federez/nix
7
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

rekey, fix some forgejo issue

Browse source
This commit is contained in:
asyncnomi 2025-06-22 21:28:12 +02:00
parent 972693e5eb
commit 18c721bd99
31 changed files with 903 additions and 903 deletions
Download patch file Download diff file Expand all files Collapse all files

16
profiles/forgejo.nix
View file

@ -30,7 +30,7 @@ in
name = "forgejo";
type = "postgres";
socket = "/var/run/postgresql";
passwordFile = secrets.db-pass.path;
passwordFile = secrets.forgejo-db-pass.path;
};
# Enable support for Git Large File Storage
lfs.enable = true;
@ -48,10 +48,9 @@ in
};
service = {
# Disable internal registration only
DISABLE_REGISTRATION = false;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
# Force login throug OIDC
ENABLE_INTERNAL_SIGNIN = false;
DISABLE_REGISTRATION = true;
ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
ENABLE_INTERNAL_SIGNIN = true;
ENABLE_BASIC_AUTHENTICATION = true;
ENABLE_NOTIFY_MAIL = true;
@ -73,14 +72,14 @@ in
};
secrets = {
mailer = {
PASSWD = secrets.mbox-git.path;
PASSWD = secrets.forgejo-mailbox-pass.path;
};
};
};
systemd.services.forgejo.preStart = let
adminCmd = "${lib.getExe cfg.package} admin user";
pwd = secrets.wizard-user-pass.path;
pwd = secrets.forgejo-wizard-user-pass.path;
# Note, Forgejo doesn't allow creation of an account named "admin"
# Note: that username MUST be unpickable by a user signin-up to re2o endpoint
# WARN: Never change the username without deleting manually the account (it will otherwise continue to exists)
@ -138,6 +137,9 @@ in
# HTTP/HTTPS
tcp dport {443,80} accept
# Allow loopback
iif lo accept
# Log anything else
ip protocol tcp counter log prefix "tcp.in.dropped: "
ip protocol udp counter log prefix "udp.in.dropped: "