 1{
 2  config,
 3  pkgs,
 4  ...
 5}: {
 6  services.forgejo = {
 7    enable = true;
 8    package = pkgs.forgejo;
 9    user = "git";
10    group = "forgejo";
11    database = {
12      type = "sqlite3";
13    };
14    settings = {
15      default = {
16        APP_NAME = "Forgejo"; # TODO: A new name for my forgejo instance.
17        APP_SLOGAN = "Beyond coding. We Forge."; # TODO: A new slogan.
18      };
19      server = {
20        DOMAIN = "repo.hpcesia.com";
21        HTTP_ADDR = "127.0.0.1";
22        HTTP_PORT = 3125;
23        PROTOCOL = "http";
24        START_SSH_SERVER = true;
25        SSH_PORT = 2233;
26        ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}/";
27      };
28      service = {
29        DISABLE_REGISTRATION = true;
30        ENABLE_NOTIFY_MAIL = true;
31        ENABLE_BASIC_AUTHENTICATION = false;
32      };
33      repository = {
34        DEFAULT_REPO_UNITS = "repo.code,repo.releases";
35      };
36      mailer = {
37        ENABLED = true;
38        PROTOCOL = "smtps";
39        SMTP_ADDR = "glacier.mxrouting.net";
40        SMTP_PORT = 465;
41        USER = "info@hpcesia.com";
42        FROM = "Forgejo Infomation <info@hpcesia.com>";
43        SUBJECT_PREFIX = "[repo.hpcesia.com] ";
44      };
45      # TODO: Enable federation after I finalize a suitable instance name and switch to an independent domain.
46      federation.ENABLED = false;
47      session.COOKIE_SECURE = true;
48      log = {
49        LEVEL = "Info";
50        ENABLE_SSH_LOG = true; # Enable ssh log for fail2ban.
51        "logger.router.MODE" = "Error";
52      };
53      actions = {
54        ENABLED = true;
55      };
56    };
57    secrets = {
58      mailer.PASSWD = config.sops.secrets.forgejo-mailer-password.path;
59    };
60  };
61
62  users.users."git" = {
63    isSystemUser = true;
64    useDefaultShell = true;
65    group = config.services.forgejo.group;
66    home = config.services.forgejo.stateDir;
67    extraGroups = [
68      "ssh-secrets-users" # to use ssh-config
69    ];
70  };
71
72  networking.firewall.allowedTCPPorts = [
73    config.services.forgejo.settings.server.SSH_PORT
74  ];
75
76  services.fail2ban.jails.forgejo-ssh = {
77    settings = {
78      filter = "forgejo-ssh";
79      action = "iptables-allports";
80      mode = "aggressive";
81      maxretry = 3;
82      findtime = 3600;
83      bantime = 900;
84    };
85  };
86
87  environment.etc."fail2ban/filter.d/forgejo-ssh.conf".text = ''
88    [Definition]
89    failregex = ^.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>$
90    journalmatch = _SYSTEMD_UNIT=forgejo.service
91  '';
92}