chore(forgejo): containerless

hosts/raptus/configuration.nix

@@ -12,8 +12,7 @@ in
   imports = [
     (modulesPath + "/profiles/qemu-guest.nix")
     ./disk-config.nix
-    ./container-root.nix
+    ./forgejo.nix
-    ./forgejo
     ./headscale.nix
   ];
 
@@ -89,13 +88,13 @@ in
   security.acme.acceptTerms = true;
 
   services.nginx = {
+    package = pkgs.nginxQuic;
     enable = true;
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
     clientMaxBodySize = "50M";
     virtualHosts = builtins.listToAttrs [
       (mkVHost "rusty.ccnlc.eu" 8000 true)
-      (mkVHost "git.ccnlc.eu" 3000 true)
     ];
   };
 

hosts/raptus/forgejo.nix

@@ -0,0 +1,94 @@
+{ config, pkgs, ... }:
+let
+  domain = "git.ccnlc.eu";
+in
+{
+  systemd.tmpfiles.rules =
+    let
+      # Disallow crawlers from indexing this site.
+      robots = pkgs.writeText "forgejo-robots-txt" ''
+        User-agent: *
+        Disallow: /
+      '';
+    in
+    [
+      "L+ ${config.services.forgejo.customDir}/public/robots.txt - - - - ${robots.outPath}"
+    ];
+
+  networking.firewall.allowedTCPPorts = [ 2222 ];
+
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    clientMaxBodySize = "50M";
+    virtualHosts.${domain} = {
+      locations."/" = {
+        proxyPass = "http://unix:/run/forgejo/forgejo.sock";
+        extraConfig = ''
+          proxy_ssl_server_name on;
+          proxy_pass_header Authorization;
+        '';
+      };
+      forceSSL = true;
+      enableACME = true;
+      quic = true;
+    };
+  };
+
+  services.forgejo = {
+    enable = true;
+    package = pkgs.forgejo;
+    settings = {
+      server = {
+        SSH_PORT = 2222;
+        SSH_LISTEN_PORT = 2222;
+        START_SSH_SERVER = true;
+        DOMAIN = domain;
+        HTTP_PORT = 3000;
+        ROOT_URL = "https://${domain}";
+        PROTOCOL = "http+unix";
+        LANDING_PAGE = "/explore";
+      };
+      migrations.ALLOWED_DOMAINS = "*";
+      service = {
+        DISABLE_REGISTRATION = true;
+      };
+      packages.ENABLED = false;
+      log.LEVEL = "Debug";
+      session = {
+        COOKIE_SECURE = true;
+        SAME_SITE = "strict";
+      };
+      federation = {
+        ENABLED = true;
+      };
+      ui = {
+        DEFAULT_THEME = "forgejo-dark";
+        SHOW_USER_EMAIL = false;
+      };
+      security = {
+        INSTALL_LOCK = true;
+        MIN_PASSWORD_LENGTH = 30;
+        PASSWORD_COMPLEXITY = "lower, upper, digit, spec";
+        PASSWORD_CHECK_PWN = true;
+      };
+
+      repository = {
+        DISABLE_STARS = true;
+        PREFERRED_LICENSES = "MIT,GPL-3.0,GPL-2.0,LGPL-3.0,LGPL-2.1";
+        ENABLE_PUSH_CREATE_USER = true;
+
+        DEFAULT_PRIVATE = "public";
+        DEFAULT_PRIVATE_PUSH_CREATE = true;
+        DEFAULT_REPO_UNITS = "repo.code, repo.issues, repo.pulls, repo.actions";
+      };
+
+      actions = {
+        ENABLED = true;
+        DEFAULT_ACTIONS_URL = "https://code.forgejo.org";
+      };
+    };
+  };
+
+}

hosts/raptus/forgejo/app.ini

@@ -1,5 +0,0 @@
-[migrations]
-ALLOWED_DOMAINS=github.com,*.github.com
-
-[server]
-SSH_PORT=222

hosts/raptus/forgejo/default.nix

@@ -1,65 +0,0 @@
-{ lib, pkgs, ... }:
-{
-  # Containers
-  virtualisation.oci-containers.containers."forgejo" = {
-    image = "codeberg.org/forgejo/forgejo:8";
-    environment = {
-      "USER_GID" = "1000";
-      "USER_UID" = "1000";
-      "FORGEJO__migrations__ALLOWED_DOMAINS" = "*";
-      "FORGEJO__server__SSH_PORT" = "222";
-      "FORGEJO__service__DISABLE_REGISTRATION" = "true";
-      "FORGEJO__federation__ENABLED" = "true";
-    };
-    volumes = [
-      "test_forgejo:/data:rw"
-    ];
-    ports = [
-      "3000:3000/tcp"
-      "222:22/tcp"
-    ];
-    log-driver = "journald";
-    extraOptions = [
-      "--network-alias=server"
-      "--network=test_forgejo"
-    ];
-  };
-  systemd.services."podman-forgejo" = {
-    serviceConfig = {
-      Restart = lib.mkOverride 500 "always";
-    };
-    after = [ "podman-network-test_forgejo.service" ];
-    requires = [ "podman-network-test_forgejo.service" ];
-    partOf = [ "podman-compose-test-root.target" ];
-    wantedBy = [ "podman-compose-test-root.target" ];
-  };
-
-  # Networks
-  systemd.services."podman-network-test_forgejo" = {
-    path = [ pkgs.podman ];
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-      ExecStop = "podman network rm -f test_forgejo";
-    };
-    script = ''
-      podman network inspect test_forgejo || podman network create test_forgejo
-    '';
-    partOf = [ "podman-compose-test-root.target" ];
-    wantedBy = [ "podman-compose-test-root.target" ];
-  };
-
-  # Volumes
-  systemd.services."podman-volume-test_forgejo" = {
-    path = [ pkgs.podman ];
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-    };
-    script = ''
-      podman volume inspect test_forgejo || podman volume create test_forgejo
-    '';
-    partOf = [ "podman-compose-test-root.target" ];
-    wantedBy = [ "podman-compose-test-root.target" ];
-  };
-}

hosts/raptus/headscale.nix

@@ -16,6 +16,7 @@ let
     action = "accept";
     inherit src dst users;
   };
+  domain = "hs.ccnlc.eu";
 in
 mkIf config.services.headscale.enable {
   environment.systemPackages = [ config.services.headscale.package ];
@@ -30,7 +31,7 @@ mkIf config.services.headscale.enable {
       port = 8521;
 
       settings = {
-        server_url = "https://hs.ccnlc.eu";
+        server_url = "https://${domain}";
         tls_cert_path = null;
         tls_key_path = null;
         ip_prefixes = [
@@ -106,10 +107,10 @@ mkIf config.services.headscale.enable {
       };
     };
 
-    nginx.virtualHosts."hs.ccnlc.eu" = {
+    nginx.virtualHosts.${domain} = {
       forceSSL = true;
       enableACME = true;
-      #quic = true;
+      quic = true;
       http3 = true;
 
       locations = {

parts/lib/functions.nix

@@ -68,7 +68,8 @@ in
         proxyPass = "http://127.0.0.1:${toString port}";
         extraConfig = ''
           proxy_ssl_server_name on;
-          proxy_pass_header Authorization;'';
+          proxy_pass_header Authorization;
+        '';
       };
     };
   };