Commit a130ac7
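--- a/hosts/chaser-pardofelis/caddy.nix
+++ b/hosts/chaser-pardofelis/caddy.nix
@@ -20,7 +20,6 @@ in {
 # Assuming address start with `tcp://`.
 builtins.substring 6 (-1) config.services.authelia.instances.main.settings.server.address
 }";
-forgejo = "http://localhost:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}";
 goatcounter = "http://localhost:${builtins.toString config.services.goatcounter.port}";
 gokapi = "http://localhost:${builtins.toString config.services.gokapi.environment.GOKAPI_PORT}";
 grafana = "http://localhost:${builtins.toString config.services.grafana.settings.server.http_port}";
@@ -79,10 +78,6 @@ in {
 encode zstd gzip
 reverse_proxy ${localAddress.prometheus}
 '';
-"repo.hpcesia.com".extraConfig = ''
-encode zstd gzip
-reverse_proxy ${localAddress.forgejo}
-'';
 "send.hpcesia.com".extraConfig = ''
 encode zstd gzip
 reverse_proxy ${localAddress.gokapi}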
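--- a/hosts/chaser-pardofelis/forgejo.nix
+++ b/hosts/chaser-pardofelis/forgejo.nix
@@ -1,92 +0,0 @@
-{
-config,
-pkgs,
-...
-}: {
-services.forgejo = {
-enable = true;
-package = pkgs.forgejo;
-user = "git";
-group = "forgejo";
-database = {
-type = "sqlite3";
-};
-settings = {
-default = {
-APP_NAME = "Forgejo"; # TODO: A new name for my forgejo instance.
-APP_SLOGAN = "Beyond coding. We Forge."; # TODO: A new slogan.
-};
-server = {
-DOMAIN = "repo.hpcesia.com";
-HTTP_ADDR = "127.0.0.1";
-HTTP_PORT = 3125;
-PROTOCOL = "http";
-START_SSH_SERVER = true;
-SSH_PORT = 2233;
-ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}/";
-};
-service = {
-DISABLE_REGISTRATION = true;
-ENABLE_NOTIFY_MAIL = true;
-ENABLE_BASIC_AUTHENTICATION = false;
-};
-repository = {
-DEFAULT_REPO_UNITS = "repo.code,repo.releases";
-};
-mailer = {
-ENABLED = true;
-PROTOCOL = "smtps";
-SMTP_ADDR = "glacier.mxrouting.net";
-SMTP_PORT = 465;
-USER = "info@hpcesia.com";
-FROM = "Forgejo Infomation <info@hpcesia.com>";
-SUBJECT_PREFIX = "[repo.hpcesia.com] ";
-};
-# TODO: Enable federation after I finalize a suitable instance name and switch to an independent domain.
-federation.ENABLED = false;
-session.COOKIE_SECURE = true;
-log = {
-LEVEL = "Info";
-ENABLE_SSH_LOG = true; # Enable ssh log for fail2ban.
-"logger.router.MODE" = "Error";
-};
-actions = {
-ENABLED = true;
-};
-};
-secrets = {
-mailer.PASSWD = config.sops.secrets.forgejo-mailer-password.path;
-};
-};
-
-users.users."git" = {
-isSystemUser = true;
-useDefaultShell = true;
-group = config.services.forgejo.group;
-home = config.services.forgejo.stateDir;
-extraGroups = [
-"ssh-secrets-users" # to use ssh-config
-];
-};
-
-networking.firewall.allowedTCPPorts = [
-config.services.forgejo.settings.server.SSH_PORT
-];
-
-services.fail2ban.jails.forgejo-ssh = {
-settings = {
-filter = "forgejo-ssh";
-action = "iptables-allports";
-mode = "aggressive";
-maxretry = 3;
-findtime = 3600;
-bantime = 900;
-};
-};
-
-environment.etc."fail2ban/filter.d/forgejo-ssh.conf".text = ''
-[Definition]
-failregex = ^.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>$
-journalmatch = _SYSTEMD_UNIT=forgejo.service
-'';
-}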
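--- a/modules/hosts/chaser-pardofelis/default.nix
+++ b/modules/hosts/chaser-pardofelis/default.nix
@@ -14,6 +14,7 @@
 (n: config.flake.modules.nixos."${config.flake.meta.service.prefix}${n}")
 [
 "caddy"
+"forgejo"
 "goatcounter"
 "gotosocial"
 "podman"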
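--- a/modules/services/forgejo/default.nix
+++ b/modules/services/forgejo/default.nix
@@ -0,0 +1,90 @@
+{lib, ...}: {
+flake.modules.nixos."services/forgejo" = {
+config,
+pkgs,
+...
+}: {
+services.forgejo = {
+enable = true;
+package = pkgs.forgejo;
+user = "git";
+group = "forgejo";
+database = {
+type = "sqlite3";
+};
+settings = {
+default = {
+APP_NAME = "Forgejo"; # TODO: A new name for my forgejo instance.
+APP_SLOGAN = "Beyond coding. We Forge."; # TODO: A new slogan.
+};
+server = {
+DOMAIN = "repo.hpcesia.com";
+HTTP_ADDR = "127.0.0.1";
+HTTP_PORT = 3125;
+PROTOCOL = "http";
+START_SSH_SERVER = true;
+SSH_PORT = 2233;
+ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}/";
+};
+service = {
+DISABLE_REGISTRATION = true;
+ENABLE_NOTIFY_MAIL = true;
+ENABLE_BASIC_AUTHENTICATION = false;
+};
+repository = {
+DEFAULT_REPO_UNITS = "repo.code,repo.releases";
+};
+mailer = {
+ENABLED = true;
+PROTOCOL = "smtps";
+SMTP_ADDR = "glacier.mxrouting.net";
+SMTP_PORT = 465;
+USER = "info@hpcesia.com";
+FROM = "Forgejo Infomation <info@hpcesia.com>";
+SUBJECT_PREFIX = "[repo.hpcesia.com] ";
+};
+# TODO: Enable federation after I finalize a suitable instance name and switch to an independent domain.
+federation.ENABLED = false;
+session.COOKIE_SECURE = true;
+log = {
+LEVEL = "Info";
+ENABLE_SSH_LOG = true; # Enable ssh log for fail2ban.
+"logger.router.MODE" = "Error";
+};
+actions = {
+ENABLED = true;
+};
+};
+secrets = {
+mailer.PASSWD = config.vaultix.secrets.forgejo-mailer-password.path;
+};
+};
+
+users.users."git" = {
+isSystemUser = true;
+useDefaultShell = true;
+group = config.services.forgejo.group;
+home = config.services.forgejo.stateDir;
+};
+
+networking.firewall.allowedTCPPorts = [
+config.services.forgejo.settings.server.SSH_PORT
+];
+
+services.caddy.virtualHosts."repo.hpcesia.com".extraConfig =
+lib.mkIf config.services.caddy.enable
+(let
+localAddress = "http://localhost:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}";
+in ''
+encode zstd gzip
+reverse_proxy ${localAddress}
+'');
+
+vaultix.secrets.forgejo-mailer-password = {
+file = ./mailer-password.age;
+owner = "root";
+group = "forgejo";
+mode = "0440";
+};
+};
+}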
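Review bot: The new `users.users."git"` block silently drops the `extraGroups = [ "ssh-secrets-users" ]` membership that the deleted host file carried (annotated there as "to use ssh-config"), so once this module replaces hosts/chaser-pardofelis/forgejo.nix the git user loses whatever access that group granted. If the shared ssh config is still needed by Forgejo (presumably for outbound git over SSH, e.g. mirrors), the line should be restored here or in a host-level override; if the drop is deliberate, a short comment saying so would stop the next reader from re-adding it. Separately, `ENABLE_SSH_LOG = true` is commented as being "for fail2ban", but the jail that consumes it lives in fail2ban.nix and is gated on `services.fail2ban.enable`, so widening the comment to `# Enable ssh log for the optional fail2ban jail in ./fail2ban.nix.` would make the cross-file dependency visible.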
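--- a/modules/services/forgejo/fail2ban.nix
+++ b/modules/services/forgejo/fail2ban.nix
@@ -0,0 +1,20 @@
+{lib, ...}: {
+flake.modules.nixos."services/forgejo" = {config, ...}:
+lib.mkIf config.services.fail2ban.enable {
+services.fail2ban.jails.forgejo-ssh = {
+settings = {
+filter = "forgejo-ssh";
+action = "iptables-allports";
+mode = "aggressive";
+maxretry = 3;
+findtime = 3600;
+bantime = 900;
+};
+};
+environment.etc."fail2ban/filter.d/forgejo-ssh.conf".text = ''
+[Definition]
+failregex = ^.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>$
+journalmatch = _SYSTEMD_UNIT=forgejo.service
+'';
+};
+}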
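Review bot: `mode = "aggressive"` in the jail settings appears to be a no-op for this jail: fail2ban hands `mode` to the filter as a parameter, and the forgejo-ssh.conf filter defined just below has a single fixed `failregex` with no `[Init]` section or `<mode>` variants, so nothing ever selects on it. Either drop the line or mark it, e.g. `# mode has no effect on the custom filter below; kept for parity with stock jails.` The `[Definition]` block would also benefit from a one-line comment naming where the three alternations come from (presumably Forgejo's built-in SSH server auth failures, which `ENABLE_SSH_LOG` in default.nix turns on), so a Forgejo upgrade that rewords those messages is easier to spot when the jail goes quiet.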
modules/services/forgejo/mailer-password.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> X25519 EM0hgE1u5q2vZjXOVFNivAkCPc1PwI/hLf59GOwRHzc
+XsUNqG6A+63ILfaE6E0AfeNmhCHQc/JutwzWnuvkmAc
+-> X4jBi}-grease
+7OSi7jX+M5jAacJzGVPQQtkNrZu0gm6zyL7B1CHATSgGt9BFy5rWvn+YVDISDiQy
+yYrKpCiEQw+L9i9CC7R1KPk9/5WwtA
+--- kOP3OPvWWCz75xTHIzsyHXqgSRPdpuheahPOoXhHt64
+[�G�/���v(,PzA�q��� -�7�a�\��?ߡ�@�$$��'�i��#�9n�
\ No newline at end of file
secrets/cache/pardofelis/41290a32ac30d48d8e6406a3e29f53306fbc75af72e010fb60dc33dd68e36d14
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 B1HLiw 6TZAE94OrS63h7Is0yZRJ5fvjNptzc7Y0yN7Yx4BtVU
+MbfOBTR9blVK5cQwJu2PKOTDyJDePtMTp+nmrhqgkd0
+-> 8Z-grease ey[i
+DGKQB48RzY8Dxf0Hm1i5jYX7pXLmPHqr++xhRVNBfRJ2UC/qaGj4+LfoWUU
+--- 4Cn/MZGoaWuydqqC5NgOu76J8OgWQALLQcmayO5tsFo
+U��է��?G�
+�����=�Wf���5�-�u�C%��~U�u-@;s�ҫ�r��2
\ No newline at end of file