nydragon/nix-da
1
Fork 0
Code Issues Pull requests Activity Actions 1

chore(forgejo): containerless

Browse source
This commit is contained in:
Nydragon 2024-10-14 02:59:11 +02:00
parent 520157cb2b
commit 05dfa7188f
Signed by: nydragon
SSH key fingerprint: SHA256:iQnIC12spf4QjWSbarmkD2No1cLMlu6TWoV7K6cYF5g
6 changed files with 102 additions and 77 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
hosts/raptus/configuration.nix
View file

@ -12,8 +12,7 @@ in
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
./disk-config.nix
./container-root.nix
./forgejo
./forgejo.nix
./headscale.nix
];
@ -89,13 +88,13 @@ in
security.acme.acceptTerms = true;
services.nginx = {
package = pkgs.nginxQuic;
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
clientMaxBodySize = "50M";
virtualHosts = builtins.listToAttrs [
(mkVHost "rusty.ccnlc.eu" 8000 true)
(mkVHost "git.ccnlc.eu" 3000 true)
];
};

94
hosts/raptus/forgejo.nix Normal file
View file

@ -0,0 +1,94 @@
{ config, pkgs, ... }:
let
domain = "git.ccnlc.eu";
in
{
systemd.tmpfiles.rules =
let
# Disallow crawlers from indexing this site.
robots = pkgs.writeText "forgejo-robots-txt" ''
User-agent: *
Disallow: /
'';
in
[
"L+ ${config.services.forgejo.customDir}/public/robots.txt - - - - ${robots.outPath}"
];
networking.firewall.allowedTCPPorts = [ 2222 ];
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
clientMaxBodySize = "50M";
virtualHosts.${domain} = {
locations."/" = {
proxyPass = "http://unix:/run/forgejo/forgejo.sock";
extraConfig = ''
proxy_ssl_server_name on;
proxy_pass_header Authorization;
'';
};
forceSSL = true;
enableACME = true;
quic = true;
};
};
services.forgejo = {
enable = true;
package = pkgs.forgejo;
settings = {
server = {
SSH_PORT = 2222;
SSH_LISTEN_PORT = 2222;
START_SSH_SERVER = true;
DOMAIN = domain;
HTTP_PORT = 3000;
ROOT_URL = "https://${domain}";
PROTOCOL = "http+unix";
LANDING_PAGE = "/explore";
};
migrations.ALLOWED_DOMAINS = "*";
service = {
DISABLE_REGISTRATION = true;
};
packages.ENABLED = false;
log.LEVEL = "Debug";
session = {
COOKIE_SECURE = true;
SAME_SITE = "strict";
};
federation = {
ENABLED = true;
};
ui = {
DEFAULT_THEME = "forgejo-dark";
SHOW_USER_EMAIL = false;
};
security = {
INSTALL_LOCK = true;
MIN_PASSWORD_LENGTH = 30;
PASSWORD_COMPLEXITY = "lower, upper, digit, spec";
PASSWORD_CHECK_PWN = true;
};
repository = {
DISABLE_STARS = true;
PREFERRED_LICENSES = "MIT,GPL-3.0,GPL-2.0,LGPL-3.0,LGPL-2.1";
ENABLE_PUSH_CREATE_USER = true;
DEFAULT_PRIVATE = "public";
DEFAULT_PRIVATE_PUSH_CREATE = true;
DEFAULT_REPO_UNITS = "repo.code, repo.issues, repo.pulls, repo.actions";
};
actions = {
ENABLED = true;
DEFAULT_ACTIONS_URL = "https://code.forgejo.org";
};
};
};
}

5
hosts/raptus/forgejo/app.ini
View file

@ -1,5 +0,0 @@
[migrations]
ALLOWED_DOMAINS=github.com,*.github.com
[server]
SSH_PORT=222

65
hosts/raptus/forgejo/default.nix
View file

@ -1,65 +0,0 @@
{ lib, pkgs, ... }:
{
# Containers
virtualisation.oci-containers.containers."forgejo" = {
image = "codeberg.org/forgejo/forgejo:8";
environment = {
"USER_GID" = "1000";
"USER_UID" = "1000";
"FORGEJO__migrations__ALLOWED_DOMAINS" = "*";
"FORGEJO__server__SSH_PORT" = "222";
"FORGEJO__service__DISABLE_REGISTRATION" = "true";
"FORGEJO__federation__ENABLED" = "true";
};
volumes = [
"test_forgejo:/data:rw"
];
ports = [
"3000:3000/tcp"
"222:22/tcp"
];
log-driver = "journald";
extraOptions = [
"--network-alias=server"
"--network=test_forgejo"
];
};
systemd.services."podman-forgejo" = {
serviceConfig = {
Restart = lib.mkOverride 500 "always";
};
after = [ "podman-network-test_forgejo.service" ];
requires = [ "podman-network-test_forgejo.service" ];
partOf = [ "podman-compose-test-root.target" ];
wantedBy = [ "podman-compose-test-root.target" ];
};
# Networks
systemd.services."podman-network-test_forgejo" = {
path = [ pkgs.podman ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStop = "podman network rm -f test_forgejo";
};
script = ''
podman network inspect test_forgejo || podman network create test_forgejo
'';
partOf = [ "podman-compose-test-root.target" ];
wantedBy = [ "podman-compose-test-root.target" ];
};
# Volumes
systemd.services."podman-volume-test_forgejo" = {
path = [ pkgs.podman ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
podman volume inspect test_forgejo || podman volume create test_forgejo
'';
partOf = [ "podman-compose-test-root.target" ];
wantedBy = [ "podman-compose-test-root.target" ];
};
}

7
hosts/raptus/headscale.nix
View file

@ -16,6 +16,7 @@ let
action = "accept";
inherit src dst users;
};
domain = "hs.ccnlc.eu";
in
mkIf config.services.headscale.enable {
environment.systemPackages = [ config.services.headscale.package ];
@ -30,7 +31,7 @@ mkIf config.services.headscale.enable {
port = 8521;
settings = {
server_url = "https://hs.ccnlc.eu";
server_url = "https://${domain}";
tls_cert_path = null;
tls_key_path = null;
ip_prefixes = [
@ -106,10 +107,10 @@ mkIf config.services.headscale.enable {
};
};
nginx.virtualHosts."hs.ccnlc.eu" = {
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
#quic = true;
quic = true;
http3 = true;
locations = {

3
parts/lib/functions.nix
View file

@ -68,7 +68,8 @@ in
proxyPass = "http://127.0.0.1:${toString port}";
extraConfig = ''
proxy_ssl_server_name on;
proxy_pass_header Authorization;'';
proxy_pass_header Authorization;
'';
};
};
};