From 7b12839890c6f0434a727cd76db81a8bbdf04cc8 Mon Sep 17 00:00:00 2001
From: emily
Date: Tue, 30 Apr 2024 21:55:41 +0200
Subject: [PATCH] added forgejo
---
 .sops.yaml | 23 ++++++++
 config/files/builders | 3 +-
 config/hosts/integra/configuration.nix | 1 +
 config/profiles/remote-build.nix | 27 ++++++---
 config/services/forgejo.nix | 76 ++++++++++++++++++++++++++
 flake.nix | 5 +-
 modules/default.nix | 4 +-
 modules/nginx/default.nix | 35 ++++++++++++
 modules/vhost/default.nix | 47 ----------------
 secrets/services/forgejo.yaml | 34 ++++++++++++
 10 files changed, 196 insertions(+), 59 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 config/services/forgejo.nix
 create mode 100644 modules/nginx/default.nix
 delete mode 100644 modules/vhost/default.nix
 create mode 100644 secrets/services/forgejo.yaml
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..07a5396
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,23 @@
+keys:
+ - &emily B04F01A7A98A13020C39B4A68AB7B773A214ACE5
+ - &seras age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd
+ - &alucard age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd
+creation_rules:
+ - path_regex: secrets/services/dns-knot.yaml
+ key_groups:
+ - pgp:
+ - *emily
+ age:
+ - *seras
+ - path_regex: secrets/services/attic.yaml
+ key_groups:
+ - pgp:
+ - *emily
+ age:
+ - *seras
+ - path_regex: secrets/services/forgejo.yaml
+ key_groups:
+ - pgp:
+ - *emily
+ age:
+ - *alucard
diff --git a/config/files/builders b/config/files/builders
index efcd1ac..ef5ba94 100644
--- a/config/files/builders
+++ b/config/files/builders
@@ -1 +1,2 @@
-ssh://build@seras.kyouma.net x86_64-linux,aarch64-linux - 40 5 nixos-test,benchmark,big-parallel,kvm
+ssh://build@seras.kyouma.net x86_64-linux - 40 40 nixos-test,benchmark,big-parallel,kvm
+ssh://build@integra.kyouma.net aarch64-linux - 4 8 nixos-test,benchmark,big-parallel,kvm
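Review bot: The `&alucard` anchor in the new `.sops.yaml` carries exactly the same age public key as `&seras` (`age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd`), that one key is also the only age recipient in the new `secrets/services/forgejo.yaml`, and yet the service is imported by `config/hosts/integra/configuration.nix`. Either the alucard entry is a copy-paste of seras's key or two hosts share one age identity; in both cases the host that actually runs Forgejo may be unable to decrypt the mailer password at activation, and whichever host holds that key can read every secret encrypted to it. Replace `&alucard` with that host's own recipient (and add integra's if that is where `services/forgejo.nix` is deployed), then re-encrypt with `sops updatekeys secrets/services/forgejo.yaml`. A host recipient is typically derived from its `ssh-ed25519` host key with `ssh-to-age`, so two distinct hosts should not produce an identical value unless their SSH host keys were cloned.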
diff --git a/config/hosts/integra/configuration.nix b/config/hosts/integra/configuration.nix
index fa437d0..2e9d8d0 100644
--- a/config/hosts/integra/configuration.nix
+++ b/config/hosts/integra/configuration.nix
@@ -3,6 +3,7 @@
 ../../common
 ../../profiles/builder.nix
 ../../profiles/headless.nix
+ ../../services/forgejo.nix
 ./hardware-configuration.nix
 ./disko.nix
 ];
diff --git a/config/profiles/remote-build.nix b/config/profiles/remote-build.nix
index 2c49322..3f1821d 100644
--- a/config/profiles/remote-build.nix
+++ b/config/profiles/remote-build.nix
@@ -1,16 +1,27 @@
 {config, lib, pkgs, ... }: {
- nix.buildMachines = [{
- hostName = "seras.kyouma.net";
- sshUser = "build";
- maxJobs = 40;
- speedFactor = 5;
- systems = [ "aarch64-linux" "x86_64-linux" ];
- supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
- }];
+ nix.buildMachines = [
+ {
+ hostName = "seras.kyouma.net";
+ sshUser = "build";
+ maxJobs = 40;
+ speedFactor = 40;
+ systems = [ "x86_64-linux" ];
+ supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
+ }
+ {
+ hostName = "integra.kyouma.net";
+ sshUser = "build";
+ maxJobs = 4;
+ speedFactor = 8;
+ systems = [ "aarch64-linux" ];
+ supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
+ }
+ ];
 nix.distributedBuilds = true;
 programs.ssh = {
 knownHosts = {
 "seras.kyouma.net".publicKey = "sh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPNVavo3YHVsrYwXRVISu7kDoknn+5inFGySn4azlB8P";
+ "integra.kyouma.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBwEQiSfaDrUAwgul4mktusBPcIVxI4pLNDh9DPopVU";
 };
 };
 }
diff --git a/config/services/forgejo.nix b/config/services/forgejo.nix
new file mode 100644
index 0000000..79b43b5
--- /dev/null
+++ b/config/services/forgejo.nix
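Review bot: The untouched context line `"seras.kyouma.net".publicKey = "sh-ed25519 AAAAC3…"` in `programs.ssh.knownHosts` has the key type misspelt (`sh-ed25519` rather than `ssh-ed25519`), so the entry NixOS writes into the system known_hosts cannot be parsed and the seras builder is effectively unpinned for the remote-build SSH connection — the new integra line directly below spells it correctly. Since this commit already rewrites the block, fix it here: `"seras.kyouma.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPNVavo3YHVsrYwXRVISu7kDoknn+5inFGySn4azlB8P";`. The same two builder specs are now maintained by hand in `nix.buildMachines` here, in `config/files/builders` and in `nixConfig.builders` in `flake.nix`; deriving the latter two from this list would keep them from drifting.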
@@ -0,0 +1,76 @@
+{ config, inputs, pkgs, ... }: {
+ imports = [
+ inputs.sops-nix.nixosModules.sops
+ ];
+ sops.secrets."services/forgejo/mailerPassword" = {
+ sopsFile = ../../secrets/services/forgejo.yaml;
+ owner = "forgejo";
+ };
+ services.forgejo = {
+ enable = true;
+ mailerPasswordFile = config.sops.secrets."services/forgejo/mailerPassword".path;
+ database = {
+ createDatabase = true;
+ type = "postgres";
+ socket = "/run/postgresql";
+ };
+ dump = {
+ enable = true;
+ type = "tar.xz";
+ };
+ settings = {
+ "cron.sync_external_users" = {
+ RUN_AT_START = true;
+ SCHEDULE = "@every 24h";
+ UPDATE_EXISTING = true;
+ };
+ federation.ENABLED = true;
+ log.LEVEL = "Info";
+ mailer = {
+ ENABLED = true;
+ PROTOCOL = "smtp+starttls";
+ FROM = "git@kyouma.net";
+ SMTP_ADDR = "mail.kyouma.net";
+ USER = "git@kyouma.net";
+ };
+ mirror.DEFAULT_INTERVAL = "1h";
+ session = {
+ COOKIE_SECURE = true;
+ PROVIDER = "db";
+ SESSION_LIFE_TIME = 2592000;
+ };
+ server = {
+ STATIC_URL_PREFIX = "/static";
+ PROTOCOL = "http+unix";
+ DOMAIN = "git.kyouma.net";
+ };
+ security = {
+ LOGIN_REMEMBER_DAYS = 90;
+ PASSWORD_HASH_ALGO = "argon2";
+ MIN_PASSWORD_LENGTH = 16;
+ PASSWORD_COMPLEXITY = "spec";
+ };
+ service = {
+ REGISTER_EMAIL_CONFIRM = true;
+ ENABLE_NOTIFY_MAIL = true;
+ ENABLE_CAPTCHA = true;
+ DEFAULT_KEEP_EMAIL_PRIVATE = true;
+ };
+ repository.ENABLE_PUSH_CREATE_USER = true;
+ ui = {
+ EXPLORE_PAGING_NUM = 50;
+ ISSUE_PAGING_NUM = 50;
+ MEMBERS_PAGING_NUM = 50;
+ DEFAULT_THEME = "forgejo-dark";
+ SHOW_USER_EMAIL = false;
+ };
+ };
+ };
+ kyouma.nginx.virtualHosts."git.kyouma.net" = {
+ locations."/static/".alias = "${pkgs.forgejo.data}/public/";
+ locations."/" = {
+ proxyPass = "http://unix:/run/forgejo/forgejo.socket";
+ };
+ };
+ security.acme.certs."git.kyouma.net" = {};
+}
diff --git a/flake.nix b/flake.nix
index 1342ea5..b20d8d4 100644
--- a/flake.nix
+++ b/flake.nix
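Review bot: The `server` block sets `PROTOCOL = "http+unix"` and `DOMAIN` but neither `ROOT_URL` nor `HTTP_ADDR`, while nginx proxies to `http://unix:/run/forgejo/forgejo.socket`. If the NixOS module's defaults derive `ROOT_URL` from `PROTOCOL`/`DOMAIN`/`HTTP_PORT` and default `HTTP_ADDR` to a TCP address, the URLs Forgejo writes into clone instructions and into the confirmation and notification mails this config enables would carry the wrong scheme or port, and the listening socket may not be the path `proxyPass` expects — confirm against the module, or pin both explicitly: `ROOT_URL = "https://git.kyouma.net/"; HTTP_ADDR = "/run/forgejo/forgejo.socket";`. `service.DISABLE_REGISTRATION` is also left at Forgejo's upstream default (registration open), so with `federation.ENABLED = true` this is a publicly self-serve instance; if that is not the intent, add `DISABLE_REGISTRATION = true;` beside `ENABLE_CAPTCHA`. Finally, `security.acme.certs."git.kyouma.net" = {}` looks redundant with the `enableACME = true` that the `kyouma.nginx` wrapper adds for every host without `useACMEHost`; if it is deliberate, a one-line comment saying why would stop the next reader from removing it.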
@@ -45,7 +45,10 @@
 nixConfig = {
 builders-use-substitutes = true;
- builders = "ssh://build@seras.kyouma.net x86_64-linux,aarch64-linux - 40 5 nixos-test,benchmark,big-parallel,kvm";
+ builders = [
+ "ssh://build@seras.kyouma.net x86_64-linux - 40 40 nixos-test,benchmark,big-parallel,kvm"
+ "ssh://build@integra.kyouma.net aarch64-linux - 4 8 nixos-test,benchmark,big-parallel,kvm"
+ ];
 };
 outputs = { self, nixpkgs, flake-utils, ... }@inputs: let
diff --git a/modules/default.nix b/modules/default.nix
index 14d4e70..3577ffb 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,7 +1,7 @@
 { ... }: {
 imports = [
- ./machine-type
 ./deployment
- ./vhost
+ ./machine-type
+ ./nginx
 ];
 }
diff --git a/modules/nginx/default.nix b/modules/nginx/default.nix
new file mode 100644
index 0000000..d00b432
--- /dev/null
+++ b/modules/nginx/default.nix
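Review bot: `nixConfig.builders` is now a list of two strings, but as far as I can tell Nix serialises list-valued `nixConfig` settings by joining the elements with a single space, whereas the `builders` setting separates machine specs with `;` (or newlines), so the two entries would be read as one machine spec with surplus fields instead of two builders. Keep it a single string with an explicit separator: `builders = "ssh://build@seras.kyouma.net x86_64-linux - 40 40 nixos-test,benchmark,big-parallel,kvm; ssh://build@integra.kyouma.net aarch64-linux - 4 8 nixos-test,benchmark,big-parallel,kvm";` and verify the parsed value with `nix show-config builders` from inside the flake. The same specs are also maintained by hand in `config/files/builders` and `config/profiles/remote-build.nix`, so a single source for all three would avoid drift.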
@@ -0,0 +1,35 @@
+{ config, lib, ... }: let
+ extraConfig = ''
+ add_header Strict-Transport-Security $hsts_header;
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Referrer-Policy "same-origin" always;
+ '';
+ createHost = vhostName: vhostCfg: {
+ extraConfig = (lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) vhostCfg.extraConfig) + "\n" + extraConfig;
+ forceSSL = true;
+ #kTLS = true;
+ #http3 = true;
+ #quic = true;
+ } // lib.optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) {
+ enableACME = true;
+ } // lib.optionalAttrs (builtins.hasAttr "redirectTo" vhostCfg) {
+ enableACME = false;
+ useACMEHost = vhostCfg.redirectTo;
+ globalRedirect = vhostCfg.redirectTo;
+ } // (builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ]);
+
+in {
+ options = {
+ kyouma.nginx.virtualHosts = lib.mkOption {
+ type = with lib.types; nullOr anything;
+ default = null;
+ };
+ };
+ config = {
+ services.nginx.virtualHosts = lib.mkIf (config.kyouma.nginx.virtualHosts != null) (
+ builtins.mapAttrs (createHost) config.kyouma.nginx.virtualHosts);
+ };
+}
diff --git a/modules/vhost/default.nix b/modules/vhost/default.nix
deleted file mode 100644
index 456d3ad..0000000
--- a/modules/vhost/default.nix
+++ /dev/null
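Review bot: The default `extraConfig` sends `X-XSS-Protection "1; mode=block"`; the browser XSS auditor that header toggles has been removed from Chromium-based browsers and never existed in Firefox, and current guidance (OWASP, MDN) is to send `0` because the filter mode itself has been used for cross-site information leaks — change the line to `add_header X-XSS-Protection "0" always;` (the commented-out Content-Security-Policy is the real replacement). `$hsts_header` is referenced on the first `add_header` line but not defined in this hunk; nginx's config check rejects an unknown variable, so if the defining `map` lives in another module a comment such as `# $hsts_header is defined by a map in <module file> — keep both imported` on that line would save the next reader a failed rebuild. The option type `nullOr anything` lets a typo in a vhost attribute set pass straight through to `services.nginx.virtualHosts` unchecked; `nullOr (attrsOf (attrsOf anything))` would at least enforce the name → attrset shape that `createHost` relies on. Minor: `createHost` never uses `vhostName`, so `_: vhostCfg:` makes that explicit.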
@@ -1,47 +0,0 @@
-{ config, lib, ... }:
-
-with lib; let
- cfg = config.kyouma.nginx.virtualHosts;
- extraConfig = ''
- add_header Strict-Transport-Security $hsts_header;
- #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header Referrer-Policy "same-origin" always;
- '';
- virtHostCfg = {
- forceSSL = true;
- #kTLS = true;
- #http3 = true;
- #quic = true;
- };
- createHostFunc = builtins.mapAttrs (vhostName: vhostCfg:
- with lib; let
- mkRedirect = if builtins.hasAttr "redirectTo" vhostCfg
- then {
- useACMEHost = vhostCfg.redirectTo;
- globalRedirect = vhostCfg.redirectTo;
- } else (
- optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) {
- enableACME = true;
- });
- extraCfg = if builtins.hasAttr "extraConfig" vhostCfg
- then { extraConfig = ''${vhostCfg.extraConfig} ${extraConfig}''; }
- else { inherit extraConfig; };
- in
- virtHostCfg // mkRedirect // extraCfg //
- (builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ])
- );
-in {
- options = {
- kyouma.nginx.virtualHosts = mkOption {
- type = with types; nullOr anything;
- default = null;
- };
- };
- config = {
- services.nginx.virtualHosts = mkIf (cfg != null) (createHostFunc (cfg));
- };
-}
-
diff --git a/secrets/services/forgejo.yaml b/secrets/services/forgejo.yaml
new file mode 100644
index 0000000..90478bd
--- /dev/null
+++ b/secrets/services/forgejo.yaml
@@ -0,0 +1,34 @@
+services:
+ forgejo:
+ mailerPassword: ENC[AES256_GCM,data:x4JQppFSseA+QNxQYbOlG0nTV66CzGKGTzhzGpWVVcQ=,iv:wcIO5Ow3DStEvrxzpnO2xD9SHRYz3PGYrMIYwJ0H+bI=,tag:Pv90jkF5SuXdc+942mBTFA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkd3djMk56SytWVmo5RDNw
+ NHMvUEtRMGZyUzFiakVGZE1aWTFjZnJkbFM4Cjk0a2FqdXVhdnNzUUxBWmlJc0tX
+ VUdyalNLMVRzcWQ4MnM4UlhYSEkwUWMKLS0tIG9VUVdsQ3VBc1BnZTgvb3B4c3l3
+ azZWZ1ZzV01LTVJ5YW9DREd3NmRYMm8KDJ/tAgBGmATYSY39IR2SXKxOqTVkcijC
+ MI7kq5wqQBZP/yHdCrjQymnqH8Nvxf0s3iXpGBlPxURfowe+iH5F3A==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-05-02T14:54:13Z"
+ mac: ENC[AES256_GCM,data:N5mdPONsyiUy5TGUI2rurxyd5Lczt7pMwdhI7eKqk5ZThZAf6dni/xhv+gO5LXDHTIdtopFegsk3t5FWtkCK+U6B+1ouU8E6mBDLTwVHa0+cZcf42eTipAATLxGjQRhgHxfUSfU4ndke96Nx6MN/F57n+fUAmMyrenhJunlCLnc=,iv:rMpOparLNS4yxFra6x1LT7kuYQQETD/UVFIZ2buVTLM=,tag:QLC+t6yCHlVgA6N0vlCHJg==,type:str]
+ pgp:
+ - created_at: "2024-05-02T14:52:36Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4D1GtNSlou/HkSAQdARZLi4xZr9dGTiHolSWZreUv6PzkAT2q+/orYXzeiO20w
+ fRrP5wiXgxA+15zzloqz6JPFhdwunGLum7zcQ2oqOvj/X+9TCd0KP+iu/PpIaUPJ
+ 0l4BPEMOXUwlK0Ll1z0vwjlabQkuGvvKEWVquaWP+uqwX8VkBnv4rZimiI9J8P3p
+ sIuqm66WGEDHI5MuX4GuBKcd78wRm4d3c5KY6cuk8AzfO5+0wKPcKgB/KyGCzi/n
+ =SNC/
+ -----END PGP MESSAGE-----
+ fp: B04F01A7A98A13020C39B4A68AB7B773A214ACE5
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1