tofu workflow

nixos/hosts/forgejo/forgejo.nix

@@ -16,6 +16,11 @@ in {
     user = "forgejo";
     group = "forgejo";
     stateDir = "/srv/forgejo";
+    secrets = {
+      mailer = {
+        PASSWD = ;
+      };
+    };
     settings = {
       # https://forgejo.org/docs/latest/admin/config-cheat-sheet/
       server = {
@@ -34,8 +39,7 @@ in {
 
         PROTOCOL = "smtp+starttls";
         SMTP_ADDR = "mail.procopius.dk";
-        USER = "admin@procopius.dk";
-        PASSWD = "mikael";
+        USER = "git@procopius.dk";
       };
       database = {
         DB_TYPE = lib.mkForce "postgres";
@@ -57,9 +61,9 @@ in {
         ZOMBIE_TASK_TIMEOUT = "30m";
       };
       ldap = {
-        AUTHORIZATION_NAME = "My LDAP";
-        HOST = "ldap.example.com";
-        PORT = 389;
+        AUTHORIZATION_NAME = "LLDAP";
+        HOST = "auth.lab";
+        PORT = 3890;
         ENABLE_TLS = false;
         USER_SEARCH_BASE = "ou=users,dc=example,dc=com";
         USER_FILTER = "(&(objectClass=user)(sAMAccountName=%[1]s))";
@@ -86,7 +90,6 @@ in {
 
       security = {
         INSTALL_LOCK = true;
-        SECRET_KEY = config.sops.secrets."forgejo-secret-key".path; # can be another secret
       };
     };
   };

nixos/hosts/forgejo/storage.nix

@@ -1,26 +1,12 @@
 {
-  # services.nfs.client = {
-  #   enable = true;
-  #   idmapd.enable = true;
-  # };
-
-  # environment.etc."idmapd.conf".text = ''
-  #   [General]
-  #   Domain = localdomain
-
-  #   [Mapping]
-  #   Nobody-User = nobody
-  #   Nobody-Group = nogroup
-  # '';
-
-  boot.supportedFilesystems = [ "nfs" ];
+  boot.supportedFilesystems = ["nfs"];
 
   services.rpcbind.enable = true;
 
   fileSystems."/srv/forgejo" = {
     device = "192.168.1.226:/volume1/data/forgejo";
     fsType = "nfs4";
-    options = [ "x-systemd.automount" "noatime" "_netdev" ];
+    options = ["x-systemd.automount" "noatime" "_netdev"];
   };
 
   systemd.tmpfiles.rules = [

nixos/hosts/sandbox/host.nix

@@ -1,15 +0,0 @@
-{
-  config,
-  pkgs,
-  modulesPath,
-  lib,
-  ...
-}: {
-  imports = [
-    ../../templates/base.nix
-    ./networking.nix
-    ./storage.nix
-    ./sandbox.nix
-    ./warpgate.nix
-  ];
-}

nixos/hosts/sandbox/networking.nix

@@ -1,6 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
-  networking.hostName = "sandbox";
-  networking.interfaces.ens18.useDHCP = true;
-  networking.defaultGateway = "192.168.1.1";
-}

nixos/hosts/sandbox/sandbox.nix

@@ -1,4 +0,0 @@
-{ config, pkgs, modulesPath, lib, ... }:
-
-{
-}

nixos/hosts/sandbox/storage.nix

@@ -1,11 +0,0 @@
-{
-  boot.supportedFilesystems = ["nfs"];
-
-  services.rpcbind.enable = true;
-
-  # fileSystems."/mnt/nas" = {
-  #   device = "192.168.1.226:/volume1/docker";
-  #   fsType = "nfs";
-  #   options = [ "noatime" "vers=4" "rsize=8192" "wsize=8192" ];
-  # };
-}

nixos/hosts/sandbox/warpgate.nix

@@ -1,35 +0,0 @@
-{
-  virtualisation = {
-    containers.enable = true;
-    oci-containers.backend = "podman";
-
-    podman = {
-      enable = true;
-
-      # Create a `docker` alias for podman, to use it as a drop-in replacement
-      dockerCompat = true;
-
-      # Required for containers under podman-compose to be able to talk to each other.
-      defaultNetwork.settings.dns_enabled = true;
-    };
-  };
-  virtualisation.oci-containers.containers = {
-    warpgate = {
-      image = "ghcr.io/warp-tech/warpgate";
-      ports = [
-        "2222:2222"
-        "8888:8888"
-      ];
-      volumes = [
-        "/srv/warpgate/data:/data"
-      ];
-    };
-  };
-
-  systemd.tmpfiles.rules = [
-    "d /srv/warpgate 0755 root root -"
-    "d /srv/warpgate/data 0755 root root -"
-  ];
-
-  networking.firewall.allowedTCPPorts = [8888];
-}