federez/nix
7
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

more generic approach, but stills limited to vogon, for the forgejo profile

Browse source
This commit is contained in:
Sic mundus creatus est 2025-07-01 22:26:25 +02:00
parent ea4d89eedc
commit 873479d893
2 changed files with 46 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

29
profiles/forgejo.nix
View file

@ -7,8 +7,21 @@ let
domain = "federez.net";
fqdn = "git.${domain}";
sys-ip = "193.54.193.164";
git-ip = "193.54.193.165";
hasValidLastOctet =
config ? vogon.networking.last-octet &&
builtins.length config.vogon.networking.last-octet >= 2;
lastOctetValues =
if hasValidLastOctet
then config.vogon.networking.last-octet
else abort ''Forgejo can only be deploy on vogon for now,
and it requires two public ip address, the first one
for ssh access from wan, and the second for the
forgejo dedicated ssh server'';
sys-ip = "193.54.193.${toString (builtins.elemAt lastOctetValues 0)}";
git-ip = "193.54.193.${toString (builtins.elemAt lastOctetValues 1)}";
in
{
age.secrets = lib.mapAttrs
@ -24,13 +37,7 @@ in
postgresqlDatabases = [ cfg.database.name ];
};
services.openssh = {
listenAddresses = [{
addr = "${sys-ip}";
port = 22;
}];
startWhenNeeded = false;
};
services.openssh.startWhenNeeded = false;
services.forgejo = {
enable = true;
@ -98,7 +105,7 @@ in
user = "wizard";
in ''
# || true -> avoid systemd to crash on that command if user already exist by forcing a 0 return value
${adminCmd} create --admin --email "root@localhost" --username ${user} --password "$(tr -d '\n' < ${pwd})" || true
${adminCmd} create --admin --email "admin@federez.net" --username ${user} --password "$(tr -d '\n' < ${pwd})" || true
${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd})" || true
'';
@ -115,7 +122,7 @@ in
"git.federez.net" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:3000";
locations."/".proxyPass = "http://localhost:${toString cfg.settings.server.HTTP_PORT}";
extraConfig = ''
client_max_body_size 1G;
'';

40
profiles/vogon/guest.nix
View file

@ -1,4 +1,4 @@
{ config, lib, ... }:
{ config, lib, network, ... }:
let
inherit (lib) mkOption types;
@ -17,25 +17,41 @@ in
};
wan-mac = mkOption {
type = types.str;
description = '''
description = ''
Adresse MAC de l'interface réseau WAN
qui portera l'IPv4 interne.
'';
example = "BC:24:11:B7:AE:80";
};
ssh-octets = mkOption {
type = types.listOf (types.ints.between 161 174);
default = [ (builtins.head cfg.networking.last-octet) ];
defaultText = "[ (first element of last-octet) ]";
description = ''
Liste des octets à utiliser pour la configuration SSH.
Par défaut, utilise le premier élément de last-octet.
'';
example = [ 163 165 ];
};
};
};
config.systemd.network = {
links."10-wan" = {
matchConfig.MACAddress = cfg.networking.wan-mac;
linkConfig.Name = "wan";
};
networks."10-wan" = {
matchConfig.Name = "wan";
address = map (octet: "193.54.193.${toString octet}/28") cfg.networking.last-octet;
routes = [ { Gateway = "193.54.193.174"; } ];
linkConfig.RequiredForOnline = "routable";
config = {
systemd.network = {
links."10-wan" = {
matchConfig.MACAddress = cfg.networking.wan-mac;
linkConfig.Name = "wan";
};
networks."10-wan" = {
matchConfig.Name = "wan";
address = map (octet: "193.54.193.${toString octet}/28") cfg.networking.last-octet;
routes = [ { Gateway = "193.54.193.174"; } ];
linkConfig.RequiredForOnline = "routable";
};
};
services.openssh.listenAddresses = [
{ addr = network.infra.nodes.${config.networking.hostName}.ipv4; port = 22; }
{ addr = network.infra.nodes.${config.networking.hostName}.ipv6; port = 22; }
] ++ map (octet: { addr = "193.54.193.${toString octet}"; port = 22; }) cfg.networking.ssh-octets;
};
}