parent
f1f2295806
commit
0c43fa3396
9 changed files with 185 additions and 35 deletions
15
flake.nix
|
@ -3,8 +3,8 @@
|
||||||
|
|
||||||
inputs = {
|
inputs = {
|
||||||
# Nixpkgs and unstable
|
# Nixpkgs and unstable
|
||||||
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
|
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
|
||||||
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
|
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.11";
|
||||||
|
|
||||||
# impermanence
|
# impermanence
|
||||||
# https://github.com/nix-community/impermanence
|
# https://github.com/nix-community/impermanence
|
||||||
|
@ -17,13 +17,20 @@
|
||||||
# https://github.com/nix-community
|
# https://github.com/nix-community
|
||||||
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
|
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
|
||||||
|
|
||||||
# home-manager - home user+dotfile manager
|
# home-manager - unstable
|
||||||
# https://github.com/nix-community/home-manager
|
# https://github.com/nix-community/home-manager
|
||||||
home-manager = {
|
home-manager = {
|
||||||
url = "github:nix-community/home-manager/release-23.11";
|
url = "github:nix-community/home-manager/master";
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# home-manager - stable
|
||||||
|
# https://github.com/nix-community/home-manager
|
||||||
|
home-manager-stable = {
|
||||||
|
url = "github:nix-community/home-manager/release-23.11";
|
||||||
|
inputs.nixpkgs.follows = "nixpkgs-stable";
|
||||||
|
};
|
||||||
|
|
||||||
# sops-nix - secrets with mozilla sops
|
# sops-nix - secrets with mozilla sops
|
||||||
# https://github.com/Mic92/sops-nix
|
# https://github.com/Mic92/sops-nix
|
||||||
sops-nix = {
|
sops-nix = {
|
||||||
|
|
|
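Review bot: The comment `# Nixpkgs and unstable` above the nixpkgs inputs is now stale: after this change `nixpkgs` resolves to nixos-unstable and `nixpkgs-stable` to nixos-23.11, so the old wording reads as if the first input were the stable one; suggest `# Nixpkgs: unstable is the default, 23.11 kept as nixpkgs-stable`. Because every consumer of `pkgs` in the flake goes through the input named `nixpkgs`, swapping the URLs under the existing names moves the whole system to unstable in one step, which is worth stating next to the `nixpkgs.url` line. `home-manager.url` now tracks `master` rather than a release branch; the lock file pins the exact revision, but each `nix flake update` will pull whatever master holds at that moment, which is presumably intended to pair with the unstable channel.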
@ -97,7 +97,7 @@ in
|
||||||
update_path ${homeDirectory}/.cargo/bin
|
update_path ${homeDirectory}/.cargo/bin
|
||||||
update_path ${homeDirectory}/.local/bin
|
update_path ${homeDirectory}/.local/bin
|
||||||
|
|
||||||
set -gx EDITOR "nvim"
|
set -gx EDITOR "vim"
|
||||||
|
|
||||||
set -gx EZA_COLORS "da=1;34:gm=1;34"
|
set -gx EZA_COLORS "da=1;34:gm=1;34"
|
||||||
set -gx EZA_COLORS 'da=1;34:gm=1;34;di=01;34:ln=01;36:pi=33:so=01;35:bd=01;33:cd=33:or=31:ex=01;32:*.7z=01;31:*.bz2=01;31:*.gz=01;31:*.lz=01;31:*.lzma=01;31:*.lzo=01;31:*.rar=01;31:*.tar=01;31:*.tbz=01;31:*.tgz=01;31:*.xz=01;31:*.zip=01;31:*.zst=01;31:*.zstd=01;31:*.bmp=01;35:*.tiff=01;35:*.tif=01;35:*.TIFF=01;35:*.gif=01;35:*.jpeg=01;35:*.jpg=01;35:*.png=01;35:*.webp=01;35:*.pot=01;35:*.pcb=01;35:*.gbr=01;35:*.scm=01;35:*.xcf=01;35:*.spl=01;35:*.stl=01;35:*.dwg=01;35:*.ply=01;35:*.apk=01;31:*.deb=01;31:*.rpm=01;31:*.jad=01;31:*.jar=01;31:*.crx=01;31:*.xpi=01;31:*.avi=01;35:*.divx=01;35:*.m2v=01;35:*.m4v=01;35:*.mkv=01;35:*.MOV=01;35:*.mov=01;35:*.mp4=01;35:*.mpeg=01;35:*.mpg=01;35:*.sample=01;35:*.wmv=01;35:*.3g2=01;35:*.3gp=01;35:*.gp3=01;35:*.webm=01;35:*.flv=01;35:*.ogv=01;35:*.f4v=01;35:*.3ga=01;35:*.aac=01;35:*.m4a=01;35:*.mp3=01;35:*.mp4a=01;35:*.oga=01;35:*.ogg=01;35:*.opus=01;35:*.s3m=01;35:*.sid=01;35:*.wma=01;35:*.flac=01;35:*.alac=01;35:*.mid=01;35:*.midi=01;35:*.pcm=01;35:*.wav=01;35:*.ass=01;33:*.srt=01;33:*.ssa=01;33:*.sub=01;33:*.git=01;33:*.ass=01;33:*README=33:*README.rst=33:*README.md=33:*LICENSE=33:*COPYING=33:*INSTALL=33:*COPYRIGHT=33:*AUTHORS=33:*HISTORY=33:*CONTRIBUTOS=33:*PATENTS=33:*VERSION=33:*NOTICE=33:*CHANGES=33:*CHANGELOG=33:*log=33:*.txt=33:*.md=33:*.markdown=33:*.nfo=33:*.org=33:*.pod=33:*.rst=33:*.tex=33:*.texttile=33:*.bib=35:*.json=35:*.jsonl=35:*.jsonnet=35:*.libsonnet=35:*.rss=35:*.xml=35:*.fxml=35:*.toml=35:*.yaml=35:*.yml=35:*.dtd=35:*.cbr=35:*.cbz=35:*.chm=35:*.pdf=35:*.PDF=35:*.epub=35:*.awk=35:*.bash=35:*.bat=35:*.BAT=35:*.sed=35:*.sh=35:*.zsh=35:*.vim=35:*.py=35:*.ipynb=35:*.rb=35:*.gemspec=35:*.pl=35:*.PL=35:*.t=35:*.msql=35:*.mysql=35:*.pgsql=35:*.sql=35:*.r=35:*.R=35:*.cljw=35:*.scala=35:*.sc=35:*.dart=35:*.asm=35:*.cl=35:*.lisp=35:*.rkt=35:*.el=35:*.elc=35:*.eln=35:*.lua=35:*.c=35:*.C=35:*.h=35:*.H=35:*.tcc=35:*.c++=35:*.h++=35:*.hpp=35:*.hxx=35:*ii.=35:*.m=35:*.M=35:*.cc=35:*.cs=35:*.cp=35:*.cpp=35:*.cxx=35:*.go=35:*.f
=35:*.F=35:*.nim=35:*.nimble=35:*.s=35:*.S=35:*.rs=35:*.scpt=35:*.swift=35:*.vala=35:*.vapi=35:*.hs=35:*.lhs=35:*.zig=35:*.v=35:*.pyc=35:*.tf=35:*.tfstate=35:*.tfvars=35:*.css=35:*.less=35:*.sass=35:*.scss=35:*.htm=35:*.html=35:*.jhtm=35:*.mht=35:*.eml=35:*.coffee=35:*.java=35:*.js=35:*.mjs=35:*.jsm=35:*.jsp=35:*.rasi=35:*.php=35:*.twig=35:*.vb=35:*.vba=35:*.vbs=35:*.Dockerfile=35:*.dockerignore=35:*.Makefile=35:*.MANIFEST=35:*.am=35:*.in=35:*.hin=35:*.scan=35:*.m4=35:*.old=35:*.out=35:*.SKIP=35:*.diff=35:*.patch=35:*.tmpl=35:*.j2=35:*PKGBUILD=35:*config=35:*.conf=35:*.service=31:*.@.service=31:*.socket=31:*.swap=31:*.device=31:*.mount=31:*.automount=31:*.target=31:*.path=31:*.timer=31:*.snapshot=31:*.allow=31:*.swp=31:*.swo=31:*.tmp=31:*.pid=31:*.state=31:*.lock=31:*.lockfile=31:*.pacnew=31:*.un=31:*.orig=31:'
|
set -gx EZA_COLORS 'da=1;34:gm=1;34;di=01;34:ln=01;36:pi=33:so=01;35:bd=01;33:cd=33:or=31:ex=01;32:*.7z=01;31:*.bz2=01;31:*.gz=01;31:*.lz=01;31:*.lzma=01;31:*.lzo=01;31:*.rar=01;31:*.tar=01;31:*.tbz=01;31:*.tgz=01;31:*.xz=01;31:*.zip=01;31:*.zst=01;31:*.zstd=01;31:*.bmp=01;35:*.tiff=01;35:*.tif=01;35:*.TIFF=01;35:*.gif=01;35:*.jpeg=01;35:*.jpg=01;35:*.png=01;35:*.webp=01;35:*.pot=01;35:*.pcb=01;35:*.gbr=01;35:*.scm=01;35:*.xcf=01;35:*.spl=01;35:*.stl=01;35:*.dwg=01;35:*.ply=01;35:*.apk=01;31:*.deb=01;31:*.rpm=01;31:*.jad=01;31:*.jar=01;31:*.crx=01;31:*.xpi=01;31:*.avi=01;35:*.divx=01;35:*.m2v=01;35:*.m4v=01;35:*.mkv=01;35:*.MOV=01;35:*.mov=01;35:*.mp4=01;35:*.mpeg=01;35:*.mpg=01;35:*.sample=01;35:*.wmv=01;35:*.3g2=01;35:*.3gp=01;35:*.gp3=01;35:*.webm=01;35:*.flv=01;35:*.ogv=01;35:*.f4v=01;35:*.3ga=01;35:*.aac=01;35:*.m4a=01;35:*.mp3=01;35:*.mp4a=01;35:*.oga=01;35:*.ogg=01;35:*.opus=01;35:*.s3m=01;35:*.sid=01;35:*.wma=01;35:*.flac=01;35:*.alac=01;35:*.mid=01;35:*.midi=01;35:*.pcm=01;35:*.wav=01;35:*.ass=01;33:*.srt=01;33:*.ssa=01;33:*.sub=01;33:*.git=01;33:*.ass=01;33:*README=33:*README.rst=33:*README.md=33:*LICENSE=33:*COPYING=33:*INSTALL=33:*COPYRIGHT=33:*AUTHORS=33:*HISTORY=33:*CONTRIBUTOS=33:*PATENTS=33:*VERSION=33:*NOTICE=33:*CHANGES=33:*CHANGELOG=33:*log=33:*.txt=33:*.md=33:*.markdown=33:*.nfo=33:*.org=33:*.pod=33:*.rst=33:*.tex=33:*.texttile=33:*.bib=35:*.json=35:*.jsonl=35:*.jsonnet=35:*.libsonnet=35:*.rss=35:*.xml=35:*.fxml=35:*.toml=35:*.yaml=35:*.yml=35:*.dtd=35:*.cbr=35:*.cbz=35:*.chm=35:*.pdf=35:*.PDF=35:*.epub=35:*.awk=35:*.bash=35:*.bat=35:*.BAT=35:*.sed=35:*.sh=35:*.zsh=35:*.vim=35:*.py=35:*.ipynb=35:*.rb=35:*.gemspec=35:*.pl=35:*.PL=35:*.t=35:*.msql=35:*.mysql=35:*.pgsql=35:*.sql=35:*.r=35:*.R=35:*.cljw=35:*.scala=35:*.sc=35:*.dart=35:*.asm=35:*.cl=35:*.lisp=35:*.rkt=35:*.el=35:*.elc=35:*.eln=35:*.lua=35:*.c=35:*.C=35:*.h=35:*.H=35:*.tcc=35:*.c++=35:*.h++=35:*.hpp=35:*.hxx=35:*ii.=35:*.m=35:*.M=35:*.cc=35:*.cs=35:*.cp=35:*.cpp=35:*.cxx=35:*.go=35:*.f
=35:*.F=35:*.nim=35:*.nimble=35:*.s=35:*.S=35:*.rs=35:*.scpt=35:*.swift=35:*.vala=35:*.vapi=35:*.hs=35:*.lhs=35:*.zig=35:*.v=35:*.pyc=35:*.tf=35:*.tfstate=35:*.tfvars=35:*.css=35:*.less=35:*.sass=35:*.scss=35:*.htm=35:*.html=35:*.jhtm=35:*.mht=35:*.eml=35:*.coffee=35:*.java=35:*.js=35:*.mjs=35:*.jsm=35:*.jsp=35:*.rasi=35:*.php=35:*.twig=35:*.vb=35:*.vba=35:*.vbs=35:*.Dockerfile=35:*.dockerignore=35:*.Makefile=35:*.MANIFEST=35:*.am=35:*.in=35:*.hin=35:*.scan=35:*.m4=35:*.old=35:*.out=35:*.SKIP=35:*.diff=35:*.patch=35:*.tmpl=35:*.j2=35:*PKGBUILD=35:*config=35:*.conf=35:*.service=31:*.@.service=31:*.socket=31:*.swap=31:*.device=31:*.mount=31:*.automount=31:*.target=31:*.path=31:*.timer=31:*.snapshot=31:*.allow=31:*.swp=31:*.swo=31:*.tmp=31:*.pid=31:*.state=31:*.lock=31:*.lockfile=31:*.pacnew=31:*.un=31:*.orig=31:'
|
||||||
|
|
|
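Review bot: In the new `EZA_COLORS` value the third entry is joined with `;` instead of `:` — `gm=1;34;di=01;34` — and since eza splits entries on `:`, `di=01;34` is swallowed into the `gm` style rather than setting the directory colour; the line should read `da=1;34:gm=1;34:di=01;34:ln=01;36:...`. The same string also lists `*.ass=01;33` twice, and `*CONTRIBUTOS`, `*.texttile` and `*ii.=35` look like typos of `CONTRIBUTORS`, `textile` and `*.ii`, entries that will silently never match. The enclosing fish `''` block starts before the hunk.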
@ -28,4 +28,12 @@
|
||||||
|
|
||||||
swapDevices = [ ];
|
swapDevices = [ ];
|
||||||
|
|
||||||
|
mySystem = {
|
||||||
|
security.acme.enable = true;
|
||||||
|
services = {
|
||||||
|
forgejo.enable = true;
|
||||||
|
nginx.enable = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
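Review bot: The new `mySystem` block enables acme, forgejo and nginx together without saying why acme is required on this host; the forgejo module's vhost sets `useACMEHost = config.networking.domain`, so acme is a hard dependency of forgejo here rather than an independent choice. A one-line comment such as `# acme: required by the forgejo vhost (useACMEHost = networking.domain)` above `security.acme.enable = true;` would make that coupling visible to whoever later disables one of the three.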
@ -19,14 +19,13 @@ in
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
sops.secrets = {
|
sops.secrets = {
|
||||||
"security/acme/env".sopsFile = ./secrets.sops.yaml;
|
"security/acme/env".sopsFile = ./secrets.sops.yaml;
|
||||||
"security/acme/env".restartUnits = [ "${app}.service" ];
|
"security/acme/env".restartUnits = [ "lego.service" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.persistence."${config.mySystem.system.impermanence.persistPath}" = lib.mkIf config.mySystem.system.impermanence.enable {
|
environment.persistence."${config.mySystem.system.impermanence.persistPath}" = lib.mkIf config.mySystem.system.impermanence.enable {
|
||||||
directories = [ "/var/lib/acme" ];
|
directories = [ "/var/lib/acme" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
security.acme = {
|
security.acme = {
|
||||||
acceptTerms = true;
|
acceptTerms = true;
|
||||||
defaults.email = "admin@${config.networking.domain}";
|
defaults.email = "admin@${config.networking.domain}";
|
||||||
|
|
|
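Review bot: `restartUnits` for the `security/acme/env` secret now names `lego.service`, but the NixOS `security.acme` module runs renewals from per-certificate units (`acme-<cert>.service`), so unless this host defines a `lego.service` of its own the rotated secret will not restart anything and the stale environment stays in use until the next renewal run. Prefer naming the certificate unit that actually reads the env file, e.g. `restartUnits = [ "acme-<cert>.service" ];` with `<cert>` replaced by the certificate name this module declares. The `config = mkIf cfg.enable { ... }` block continues past the hunk.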
@ -1,6 +1,6 @@
|
||||||
security:
|
security:
|
||||||
acme:
|
acme:
|
||||||
env: ENC[AES256_GCM,data:xOsM9gewm+R6rB74IK7vKQ==,iv:Pc/+RZbIm3cljBrHX666NOoaWyavSTfchG42KgZGHi8=,tag:4ZYPeMVZc0FW4QMqQen/4A==,type:str]
|
env: ENC[AES256_GCM,data:ZdtHl/MTYH1Hiw5Euf6PudZi74rFapfjbUlgEpUXA+H1kbqhZ8SdxEad1Pp8bAhEMpjK72uIAwHtGzz3HgElp4g=,iv:I5q2Ntn7Fh34VQd6ALH8NjKJI21V+fGBdw9RIEd8ksg=,tag:Y5mlPUq0QEAdXeU4Y4cheg==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -10,41 +10,41 @@ sops:
|
||||||
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
|
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByRlNxNmp0a05HR1Z5NExm
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6WjhEaW54SEpGRGgwT0ly
|
||||||
Ym1tcWRra0I5eVdqN0lBbDAvSHI4YWhDekJzClZhVmh0WnhjMEpRbXorZS9nWEly
|
REVkS2xvOGxhT1puRm5Gc0N1Y1FHWko1ekcwCml5MHFWWG1qNjNZbkY1TldORFdm
|
||||||
N094c1ZmUkkxQ3hCUzZ2dlVXMmNzL2MKLS0tIFdRY0hkM3FTbWl5dnpZYjJ3NEFQ
|
YWRMTjJwODFYZFhXcHNxWUViNCtVcUEKLS0tIGlpdVdwc01XUmpsT0VFSWJXa01J
|
||||||
eGxDZmhBSFNtMENySnBFMXdqWFJDR28K6VIwYHAOSgoHOgMuK39S1YomMdBZDOQ9
|
bHoxZnBPZFFjQ0FCdWJrVGwzcEEzakEKNLWXfzWIQqaciDQ9ZQc3qnF9lnZew1D6
|
||||||
cHFR/jDzLLIobP+J12PJW57IwjO0ZlquhFvZqcnPDih650Hwn370gw==
|
q3vHQJ6rEagGh/EsHzdDzo8y5NOj7L5e+Igi9rwtoS7+Xle55i3T+Q==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg
|
- recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxM1U1MlFhMXZKcTd2czFI
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEbUUzc1BHbWkxQlJqcDZs
|
||||||
N3ZyL1UxRU5aNEpuWmJ2NGNnYUZCYlpEUW5ZCktsQlhyYUFxeC9sd2ZXUnpadWQ2
|
aVhrYkdzM054R3hkT2g4Tm90WTNseEdlR21VCkF3NkJqSVIrYzJZUHVNNVJncEla
|
||||||
WEFBTi9UR0FodWpTS1pJQ2krdUhFeFEKLS0tIFZMS2RlOEl4aUt6VXk5VUl1b21n
|
RnVDcG1OTWlQa2l4dEVhdEQ3dWRTa3MKLS0tIEpnQ3pqb090N0Jta0QzdEhrNUFy
|
||||||
dTVXRzEyd3EreXZOS0wvK0dqK1JHVkUKbOGwJEtp8QJ1Y0oUZUR69bP/fvyQCDAy
|
eU9iZ0xzSUcrVG1VV3BQbnUxSll1ZWsKeSVfkJgoPnSiW0rguTwUFvbYdA2LETIR
|
||||||
WJQfP/H8oRwq8YkWOcusmYd5zpY2guAkAraxiXT04jWr2Knci+UvTA==
|
OePUhnczLMJL6Qj+uolCJB5cedLPpmOuPILKU1BI0eZEmH8HsarCdQ==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
|
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2UU0yT01hRkNja01JOVRL
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBudk1BWGVWY1IwSXhOZVNX
|
||||||
TDRkM2twOWo4K2czT2E1NUFJbzdSbEZpTkdnCnFxS3hCakllOHlBOGVRYWY2L2dX
|
bHFQQ0pYaWo3R3B1bXFpbndRMTdBRHdndlNvClJSTjN6WTQ4b2V2NHdISXVTMDZj
|
||||||
SjJLWEFMalVVdkpmTGIwWldUM0ZkK3MKLS0tIDZoV2JxUWRob3dTR0xoell4cVJJ
|
MkFrQnhMUmIxWnJGZjFRT3VDeWVZQW8KLS0tIENlTUM1TEdnOEh6UFVjSWREYW5q
|
||||||
d1Vja1o1S29sNU9YTnFZRUw5cmx1Z2cKn1NlVWpkhY5UCCNUeusQP1mqmf4r4jfj
|
THhhdG5oYm96QlUwZW42YUJDeDdTbW8KNRwQ/ENQPgeJiXNggFxcgkymhVQy66TO
|
||||||
IFTA+cQObz5ID5UKXHOtUsNR/P3holDDWqbWycParrnccink+bJvQg==
|
IRzxYmmo/MlBhDWQlk0EBFHYudmC8lF7n/pTvM8pz6V/5tc0Y1R9ow==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
|
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4NUx4b2dnYzhDWHRHdXdU
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvWDgwSXowMG5pM2dzbDJJ
|
||||||
L0U5VXJiaVY4TTlLRENtZGhJcExESDBQRFdnClNrcVlwbU9kYVRTTitWQW1nUjR0
|
clNFM2UvcVZWT0o4UVZQdnlxc25BeXR4V1hjClVzZHlXaHQvN0NiT0JoWG9EWmRz
|
||||||
MVJ2dHFOYXNESkMzR0VBdDR0dFF5R0UKLS0tIGo3RWljNlQyOHBFWHJYZFZ5bVl0
|
VDAyTkxod0FGVENOZndMTE9aZnM1UmcKLS0tIHAzWFRoZVdXNnIya0gyMFVXa1Va
|
||||||
WWxiKzM3SXpJdmZKMzI3ZGNKSzRYV0EKjOQnIihgj+fPUbjdz83Vng1xHQOmeY5F
|
SUtQblFtK2RSR1F6WFphUWlXRmJCeDgKbvve6CId6RF/F90Px5sl6FdJH6VhLR4w
|
||||||
oyFvCTyZaXpb1GlOcx/MKrjlcteCuBgJ1VNq65KgVy7IQBCBMOkVow==
|
K52iqxq1or/YKUn69dC9l21UwW2u1dJ7g9lTXcRll/clmh8LtDXZXw==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-05-11T03:03:13Z"
|
lastmodified: "2024-05-13T03:24:35Z"
|
||||||
mac: ENC[AES256_GCM,data:woOIDwPLTaNDmxI5OJiXuDh2UiSiEEEMRqL61mXdfURSVEtr/ZRF7GsEwW3m243Ztbxp7k+i2KE7ydzQtyJJB4+xSg+BL2F/99ld7XLCPUrH6PjugzSu26G1H42Ir/v/BaFyPNNHzJdA3YpT++o1yVIZqvx9xf2pOwDzIf/0o/Y=,iv:NUrbxRxn1w/Q3WMkplObO0GU6APhdZNjtaZytQ1yzbE=,tag:/7QsYDRBZrNFALYlA8hL+w==,type:str]
|
mac: ENC[AES256_GCM,data:Gz8uMG1pYseVsD1ooCuT48euPjed47su97ycdtKFsy8r3fLRvXUIfP8YPxSJ/OPGPm0yXBoNGRCovoey1N3B8NQXqWmQ78pmHIEVN6EqM8DvKLUn3a4XR52g0mURGqgFqJJXJCxn/UN4SMs1Kbl3Ahc9cXf17J1MoScVRqhpDWE=,iv:xYX7OUtaKDwjRohYN3q0mdrFfjop3XtzxAjQrMFrydk=,tag:sawX4x4KFzHJoPAeE18dag==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.8.1
|
version: 3.8.1
|
||||||
|
|
|
@ -28,5 +28,6 @@
|
||||||
./miniflux
|
./miniflux
|
||||||
./calibre-web
|
./calibre-web
|
||||||
./rss-bridge
|
./rss-bridge
|
||||||
|
./forgejo
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
89
nixos/modules/nixos/services/forgejo/default.nix
Normal file
|
@ -0,0 +1,89 @@
|
||||||
|
{ lib, pkgs, config, ... }:
|
||||||
|
with lib;
|
||||||
|
let
|
||||||
|
cfg = config.mySystem.services.forgejo;
|
||||||
|
app = "forgejo";
|
||||||
|
port = 443;
|
||||||
|
http_port = 3000;
|
||||||
|
serviceUser = "forgejo";
|
||||||
|
domain = "git.hsn.dev";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options.mySystem.services.forgejo = {
|
||||||
|
enable = mkEnableOption "Forgejo";
|
||||||
|
};
|
||||||
|
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
services.nginx = {
|
||||||
|
virtualHosts.${domain} = {
|
||||||
|
forceSSL = true;
|
||||||
|
useACMEHost = config.networking.domain;
|
||||||
|
extraConfig = ''
|
||||||
|
client_max_body_size 512M;
|
||||||
|
'';
|
||||||
|
locations."/".proxyPass = "http://127.0.0.1:${toString http_port}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.forgejo = {
|
||||||
|
enable = true;
|
||||||
|
database.type = "postgres";
|
||||||
|
# Enable support for Git Large File Storage
|
||||||
|
lfs.enable = true;
|
||||||
|
settings = {
|
||||||
|
server = {
|
||||||
|
DOMAIN = domain;
|
||||||
|
# You need to specify this to remove the port from URLs in the web UI.
|
||||||
|
ROOT_URL = "https://${domain}/";
|
||||||
|
HTTP_PORT = http_port;
|
||||||
|
# Default landing page on 'explore'
|
||||||
|
LANDING_PAGE = "explore";
|
||||||
|
};
|
||||||
|
# You can temporarily allow registration to create an admin user.
|
||||||
|
service = {
|
||||||
|
DISABLE_REGISTRATION = true;
|
||||||
|
ENABLE_NOTIFY_MAIL = true;
|
||||||
|
REGISTER_EMAIL_CONFIRM = true;
|
||||||
|
REQUIRE_SIGNIN_VIEW = false;
|
||||||
|
};
|
||||||
|
indexer = {
|
||||||
|
REPO_INDEXER_ENABLED = true;
|
||||||
|
REPO_INDEXER_PATH = "indexers/repos.bleve";
|
||||||
|
MAX_FILE_SIZE = 1048576;
|
||||||
|
REPO_INDEXER_INCLUDE = "";
|
||||||
|
REPO_INDEXER_EXCLUDE = "resources/bin/**";
|
||||||
|
};
|
||||||
|
picture = {
|
||||||
|
AVATAR_UPLOAD_PATH = "/var/lib/forgejo/data/avatars";
|
||||||
|
REPOSITORY_AVATAR_UPLOAD_PATH = "/var/lib/forgejo/data/repo-avatars";
|
||||||
|
};
|
||||||
|
# Add support for actions, based on act: https://github.com/nektos/act
|
||||||
|
actions = {
|
||||||
|
ENABLED = true;
|
||||||
|
};
|
||||||
|
# Sending emails is completely optional
|
||||||
|
# You can send a test email from the web UI at:
|
||||||
|
# Profile Picture > Site Administration > Configuration > Mailer Configuration
|
||||||
|
mailer = {
|
||||||
|
ENABLED = true;
|
||||||
|
SMTP_ADDR = "smtp.mailgun.org";
|
||||||
|
FROM = "git@hsn.dev";
|
||||||
|
USER = "git@mg.hsn.dev";
|
||||||
|
SMTP_PORT = 587;
|
||||||
|
};
|
||||||
|
session = {
|
||||||
|
COOKIE_SECURE = true;
|
||||||
|
COOKIE_NAME = "session";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
mailerPasswordFile = config.sops.secrets."services/forgejo/smtp/password".path;
|
||||||
|
};
|
||||||
|
# sops
|
||||||
|
sops.secrets."services/forgejo/smtp/password" = {
|
||||||
|
sopsFile = ./secrets.sops.yaml;
|
||||||
|
owner = serviceUser;
|
||||||
|
mode = "400";
|
||||||
|
restartUnits = [ "forgejo.service" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
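Review bot: The `server` section sets `HTTP_PORT = http_port` and nginx proxies to `127.0.0.1`, but `HTTP_ADDR` is not set; unless it is set elsewhere, the NixOS forgejo module's default binds on all interfaces, so port 3000 is reachable directly whenever the firewall (configured in a different module) does not cover it. Adding `HTTP_ADDR = "127.0.0.1";` next to `HTTP_PORT` keeps the only route to Forgejo through the TLS vhost. The `let` bindings `app` and `port` and the `pkgs` argument are unused; either drop them or use `restartUnits = [ "${app}.service" ];` so the unit name follows the binding. `useACMEHost = config.networking.domain` assumes the certificate issued for that name also covers `git.hsn.dev` (wildcard or SAN), which cannot be confirmed from this file.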
51
nixos/modules/nixos/services/forgejo/secrets.sops.yaml
Normal file
|
@ -0,0 +1,51 @@
|
||||||
|
services:
|
||||||
|
forgejo:
|
||||||
|
smtp:
|
||||||
|
password: ENC[AES256_GCM,data:WL+v0tKArR90bzbZ04lL6ODADSMXGHAEYAnNrhdgCShEcNjUwJXVHV8bsOIdiAsXoic=,iv:+KPPzcHrHPee2EhQCQzGsCNzLQa9t2MCdXHF3O8zZ+M=,tag:FuxrUg1/qS0WvD222wbfkw==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByQmVLNjhPNThZa3dLd3ha
|
||||||
|
a0VCa1JDaGJXLzQwck1Ga2wvVWU0K1BCbkVRCjdlL3B0cUZVZEtFalFkb2lTWktL
|
||||||
|
cGZGcjR1KzVEYzZKakZHMnlBR0FvM2MKLS0tIHpRZm5nbGpVZmVpVVkrZVVSKzlk
|
||||||
|
ZUx0c29QMWpTRHJ0U3B1V2lkdEJvUk0KVK8GKsSl8uXhw8zbxpW4An/E7UI8yW6u
|
||||||
|
0MELMJtmskLQnCUKKbeE8nAHW2MMGt6schoXwqsAEkspeaf+AC2G1A==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Mk1UVzJQM044aG9BRmg3
|
||||||
|
QnUrdURwNGhONUxnR2Jjbjc1TitWWXEvb2dBCmlGSVh0Y0VNcExUYk9ER3JsNUgx
|
||||||
|
d1BCQWI2L0I0TGZoYUdmamg0aTBVbjQKLS0tIE52elRkSjd3eUlWempGSFBvbHoy
|
||||||
|
U1hZT2FVeEtkSDUvUERRYWpyanI2UUUKO7EHrVbhMFqZdwnIlK0Fnd5cLUVJ9Mhx
|
||||||
|
NRwYxneeBTHg2VV53n+n8mRhO0eQtOfNh6Mvc4eHC2eTBk/XlUynDg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRZWtMQVhOTTJxM1dYYW5w
|
||||||
|
aFViZWU2KzR2RnpDZEdDbk5nU1loQ1F0cVdnCjlPb0VtNFYvQzBiNDZUaTROOHRO
|
||||||
|
a3ZlaFlGblhnR1hRK3lRQ05mR0lJYzQKLS0tIFovSzEyNXhrcC9iRjAyVlZBWXIy
|
||||||
|
UWZBeXIrR0tvaFBVTFhqblB0d2xTM0UKULrTgxENwhZvEpNS0/Puxoh2d8s2zNo4
|
||||||
|
EY+fkaR3dOGjnro+E6PYO7NydZOfc/rT/VUBAQi8Dl8DPlJHV4WOjw==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNaEpWdkk0eUpiT0duTjRS
|
||||||
|
aXEwZlh1dW5oQkNwMjRGbVNKeTRxanpneVdZCkZVTjJHblo0Ui8yYytKeDZHaFVn
|
||||||
|
eVAzeHpxck9VN0pDVnIyb3A3VGdxY2cKLS0tIGRiNVprcHFqVUpJeFJHNklkT3JR
|
||||||
|
azV4ajZHUXFnY1VHS0JzaHM1aUtySHcKWw3FRCjkKm99+Rw7uL+550go0EoKJdKY
|
||||||
|
6tBW4vsh0+a3WBd/cNXwHVt8R3UscZ+MOwgSKyHDA62slqblH+G81Q==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-05-12T03:37:15Z"
|
||||||
|
mac: ENC[AES256_GCM,data:OM7jU2HfvOtNDvK4C5FE567dobZxhBdCDu5KSyBgGfzgFi1tSX0F4YoRZhspmfQKOeT/3+vLj1bfqDIkv2krDeZOnxw8vns7qgnTgR2tOn15bQmS8mIkSyk5WWdS1tbHfk1v+vF8T6lsl78G4nDSU/Q9DyFFdgmQUDDzlwW5vAs=,iv:tZgzqxwPqdDpQVkC/9598ixEzUNES5YMNfTwGUOEErQ=,tag:2w3/EftLvS/a2wl8ug6t3Q==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.8.1
|
|
@ -39,9 +39,7 @@ in
|
||||||
# Prevent injection of code in other mime types (XSS Attacks)
|
# Prevent injection of code in other mime types (XSS Attacks)
|
||||||
add_header X-Content-Type-Options nosniff;
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
|
||||||
|
|
||||||
'';
|
'';
|
||||||
# TODO add cloudflre IP's when/if I ingest internally.
|
|
||||||
commonHttpConfig = ''
|
commonHttpConfig = ''
|
||||||
add_header X-Clacks-Overhead "GNU Terry Pratchett";
|
add_header X-Clacks-Overhead "GNU Terry Pratchett";
|
||||||
'';
|
'';
|
||||||
|
@ -55,12 +53,9 @@ in
|
||||||
extraConfig = "return 444;";
|
extraConfig = "return 444;";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
networking.firewall = {
|
networking.firewall = {
|
||||||
|
|
||||||
allowedTCPPorts = [ 80 443 ];
|
allowedTCPPorts = [ 80 443 ];
|
||||||
allowedUDPPorts = [ 80 443 ];
|
allowedUDPPorts = [ 80 443 ];
|
||||||
};
|
};
|
||||||
|
|