Commit a130ac7

HPCesia <me@hpcesia.com>
2025-10-03 18:54:09
refactor: migrate forgejo
1 parent 985c537
Changed files (7)
hosts/chaser-pardofelis/caddy.nix
@@ -20,7 +20,6 @@ in {
           # Assuming address start with `tcp://`.
           builtins.substring 6 (-1) config.services.authelia.instances.main.settings.server.address
         }";
-        forgejo = "http://localhost:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}";
         goatcounter = "http://localhost:${builtins.toString config.services.goatcounter.port}";
         gokapi = "http://localhost:${builtins.toString config.services.gokapi.environment.GOKAPI_PORT}";
         grafana = "http://localhost:${builtins.toString config.services.grafana.settings.server.http_port}";
@@ -79,10 +78,6 @@ in {
         encode zstd gzip
         reverse_proxy ${localAddress.prometheus}
       '';
-      "repo.hpcesia.com".extraConfig = ''
-        encode zstd gzip
-        reverse_proxy ${localAddress.forgejo}
-      '';
       "send.hpcesia.com".extraConfig = ''
         encode zstd gzip
         reverse_proxy ${localAddress.gokapi}
hosts/chaser-pardofelis/forgejo.nix
@@ -1,92 +0,0 @@
-{
-  config,
-  pkgs,
-  ...
-}: {
-  services.forgejo = {
-    enable = true;
-    package = pkgs.forgejo;
-    user = "git";
-    group = "forgejo";
-    database = {
-      type = "sqlite3";
-    };
-    settings = {
-      default = {
-        APP_NAME = "Forgejo"; # TODO: A new name for my forgejo instance.
-        APP_SLOGAN = "Beyond coding. We Forge."; # TODO: A new slogan.
-      };
-      server = {
-        DOMAIN = "repo.hpcesia.com";
-        HTTP_ADDR = "127.0.0.1";
-        HTTP_PORT = 3125;
-        PROTOCOL = "http";
-        START_SSH_SERVER = true;
-        SSH_PORT = 2233;
-        ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}/";
-      };
-      service = {
-        DISABLE_REGISTRATION = true;
-        ENABLE_NOTIFY_MAIL = true;
-        ENABLE_BASIC_AUTHENTICATION = false;
-      };
-      repository = {
-        DEFAULT_REPO_UNITS = "repo.code,repo.releases";
-      };
-      mailer = {
-        ENABLED = true;
-        PROTOCOL = "smtps";
-        SMTP_ADDR = "glacier.mxrouting.net";
-        SMTP_PORT = 465;
-        USER = "info@hpcesia.com";
-        FROM = "Forgejo Infomation <info@hpcesia.com>";
-        SUBJECT_PREFIX = "[repo.hpcesia.com] ";
-      };
-      # TODO: Enable federation after I finalize a suitable instance name and switch to an independent domain.
-      federation.ENABLED = false;
-      session.COOKIE_SECURE = true;
-      log = {
-        LEVEL = "Info";
-        ENABLE_SSH_LOG = true; # Enable ssh log for fail2ban.
-        "logger.router.MODE" = "Error";
-      };
-      actions = {
-        ENABLED = true;
-      };
-    };
-    secrets = {
-      mailer.PASSWD = config.sops.secrets.forgejo-mailer-password.path;
-    };
-  };
-
-  users.users."git" = {
-    isSystemUser = true;
-    useDefaultShell = true;
-    group = config.services.forgejo.group;
-    home = config.services.forgejo.stateDir;
-    extraGroups = [
-      "ssh-secrets-users" # to use ssh-config
-    ];
-  };
-
-  networking.firewall.allowedTCPPorts = [
-    config.services.forgejo.settings.server.SSH_PORT
-  ];
-
-  services.fail2ban.jails.forgejo-ssh = {
-    settings = {
-      filter = "forgejo-ssh";
-      action = "iptables-allports";
-      mode = "aggressive";
-      maxretry = 3;
-      findtime = 3600;
-      bantime = 900;
-    };
-  };
-
-  environment.etc."fail2ban/filter.d/forgejo-ssh.conf".text = ''
-    [Definition]
-    failregex = ^.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>$
-    journalmatch = _SYSTEMD_UNIT=forgejo.service
-  '';
-}
modules/hosts/chaser-pardofelis/default.nix
@@ -14,6 +14,7 @@
         (n: config.flake.modules.nixos."${config.flake.meta.service.prefix}${n}")
         [
           "caddy"
+          "forgejo"
           "goatcounter"
           "gotosocial"
           "podman"
modules/services/forgejo/default.nix
@@ -0,0 +1,90 @@
+{lib, ...}: {
+  flake.modules.nixos."services/forgejo" = {
+    config,
+    pkgs,
+    ...
+  }: {
+    services.forgejo = {
+      enable = true;
+      package = pkgs.forgejo;
+      user = "git";
+      group = "forgejo";
+      database = {
+        type = "sqlite3";
+      };
+      settings = {
+        default = {
+          APP_NAME = "Forgejo"; # TODO: A new name for my forgejo instance.
+          APP_SLOGAN = "Beyond coding. We Forge."; # TODO: A new slogan.
+        };
+        server = {
+          DOMAIN = "repo.hpcesia.com";
+          HTTP_ADDR = "127.0.0.1";
+          HTTP_PORT = 3125;
+          PROTOCOL = "http";
+          START_SSH_SERVER = true;
+          SSH_PORT = 2233;
+          ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}/";
+        };
+        service = {
+          DISABLE_REGISTRATION = true;
+          ENABLE_NOTIFY_MAIL = true;
+          ENABLE_BASIC_AUTHENTICATION = false;
+        };
+        repository = {
+          DEFAULT_REPO_UNITS = "repo.code,repo.releases";
+        };
+        mailer = {
+          ENABLED = true;
+          PROTOCOL = "smtps";
+          SMTP_ADDR = "glacier.mxrouting.net";
+          SMTP_PORT = 465;
+          USER = "info@hpcesia.com";
+          FROM = "Forgejo Infomation <info@hpcesia.com>";
+          SUBJECT_PREFIX = "[repo.hpcesia.com] ";
+        };
+        # TODO: Enable federation after I finalize a suitable instance name and switch to an independent domain.
+        federation.ENABLED = false;
+        session.COOKIE_SECURE = true;
+        log = {
+          LEVEL = "Info";
+          ENABLE_SSH_LOG = true; # Enable ssh log for fail2ban.
+          "logger.router.MODE" = "Error";
+        };
+        actions = {
+          ENABLED = true;
+        };
+      };
+      secrets = {
+        mailer.PASSWD = config.vaultix.secrets.forgejo-mailer-password.path;
+      };
+    };
+
+    users.users."git" = {
+      isSystemUser = true;
+      useDefaultShell = true;
+      group = config.services.forgejo.group;
+      home = config.services.forgejo.stateDir;
+    };
+
+    networking.firewall.allowedTCPPorts = [
+      config.services.forgejo.settings.server.SSH_PORT
+    ];
+
+    services.caddy.virtualHosts."repo.hpcesia.com".extraConfig =
+      lib.mkIf config.services.caddy.enable
+      (let
+        localAddress = "http://localhost:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}";
+      in ''
+        encode zstd gzip
+        reverse_proxy ${localAddress}
+      '');
+
+    vaultix.secrets.forgejo-mailer-password = {
+      file = ./mailer-password.age;
+      owner = "root";
+      group = "forgejo";
+      mode = "0440";
+    };
+  };
+}
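Review bot: The `users.users."git"` definition drops the `extraGroups = [ "ssh-secrets-users" ]` that the removed hosts/chaser-pardofelis/forgejo.nix carried (commented there as `# to use ssh-config`), and nothing else in this diff replaces it. If that membership was what let the forgejo process read a shared SSH client config or key (for mirrors or pushes), the migration silently revokes that access; if it was deliberately dropped as part of moving to vaultix, a one-line comment such as `# ssh-secrets-users membership intentionally removed; SSH keys now come from vaultix` would keep the next reader from re-adding it. Separately, `DOMAIN`, `ROOT_URL` and the Caddy virtual-host name are all hard-coded to `repo.hpcesia.com` inside a module named `services/forgejo`, so it cannot be reused on another host without editing; consider lifting the domain into a module option and deriving the other three from it.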
modules/services/forgejo/fail2ban.nix
@@ -0,0 +1,20 @@
+{lib, ...}: {
+  flake.modules.nixos."services/forgejo" = {config, ...}:
+    lib.mkIf config.services.fail2ban.enable {
+      services.fail2ban.jails.forgejo-ssh = {
+        settings = {
+          filter = "forgejo-ssh";
+          action = "iptables-allports";
+          mode = "aggressive";
+          maxretry = 3;
+          findtime = 3600;
+          bantime = 900;
+        };
+      };
+      environment.etc."fail2ban/filter.d/forgejo-ssh.conf".text = ''
+        [Definition]
+        failregex = ^.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>$
+        journalmatch = _SYSTEMD_UNIT=forgejo.service
+      '';
+    };
+}
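Review bot: The `failregex` ends in `from <HOST>$`, and fail2ban's `<HOST>` token does not consume a trailing `:port`; if Forgejo logs the remote address as `ip:port` for these SSH events (Gitea's documented filter for the same three messages omits the end anchor), no line will ever match and the jail never bans. Verify against a real failed-login line with `fail2ban-regex systemd-journal /etc/fail2ban/filter.d/forgejo-ssh.conf` and, if the port is present, drop the `$` or change the tail to `from <HOST>(?::\d+)?$`. Also, `mode = "aggressive"` in the jail settings has no effect on this hand-written filter, which defines no mode-dependent regexes, so it should either be removed or the filter should honour it. Since the filter relies on `journalmatch`, it only works when the jail backend is systemd; if the host's fail2ban default backend is anything else, add `backend = "systemd";` to the jail settings.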
modules/services/forgejo/mailer-password.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> X25519 EM0hgE1u5q2vZjXOVFNivAkCPc1PwI/hLf59GOwRHzc
+XsUNqG6A+63ILfaE6E0AfeNmhCHQc/JutwzWnuvkmAc
+-> X4jBi}-grease
+7OSi7jX+M5jAacJzGVPQQtkNrZu0gm6zyL7B1CHATSgGt9BFy5rWvn+YVDISDiQy
+yYrKpCiEQw+L9i9CC7R1KPk9/5WwtA
+--- kOP3OPvWWCz75xTHIzsyHXqgSRPdpuheahPOoXhHt64
+[�G�/���v(,PzA�q��� -�7�a�\��?ߡ�@�$$��'�i��#�9n�
\ No newline at end of file
secrets/cache/pardofelis/41290a32ac30d48d8e6406a3e29f53306fbc75af72e010fb60dc33dd68e36d14
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 B1HLiw 6TZAE94OrS63h7Is0yZRJ5fvjNptzc7Y0yN7Yx4BtVU
+MbfOBTR9blVK5cQwJu2PKOTDyJDePtMTp+nmrhqgkd0
+-> 8Z-grease ey[i
+DGKQB48RzY8Dxf0Hm1i5jYX7pXLmPHqr++xhRVNBfRJ2UC/qaGj4+LfoWUU
+--- 4Cn/MZGoaWuydqqC5NgOu76J8OgWQALLQcmayO5tsFo
+U��է��?G�
+�����=�Wf���5�-�u�C%��~U�u-@;s�ҫ�r��2
\ No newline at end of file