ready for runners

nixos/hosts/forgejo/database.nix

@@ -21,11 +21,6 @@
     '';
   };
 
-  services.prometheus.exporters.postgres = {
-    enable = true;
-    listenAddress = "0.0.0.0";
-    port = 9187;
-  };
-  networking.firewall.allowedTCPPorts = [ 9187 ];
-
+  services.prometheus.exporters.postgres.enable = true;
+  services.prometheus.exporters.postgres.openFirewall = true;
 }

nixos/hosts/forgejo/forgejo.nix

@@ -47,14 +47,11 @@ in
 
       security = {
         INSTALL_LOCK = true;
-        SECRET_KEY = "changeme";  # can be another secret
+        SECRET_KEY = config.sops.secrets."forgejo-secret-key".path; # can be another secret
       };
     };
   };
 
-  sops.secrets.forgejo-admin-password.owner = "forgejo";
-  sops.secrets.forgejo-db-password.owner = "forgejo";
-
   systemd.services.forgejo.preStart = let
     adminCmd = "${lib.getExe cfg.package} admin user";
     user = "plasmagoat"; # Note, Forgejo doesn't allow creation of an account named "admin"

nixos/hosts/forgejo/host.nix

@@ -1,12 +0,0 @@
-{ config, pkgs, modulesPath, lib, ... }:
-
-{
-  imports = [
-    ../../templates/base.nix
-    ../../secrets/sops.nix
-    ./networking.nix
-    ./storage.nix
-    ./forgejo.nix
-    ./database.nix
-  ];
-}

nixos/hosts/forgejo/networking.nix

@@ -1,6 +1,4 @@
-{ config, lib, pkgs, ... }: {
-
-  networking = {
-    hostName = "forgejo";
-  };
+{ config, lib, pkgs, ... }:
+{
+  networking.hostName = "forgejo";
 }

nixos/hosts/forgejo/sops.nix

@@ -0,0 +1,19 @@
+let
+  forgejoSops = ../../secrets/forgejo/secrets.yml;
+in
+{
+  sops.secrets = {
+    "forgejo-admin-password" = {
+      sopsFile = forgejoSops;
+      owner = "forgejo";
+    };
+    "forgejo-db-password" = {
+      sopsFile = forgejoSops;
+      owner = "forgejo";
+    };
+    "forgejo-secret-key" = {
+      sopsFile = forgejoSops;
+      owner = "forgejo";
+    };
+  };
+}