
added forgejo

This commit is contained in:
emily 2024-04-30 21:55:41 +02:00
parent 3201fd5a96
commit 7b12839890
Signed by untrusted user: emily
GPG key ID: F6F4C66207FCF995
10 changed files with 196 additions and 59 deletions

23
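--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,23 @@
+keys:
+- &emily B04F01A7A98A13020C39B4A68AB7B773A214ACE5
+- &seras age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd
+- &alucard age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd
+creation_rules:
+- path_regex: secrets/services/dns-knot.yaml
+key_groups:
+- pgp:
+- *emily
+age:
+- *seras
+- path_regex: secrets/services/attic.yaml
+key_groups:
+- pgp:
+- *emily
+age:
+- *seras
+- path_regex: secrets/services/forgejo.yaml
+key_groups:
+- pgp:
+- *emily
+age:
+- *alucard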
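Review bot: The `&seras` and `&alucard` anchors on the two age lines carry the identical recipient key, so the new rule for `secrets/services/forgejo.yaml` that names only `*alucard` is in practice decryptable by whichever host holds that key, and the per-host scoping the anchor names suggest does not exist. If alucard has its own host key, the second line should become `- &alucard <alucard's own age recipient>` and the forgejo secret re-encrypted with `sops updatekeys`; if sharing one key between the two hosts is intentional, a one-line comment saying so would stop the next reader from treating the anchors as distinct machines. The encrypted secrets file added in this commit (the section beginning `services:`) lists the same single age recipient, consistent with the duplicate.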


@ -1 +1,2 @@
ssh://build@seras.kyouma.net x86_64-linux,aarch64-linux - 40 5 nixos-test,benchmark,big-parallel,kvm ssh://build@seras.kyouma.net x86_64-linux - 40 40 nixos-test,benchmark,big-parallel,kvm
ssh://build@integra.kyouma.net aarch64-linux - 4 8 nixos-test,benchmark,big-parallel,kvm


@ -3,6 +3,7 @@
../../common ../../common
../../profiles/builder.nix ../../profiles/builder.nix
../../profiles/headless.nix ../../profiles/headless.nix
../../services/forgejo.nix
./hardware-configuration.nix ./hardware-configuration.nix
./disko.nix ./disko.nix
]; ];


@ -1,16 +1,27 @@
{config, lib, pkgs, ... }: { {config, lib, pkgs, ... }: {
nix.buildMachines = [{ nix.buildMachines = [
{
hostName = "seras.kyouma.net"; hostName = "seras.kyouma.net";
sshUser = "build"; sshUser = "build";
maxJobs = 40; maxJobs = 40;
speedFactor = 5; speedFactor = 40;
systems = [ "aarch64-linux" "x86_64-linux" ]; systems = [ "x86_64-linux" ];
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
}]; }
{
hostName = "integra.kyouma.net";
sshUser = "build";
maxJobs = 4;
speedFactor = 8;
systems = [ "aarch64-linux" ];
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
}
];
nix.distributedBuilds = true; nix.distributedBuilds = true;
programs.ssh = { programs.ssh = {
knownHosts = { knownHosts = {
"seras.kyouma.net".publicKey = "sh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPNVavo3YHVsrYwXRVISu7kDoknn+5inFGySn4azlB8P"; "seras.kyouma.net".publicKey = "sh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPNVavo3YHVsrYwXRVISu7kDoknn+5inFGySn4azlB8P";
"integra.kyouma.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBwEQiSfaDrUAwgul4mktusBPcIVxI4pLNDh9DPopVU";
}; };
}; };
} }
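Review bot: The seras known-host entry directly above the new integra line still carries the key type `sh-ed25519`, which is not a valid OpenSSH key type, so that `knownHosts` line presumably contributes nothing and host verification for `seras.kyouma.net` depends on whatever else is in root's known_hosts. The new integra entry uses the correct prefix; the seras line should read `"seras.kyouma.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPNVavo3YHVsrYwXRVISu7kDoknn+5inFGySn4azlB8P";` so both builders are pinned the same way. Whether a distributed build to seras currently fails or proceeds against an unpinned key cannot be determined from this hunk alone.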


@ -0,0 +1,76 @@
{ config, inputs, pkgs, ... }: {
imports = [
inputs.sops-nix.nixosModules.sops
];
sops.secrets."services/forgejo/mailerPassword" = {
sopsFile = ../../secrets/services/forgejo.yaml;
owner = "forgejo";
};
services.forgejo = {
enable = true;
mailerPasswordFile = config.sops.secrets."services/forgejo/mailerPassword".path;
database = {
createDatabase = true;
type = "postgres";
socket = "/run/postgresql";
};
dump = {
enable = true;
type = "tar.xz";
};
settings = {
"cron.sync_external_users" = {
RUN_AT_START = true;
SCHEDULE = "@every 24h";
UPDATE_EXISTING = true;
};
federation.ENABLED = true;
log.LEVEL = "Info";
mailer = {
ENABLED = true;
PROTOCOL = "smtp+starttls";
FROM = "git@kyouma.net";
SMTP_ADDR = "mail.kyouma.net";
USER = "git@kyouma.net";
};
mirror.DEFAULT_INTERVAL = "1h";
session = {
COOKIE_SECURE = true;
PROVIDER = "db";
SESSION_LIFE_TIME = 2592000;
};
server = {
STATIC_URL_PREFIX = "/static";
PROTOCOL = "http+unix";
DOMAIN = "git.kyouma.net";
};
security = {
LOGIN_REMEMBER_DAYS = 90;
PASSWORD_HASH_ALGO = "argon2";
MIN_PASSWORD_LENGTH = 16;
PASSWORD_COMPLEXITY = "spec";
};
service = {
REGISTER_EMAIL_CONFIRM = true;
ENABLE_NOTIFY_MAIL = true;
ENABLE_CAPTCHA = true;
DEFAULT_KEEP_EMAIL_PRIVATE = true;
};
repository.ENABLE_PUSH_CREATE_USER = true;
ui = {
EXPLORE_PAGING_NUM = 50;
ISSUE_PAGING_NUM = 50;
MEMBERS_PAGING_NUM = 50;
DEFAULT_THEME = "forgejo-dark";
SHOW_USER_EMAIL = false;
};
};
};
kyouma.nginx.virtualHosts."git.kyouma.net" = {
locations."/static/".alias = "${pkgs.forgejo.data}/public/";
locations."/" = {
proxyPass = "http://unix:/run/forgejo/forgejo.socket";
};
};
security.acme.certs."git.kyouma.net" = {};
}
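Review bot: `dump.enable = true` produces periodic `tar.xz` archives that, if this module behaves like the gitea module it was forked from, include the runtime `app.ini` into which `mailerPasswordFile` and the generated SECRET_KEY/INTERNAL_TOKEN are substituted at start-up, so the dump directory holds those secrets in the clear. That is worth stating next to the option so whoever backs up the state directory treats it as sensitive, e.g. `# dumps include app.ini with substituted secrets; keep the dump dir out of unprivileged backups`; setting `dump.backupDir` explicitly would also make the location visible in this file. This assumption about what the dump contains should be confirmed against the module before relying on it.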


@ -45,7 +45,10 @@
nixConfig = { nixConfig = {
builders-use-substitutes = true; builders-use-substitutes = true;
builders = "ssh://build@seras.kyouma.net x86_64-linux,aarch64-linux - 40 5 nixos-test,benchmark,big-parallel,kvm"; builders = [
"ssh://build@seras.kyouma.net x86_64-linux - 40 40 nixos-test,benchmark,big-parallel,kvm"
"ssh://build@integra.kyouma.net aarch64-linux - 4 8 nixos-test,benchmark,big-parallel,kvm"
];
}; };
outputs = { self, nixpkgs, flake-utils, ... }@inputs: let outputs = { self, nixpkgs, flake-utils, ... }@inputs: let


@ -1,7 +1,7 @@
{ ... }: { { ... }: {
imports = [ imports = [
./machine-type
./deployment ./deployment
./vhost ./machine-type
./nginx
]; ];
} }

35
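--- /dev/null
+++ b/modules/nginx/default.nix
@@ -0,0 +1,35 @@
+{ config, lib, ... }: let
+extraConfig = ''
+add_header Strict-Transport-Security $hsts_header;
+#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-XSS-Protection "1; mode=block" always;
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header Referrer-Policy "same-origin" always;
+'';
+createHost = vhostName: vhostCfg: {
+extraConfig = (lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) vhostCfg.extraConfig) + "\n" + extraConfig;
+forceSSL = true;
+#kTLS = true;
+#http3 = true;
+#quic = true;
+} // lib.optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) {
+enableACME = true;
+} // lib.optionalAttrs (builtins.hasAttr "redirectTo" vhostCfg) {
+enableACME = false;
+useACMEHost = vhostCfg.redirectTo;
+globalRedirect = vhostCfg.redirectTo;
+} // (builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ]);
+in {
+options = {
+kyouma.nginx.virtualHosts = lib.mkOption {
+type = with lib.types; nullOr anything;
+default = null;
+};
+};
+config = {
+services.nginx.virtualHosts = lib.mkIf (config.kyouma.nginx.virtualHosts != null) (
+builtins.mapAttrs (createHost) config.kyouma.nginx.virtualHosts);
+};
+}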
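Review bot: `add_header X-XSS-Protection "1; mode=block" always;` in the shared `extraConfig` turns on a legacy browser filter that current guidance treats as a liability rather than a protection; the usual recommendation is `add_header X-XSS-Protection "0" always;` or dropping the header and relying on the Content-Security-Policy line that is currently commented out. A second caveat worth a comment in this file: nginx does not inherit `add_header` directives into a `location` that sets its own `add_header`, so any vhost passed through `createHost` with per-location headers silently loses HSTS and the other headers in that location. `$hsts_header` is presumably defined by a `map` elsewhere in the nginx configuration; nothing in this file shows it. Finally, `type = with lib.types; nullOr anything;` accepts any value, so a typo in a vhost attribute is only caught by nginx's own config check rather than at evaluation time.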


@ -1,47 +0,0 @@
{ config, lib, ... }:
with lib; let
cfg = config.kyouma.nginx.virtualHosts;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "same-origin" always;
'';
virtHostCfg = {
forceSSL = true;
#kTLS = true;
#http3 = true;
#quic = true;
};
createHostFunc = builtins.mapAttrs (vhostName: vhostCfg:
with lib; let
mkRedirect = if builtins.hasAttr "redirectTo" vhostCfg
then {
useACMEHost = vhostCfg.redirectTo;
globalRedirect = vhostCfg.redirectTo;
} else (
optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) {
enableACME = true;
});
extraCfg = if builtins.hasAttr "extraConfig" vhostCfg
then { extraConfig = ''${vhostCfg.extraConfig} ${extraConfig}''; }
else { inherit extraConfig; };
in
virtHostCfg // mkRedirect // extraCfg //
(builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ])
);
in {
options = {
kyouma.nginx.virtualHosts = mkOption {
type = with types; nullOr anything;
default = null;
};
};
config = {
services.nginx.virtualHosts = mkIf (cfg != null) (createHostFunc (cfg));
};
}


@ -0,0 +1,34 @@
services:
forgejo:
mailerPassword: ENC[AES256_GCM,data:x4JQppFSseA+QNxQYbOlG0nTV66CzGKGTzhzGpWVVcQ=,iv:wcIO5Ow3DStEvrxzpnO2xD9SHRYz3PGYrMIYwJ0H+bI=,tag:Pv90jkF5SuXdc+942mBTFA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkd3djMk56SytWVmo5RDNw
NHMvUEtRMGZyUzFiakVGZE1aWTFjZnJkbFM4Cjk0a2FqdXVhdnNzUUxBWmlJc0tX
VWRyalNLMVRzcWQ4MnM4UlhYSEkwUWMKLS0tIG9VUVdsQ3VBc1BnZTgvb3B4c3l3
azZWZ1ZzV01LTVJ5YW9DREd3NmRYMm8KDJ/tAgBGmATYSY39IR2SXKxOqTVkcijC
MI7kq5wqQBZP/yHdCrjQymnqH8Nvxf0s3iXpGBlPxURfowe+iH5F3A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-02T14:54:13Z"
mac: ENC[AES256_GCM,data:N5mdPONsyiUy5TGUI2rurxyd5Lczt7pMwdhI7eKqk5ZThZAf6dni/xhv+gO5LXDHTIdtopFegsk3t5FWtkCK+U6B+1ouU8E6mBDLTwVHa0+cZcf42eTipAATLxGjQRhgHxfUSfU4ndke96Nx6MN/F57n+fUAmMyrenhJunlCLnc=,iv:rMpOparLNS4yxFra6x1LT7kuYQQETD/UVFIZ2buVTLM=,tag:QLC+t6yCHlVgA6N0vlCHJg==,type:str]
pgp:
- created_at: "2024-05-02T14:52:36Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4D1GtNSlou/HkSAQdARZLi4xZr9dGTiHolSWZreUv6PzkAT2q+/orYXzeiO20w
fRrP5wiXgxA+15zzloqz6JPFhdwunGLum7zcQ2oqOvj/X+9TCd0KP+iu/PpIaUPJ
0l4BPEMOXUwlK0Ll1z0vwjlabQkuGvvKEWVquaWP+uqwX8VkBnv4rZimiI9J8P3p
sIuqm66WGEDHI5MuX4GuBKcd78wRm4d3c5KY6cuk8AzfO5+0wKPcKgB/KyGCzi/n
=SNC/
-----END PGP MESSAGE-----
fp: B04F01A7A98A13020C39B4A68AB7B773A214ACE5
unencrypted_suffix: _unencrypted
version: 3.8.1