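{
  config,
  pkgs,
  ...
}: {
  # Forgejo instance served at repo.hpcesia.com. The HTTP listener is bound to
  # loopback only (TLS is presumably terminated by a reverse proxy in front of
  # it, since ROOT_URL is https); git over SSH uses Forgejo's built-in SSH
  # server, and that server's auth failures feed the fail2ban jail below.
  services.forgejo = {
    enable = true;
    package = pkgs.forgejo;
    user = "git";
    group = "forgejo";
    database = {
      type = "sqlite3";
    };
    settings = {
      default = {
        APP_NAME = "Forgejo"; # TODO: A new name for my forgejo instance.
        APP_SLOGAN = "Beyond coding. We Forge."; # TODO: A new slogan.
      };
      server = {
        DOMAIN = "repo.hpcesia.com";
        # Plain HTTP, loopback only: not reachable from outside this host, and
        # the firewall section below does not open HTTP_PORT either.
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = 3125;
        PROTOCOL = "http";
        # Built-in SSH server on its own port, so its log lines land in
        # forgejo.service's journal (read by the fail2ban filter), not sshd's.
        START_SSH_SERVER = true;
        SSH_PORT = 2233;
        ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}/";
      };
      service = {
        DISABLE_REGISTRATION = true; # no self-service sign-up
        ENABLE_NOTIFY_MAIL = true;
        # No HTTP basic auth; presumably git access is meant to go over SSH
        # only — confirm that no client relies on password/token over HTTPS.
        ENABLE_BASIC_AUTHENTICATION = false;
      };
      repository = {
        DEFAULT_REPO_UNITS = "repo.code,repo.releases";
      };
      mailer = {
        ENABLED = true;
        PROTOCOL = "smtps"; # implicit TLS on port 465
        SMTP_ADDR = "glacier.mxrouting.net";
        SMTP_PORT = 465;
        USER = "info@hpcesia.com";
        # Display name spelling fixed ("Infomation" -> "Information").
        FROM = "Forgejo Information <info@hpcesia.com>";
        SUBJECT_PREFIX = "[repo.hpcesia.com] ";
      };
      # TODO: Enable federation after I finalize a suitable instance name and switch to an independent domain.
      federation.ENABLED = false;
      # Session cookie is only sent over HTTPS; consistent with the https ROOT_URL.
      session.COOKIE_SECURE = true;
      log = {
        LEVEL = "Info";
        ENABLE_SSH_LOG = true; # Enable ssh log for fail2ban.
        "logger.router.MODE" = "Error"; # router log only at error level
      };
      actions = {
        ENABLED = true;
      };
    };
    # Mailer password is read from a sops-managed file at runtime rather than
    # being written into settings (and thus into the Nix store).
    secrets = {
      mailer.PASSWD = config.sops.secrets.forgejo-mailer-password.path;
    };
  };

  # Dedicated system account for Forgejo; its home is the Forgejo state dir.
  users.users."git" = {
    isSystemUser = true;
    useDefaultShell = true;
    group = config.services.forgejo.group;
    home = config.services.forgejo.stateDir;
    extraGroups = [
      "ssh-secrets-users" # to use ssh-config
    ];
  };

  # Only the Forgejo SSH port is exposed; the HTTP port stays loopback-only.
  networking.firewall.allowedTCPPorts = [
    config.services.forgejo.settings.server.SSH_PORT
  ];

  # Ban a source on all ports after 3 failed Forgejo SSH logins within one
  # hour; the ban lasts 15 minutes.
  services.fail2ban.jails.forgejo-ssh = {
    settings = {
      filter = "forgejo-ssh";
      action = "iptables-allports";
      # NOTE(review): the custom filter below declares no `mode`, so this
      # setting may have no effect — confirm against fail2ban's jail docs.
      mode = "aggressive";
      maxretry = 3;
      findtime = 3600;
      bantime = 900;
    };
  };

  # Filter for the jail above: matches Forgejo's SSH auth-failure lines in the
  # forgejo.service journal and extracts the client address as <HOST>.
  environment.etc."fail2ban/filter.d/forgejo-ssh.conf".text = ''
    [Definition]
    failregex = ^.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>$
    journalmatch = _SYSTEMD_UNIT=forgejo.service
  '';
}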