even more backups of things

hosts/lithium/services/forgejo.nix

@@ -41,6 +41,7 @@ in
       server = {
         DOMAIN = svcDomain;
         ROOT_URL = "https://${svcDomain}";
+        HTTP_PORT = 3000;
       };
       # NOTE: Actions support is based on: https://github.com/nektos/act
       #actions = {
@@ -49,6 +50,7 @@ in
       #};
       actions.ENABLED = false;
       # NOTE: Registration is handled with kanidm.
+      # Registration button link is at /user/sign_up
       service = {
         REGISTER_EMAIL_CONFIRM = false;
         DISABLE_REGISTRATION = false;
@@ -87,13 +89,15 @@ in
   services.kanidm.provision.systems.oauth2.forgejo = {
     displayName = "forgejo";
     # TODO: Get this from Forgejo
-    originUrl = "https://git.${homelabDomain}/user/oauth2/${homelabDomain}/callback";
+    # originUrl = "https://git.${homelabDomain}/user/oauth2/${homelabDomain}/callback";
+    originUrl = "${config.services.forgejo.settings.server.ROOT_URL}/user/oauth2/kanidm/callback";
     originLanding = "https://git.${homelabDomain}/";
     #basicSecretFile = "TODO!SETME";
     scopeMaps."git.users" = [
       "openid"
       "email"
       "profile"
+      "groups"
     ];
     # WARNING: PKCE is currently not supported by gitea/forgejo,
     # see https://github.com/go-gitea/gitea/issues/21376
@@ -137,5 +141,5 @@ in
   # TODO: Consider automatically creating admin account and password...
   # https://wiki.nixos.org/wiki/Forgejo#Ensure_users
   # Might be necessary to generate a token for kanidm
-  #sops.secrets.forgejo-admin-password.owner = "forgejo";
+  sops.secrets."forgejo/admin-password".owner = "forgejo";
 }