added forgejo
parent
3201fd5a96
commit
7b12839890
10 changed files with 196 additions and 59 deletions
23
.sops.yaml
Normal file
|
@ -0,0 +1,23 @@
|
|||
keys:
|
||||
- &emily B04F01A7A98A13020C39B4A68AB7B773A214ACE5
|
||||
- &seras age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd
|
||||
- &alucard age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd
|
||||
creation_rules:
|
||||
- path_regex: secrets/services/dns-knot.yaml
|
||||
key_groups:
|
||||
- pgp:
|
||||
- *emily
|
||||
age:
|
||||
- *seras
|
||||
- path_regex: secrets/services/attic.yaml
|
||||
key_groups:
|
||||
- pgp:
|
||||
- *emily
|
||||
age:
|
||||
- *seras
|
||||
- path_regex: secrets/services/forgejo.yaml
|
||||
key_groups:
|
||||
- pgp:
|
||||
- *emily
|
||||
age:
|
||||
- *alucard
|
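Review bot: The `&seras` and `&alucard` anchors carry the identical age recipient `age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd`, so the `secrets/services/forgejo.yaml` rule that lists only `*alucard` is in practice encrypted to seras's key — the encrypted file added in this commit shows exactly that one recipient. If this is a copy-paste and alucard has its own host key, replace the `&alucard` value with its `ssh-to-age` output and run `sops updatekeys secrets/services/forgejo.yaml`; otherwise sops-nix would presumably fail to decrypt the mailer password at activation on the host that imports `services/forgejo.nix`. If the two hosts genuinely share one private age key, the per-host split in this file is cosmetic and a compromise of either host exposes every secret encrypted to it. A provenance comment on each key, e.g. `# alucard: ssh-to-age of /etc/ssh/ssh_host_ed25519_key.pub`, would make this checkable at review time.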
|
@ -1 +1,2 @@
|
|||
ssh://build@seras.kyouma.net x86_64-linux,aarch64-linux - 40 5 nixos-test,benchmark,big-parallel,kvm
|
||||
ssh://build@seras.kyouma.net x86_64-linux - 40 40 nixos-test,benchmark,big-parallel,kvm
|
||||
ssh://build@integra.kyouma.net aarch64-linux - 4 8 nixos-test,benchmark,big-parallel,kvm
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
../../common
|
||||
../../profiles/builder.nix
|
||||
../../profiles/headless.nix
|
||||
../../services/forgejo.nix
|
||||
./hardware-configuration.nix
|
||||
./disko.nix
|
||||
];
|
||||
|
|
|
@ -1,16 +1,27 @@
|
|||
{config, lib, pkgs, ... }: {
|
||||
nix.buildMachines = [{
|
||||
hostName = "seras.kyouma.net";
|
||||
sshUser = "build";
|
||||
maxJobs = 40;
|
||||
speedFactor = 5;
|
||||
systems = [ "aarch64-linux" "x86_64-linux" ];
|
||||
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
|
||||
}];
|
||||
nix.buildMachines = [
|
||||
{
|
||||
hostName = "seras.kyouma.net";
|
||||
sshUser = "build";
|
||||
maxJobs = 40;
|
||||
speedFactor = 40;
|
||||
systems = [ "x86_64-linux" ];
|
||||
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
|
||||
}
|
||||
{
|
||||
hostName = "integra.kyouma.net";
|
||||
sshUser = "build";
|
||||
maxJobs = 4;
|
||||
speedFactor = 8;
|
||||
systems = [ "aarch64-linux" ];
|
||||
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
|
||||
}
|
||||
];
|
||||
nix.distributedBuilds = true;
|
||||
programs.ssh = {
|
||||
knownHosts = {
|
||||
"seras.kyouma.net".publicKey = "sh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPNVavo3YHVsrYwXRVISu7kDoknn+5inFGySn4azlB8P";
|
||||
"integra.kyouma.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBwEQiSfaDrUAwgul4mktusBPcIVxI4pLNDh9DPopVU";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
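Review bot: The known-host entry for `seras.kyouma.net` reads `sh-ed25519 AAAA…` — the key type is missing its leading `s`, so the line written to `/etc/ssh/ssh_known_hosts` is not a valid key and gives no host-key pinning for the builder that `nix.buildMachines` now routes all x86_64 jobs to. It should be `"seras.kyouma.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPNVavo3YHVsrYwXRVISu7kDoknn+5inFGySn4azlB8P";`, matching the correctly typed integra entry on the next line. These are unchanged context lines, but this commit raises seras's `speedFactor` to 40 and adds a second remote builder, so the trust path to these hosts is exactly what the change leans on. Whether builds currently succeed because host checking is relaxed somewhere else cannot be told from this file.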
|
76
config/services/forgejo.nix
Normal file
|
@ -0,0 +1,76 @@
|
|||
{ config, inputs, pkgs, ... }: {
|
||||
imports = [
|
||||
inputs.sops-nix.nixosModules.sops
|
||||
];
|
||||
sops.secrets."services/forgejo/mailerPassword" = {
|
||||
sopsFile = ../../secrets/services/forgejo.yaml;
|
||||
owner = "forgejo";
|
||||
};
|
||||
services.forgejo = {
|
||||
enable = true;
|
||||
mailerPasswordFile = config.sops.secrets."services/forgejo/mailerPassword".path;
|
||||
database = {
|
||||
createDatabase = true;
|
||||
type = "postgres";
|
||||
socket = "/run/postgresql";
|
||||
};
|
||||
dump = {
|
||||
enable = true;
|
||||
type = "tar.xz";
|
||||
};
|
||||
settings = {
|
||||
"cron.sync_external_users" = {
|
||||
RUN_AT_START = true;
|
||||
SCHEDULE = "@every 24h";
|
||||
UPDATE_EXISTING = true;
|
||||
};
|
||||
federation.ENABLED = true;
|
||||
log.LEVEL = "Info";
|
||||
mailer = {
|
||||
ENABLED = true;
|
||||
PROTOCOL = "smtp+starttls";
|
||||
FROM = "git@kyouma.net";
|
||||
SMTP_ADDR = "mail.kyouma.net";
|
||||
USER = "git@kyouma.net";
|
||||
};
|
||||
mirror.DEFAULT_INTERVAL = "1h";
|
||||
session = {
|
||||
COOKIE_SECURE = true;
|
||||
PROVIDER = "db";
|
||||
SESSION_LIFE_TIME = 2592000;
|
||||
};
|
||||
server = {
|
||||
STATIC_URL_PREFIX = "/static";
|
||||
PROTOCOL = "http+unix";
|
||||
DOMAIN = "git.kyouma.net";
|
||||
};
|
||||
security = {
|
||||
LOGIN_REMEMBER_DAYS = 90;
|
||||
PASSWORD_HASH_ALGO = "argon2";
|
||||
MIN_PASSWORD_LENGTH = 16;
|
||||
PASSWORD_COMPLEXITY = "spec";
|
||||
};
|
||||
service = {
|
||||
REGISTER_EMAIL_CONFIRM = true;
|
||||
ENABLE_NOTIFY_MAIL = true;
|
||||
ENABLE_CAPTCHA = true;
|
||||
DEFAULT_KEEP_EMAIL_PRIVATE = true;
|
||||
};
|
||||
repository.ENABLE_PUSH_CREATE_USER = true;
|
||||
ui = {
|
||||
EXPLORE_PAGING_NUM = 50;
|
||||
ISSUE_PAGING_NUM = 50;
|
||||
MEMBERS_PAGING_NUM = 50;
|
||||
DEFAULT_THEME = "forgejo-dark";
|
||||
SHOW_USER_EMAIL = false;
|
||||
};
|
||||
};
|
||||
};
|
||||
kyouma.nginx.virtualHosts."git.kyouma.net" = {
|
||||
locations."/static/".alias = "${pkgs.forgejo.data}/public/";
|
||||
locations."/" = {
|
||||
proxyPass = "http://unix:/run/forgejo/forgejo.socket";
|
||||
};
|
||||
};
|
||||
security.acme.certs."git.kyouma.net" = {};
|
||||
}
|
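Review bot: `settings.server` sets `DOMAIN` and `PROTOCOL = "http+unix"` but no `ROOT_URL`; the NixOS module's default derives it from `DOMAIN` and `HTTP_PORT` with an `http://` scheme (confirm against the module version in use), so clone URLs, notification-mail links and any OAuth or federation callbacks would advertise `http://git.kyouma.net:3000/` instead of the HTTPS origin nginx serves. Add `ROOT_URL = "https://git.kyouma.net/";` to the `server` block — with `session.COOKIE_SECURE = true` and `federation.ENABLED = true` the externally visible URL has to be right. Two hedged follow-ups: the vhost proxies to `/run/forgejo/forgejo.socket` while nothing here sets `HTTP_ADDR`, so verify the module's default socket path is the same name (I recall `forgejo.sock`), and `service` leaves registration open while `repository.ENABLE_PUSH_CREATE_USER = true` lets any self-registered account create repositories by push — either set `DISABLE_REGISTRATION = true` or add a comment stating that open registration is intended.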
|
@ -45,7 +45,10 @@
|
|||
|
||||
nixConfig = {
|
||||
builders-use-substitutes = true;
|
||||
builders = "ssh://build@seras.kyouma.net x86_64-linux,aarch64-linux - 40 5 nixos-test,benchmark,big-parallel,kvm";
|
||||
builders = [
|
||||
"ssh://build@seras.kyouma.net x86_64-linux - 40 40 nixos-test,benchmark,big-parallel,kvm"
|
||||
"ssh://build@integra.kyouma.net aarch64-linux - 4 8 nixos-test,benchmark,big-parallel,kvm"
|
||||
];
|
||||
};
|
||||
|
||||
outputs = { self, nixpkgs, flake-utils, ... }@inputs: let
|
||||
|
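Review bot: The two `builders` entries omit the optional trailing public-host-key field, so `nix` authenticates `seras` and `integra` only through the evaluating user's or system's known_hosts; on machines that import `profiles/builder.nix` that is covered, but for anyone else accepting this flake's `nixConfig` the first connection is either refused or trust-on-first-use depending on their ssh settings. Either append the base64 host key as the last field of each entry, or note in a comment that pinning lives in `profiles/builder.nix`. A comment such as `# only applied when the user accepts the flake config (accept-flake-config); derivations are sent to these hosts over SSH` would also make the trust implication explicit to contributors.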
|
|
@ -1,7 +1,7 @@
|
|||
{ ... }: {
|
||||
imports = [
|
||||
./machine-type
|
||||
./deployment
|
||||
./vhost
|
||||
./machine-type
|
||||
./nginx
|
||||
];
|
||||
}
|
||||
|
|
35
modules/nginx/default.nix
Normal file
|
@ -0,0 +1,35 @@
|
|||
{ config, lib, ... }: let
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security $hsts_header;
|
||||
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header Referrer-Policy "same-origin" always;
|
||||
'';
|
||||
createHost = vhostName: vhostCfg: {
|
||||
extraConfig = (lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) vhostCfg.extraConfig) + "\n" + extraConfig;
|
||||
forceSSL = true;
|
||||
#kTLS = true;
|
||||
#http3 = true;
|
||||
#quic = true;
|
||||
} // lib.optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) {
|
||||
enableACME = true;
|
||||
} // lib.optionalAttrs (builtins.hasAttr "redirectTo" vhostCfg) {
|
||||
enableACME = false;
|
||||
useACMEHost = vhostCfg.redirectTo;
|
||||
globalRedirect = vhostCfg.redirectTo;
|
||||
} // (builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ]);
|
||||
|
||||
in {
|
||||
options = {
|
||||
kyouma.nginx.virtualHosts = lib.mkOption {
|
||||
type = with lib.types; nullOr anything;
|
||||
default = null;
|
||||
};
|
||||
};
|
||||
config = {
|
||||
services.nginx.virtualHosts = lib.mkIf (config.kyouma.nginx.virtualHosts != null) (
|
||||
builtins.mapAttrs (createHost) config.kyouma.nginx.virtualHosts);
|
||||
};
|
||||
}
|
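Review bot: In `extraConfig` the `Strict-Transport-Security` line is the only `add_header` without `always`, so HSTS is not emitted on 4xx/5xx responses although the other hardening headers are; change it to `add_header Strict-Transport-Security $hsts_header always;`. It also relies on a `$hsts_header` variable that is presumably defined by a `map` elsewhere in the tree — nginx refuses to load a config that references an undefined variable — so a comment such as `# $hsts_header comes from the map in <file>` would save the next reader a search. Separately, `X-XSS-Protection "1; mode=block"` enables a filter that current browsers have removed and that was an information-leak vector in older ones; the usual recommendation today is `"0"`, with the commented-out `Content-Security-Policy` being the actual mitigation. Note too that nginx does not inherit `add_header` into a location or vhost `extraConfig` that sets its own `add_header`, so per-host additions silently drop this whole set.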
|
@ -1,47 +0,0 @@
|
|||
{ config, lib, ... }:
|
||||
|
||||
with lib; let
|
||||
cfg = config.kyouma.nginx.virtualHosts;
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security $hsts_header;
|
||||
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header Referrer-Policy "same-origin" always;
|
||||
'';
|
||||
virtHostCfg = {
|
||||
forceSSL = true;
|
||||
#kTLS = true;
|
||||
#http3 = true;
|
||||
#quic = true;
|
||||
};
|
||||
createHostFunc = builtins.mapAttrs (vhostName: vhostCfg:
|
||||
with lib; let
|
||||
mkRedirect = if builtins.hasAttr "redirectTo" vhostCfg
|
||||
then {
|
||||
useACMEHost = vhostCfg.redirectTo;
|
||||
globalRedirect = vhostCfg.redirectTo;
|
||||
} else (
|
||||
optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) {
|
||||
enableACME = true;
|
||||
});
|
||||
extraCfg = if builtins.hasAttr "extraConfig" vhostCfg
|
||||
then { extraConfig = ''${vhostCfg.extraConfig} ${extraConfig}''; }
|
||||
else { inherit extraConfig; };
|
||||
in
|
||||
virtHostCfg // mkRedirect // extraCfg //
|
||||
(builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ])
|
||||
);
|
||||
in {
|
||||
options = {
|
||||
kyouma.nginx.virtualHosts = mkOption {
|
||||
type = with types; nullOr anything;
|
||||
default = null;
|
||||
};
|
||||
};
|
||||
config = {
|
||||
services.nginx.virtualHosts = mkIf (cfg != null) (createHostFunc (cfg));
|
||||
};
|
||||
}
|
||||
|
34
secrets/services/forgejo.yaml
Normal file
|
@ -0,0 +1,34 @@
|
|||
services:
|
||||
forgejo:
|
||||
mailerPassword: ENC[AES256_GCM,data:x4JQppFSseA+QNxQYbOlG0nTV66CzGKGTzhzGpWVVcQ=,iv:wcIO5Ow3DStEvrxzpnO2xD9SHRYz3PGYrMIYwJ0H+bI=,tag:Pv90jkF5SuXdc+942mBTFA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkd3djMk56SytWVmo5RDNw
|
||||
NHMvUEtRMGZyUzFiakVGZE1aWTFjZnJkbFM4Cjk0a2FqdXVhdnNzUUxBWmlJc0tX
|
||||
VWRyalNLMVRzcWQ4MnM4UlhYSEkwUWMKLS0tIG9VUVdsQ3VBc1BnZTgvb3B4c3l3
|
||||
azZWZ1ZzV01LTVJ5YW9DREd3NmRYMm8KDJ/tAgBGmATYSY39IR2SXKxOqTVkcijC
|
||||
MI7kq5wqQBZP/yHdCrjQymnqH8Nvxf0s3iXpGBlPxURfowe+iH5F3A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-05-02T14:54:13Z"
|
||||
mac: ENC[AES256_GCM,data:N5mdPONsyiUy5TGUI2rurxyd5Lczt7pMwdhI7eKqk5ZThZAf6dni/xhv+gO5LXDHTIdtopFegsk3t5FWtkCK+U6B+1ouU8E6mBDLTwVHa0+cZcf42eTipAATLxGjQRhgHxfUSfU4ndke96Nx6MN/F57n+fUAmMyrenhJunlCLnc=,iv:rMpOparLNS4yxFra6x1LT7kuYQQETD/UVFIZ2buVTLM=,tag:QLC+t6yCHlVgA6N0vlCHJg==,type:str]
|
||||
pgp:
|
||||
- created_at: "2024-05-02T14:52:36Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hF4D1GtNSlou/HkSAQdARZLi4xZr9dGTiHolSWZreUv6PzkAT2q+/orYXzeiO20w
|
||||
fRrP5wiXgxA+15zzloqz6JPFhdwunGLum7zcQ2oqOvj/X+9TCd0KP+iu/PpIaUPJ
|
||||
0l4BPEMOXUwlK0Ll1z0vwjlabQkuGvvKEWVquaWP+uqwX8VkBnv4rZimiI9J8P3p
|
||||
sIuqm66WGEDHI5MuX4GuBKcd78wRm4d3c5KY6cuk8AzfO5+0wKPcKgB/KyGCzi/n
|
||||
=SNC/
|
||||
-----END PGP MESSAGE-----
|
||||
fp: B04F01A7A98A13020C39B4A68AB7B773A214ACE5
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|