forgejo
Self-hosted Git server
Examples
Simple
{config, ...}: {
  nps.stacks.forgejo = {
    enable = true;
    lfsJwtSecretFile = config.sops.secrets."forgejo/lfs_jwt_secret".path;
    secretKeyFile = config.sops.secrets."forgejo/secret_key".path;
    internalTokenFile = config.sops.secrets."forgejo/internal_token".path;
    jwtSecretFile = config.sops.secrets."forgejo/jwt_secret".path;
  };
}

With Automatic Admin Provisioning
{config, ...}: {
  nps.stacks.forgejo = {
    enable = true;
    lfsJwtSecretFile = config.sops.secrets."forgejo/lfs_jwt_secret".path;
    secretKeyFile = config.sops.secrets."forgejo/secret_key".path;
    internalTokenFile = config.sops.secrets."forgejo/internal_token".path;
    jwtSecretFile = config.sops.secrets."forgejo/jwt_secret".path;
    adminProvisioning = {
      username = "forgejo";
      email = "admin@example.com";
      passwordFile = config.sops.secrets."forgejo/admin_password".path;
    };
  };
}

With OIDC Login
{config, ...}: {
  nps.stacks.forgejo = {
    enable = true;
    lfsJwtSecretFile = config.sops.secrets."forgejo/lfs_jwt_secret".path;
    secretKeyFile = config.sops.secrets."forgejo/secret_key".path;
    internalTokenFile = config.sops.secrets."forgejo/internal_token".path;
    jwtSecretFile = config.sops.secrets."forgejo/jwt_secret".path;
    oidc = {
      enable = true;
      clientSecretFile = config.sops.secrets."forgejo/authelia/client_secret".path;
      clientSecretHash = "$pbkdf2-sha512$...";
    };
  };
}

With Postgres
{config, ...}: {
  nps.stacks.forgejo = {
    enable = true;
    lfsJwtSecretFile = config.sops.secrets."forgejo/lfs_jwt_secret".path;
    secretKeyFile = config.sops.secrets."forgejo/secret_key".path;
    internalTokenFile = config.sops.secrets."forgejo/internal_token".path;
    jwtSecretFile = config.sops.secrets."forgejo/jwt_secret".path;
    db = {
      type = "postgres";
      passwordFile = config.sops.secrets."forgejo/db_password".path;
    };
  };
}

Stack Options
nps.stacks.forgejo.adminProvisioning.email
Email address for the admin user
nps.stacks.forgejo.adminProvisioning.enable
Whether to automatically create an admin user on the first run.
If set to false, an admin user can be created manually using the Forgejo CLI.
See https://forgejo.org/docs/next/admin/command-line/#admin-user-create
nps.stacks.forgejo.adminProvisioning.passwordFile
Path to a file containing the admin password
nps.stacks.forgejo.adminProvisioning.username
Username for the admin user. Cannot be admin as that name is reserved.
nps.stacks.forgejo.containers.forgejo
Alias of services.podman.containers.forgejo.
nps.stacks.forgejo.db.passwordFile
The file containing the PostgreSQL password for the database. Only used if db.type is set to "postgres".
nps.stacks.forgejo.db.type
Type of the database to use.
Can be set to "sqlite" or "postgres".
If set to "postgres", the passwordFile option must be set.
nps.stacks.forgejo.db.username
The PostgreSQL user to use for the database. Only used if db.type is set to "postgres".
nps.stacks.forgejo.enable
Whether to enable forgejo.
nps.stacks.forgejo.internalTokenFile
Path to a file containing the internal token.
Can be generated using forgejo generate secret INTERNAL_TOKEN.
See https://forgejo.org/docs/latest/admin/config-cheat-sheet/#security-security
nps.stacks.forgejo.jwtSecretFile
Path to a file containing the OAuth2 JWT secret. This is required even if OAuth2 is not used. See https://codeberg.org/forgejo/forgejo/issues/4570 for more information.
Can be generated using forgejo generate secret JWT_SECRET.
See https://forgejo.org/docs/latest/admin/config-cheat-sheet/#oauth2-oauth2
nps.stacks.forgejo.lfsJwtSecretFile
Path to a file containing the LFS JWT secret.
Can be generated using forgejo generate secret LFS_JWT_SECRET.
See https://forgejo.org/docs/next/admin/config-cheat-sheet/#server-server
nps.stacks.forgejo.oidc.adminGroup
Users of this group will be admin
nps.stacks.forgejo.oidc.clientSecretFile
The file containing the client secret for the OIDC client that will be registered in Authelia.
For examples on how to generate a client secret, see
https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#client-secret
Type: string
Example: config.sops.secrets."immich/authelia/client_secret".path
nps.stacks.forgejo.oidc.clientSecretHash
The client secret hash. For examples on how to generate a client secret, see https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#client-secret
The value can be passed in multiple ways:
- As a literal string
- As an absolute path to a file containing the hash (toFile)
- As an absolute path to a file containing the client_secret, in which case the hash will be automatically computed (toHash)
- As null
If left unset (null), the client secret will be read from the file specified in the clientSecretFile option and hashed automatically before being passed to the Authelia container.
Type: null or string or (submodule)
Default: null
Example:
# Literal String:
"$pbkdf2-sha512$310000$cbOAIWbfz3vCVXIPIp6d2A$J0klwULa6TvPRCU1HAfuKua/dMKTl8gbTYJz2N73ejGUu0LUGz/y3kwmJLuKuAYGg3WQOT0q9ZzVHHUvpKpgvQ"
# Client secret hash stored in a file
{ fromFile = config.sops.secrets."immich/client_secret_hash".path; }
# Client secret stored in a file: Hash will be computed dynamically
{ toHash = config.sops.secrets."immich/client_secret".path; }
# Null (default): Hash will be computed automatically based on the clientSecretFile option
# Equivalent to { toHash = cfg.oidc.clientSecretFile; }
null
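The digest format used by clientSecretHash, as an added example that is not part of this module's code or documentation: Python that produces and verifies a `$pbkdf2-sha512$<iterations>$<salt>$<key>` string from a plaintext client secret, which is the relationship between clientSecretFile and the hash handed to Authelia. The function names are hypothetical, and the passlib-style adapted base64 encoding (`+` written as `.`, no padding) and the 16-byte salt / 64-byte key sizes are assumptions based on the literal shown above.

```python
import base64
import hashlib
import hmac
import os

PREFIX = "pbkdf2-sha512"  # algorithm tag seen in the page's literal digest


def ab64_encode(raw):
    """Adapted base64 (assumed encoding): '+' becomes '.', '=' padding dropped."""
    return base64.b64encode(raw).decode("ascii").rstrip("=").replace("+", ".")


def ab64_decode(text):
    """Reverse of ab64_encode; raises ValueError on characters outside the alphabet."""
    padded = text.replace(".", "+") + "=" * (-len(text) % 4)
    return base64.b64decode(padded, validate=True)


def hash_client_secret(secret, iterations=310000, salt=None):
    """Derive the digest string that the OIDC provider stores instead of the secret."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha512", secret.encode(), salt, iterations, dklen=64)
    return "${}${}${}${}".format(PREFIX, iterations, ab64_encode(salt), ab64_encode(key))


def parse_digest(digest):
    """Split a digest into (iterations, salt, key), rejecting other formats."""
    parts = digest.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != PREFIX:
        raise ValueError("not a $pbkdf2-sha512$ digest")
    iterations = int(parts[2])
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    return iterations, ab64_decode(parts[3]), ab64_decode(parts[4])


def verify_client_secret(secret, digest):
    """Recompute the key with the digest's own parameters; compare in constant time."""
    iterations, salt, expected = parse_digest(digest)
    got = hashlib.pbkdf2_hmac("sha512", secret.encode(), salt, iterations,
                              dklen=len(expected))
    return hmac.compare_digest(got, expected)
```

Only the digest needs to be readable by the Authelia side; the plaintext secret file is what Forgejo presents as the OIDC client.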
nps.stacks.forgejo.oidc.enable
Whether to enable OIDC login with Authelia. This will register an OIDC client in Authelia and set up the necessary configuration.
For details, see:
nps.stacks.forgejo.oidc.userGroup
Users of this group will be able to log in
nps.stacks.forgejo.secretKeyFile
Path to a file containing the global secret key.
Can be generated using forgejo generate secret SECRET_KEY.
See https://forgejo.org/docs/latest/admin/config-cheat-sheet/#security-security
nps.stacks.forgejo.settings
Additional app settings for Forgejo. For a full list of options, refer to the Forgejo documentation.
Type: null or (attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string)))
Default: null