Adding Forgejo - swapping to unstable nixos (#1)

* Adding forgejo
Joseph Hanson 2024-05-13 09:57:15 -05:00 committed by GitHub
parent f1f2295806
commit 0c43fa3396
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
9 changed files with 185 additions and 35 deletions


@ -3,8 +3,8 @@
inputs = { inputs = {
# Nixpkgs and unstable # Nixpkgs and unstable
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.11";
# impermanence # impermanence
# https://github.com/nix-community/impermanence # https://github.com/nix-community/impermanence
@ -17,13 +17,20 @@
# https://github.com/nix-community # https://github.com/nix-community
nixos-hardware.url = "github:NixOS/nixos-hardware/master"; nixos-hardware.url = "github:NixOS/nixos-hardware/master";
# home-manager - home user+dotfile manager # home-manager - unstable
# https://github.com/nix-community/home-manager # https://github.com/nix-community/home-manager
home-manager = { home-manager = {
url = "github:nix-community/home-manager/release-23.11"; url = "github:nix-community/home-manager/master";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
# home-manager - stable
# https://github.com/nix-community/home-manager
home-manager-stable = {
url = "github:nix-community/home-manager/release-23.11";
inputs.nixpkgs.follows = "nixpkgs-stable";
};
# sops-nix - secrets with mozilla sops # sops-nix - secrets with mozilla sops
# https://github.com/Mic92/sops-nix # https://github.com/Mic92/sops-nix
sops-nix = { sops-nix = {
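Review bot: Repointing `nixpkgs` at `nixos-unstable` and renaming the `nixpkgs-unstable` input to `nixpkgs-stable` changes what every `inputs.nixpkgs` consumer builds from. Any overlay or module that still refers to `inputs.nixpkgs-unstable` will fail to evaluate, and none of the nine sections in this commit touches such a consumer, so that is worth checking. No section here looks like `flake.lock` either, so the new `nixpkgs-stable` and `home-manager-stable` inputs appear to be left unpinned by this commit; committing the regenerated lock alongside keeps the channel switch reproducible and reviewable. The retained comment `# Nixpkgs and unstable` is now stale, and something like `# nixpkgs = nixos-unstable (default); nixpkgs-stable = 23.11` would make the inverted naming explicit.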


@ -97,7 +97,7 @@ in
update_path ${homeDirectory}/.cargo/bin update_path ${homeDirectory}/.cargo/bin
update_path ${homeDirectory}/.local/bin update_path ${homeDirectory}/.local/bin
set -gx EDITOR "nvim" set -gx EDITOR "vim"
set -gx EZA_COLORS "da=1;34:gm=1;34" set -gx EZA_COLORS "da=1;34:gm=1;34"
set -gx EZA_COLORS 'da=1;34:gm=1;34;di=01;34:ln=01;36:pi=33:so=01;35:bd=01;33:cd=33:or=31:ex=01;32:*.7z=01;31:*.bz2=01;31:*.gz=01;31:*.lz=01;31:*.lzma=01;31:*.lzo=01;31:*.rar=01;31:*.tar=01;31:*.tbz=01;31:*.tgz=01;31:*.xz=01;31:*.zip=01;31:*.zst=01;31:*.zstd=01;31:*.bmp=01;35:*.tiff=01;35:*.tif=01;35:*.TIFF=01;35:*.gif=01;35:*.jpeg=01;35:*.jpg=01;35:*.png=01;35:*.webp=01;35:*.pot=01;35:*.pcb=01;35:*.gbr=01;35:*.scm=01;35:*.xcf=01;35:*.spl=01;35:*.stl=01;35:*.dwg=01;35:*.ply=01;35:*.apk=01;31:*.deb=01;31:*.rpm=01;31:*.jad=01;31:*.jar=01;31:*.crx=01;31:*.xpi=01;31:*.avi=01;35:*.divx=01;35:*.m2v=01;35:*.m4v=01;35:*.mkv=01;35:*.MOV=01;35:*.mov=01;35:*.mp4=01;35:*.mpeg=01;35:*.mpg=01;35:*.sample=01;35:*.wmv=01;35:*.3g2=01;35:*.3gp=01;35:*.gp3=01;35:*.webm=01;35:*.flv=01;35:*.ogv=01;35:*.f4v=01;35:*.3ga=01;35:*.aac=01;35:*.m4a=01;35:*.mp3=01;35:*.mp4a=01;35:*.oga=01;35:*.ogg=01;35:*.opus=01;35:*.s3m=01;35:*.sid=01;35:*.wma=01;35:*.flac=01;35:*.alac=01;35:*.mid=01;35:*.midi=01;35:*.pcm=01;35:*.wav=01;35:*.ass=01;33:*.srt=01;33:*.ssa=01;33:*.sub=01;33:*.git=01;33:*.ass=01;33:*README=33:*README.rst=33:*README.md=33:*LICENSE=33:*COPYING=33:*INSTALL=33:*COPYRIGHT=33:*AUTHORS=33:*HISTORY=33:*CONTRIBUTOS=33:*PATENTS=33:*VERSION=33:*NOTICE=33:*CHANGES=33:*CHANGELOG=33:*log=33:*.txt=33:*.md=33:*.markdown=33:*.nfo=33:*.org=33:*.pod=33:*.rst=33:*.tex=33:*.texttile=33:*.bib=35:*.json=35:*.jsonl=35:*.jsonnet=35:*.libsonnet=35:*.rss=35:*.xml=35:*.fxml=35:*.toml=35:*.yaml=35:*.yml=35:*.dtd=35:*.cbr=35:*.cbz=35:*.chm=35:*.pdf=35:*.PDF=35:*.epub=35:*.awk=35:*.bash=35:*.bat=35:*.BAT=35:*.sed=35:*.sh=35:*.zsh=35:*.vim=35:*.py=35:*.ipynb=35:*.rb=35:*.gemspec=35:*.pl=35:*.PL=35:*.t=35:*.msql=35:*.mysql=35:*.pgsql=35:*.sql=35:*.r=35:*.R=35:*.cljw=35:*.scala=35:*.sc=35:*.dart=35:*.asm=35:*.cl=35:*.lisp=35:*.rkt=35:*.el=35:*.elc=35:*.eln=35:*.lua=35:*.c=35:*.C=35:*.h=35:*.H=35:*.tcc=35:*.c++=35:*.h++=35:*.hpp=35:*.hxx=35:*ii.=35:*.m=35:*.M=35:*.cc=35:*.cs=35:*.cp=35:*.cpp=35:*.cxx=35:*.go=35:*.f
=35:*.F=35:*.nim=35:*.nimble=35:*.s=35:*.S=35:*.rs=35:*.scpt=35:*.swift=35:*.vala=35:*.vapi=35:*.hs=35:*.lhs=35:*.zig=35:*.v=35:*.pyc=35:*.tf=35:*.tfstate=35:*.tfvars=35:*.css=35:*.less=35:*.sass=35:*.scss=35:*.htm=35:*.html=35:*.jhtm=35:*.mht=35:*.eml=35:*.coffee=35:*.java=35:*.js=35:*.mjs=35:*.jsm=35:*.jsp=35:*.rasi=35:*.php=35:*.twig=35:*.vb=35:*.vba=35:*.vbs=35:*.Dockerfile=35:*.dockerignore=35:*.Makefile=35:*.MANIFEST=35:*.am=35:*.in=35:*.hin=35:*.scan=35:*.m4=35:*.old=35:*.out=35:*.SKIP=35:*.diff=35:*.patch=35:*.tmpl=35:*.j2=35:*PKGBUILD=35:*config=35:*.conf=35:*.service=31:*.@.service=31:*.socket=31:*.swap=31:*.device=31:*.mount=31:*.automount=31:*.target=31:*.path=31:*.timer=31:*.snapshot=31:*.allow=31:*.swp=31:*.swo=31:*.tmp=31:*.pid=31:*.state=31:*.lock=31:*.lockfile=31:*.pacnew=31:*.un=31:*.orig=31:' set -gx EZA_COLORS 'da=1;34:gm=1;34;di=01;34:ln=01;36:pi=33:so=01;35:bd=01;33:cd=33:or=31:ex=01;32:*.7z=01;31:*.bz2=01;31:*.gz=01;31:*.lz=01;31:*.lzma=01;31:*.lzo=01;31:*.rar=01;31:*.tar=01;31:*.tbz=01;31:*.tgz=01;31:*.xz=01;31:*.zip=01;31:*.zst=01;31:*.zstd=01;31:*.bmp=01;35:*.tiff=01;35:*.tif=01;35:*.TIFF=01;35:*.gif=01;35:*.jpeg=01;35:*.jpg=01;35:*.png=01;35:*.webp=01;35:*.pot=01;35:*.pcb=01;35:*.gbr=01;35:*.scm=01;35:*.xcf=01;35:*.spl=01;35:*.stl=01;35:*.dwg=01;35:*.ply=01;35:*.apk=01;31:*.deb=01;31:*.rpm=01;31:*.jad=01;31:*.jar=01;31:*.crx=01;31:*.xpi=01;31:*.avi=01;35:*.divx=01;35:*.m2v=01;35:*.m4v=01;35:*.mkv=01;35:*.MOV=01;35:*.mov=01;35:*.mp4=01;35:*.mpeg=01;35:*.mpg=01;35:*.sample=01;35:*.wmv=01;35:*.3g2=01;35:*.3gp=01;35:*.gp3=01;35:*.webm=01;35:*.flv=01;35:*.ogv=01;35:*.f4v=01;35:*.3ga=01;35:*.aac=01;35:*.m4a=01;35:*.mp3=01;35:*.mp4a=01;35:*.oga=01;35:*.ogg=01;35:*.opus=01;35:*.s3m=01;35:*.sid=01;35:*.wma=01;35:*.flac=01;35:*.alac=01;35:*.mid=01;35:*.midi=01;35:*.pcm=01;35:*.wav=01;35:*.ass=01;33:*.srt=01;33:*.ssa=01;33:*.sub=01;33:*.git=01;33:*.ass=01;33:*README=33:*README.rst=33:*README.md=33:*LICENSE=33:*COPYING=33:*INSTALL=33:*COPYRIGHT=33:*AU
THORS=33:*HISTORY=33:*CONTRIBUTOS=33:*PATENTS=33:*VERSION=33:*NOTICE=33:*CHANGES=33:*CHANGELOG=33:*log=33:*.txt=33:*.md=33:*.markdown=33:*.nfo=33:*.org=33:*.pod=33:*.rst=33:*.tex=33:*.texttile=33:*.bib=35:*.json=35:*.jsonl=35:*.jsonnet=35:*.libsonnet=35:*.rss=35:*.xml=35:*.fxml=35:*.toml=35:*.yaml=35:*.yml=35:*.dtd=35:*.cbr=35:*.cbz=35:*.chm=35:*.pdf=35:*.PDF=35:*.epub=35:*.awk=35:*.bash=35:*.bat=35:*.BAT=35:*.sed=35:*.sh=35:*.zsh=35:*.vim=35:*.py=35:*.ipynb=35:*.rb=35:*.gemspec=35:*.pl=35:*.PL=35:*.t=35:*.msql=35:*.mysql=35:*.pgsql=35:*.sql=35:*.r=35:*.R=35:*.cljw=35:*.scala=35:*.sc=35:*.dart=35:*.asm=35:*.cl=35:*.lisp=35:*.rkt=35:*.el=35:*.elc=35:*.eln=35:*.lua=35:*.c=35:*.C=35:*.h=35:*.H=35:*.tcc=35:*.c++=35:*.h++=35:*.hpp=35:*.hxx=35:*ii.=35:*.m=35:*.M=35:*.cc=35:*.cs=35:*.cp=35:*.cpp=35:*.cxx=35:*.go=35:*.f=35:*.F=35:*.nim=35:*.nimble=35:*.s=35:*.S=35:*.rs=35:*.scpt=35:*.swift=35:*.vala=35:*.vapi=35:*.hs=35:*.lhs=35:*.zig=35:*.v=35:*.pyc=35:*.tf=35:*.tfstate=35:*.tfvars=35:*.css=35:*.less=35:*.sass=35:*.scss=35:*.htm=35:*.html=35:*.jhtm=35:*.mht=35:*.eml=35:*.coffee=35:*.java=35:*.js=35:*.mjs=35:*.jsm=35:*.jsp=35:*.rasi=35:*.php=35:*.twig=35:*.vb=35:*.vba=35:*.vbs=35:*.Dockerfile=35:*.dockerignore=35:*.Makefile=35:*.MANIFEST=35:*.am=35:*.in=35:*.hin=35:*.scan=35:*.m4=35:*.old=35:*.out=35:*.SKIP=35:*.diff=35:*.patch=35:*.tmpl=35:*.j2=35:*PKGBUILD=35:*config=35:*.conf=35:*.service=31:*.@.service=31:*.socket=31:*.swap=31:*.device=31:*.mount=31:*.automount=31:*.target=31:*.path=31:*.timer=31:*.snapshot=31:*.allow=31:*.swp=31:*.swo=31:*.tmp=31:*.pid=31:*.state=31:*.lock=31:*.lockfile=31:*.pacnew=31:*.un=31:*.orig=31:'


@ -28,4 +28,12 @@
swapDevices = [ ]; swapDevices = [ ];
mySystem = {
security.acme.enable = true;
services = {
forgejo.enable = true;
nginx.enable = true;
};
};
} }


@ -19,14 +19,13 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
sops.secrets = { sops.secrets = {
"security/acme/env".sopsFile = ./secrets.sops.yaml; "security/acme/env".sopsFile = ./secrets.sops.yaml;
"security/acme/env".restartUnits = [ "${app}.service" ]; "security/acme/env".restartUnits = [ "lego.service" ];
}; };
environment.persistence."${config.mySystem.system.impermanence.persistPath}" = lib.mkIf config.mySystem.system.impermanence.enable { environment.persistence."${config.mySystem.system.impermanence.persistPath}" = lib.mkIf config.mySystem.system.impermanence.enable {
directories = [ "/var/lib/acme" ]; directories = [ "/var/lib/acme" ];
}; };
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults.email = "admin@${config.networking.domain}"; defaults.email = "admin@${config.networking.domain}";
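Review bot: `restartUnits = [ "lego.service" ]` probably names a unit that does not exist. As far as I know the NixOS `security.acme` module runs lego from per-certificate units named `acme-<cert>.service`, so a rotated `security/acme/env` secret would not cause a renewal with the new credentials. If the certificate is keyed on the domain, something like `restartUnits = [ "acme-${config.networking.domain}.service" ];` would match; confirm the real unit name with `systemctl list-units 'acme-*'` on the host. The `security.acme` block continues past the end of this hunk, so the certificate name is not visible here.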


@ -1,6 +1,6 @@
security: security:
acme: acme:
env: ENC[AES256_GCM,data:xOsM9gewm+R6rB74IK7vKQ==,iv:Pc/+RZbIm3cljBrHX666NOoaWyavSTfchG42KgZGHi8=,tag:4ZYPeMVZc0FW4QMqQen/4A==,type:str] env: ENC[AES256_GCM,data:ZdtHl/MTYH1Hiw5Euf6PudZi74rFapfjbUlgEpUXA+H1kbqhZ8SdxEad1Pp8bAhEMpjK72uIAwHtGzz3HgElp4g=,iv:I5q2Ntn7Fh34VQd6ALH8NjKJI21V+fGBdw9RIEd8ksg=,tag:Y5mlPUq0QEAdXeU4Y4cheg==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -10,41 +10,41 @@ sops:
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByRlNxNmp0a05HR1Z5NExm YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6WjhEaW54SEpGRGgwT0ly
Ym1tcWRra0I5eVdqN0lBbDAvSHI4YWhDekJzClZhVmh0WnhjMEpRbXorZS9nWEly REVkS2xvOGxhT1puRm5Gc0N1Y1FHWko1ekcwCml5MHFWWG1qNjNZbkY1TldORFdm
N094c1ZmUkkxQ3hCUzZ2dlVXMmNzL2MKLS0tIFdRY0hkM3FTbWl5dnpZYjJ3NEFQ YWRMTjJwODFYZFhXcHNxWUViNCtVcUEKLS0tIGlpdVdwc01XUmpsT0VFSWJXa01J
eGxDZmhBSFNtMENySnBFMXdqWFJDR28K6VIwYHAOSgoHOgMuK39S1YomMdBZDOQ9 bHoxZnBPZFFjQ0FCdWJrVGwzcEEzakEKNLWXfzWIQqaciDQ9ZQc3qnF9lnZew1D6
cHFR/jDzLLIobP+J12PJW57IwjO0ZlquhFvZqcnPDih650Hwn370gw== q3vHQJ6rEagGh/EsHzdDzo8y5NOj7L5e+Igi9rwtoS7+Xle55i3T+Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg - recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxM1U1MlFhMXZKcTd2czFI YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEbUUzc1BHbWkxQlJqcDZs
N3ZyL1UxRU5aNEpuWmJ2NGNnYUZCYlpEUW5ZCktsQlhyYUFxeC9sd2ZXUnpadWQ2 aVhrYkdzM054R3hkT2g4Tm90WTNseEdlR21VCkF3NkJqSVIrYzJZUHVNNVJncEla
WEFBTi9UR0FodWpTS1pJQ2krdUhFeFEKLS0tIFZMS2RlOEl4aUt6VXk5VUl1b21n RnVDcG1OTWlQa2l4dEVhdEQ3dWRTa3MKLS0tIEpnQ3pqb090N0Jta0QzdEhrNUFy
dTVXRzEyd3EreXZOS0wvK0dqK1JHVkUKbOGwJEtp8QJ1Y0oUZUR69bP/fvyQCDAy eU9iZ0xzSUcrVG1VV3BQbnUxSll1ZWsKeSVfkJgoPnSiW0rguTwUFvbYdA2LETIR
WJQfP/H8oRwq8YkWOcusmYd5zpY2guAkAraxiXT04jWr2Knci+UvTA== OePUhnczLMJL6Qj+uolCJB5cedLPpmOuPILKU1BI0eZEmH8HsarCdQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2UU0yT01hRkNja01JOVRL YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBudk1BWGVWY1IwSXhOZVNX
TDRkM2twOWo4K2czT2E1NUFJbzdSbEZpTkdnCnFxS3hCakllOHlBOGVRYWY2L2dX bHFQQ0pYaWo3R3B1bXFpbndRMTdBRHdndlNvClJSTjN6WTQ4b2V2NHdISXVTMDZj
SjJLWEFMalVVdkpmTGIwWldUM0ZkK3MKLS0tIDZoV2JxUWRob3dTR0xoell4cVJJ MkFrQnhMUmIxWnJGZjFRT3VDeWVZQW8KLS0tIENlTUM1TEdnOEh6UFVjSWREYW5q
d1Vja1o1S29sNU9YTnFZRUw5cmx1Z2cKn1NlVWpkhY5UCCNUeusQP1mqmf4r4jfj THhhdG5oYm96QlUwZW42YUJDeDdTbW8KNRwQ/ENQPgeJiXNggFxcgkymhVQy66TO
IFTA+cQObz5ID5UKXHOtUsNR/P3holDDWqbWycParrnccink+bJvQg== IRzxYmmo/MlBhDWQlk0EBFHYudmC8lF7n/pTvM8pz6V/5tc0Y1R9ow==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4NUx4b2dnYzhDWHRHdXdU YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvWDgwSXowMG5pM2dzbDJJ
L0U5VXJiaVY4TTlLRENtZGhJcExESDBQRFdnClNrcVlwbU9kYVRTTitWQW1nUjR0 clNFM2UvcVZWT0o4UVZQdnlxc25BeXR4V1hjClVzZHlXaHQvN0NiT0JoWG9EWmRz
MVJ2dHFOYXNESkMzR0VBdDR0dFF5R0UKLS0tIGo3RWljNlQyOHBFWHJYZFZ5bVl0 VDAyTkxod0FGVENOZndMTE9aZnM1UmcKLS0tIHAzWFRoZVdXNnIya0gyMFVXa1Va
WWxiKzM3SXpJdmZKMzI3ZGNKSzRYV0EKjOQnIihgj+fPUbjdz83Vng1xHQOmeY5F SUtQblFtK2RSR1F6WFphUWlXRmJCeDgKbvve6CId6RF/F90Px5sl6FdJH6VhLR4w
oyFvCTyZaXpb1GlOcx/MKrjlcteCuBgJ1VNq65KgVy7IQBCBMOkVow== K52iqxq1or/YKUn69dC9l21UwW2u1dJ7g9lTXcRll/clmh8LtDXZXw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-11T03:03:13Z" lastmodified: "2024-05-13T03:24:35Z"
mac: ENC[AES256_GCM,data:woOIDwPLTaNDmxI5OJiXuDh2UiSiEEEMRqL61mXdfURSVEtr/ZRF7GsEwW3m243Ztbxp7k+i2KE7ydzQtyJJB4+xSg+BL2F/99ld7XLCPUrH6PjugzSu26G1H42Ir/v/BaFyPNNHzJdA3YpT++o1yVIZqvx9xf2pOwDzIf/0o/Y=,iv:NUrbxRxn1w/Q3WMkplObO0GU6APhdZNjtaZytQ1yzbE=,tag:/7QsYDRBZrNFALYlA8hL+w==,type:str] mac: ENC[AES256_GCM,data:Gz8uMG1pYseVsD1ooCuT48euPjed47su97ycdtKFsy8r3fLRvXUIfP8YPxSJ/OPGPm0yXBoNGRCovoey1N3B8NQXqWmQ78pmHIEVN6EqM8DvKLUn3a4XR52g0mURGqgFqJJXJCxn/UN4SMs1Kbl3Ahc9cXf17J1MoScVRqhpDWE=,iv:xYX7OUtaKDwjRohYN3q0mdrFfjop3XtzxAjQrMFrydk=,tag:sawX4x4KFzHJoPAeE18dag==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1


@ -28,5 +28,6 @@
./miniflux ./miniflux
./calibre-web ./calibre-web
./rss-bridge ./rss-bridge
./forgejo
]; ];
} }


@ -0,0 +1,89 @@
{ lib, pkgs, config, ... }:
with lib;
let
cfg = config.mySystem.services.forgejo;
app = "forgejo";
port = 443;
http_port = 3000;
serviceUser = "forgejo";
domain = "git.hsn.dev";
in
{
options.mySystem.services.forgejo = {
enable = mkEnableOption "Forgejo";
};
config = mkIf cfg.enable {
services.nginx = {
virtualHosts.${domain} = {
forceSSL = true;
useACMEHost = config.networking.domain;
extraConfig = ''
client_max_body_size 512M;
'';
locations."/".proxyPass = "http://127.0.0.1:${toString http_port}";
};
};
services.forgejo = {
enable = true;
database.type = "postgres";
# Enable support for Git Large File Storage
lfs.enable = true;
settings = {
server = {
DOMAIN = domain;
# You need to specify this to remove the port from URLs in the web UI.
ROOT_URL = "https://${domain}/";
HTTP_PORT = http_port;
# Default landing page on 'explore'
LANDING_PAGE = "explore";
};
# You can temporarily allow registration to create an admin user.
service = {
DISABLE_REGISTRATION = true;
ENABLE_NOTIFY_MAIL = true;
REGISTER_EMAIL_CONFIRM = true;
REQUIRE_SIGNIN_VIEW = false;
};
indexer = {
REPO_INDEXER_ENABLED = true;
REPO_INDEXER_PATH = "indexers/repos.bleve";
MAX_FILE_SIZE = 1048576;
REPO_INDEXER_INCLUDE = "";
REPO_INDEXER_EXCLUDE = "resources/bin/**";
};
picture = {
AVATAR_UPLOAD_PATH = "/var/lib/forgejo/data/avatars";
REPOSITORY_AVATAR_UPLOAD_PATH = "/var/lib/forgejo/data/repo-avatars";
};
# Add support for actions, based on act: https://github.com/nektos/act
actions = {
ENABLED = true;
};
# Sending emails is completely optional
# You can send a test email from the web UI at:
# Profile Picture > Site Administration > Configuration > Mailer Configuration
mailer = {
ENABLED = true;
SMTP_ADDR = "smtp.mailgun.org";
FROM = "git@hsn.dev";
USER = "git@mg.hsn.dev";
SMTP_PORT = 587;
};
session = {
COOKIE_SECURE = true;
COOKIE_NAME = "session";
};
};
mailerPasswordFile = config.sops.secrets."services/forgejo/smtp/password".path;
};
# sops
sops.secrets."services/forgejo/smtp/password" = {
sopsFile = ./secrets.sops.yaml;
owner = serviceUser;
mode = "400";
restartUnits = [ "forgejo.service" ];
};
};
}
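Review bot: The `server` settings never set `HTTP_ADDR`, so Forgejo keeps its default of listening on all interfaces on port 3000 even though nginx only reaches it through `127.0.0.1`. Adding `HTTP_ADDR = "127.0.0.1";` next to `HTTP_PORT` keeps the plain-HTTP listener off the network instead of relying on the firewall alone. The module also adds no `environment.persistence` entry for `/var/lib/forgejo`, unlike the acme module's `/var/lib/acme`. On a host with impermanence enabled, repositories, avatars and LFS objects may therefore not survive a reboot unless they are persisted elsewhere, and the same question applies to the PostgreSQL data directory. `app` and `port = 443` in the `let` block are unused and can be dropped.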


@ -0,0 +1,51 @@
services:
forgejo:
smtp:
password: ENC[AES256_GCM,data:WL+v0tKArR90bzbZ04lL6ODADSMXGHAEYAnNrhdgCShEcNjUwJXVHV8bsOIdiAsXoic=,iv:+KPPzcHrHPee2EhQCQzGsCNzLQa9t2MCdXHF3O8zZ+M=,tag:FuxrUg1/qS0WvD222wbfkw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByQmVLNjhPNThZa3dLd3ha
a0VCa1JDaGJXLzQwck1Ga2wvVWU0K1BCbkVRCjdlL3B0cUZVZEtFalFkb2lTWktL
cGZGcjR1KzVEYzZKakZHMnlBR0FvM2MKLS0tIHpRZm5nbGpVZmVpVVkrZVVSKzlk
ZUx0c29QMWpTRHJ0U3B1V2lkdEJvUk0KVK8GKsSl8uXhw8zbxpW4An/E7UI8yW6u
0MELMJtmskLQnCUKKbeE8nAHW2MMGt6schoXwqsAEkspeaf+AC2G1A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Mk1UVzJQM044aG9BRmg3
QnUrdURwNGhONUxnR2Jjbjc1TitWWXEvb2dBCmlGSVh0Y0VNcExUYk9ER3JsNUgx
d1BCQWI2L0I0TGZoYUdmamg0aTBVbjQKLS0tIE52elRkSjd3eUlWempGSFBvbHoy
U1hZT2FVeEtkSDUvUERRYWpyanI2UUUKO7EHrVbhMFqZdwnIlK0Fnd5cLUVJ9Mhx
NRwYxneeBTHg2VV53n+n8mRhO0eQtOfNh6Mvc4eHC2eTBk/XlUynDg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRZWtMQVhOTTJxM1dYYW5w
aFViZWU2KzR2RnpDZEdDbk5nU1loQ1F0cVdnCjlPb0VtNFYvQzBiNDZUaTROOHRO
a3ZlaFlGblhnR1hRK3lRQ05mR0lJYzQKLS0tIFovSzEyNXhrcC9iRjAyVlZBWXIy
UWZBeXIrR0tvaFBVTFhqblB0d2xTM0UKULrTgxENwhZvEpNS0/Puxoh2d8s2zNo4
EY+fkaR3dOGjnro+E6PYO7NydZOfc/rT/VUBAQi8Dl8DPlJHV4WOjw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNaEpWdkk0eUpiT0duTjRS
aXEwZlh1dW5oQkNwMjRGbVNKeTRxanpneVdZCkZVTjJHblo0Ui8yYytKeDZHaFVn
eVAzeHpxck9VN0pDVnIyb3A3VGdxY2cKLS0tIGRiNVprcHFqVUpJeFJHNklkT3JR
azV4ajZHUXFnY1VHS0JzaHM1aUtySHcKWw3FRCjkKm99+Rw7uL+550go0EoKJdKY
6tBW4vsh0+a3WBd/cNXwHVt8R3UscZ+MOwgSKyHDA62slqblH+G81Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-12T03:37:15Z"
mac: ENC[AES256_GCM,data:OM7jU2HfvOtNDvK4C5FE567dobZxhBdCDu5KSyBgGfzgFi1tSX0F4YoRZhspmfQKOeT/3+vLj1bfqDIkv2krDeZOnxw8vns7qgnTgR2tOn15bQmS8mIkSyk5WWdS1tbHfk1v+vF8T6lsl78G4nDSU/Q9DyFFdgmQUDDzlwW5vAs=,iv:tZgzqxwPqdDpQVkC/9598ixEzUNES5YMNfTwGUOEErQ=,tag:2w3/EftLvS/a2wl8ug6t3Q==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -39,9 +39,7 @@ in
# Prevent injection of code in other mime types (XSS Attacks) # Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
''; '';
# TODO add cloudflre IP's when/if I ingest internally.
commonHttpConfig = '' commonHttpConfig = ''
add_header X-Clacks-Overhead "GNU Terry Pratchett"; add_header X-Clacks-Overhead "GNU Terry Pratchett";
''; '';
@ -55,12 +53,9 @@ in
extraConfig = "return 444;"; extraConfig = "return 444;";
}; };
}; };
}; };
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ 80 443 ]; allowedTCPPorts = [ 80 443 ];
allowedUDPPorts = [ 80 443 ]; allowedUDPPorts = [ 80 443 ];
}; };