added forgejo
parent
3201fd5a96
commit
7b12839890
10 changed files with 196 additions and 59 deletions
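--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,23 @@
+keys:
+  - &emily B04F01A7A98A13020C39B4A68AB7B773A214ACE5
+  - &seras age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd
+  - &alucard age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd
+creation_rules:
+  - path_regex: secrets/services/dns-knot.yaml
+    key_groups:
+      - pgp:
+          - *emily
+        age:
+          - *seras
+  - path_regex: secrets/services/attic.yaml
+    key_groups:
+      - pgp:
+          - *emily
+        age:
+          - *seras
+  - path_regex: secrets/services/forgejo.yaml
+    key_groups:
+      - pgp:
+          - *emily
+        age:
+          - *alucard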
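Review bot: `&seras` and `&alucard` carry the same age recipient (`age1ht2w…uqvd`), so the forgejo creation rule encrypts to seras's key under alucard's name. If alucard is a separate host it cannot decrypt secrets/services/forgejo.yaml, and if the key is deliberately shared then one compromised host exposes the other's secrets as well; an anchor that is a byte-for-byte duplicate of the previous one reads like a copy-paste. Suggest giving alucard its own recipient (`- &alucard <alucard-age-recipient — placeholder>`) and re-encrypting the affected file with `sops updatekeys`.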
@ -1 +1,2 @@
|
||||||
ssh://build@seras.kyouma.net x86_64-linux,aarch64-linux - 40 5 nixos-test,benchmark,big-parallel,kvm
|
ssh://build@seras.kyouma.net x86_64-linux - 40 40 nixos-test,benchmark,big-parallel,kvm
|
||||||
|
ssh://build@integra.kyouma.net aarch64-linux - 4 8 nixos-test,benchmark,big-parallel,kvm
|
||||||
|
@ -3,6 +3,7 @@
|
||||||
../../common
|
../../common
|
||||||
../../profiles/builder.nix
|
../../profiles/builder.nix
|
||||||
../../profiles/headless.nix
|
../../profiles/headless.nix
|
||||||
|
../../services/forgejo.nix
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
./disko.nix
|
./disko.nix
|
||||||
];
|
];
|
||||||
@ -1,16 +1,27 @@
|
||||||
{config, lib, pkgs, ... }: {
|
{config, lib, pkgs, ... }: {
|
||||||
nix.buildMachines = [{
|
nix.buildMachines = [
|
||||||
|
{
|
||||||
hostName = "seras.kyouma.net";
|
hostName = "seras.kyouma.net";
|
||||||
sshUser = "build";
|
sshUser = "build";
|
||||||
maxJobs = 40;
|
maxJobs = 40;
|
||||||
speedFactor = 5;
|
speedFactor = 40;
|
||||||
systems = [ "aarch64-linux" "x86_64-linux" ];
|
systems = [ "x86_64-linux" ];
|
||||||
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
|
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
|
||||||
}];
|
}
|
||||||
|
{
|
||||||
|
hostName = "integra.kyouma.net";
|
||||||
|
sshUser = "build";
|
||||||
|
maxJobs = 4;
|
||||||
|
speedFactor = 8;
|
||||||
|
systems = [ "aarch64-linux" ];
|
||||||
|
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
|
||||||
|
}
|
||||||
|
];
|
||||||
nix.distributedBuilds = true;
|
nix.distributedBuilds = true;
|
||||||
programs.ssh = {
|
programs.ssh = {
|
||||||
knownHosts = {
|
knownHosts = {
|
||||||
"seras.kyouma.net".publicKey = "sh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPNVavo3YHVsrYwXRVISu7kDoknn+5inFGySn4azlB8P";
|
"seras.kyouma.net".publicKey = "sh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPNVavo3YHVsrYwXRVISu7kDoknn+5inFGySn4azlB8P";
|
||||||
|
"integra.kyouma.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBwEQiSfaDrUAwgul4mktusBPcIVxI4pLNDh9DPopVU";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
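Review bot: the context line `"seras.kyouma.net".publicKey = "sh-ed25519 AAAAC3…"` has a malformed key type (`sh-ed25519` instead of `ssh-ed25519`), while the new integra entry below it is spelled correctly; ssh skips a known_hosts line whose key type it cannot parse, so host-key verification for the seras builder cannot succeed from this entry and depends on whatever else is in known_hosts or on the client's StrictHostKeyChecking policy. Since this is the machine that receives distributed builds, it is worth fixing in the same change: `"seras.kyouma.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPNVavo3YHVsrYwXRVISu7kDoknn+5inFGySn4azlB8P";`. The file header for this section is not shown in this rendering, so the path is inferred from the content (`nix.buildMachines`).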
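--- a/config/services/forgejo.nix
+++ b/config/services/forgejo.nix
@@ -0,0 +1,76 @@
+{ config, inputs, pkgs, ... }: {
+  imports = [
+    inputs.sops-nix.nixosModules.sops
+  ];
+  sops.secrets."services/forgejo/mailerPassword" = {
+    sopsFile = ../../secrets/services/forgejo.yaml;
+    owner = "forgejo";
+  };
+  services.forgejo = {
+    enable = true;
+    mailerPasswordFile = config.sops.secrets."services/forgejo/mailerPassword".path;
+    database = {
+      createDatabase = true;
+      type = "postgres";
+      socket = "/run/postgresql";
+    };
+    dump = {
+      enable = true;
+      type = "tar.xz";
+    };
+    settings = {
+      "cron.sync_external_users" = {
+        RUN_AT_START = true;
+        SCHEDULE = "@every 24h";
+        UPDATE_EXISTING = true;
+      };
+      federation.ENABLED = true;
+      log.LEVEL = "Info";
+      mailer = {
+        ENABLED = true;
+        PROTOCOL = "smtp+starttls";
+        FROM = "git@kyouma.net";
+        SMTP_ADDR = "mail.kyouma.net";
+        USER = "git@kyouma.net";
+      };
+      mirror.DEFAULT_INTERVAL = "1h";
+      session = {
+        COOKIE_SECURE = true;
+        PROVIDER = "db";
+        SESSION_LIFE_TIME = 2592000;
+      };
+      server = {
+        STATIC_URL_PREFIX = "/static";
+        PROTOCOL = "http+unix";
+        DOMAIN = "git.kyouma.net";
+      };
+      security = {
+        LOGIN_REMEMBER_DAYS = 90;
+        PASSWORD_HASH_ALGO = "argon2";
+        MIN_PASSWORD_LENGTH = 16;
+        PASSWORD_COMPLEXITY = "spec";
+      };
+      service = {
+        REGISTER_EMAIL_CONFIRM = true;
+        ENABLE_NOTIFY_MAIL = true;
+        ENABLE_CAPTCHA = true;
+        DEFAULT_KEEP_EMAIL_PRIVATE = true;
+      };
+      repository.ENABLE_PUSH_CREATE_USER = true;
+      ui = {
+        EXPLORE_PAGING_NUM = 50;
+        ISSUE_PAGING_NUM = 50;
+        MEMBERS_PAGING_NUM = 50;
+        DEFAULT_THEME = "forgejo-dark";
+        SHOW_USER_EMAIL = false;
+      };
+    };
+  };
+  kyouma.nginx.virtualHosts."git.kyouma.net" = {
+    locations."/static/".alias = "${pkgs.forgejo.data}/public/";
+    locations."/" = {
+      proxyPass = "http://unix:/run/forgejo/forgejo.socket";
+    };
+  };
+  security.acme.certs."git.kyouma.net" = {};
+}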
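Review bot: `locations."/static/".alias = "${pkgs.forgejo.data}/public/"` pins the static assets to `pkgs.forgejo` rather than to the package the service actually runs, so if `services.forgejo.package` is ever overridden (or a different input supplies `pkgs`) nginx serves assets from one Forgejo version while the backend runs another; `config.services.forgejo.package.data` keeps the two in step. The proxy target `http://unix:/run/forgejo/forgejo.socket` should also be checked against the socket the service really binds: `server.HTTP_ADDR` is not set here, so the NixOS module's default for `http+unix` applies, and I am not certain it matches that file name — verify before relying on it. Registration stays open (no `service.DISABLE_REGISTRATION`), which together with `federation.ENABLED = true` and `ENABLE_PUSH_CREATE_USER = true` looks deliberate, but a one-line comment stating that public sign-up is intended would stop a later reader from "fixing" it.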
@ -45,7 +45,10 @@
|
||||||
|
|
||||||
nixConfig = {
|
nixConfig = {
|
||||||
builders-use-substitutes = true;
|
builders-use-substitutes = true;
|
||||||
builders = "ssh://build@seras.kyouma.net x86_64-linux,aarch64-linux - 40 5 nixos-test,benchmark,big-parallel,kvm";
|
builders = [
|
||||||
|
"ssh://build@seras.kyouma.net x86_64-linux - 40 40 nixos-test,benchmark,big-parallel,kvm"
|
||||||
|
"ssh://build@integra.kyouma.net aarch64-linux - 4 8 nixos-test,benchmark,big-parallel,kvm"
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = { self, nixpkgs, flake-utils, ... }@inputs: let
|
outputs = { self, nixpkgs, flake-utils, ... }@inputs: let
|
||||||
@ -1,7 +1,7 @@
|
||||||
{ ... }: {
|
{ ... }: {
|
||||||
imports = [
|
imports = [
|
||||||
./machine-type
|
|
||||||
./deployment
|
./deployment
|
||||||
./vhost
|
./machine-type
|
||||||
|
./nginx
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
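--- a/modules/nginx/default.nix
+++ b/modules/nginx/default.nix
@@ -0,0 +1,35 @@
+{ config, lib, ... }: let
+  extraConfig = ''
+    add_header Strict-Transport-Security $hsts_header;
+    #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header Referrer-Policy "same-origin" always;
+  '';
+  createHost = vhostName: vhostCfg: {
+    extraConfig = (lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) vhostCfg.extraConfig) + "\n" + extraConfig;
+    forceSSL = true;
+    #kTLS = true;
+    #http3 = true;
+    #quic = true;
+  } // lib.optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) {
+    enableACME = true;
+  } // lib.optionalAttrs (builtins.hasAttr "redirectTo" vhostCfg) {
+    enableACME = false;
+    useACMEHost = vhostCfg.redirectTo;
+    globalRedirect = vhostCfg.redirectTo;
+  } // (builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ]);
+
+in {
+  options = {
+    kyouma.nginx.virtualHosts = lib.mkOption {
+      type = with lib.types; nullOr anything;
+      default = null;
+    };
+  };
+  config = {
+    services.nginx.virtualHosts = lib.mkIf (config.kyouma.nginx.virtualHosts != null) (
+      builtins.mapAttrs (createHost) config.kyouma.nginx.virtualHosts);
+  };
+}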
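Review bot: `add_header X-XSS-Protection "1; mode=block" always;` is carried over from the deleted vhost module but no longer matches current guidance: modern browsers ignore the header and the legacy filter it enables in older ones has been abused for cross-site leaks, so the recommendation is now `add_header X-XSS-Protection "0" always;` plus a real Content-Security-Policy, which here is still the commented-out line above it. Separately, nginx's `add_header` is not inherited into any `location` block that declares its own `add_header`, so a consumer that adds a header inside `locations.<path>.extraConfig` silently loses this whole set for that location; a comment above the `extraConfig` binding such as `# NOTE: nginx drops these headers in any location that sets its own add_header` would save the next user that surprise. `nullOr anything` for `kyouma.nginx.virtualHosts` also lets a mistyped option name pass through unchecked until the nginx module rejects it; `with lib.types; nullOr (attrsOf (attrsOf anything))` would at least enforce the shape.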
@ -1,47 +0,0 @@
|
||||||
{ config, lib, ... }:
|
|
||||||
|
|
||||||
with lib; let
|
|
||||||
cfg = config.kyouma.nginx.virtualHosts;
|
|
||||||
extraConfig = ''
|
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
|
||||||
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
|
||||||
add_header X-Content-Type-Options "nosniff" always;
|
|
||||||
add_header X-XSS-Protection "1; mode=block" always;
|
|
||||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
||||||
add_header Referrer-Policy "same-origin" always;
|
|
||||||
'';
|
|
||||||
virtHostCfg = {
|
|
||||||
forceSSL = true;
|
|
||||||
#kTLS = true;
|
|
||||||
#http3 = true;
|
|
||||||
#quic = true;
|
|
||||||
};
|
|
||||||
createHostFunc = builtins.mapAttrs (vhostName: vhostCfg:
|
|
||||||
with lib; let
|
|
||||||
mkRedirect = if builtins.hasAttr "redirectTo" vhostCfg
|
|
||||||
then {
|
|
||||||
useACMEHost = vhostCfg.redirectTo;
|
|
||||||
globalRedirect = vhostCfg.redirectTo;
|
|
||||||
} else (
|
|
||||||
optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) {
|
|
||||||
enableACME = true;
|
|
||||||
});
|
|
||||||
extraCfg = if builtins.hasAttr "extraConfig" vhostCfg
|
|
||||||
then { extraConfig = ''${vhostCfg.extraConfig} ${extraConfig}''; }
|
|
||||||
else { inherit extraConfig; };
|
|
||||||
in
|
|
||||||
virtHostCfg // mkRedirect // extraCfg //
|
|
||||||
(builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ])
|
|
||||||
);
|
|
||||||
in {
|
|
||||||
options = {
|
|
||||||
kyouma.nginx.virtualHosts = mkOption {
|
|
||||||
type = with types; nullOr anything;
|
|
||||||
default = null;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
config = {
|
|
||||||
services.nginx.virtualHosts = mkIf (cfg != null) (createHostFunc (cfg));
|
|
||||||
};
|
|
||||||
}
|
|
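--- a/secrets/services/forgejo.yaml
+++ b/secrets/services/forgejo.yaml
@@ -0,0 +1,34 @@
+services:
+    forgejo:
+        mailerPassword: ENC[AES256_GCM,data:x4JQppFSseA+QNxQYbOlG0nTV66CzGKGTzhzGpWVVcQ=,iv:wcIO5Ow3DStEvrxzpnO2xD9SHRYz3PGYrMIYwJ0H+bI=,tag:Pv90jkF5SuXdc+942mBTFA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkd3djMk56SytWVmo5RDNw
+            NHMvUEtRMGZyUzFiakVGZE1aWTFjZnJkbFM4Cjk0a2FqdXVhdnNzUUxBWmlJc0tX
+            VWRyalNLMVRzcWQ4MnM4UlhYSEkwUWMKLS0tIG9VUVdsQ3VBc1BnZTgvb3B4c3l3
+            azZWZ1ZzV01LTVJ5YW9DREd3NmRYMm8KDJ/tAgBGmATYSY39IR2SXKxOqTVkcijC
+            MI7kq5wqQBZP/yHdCrjQymnqH8Nvxf0s3iXpGBlPxURfowe+iH5F3A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-05-02T14:54:13Z"
+    mac: ENC[AES256_GCM,data:N5mdPONsyiUy5TGUI2rurxyd5Lczt7pMwdhI7eKqk5ZThZAf6dni/xhv+gO5LXDHTIdtopFegsk3t5FWtkCK+U6B+1ouU8E6mBDLTwVHa0+cZcf42eTipAATLxGjQRhgHxfUSfU4ndke96Nx6MN/F57n+fUAmMyrenhJunlCLnc=,iv:rMpOparLNS4yxFra6x1LT7kuYQQETD/UVFIZ2buVTLM=,tag:QLC+t6yCHlVgA6N0vlCHJg==,type:str]
+    pgp:
+        - created_at: "2024-05-02T14:52:36Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4D1GtNSlou/HkSAQdARZLi4xZr9dGTiHolSWZreUv6PzkAT2q+/orYXzeiO20w
+            fRrP5wiXgxA+15zzloqz6JPFhdwunGLum7zcQ2oqOvj/X+9TCd0KP+iu/PpIaUPJ
+            0l4BPEMOXUwlK0Ll1z0vwjlabQkuGvvKEWVquaWP+uqwX8VkBnv4rZimiI9J8P3p
+            sIuqm66WGEDHI5MuX4GuBKcd78wRm4d3c5KY6cuk8AzfO5+0wKPcKgB/KyGCzi/n
+            =SNC/
+            -----END PGP MESSAGE-----
+          fp: B04F01A7A98A13020C39B4A68AB7B773A214ACE5
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1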