Factor out domain in caddy config

flake.lock

@@ -8,11 +8,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1703433843,
-        "narHash": "sha256-nmtA4KqFboWxxoOAA6Y1okHbZh+HsXaMPFkYHsoDRDw=",
+        "lastModified": 1707830867,
+        "narHash": "sha256-PAdwm5QqdlwIqGrfzzvzZubM+FXtilekQ/FA0cI49/o=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "417caa847f9383e111d1397039c9d4337d024bf0",
+        "rev": "8cb01a0e717311680e0cbca06a76cbceba6f3ed6",
         "type": "github"
       },
       "original": {
@@ -52,11 +52,11 @@
         "utils": "utils"
       },
       "locked": {
-        "lastModified": 1703087360,
-        "narHash": "sha256-0VUbWBW8VyiDRuimMuLsEO4elGuUw/nc2WDeuO1eN1M=",
+        "lastModified": 1708091384,
+        "narHash": "sha256-dTGGw2y8wvfjr+J9CjQbfdulOq72hUG17HXVNxpH1yE=",
         "owner": "serokell",
         "repo": "deploy-rs",
-        "rev": "b709d63debafce9f5645a5ba550c9e0983b3d1f7",
+        "rev": "0a0187794ac7f7a1e62cda3dabf8dc041f868790",
         "type": "github"
       },
       "original": {
@@ -156,11 +156,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1704538339,
-        "narHash": "sha256-1734d3mQuux9ySvwf6axRWZRBhtcZA9Q8eftD6EZg6U=",
+        "lastModified": 1707956935,
+        "narHash": "sha256-ZL2TrjVsiFNKOYwYQozpbvQSwvtV/3Me7Zwhmdsfyu4=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "46ae0210ce163b3cba6c7da08840c1d63de9c701",
+        "rev": "a4d4fe8c5002202493e87ec8dbc91335ff55552c",
         "type": "github"
       },
       "original": {

modules/caddy.nix

@@ -2,7 +2,9 @@
 
 with lib;
 
-{
+let
+  domain = "tecosaur.net";
+in {
   networking.firewall.allowedTCPPorts = [ 80 443 ];
   networking.firewall.allowedUDPPorts = [ 443 ];
 
@@ -15,7 +17,7 @@ with lib;
            version = "ef9d0ab232f4fe5d7e86312cbba45ff8afea98a1";}
         ];
       };
-      virtualHosts."tecosaur.net".extraConfig = ''
+      virtualHosts."${domain}".extraConfig = ''
 respond "__        __   _
 \ \      / /__| | ___ ___  _ __ ___   ___
  \ \ /\ / / _ \ |/ __/ _ \| '_ ` _ \ / _ \
@@ -24,7 +26,7 @@ respond "__        __   _
 
 This is an in-progress replacement for tecosaur.com, done better.
 
-For now, you can find an increasing number of my projects on git.tecosaur.net,
+For now, you can find an increasing number of my projects on code.${domain},
 this includes the setup for this server, which is being constructed using:
 + NixOS (with flakes and deploy-rs)
 + Caddy (web server)
@@ -38,11 +40,11 @@ In future, the following may be set up too:
 + Koel (music streaming)
 "
   '';
-    virtualHosts."blog.tecosaur.net".extraConfig = ''
+    virtualHosts."blog.${domain}".extraConfig = ''
 redir /tmio /tmio/
 handle_path /tmio/* {
     file_server {
-        fs git /var/lib/gitea/repositories/tec/this-month-in-org.git html
+        fs git ${config.services.forgejo.stateDir}/repositories/tec/this-month-in-org.git html
     }
 }
 handle {
@@ -51,7 +53,7 @@ handle {
   '';
     }
     (mkIf config.services.syncthing.enable {
-      virtualHosts."syncthing.tecosaur.net".extraConfig =
+      virtualHosts."syncthing.${domain}".extraConfig =
         ''
 reverse_proxy ${config.services.syncthing.guiAddress} {
     header_up Host {upstream_hostport}
@@ -59,21 +61,24 @@ reverse_proxy ${config.services.syncthing.guiAddress} {
 '';
     })
     (mkIf config.services.syncthing.enable {
-      virtualHosts."public.tecosaur.net".extraConfig =
+      virtualHosts."public.${domain}".extraConfig =
         ''
         root * ${config.services.syncthing.dataDir}/public/.build
         file_server
         '';
     })
-    (mkIf config.services.gitea.enable {
-      virtualHosts."git.tecosaur.net".extraConfig =
+    (mkIf config.services.forgejo.enable {
+      virtualHosts."git.tecosaur.net".extraConfig = "redir https://code.${domain}{uri} 301";
+    })
+    (mkIf config.services.forgejo.enable {
+      virtualHosts."code.${domain}".extraConfig =
       ''
 @not_tec {
     not path /tec/*
     not header Cookie *caddy_tec_redirect=true*
 }
 handle @not_tec {
-    reverse_proxy localhost:${toString config.services.gitea.settings.server.HTTP_PORT} {
+    reverse_proxy localhost:${toString config.services.forgejo.settings.server.HTTP_PORT} {
         @404 status 404
         handle_response @404 {
             header +Set-Cookie "caddy_tec_redirect=true; Max-Age=5"
@@ -86,7 +91,7 @@ handle @not_tec {
     header Cookie *caddy_tec_redirect=true*
 }
 handle @tec_redirect {
-    reverse_proxy localhost:${toString config.services.gitea.settings.server.HTTP_PORT} {
+    reverse_proxy localhost:${toString config.services.forgejo.settings.server.HTTP_PORT} {
         @404 status 404
         handle_response @404 {
             header +Set-Cookie "caddy_tec_redirect=true; Max-Age=0"
@@ -97,7 +102,7 @@ handle @tec_redirect {
     }
 }
 handle {
-    reverse_proxy localhost:${toString config.services.gitea.settings.server.HTTP_PORT}
+    reverse_proxy localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}
 }
 '';
     })
@@ -105,7 +110,7 @@ handle {
 
   users.users.caddy = {
     extraGroups =
-      lib.optional config.services.syncthing.enable "syncthing" ++
-      lib.optional config.services.gitea.enable "gitea";
+      lib.optional config.services.syncthing.enable config.services.syncthing.user ++
+      lib.optional config.services.forgejo.enable   config.services.forgejo.user;
   };
 }

modules/forgejo/default.nix

@@ -1,40 +1,45 @@
 { config, pkgs, ... }:
 
-{
+let
+  forgejo-user = "git";
+in {
   age.secrets.postgres-gitea = {
-    owner = "gitea";
+    owner = forgejo-user;
     group = "users";
     file = ../../secrets/postgres-gitea.age;
   };
 
   age.secrets.fastmail = {
-    owner = "gitea";
+    owner = forgejo-user;
     group = "users";
     file = ../../secrets/fastmail.age;
   };
 
-  services.gitea = {
-    package  = pkgs.forgejo;
+  services.forgejo = {
     enable = true;
-    user = "gitea";
-    appName = "Code by TEC";
+    user = forgejo-user;
+    group = forgejo-user;
+    stateDir = "/var/lib/forgejo";
     database = {
       type = "postgres";
+      name = forgejo-user;
+      user = forgejo-user;
       passwordFile = config.age.secrets.postgres-gitea.path;
     };
     lfs.enable = true;
     mailerPasswordFile = config.age.secrets.fastmail.path;
     settings = {
+      DEFAULT.APP_NAME = "Code by TEC";
       server = {
-        DOMAIN = "git.tecosaur.net";
-        ROOT_URL = "https://git.tecosaur.net";
+        DOMAIN = "code.tecosaur.net";
+        ROOT_URL = "https://code.tecosaur.net";
         HTTP_ADDRESS = "0.0.0.0";
         HTTP_PORT = 3000;
       };
       mailer = {
         ENABLED = true;
         PROTOCOL = "smtp+startls";
-        FROM = "forgejo@git.tecosaur.net";
+        FROM = "forgejo@code.tecosaur.net";
         USER = "tec@tecosaur.net";
         SMTP_ADDR = "smtp.fastmail.com:587";
       };
@@ -56,6 +61,9 @@
       # "repository.mimetype_mapping" = {
       #   ".org" = "text/org";
       # };
+      # actions = {
+      #   ENABLED = true;
+      # };
       ui = {
         GRAPH_MAX_COMMIT_NUM = 200;
         DEFAULT_THEME = "auto";
@@ -70,15 +78,14 @@
     };
   };
 
-  # users.users.gitea.uid = 997;
-  # users.enforceIdUniqueness = false;
-  # users.users.git = {
-  #   uid = config.users.users.gitea.uid;
-  #   home = config.services.gitea.stateDir;
-  #   useDefaultShell = true;
-  #   group = "gitea";
-  #   isSystemUser = true;
-  # };
+  users.users.${forgejo-user} = {
+    home = config.services.forgejo.stateDir;
+    useDefaultShell = true;
+    group = forgejo-user;
+    isSystemUser = true;
+  };
+
+  users.groups.${forgejo-user} = {};
 
   systemd.tmpfiles.rules = [
     "L+ ${config.services.gitea.stateDir}/custom/templates/home.tmpl - - - - ${./template-home.tmpl}"

packages/caddy.nix

@@ -7,7 +7,7 @@
 , testers
 , installShellFiles
 , externalPlugins ? []
-, vendorHash ? "sha256-O0j6LwUQGa+NnotR2QpSIbNH+RI9y8mRrNoxbJqTw8k="
+, vendorHash ? "sha256-uLmOv8//ZlgF9fB91whmwJMmI/n+/MMnLW4E6j2qeSk="
 }:
 
 let