appendShort}";
         name = urlToName url revision;
       in
-      builtins.fetchGit {
+      fetchGit {
         rev = revision;
-        inherit name;
-        # hash = hash;
-        inherit url submodules;
+        narHash = hash;
+
+        inherit name submodules url lfs;
       };
 
   mkPyPiSource =
-    { url, hash, ... }:
-    builtins.fetchurl {
+    { fetchurl, ... }:
+    {
+      url,
+      hash,
+      ...
+    }:
+    fetchurl {
       inherit url;
       sha256 = hash;
     };
 
   mkChannelSource =
-    { url, hash, ... }:
-    builtins.fetchTarball {
+    { fetchTarball, ... }:
+    {
+      url,
+      hash,
+      ...
+    }:
+    fetchTarball {
       inherit url;
       sha256 = hash;
     };
 
-  mkTarballSource =
+  mkUrlSource =
+    {
+      fetchTarball,
+      fetchurl,
+      ...
+    }:
     {
       url,
-      locked_url ? url,
+      hash,
+      unpack,
+      ...
+    }:
+    (if unpack then fetchTarball else fetchurl) {
+      inherit url;
+      sha256 = hash;
+    };
+
+  mkContainerSource =
+    pkgs:
+    {
+      image_name,
+      image_tag,
+      image_digest,
       hash,
       ...
     }:
-    builtins.fetchTarball {
-      url = locked_url;
-      sha256 = hash;
-    };
+    if pkgs == null then
+      builtins.throw "container sources require passing in a Nixpkgs value: https://github.com/andir/npins/blob/master/README.md#using-the-nixpkgs-fetchers"
+    else
+      pkgs.dockerTools.pullImage {
+        imageName = image_name;
+        imageDigest = image_digest;
+        finalImageTag = image_tag;
+        hash = hash;
+      };
+
 in
-if version == 5 then
-  builtins.mapAttrs mkSource data.pins
-else
-  throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
+mkFunctor (
+  {
+    input ? ./sources.json,
+  }:
+  let
+    data =
+      if builtins.isPath input then
+        # while `readFile` will throw an error anyways if the path doesn't exist,
+        # we still need to check beforehand because *our* error can be caught but not the one from the builtin
+        # See: <https://git.lix.systems/lix-project/lix/issues/1098>
+        if builtins.pathExists input then
+          builtins.fromJSON (builtins.readFile input)
+        else
+          throw "Input path ${toString input} does not exist"
+      else if builtins.isAttrs input then
+        input
+      else
+        throw "Unsupported input type ${builtins.typeOf input}, must be a path or an attrset";
+    version = data.version;
+  in
+  if version == 8 then
+    builtins.mapAttrs (name: spec: mkFunctor (mkSource name spec)) data.pins
+  else
+    throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
+)

npins/sources.json

@@ -8,10 +8,11 @@
       },
       "branch": "main",
       "submodules": false,
+      "lfs": true,
       "revision": "b18dd7b863644debb0a843a5b21bb490bfe7d048",
       "url": null,
-      "hash": "18czfxaldy0zhjprdsqzxnzj3p9qlc4canwigr13iw2wisi4ww5y"
+      "hash": "sha256-xYH9RXYZDVotUW8fKIEC9u0GJeEg2nV/23aQlEyeQso="
     }
   },
-  "version": 5
+  "version": 8
 }

shells/default.nix

@@ -2,6 +2,26 @@
 {
   perSystem =
     { pkgs, ... }:
+    let
+      npins' = pkgs.npins.overrideAttrs (
+        final: old: {
+          src = pkgs.fetchFromGitHub {
+            owner = "javalsai";
+            repo = "npins";
+            rev = "f3def7dfeecc16884cb0601f6c904d5142f47383";
+            hash = "sha256-ejeOGmDw+D4KddFJ5OAPradqoS+p2eAhhS4fOLQOWOk=";
+          };
+
+          cargoHash = null;
+          cargoDeps = pkgs.rustPlatform.fetchCargoVendor {
+            src = final.src;
+            hash = "sha256-mG4UClFBgiWBraWQ12N3CSyapaIpuXI9F8wQGwh/ooQ=";
+          };
+
+          cargoBuildFeatures = [ ];
+        }
+      );
+    in
     {
       devShells.default = pkgs.mkShell {
         name = "configuration.nix";
@@ -33,7 +53,7 @@
           jujutsu
           nix-output-monitor
           nixfmt
-          npins
+          npins'
           parted
           smartmontools
           statix