diff --git a/hosts/raptus/configuration.nix b/hosts/raptus/configuration.nix
index 546f13f..5d3145f 100644
--- a/hosts/raptus/configuration.nix
+++ b/hosts/raptus/configuration.nix
@@ -12,8 +12,7 @@ in
 imports = [
 (modulesPath + "/profiles/qemu-guest.nix")
 ./disk-config.nix
- ./container-root.nix
- ./forgejo
+ ./forgejo.nix
 ./headscale.nix
 ];
@@ -89,13 +88,13 @@ in
 security.acme.acceptTerms = true;
 services.nginx = {
+ package = pkgs.nginxQuic;
 enable = true;
 recommendedProxySettings = true;
 recommendedTlsSettings = true;
 clientMaxBodySize = "50M";
 virtualHosts = builtins.listToAttrs [
 (mkVHost "rusty.ccnlc.eu" 8000 true)
- (mkVHost "git.ccnlc.eu" 3000 true)
 ];
 };
diff --git a/hosts/raptus/forgejo.nix b/hosts/raptus/forgejo.nix
new file mode 100644
index 0000000..7f09498
--- /dev/null
+++ b/hosts/raptus/forgejo.nix
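Review bot: `package = pkgs.nginxQuic;` only gives nginx the HTTP/3 module; the vhosts that turn it on (`quic = true` in headscale.nix and in the new forgejo.nix) also need UDP 443 reachable, and nothing in this commit opens it. The firewall rules for 80/443 live outside these hunks, so this may already be handled; if not, add `networking.firewall.allowedUDPPorts = [ 443 ];` next to the TCP ports, otherwise clients quietly stay on TCP and QUIC is never exercised. The second hunk also leaves `enable`, `recommendedProxySettings`, `recommendedTlsSettings` and `clientMaxBodySize` duplicated between this file and forgejo.nix; NixOS accepts equal values, but keeping them in one place avoids a conflicting-definition error the first time one side changes.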
@@ -0,0 +1,94 @@
+{ config, pkgs, ... }:
+let
+ domain = "git.ccnlc.eu";
+in
+{
+ systemd.tmpfiles.rules =
+ let
+ # Disallow crawlers from indexing this site.
+ robots = pkgs.writeText "forgejo-robots-txt" ''
+ User-agent: *
+ Disallow: /
+ '';
+ in
+ [
+ "L+ ${config.services.forgejo.customDir}/public/robots.txt - - - - ${robots.outPath}"
+ ];
+
+ networking.firewall.allowedTCPPorts = [ 2222 ];
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ clientMaxBodySize = "50M";
+ virtualHosts.${domain} = {
+ locations."/" = {
+ proxyPass = "http://unix:/run/forgejo/forgejo.sock";
+ extraConfig = ''
+ proxy_ssl_server_name on;
+ proxy_pass_header Authorization;
+ '';
+ };
+ forceSSL = true;
+ enableACME = true;
+ quic = true;
+ };
+ };
+
+ services.forgejo = {
+ enable = true;
+ package = pkgs.forgejo;
+ settings = {
+ server = {
+ SSH_PORT = 2222;
+ SSH_LISTEN_PORT = 2222;
+ START_SSH_SERVER = true;
+ DOMAIN = domain;
+ HTTP_PORT = 3000;
+ ROOT_URL = "https://${domain}";
+ PROTOCOL = "http+unix";
+ LANDING_PAGE = "/explore";
+ };
+ migrations.ALLOWED_DOMAINS = "*";
+ service = {
+ DISABLE_REGISTRATION = true;
+ };
+ packages.ENABLED = false;
+ log.LEVEL = "Debug";
+ session = {
+ COOKIE_SECURE = true;
+ SAME_SITE = "strict";
+ };
+ federation = {
+ ENABLED = true;
+ };
+ ui = {
+ DEFAULT_THEME = "forgejo-dark";
+ SHOW_USER_EMAIL = false;
+ };
+ security = {
+ INSTALL_LOCK = true;
+ MIN_PASSWORD_LENGTH = 30;
+ PASSWORD_COMPLEXITY = "lower, upper, digit, spec";
+ PASSWORD_CHECK_PWN = true;
+ };
+
+ repository = {
+ DISABLE_STARS = true;
+ PREFERRED_LICENSES = "MIT,GPL-3.0,GPL-2.0,LGPL-3.0,LGPL-2.1";
+ ENABLE_PUSH_CREATE_USER = true;
+
+ DEFAULT_PRIVATE = "public";
+ DEFAULT_PRIVATE_PUSH_CREATE = true;
+ DEFAULT_REPO_UNITS = "repo.code, repo.issues, repo.pulls, repo.actions";
+ };
+
+ actions = {
+ ENABLED = true;
+ DEFAULT_ACTIONS_URL = "https://code.forgejo.org";
+ };
+ };
+ };
+
+}
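Review bot: `migrations.ALLOWED_DOMAINS = "*";` lets any user who can create repositories make the server fetch from arbitrary external hosts, which is the main server-side request surface of the migration feature; the deleted `forgejo/app.ini` limited it to `github.com,*.github.com`, so list only the hosts actually needed, e.g. `migrations.ALLOWED_DOMAINS = "github.com,*.github.com";`, and leave `ALLOW_LOCALNETWORKS` at its default of false. The removed container definition already used `*`, so this is inherited rather than introduced, but the new file is the place to tighten it. `log.LEVEL = "Debug";` is also worth reconsidering for a host that is now production, since debug output is verbose and can echo request details into the journal. Finally, `proxy_ssl_server_name on;` does nothing for a plain `http://unix:` upstream and can be dropped from `extraConfig`.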
diff --git a/hosts/raptus/forgejo/app.ini b/hosts/raptus/forgejo/app.ini
deleted file mode 100644
index ecdef13..0000000
--- a/hosts/raptus/forgejo/app.ini
+++ /dev/null
@@ -1,5 +0,0 @@
-[migrations]
-ALLOWED_DOMAINS=github.com,*.github.com
-
-[server]
-SSH_PORT=222
diff --git a/hosts/raptus/forgejo/default.nix b/hosts/raptus/forgejo/default.nix
deleted file mode 100644
index 8320880..0000000
--- a/hosts/raptus/forgejo/default.nix
+++ /dev/null
@@ -1,65 +0,0 @@
-{ lib, pkgs, ... }:
-{
- # Containers
- virtualisation.oci-containers.containers."forgejo" = {
- image = "codeberg.org/forgejo/forgejo:8";
- environment = {
- "USER_GID" = "1000";
- "USER_UID" = "1000";
- "FORGEJO__migrations__ALLOWED_DOMAINS" = "*";
- "FORGEJO__server__SSH_PORT" = "222";
- "FORGEJO__service__DISABLE_REGISTRATION" = "true";
- "FORGEJO__federation__ENABLED" = "true";
- };
- volumes = [
- "test_forgejo:/data:rw"
- ];
- ports = [
- "3000:3000/tcp"
- "222:22/tcp"
- ];
- log-driver = "journald";
- extraOptions = [
- "--network-alias=server"
- "--network=test_forgejo"
- ];
- };
- systemd.services."podman-forgejo" = {
- serviceConfig = {
- Restart = lib.mkOverride 500 "always";
- };
- after = [ "podman-network-test_forgejo.service" ];
- requires = [ "podman-network-test_forgejo.service" ];
- partOf = [ "podman-compose-test-root.target" ];
- wantedBy = [ "podman-compose-test-root.target" ];
- };
-
- # Networks
- systemd.services."podman-network-test_forgejo" = {
- path = [ pkgs.podman ];
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
- ExecStop = "podman network rm -f test_forgejo";
- };
- script = ''
- podman network inspect test_forgejo || podman network create test_forgejo
- '';
- partOf = [ "podman-compose-test-root.target" ];
- wantedBy = [ "podman-compose-test-root.target" ];
- };
-
- # Volumes
- systemd.services."podman-volume-test_forgejo" = {
- path = [ pkgs.podman ];
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
- };
- script = ''
- podman volume inspect test_forgejo || podman volume create test_forgejo
- '';
- partOf = [ "podman-compose-test-root.target" ];
- wantedBy = [ "podman-compose-test-root.target" ];
- };
-}
diff --git a/hosts/raptus/headscale.nix b/hosts/raptus/headscale.nix
index cb3e7fb..95ec8c4 100644
--- a/hosts/raptus/headscale.nix
+++ b/hosts/raptus/headscale.nix
@@ -16,6 +16,7 @@ let
 action = "accept";
 inherit src dst users;
 };
+ domain = "hs.ccnlc.eu";
 in
 mkIf config.services.headscale.enable {
 environment.systemPackages = [ config.services.headscale.package ];
@@ -30,7 +31,7 @@ mkIf config.services.headscale.enable {
 port = 8521;
 settings = {
- server_url = "https://hs.ccnlc.eu";
+ server_url = "https://${domain}";
 tls_cert_path = null;
 tls_key_path = null;
 ip_prefixes = [
@@ -106,10 +107,10 @@ mkIf config.services.headscale.enable {
 };
 };
- nginx.virtualHosts."hs.ccnlc.eu" = {
+ nginx.virtualHosts.${domain} = {
 forceSSL = true;
 enableACME = true;
- #quic = true;
+ quic = true;
 http3 = true;
 locations = {
diff --git a/parts/lib/functions.nix b/parts/lib/functions.nix
index 13cd79b..d502726 100644
--- a/parts/lib/functions.nix
+++ b/parts/lib/functions.nix
@@ -68,7 +68,8 @@ in
 proxyPass = "http://127.0.0.1:${toString port}";
 extraConfig = ''
 proxy_ssl_server_name on;
- proxy_pass_header Authorization;'';
+ proxy_pass_header Authorization;
+ '';
 };
 };
 };