From 972693e5eb5e70c0987c646ac4d32059742e0c0a Mon Sep 17 00:00:00 2001 From: asyncnomi Date: Sun, 22 Jun 2025 20:04:01 +0200 Subject: [PATCH] add forgejo conf --- hive.nix | 2 +- profiles/forgejo.nix | 166 +++++++++++++++++++++++++++++++++++++++++++ profiles/gitlab.nix | 20 ++++-- 3 files changed, 180 insertions(+), 8 deletions(-) create mode 100644 profiles/forgejo.nix diff --git a/hive.nix b/hive.nix index f71e59d..5092858 100644 --- a/hive.nix +++ b/hive.nix @@ -235,7 +235,7 @@ in imports = [ ./profiles/vm/incus.nix ./profiles/vogon/guest.nix - #./profiles/forgejo.nix + ./profiles/forgejo.nix ]; }; } diff --git a/profiles/forgejo.nix b/profiles/forgejo.nix new file mode 100644 index 0000000..998e9f4 --- /dev/null +++ b/profiles/forgejo.nix 
@@ -0,0 +1,166 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.services.forgejo;
+ secrets = config.age.secrets;
+
+ domain = "federez.net";
+ fqdn = "git.${domain}";
+in
+{
+ age.secrets = lib.mapAttrs
+ (_: f: { file = f; owner = cfg.user; group = cfg.group; })
+ {
+ forgejo-db-pass = ../secrets/forgejo-db-pass.age;
+ forgejo-wizard-user-pass = ../secrets/forgejo-wizard-user-pass.age;
+ forgejo-mailbox-pass = ../secrets/forgejo-mailbox-pass.age;
+ };
+
+ backups = {
+ directories = [ cfg.stateDir ];
+ postgresqlDatabases = [ cfg.database.name ];
+ };
+
+ services.forgejo = {
+ enable = true;
+ user = "forgejo";
+ package = pkgs.forgejo;
+ stateDir = "/var/lib/forgejo";
+ database = {
+ name = "forgejo";
+ type = "postgres";
+ socket = "/var/run/postgresql";
+ passwordFile = secrets.db-pass.path;
+ };
+ # Enable support for Git Large File Storage
+ lfs.enable = true;
+ settings = {
+ server = {
+ DOMAIN = "${fqdn}";
+ ROOT_URL = "https://${fqdn}/";
+ HTTP_PORT = 3000;
+ SSH_PORT = 222;
+ SSH_LISTEN_PORT = 2222;
+ START_SSH_SERVER = true;
+ # Forgejo is installed under the forgejo user
+ # The builtin ssh server user must match this
+ BUILTIN_SSH_SERVER_USER = "${cfg.user}";
+ };
+ service = {
+ # Disable internal registration only
+ DISABLE_REGISTRATION = false;
+ ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+ # Force login throug OIDC
+ ENABLE_INTERNAL_SIGNIN = false;
+ ENABLE_BASIC_AUTHENTICATION = true;
+ ENABLE_NOTIFY_MAIL = true;
+
+ # Privacy
+ DEFAULT_KEEP_EMAIL_PRIVATE = true;
+ DEFAULT_USER_VISIBILITY = "private";
+ };
+ repository = {
+ # Enable git clone over HTTP
+ DISABLE_HTTP_GIT = false;
+ };
+ mailer = {
+ ENABLED = true;
+ SMTP_ADDR = "${domain}";
+ SMTP_PORT = 465;
+ FROM = "forge@${domain}";
+ USER = "forge@${domain}";
+ };
+ };
+ secrets = {
+ mailer = {
+ PASSWD = secrets.mbox-git.path;
+ };
+ };
+ };
+
+ systemd.services.forgejo.preStart = let
+ adminCmd = "${lib.getExe cfg.package} admin user";
+ pwd = secrets.wizard-user-pass.path;
+ # 
Note, Forgejo doesn't allow creation of an account named "admin"
+ # Note: that username MUST be unpickable by a user signin-up to re2o endpoint
+ # WARN: Never change the username without deleting manually the account (it will otherwise continue to exists)
+ user = "wizard";
+ in ''
+ # || true -> avoid systemd to crash on that command if user already exist by forcing a 0 return value
+ ${adminCmd} create --admin --email "root@localhost" --username ${user} --password "$(tr -d '\n' < ${pwd})" || true
+ ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd})" || true
+ '';
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ virtualHosts = {
+ "git.federez.net" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://localhost:3000";
+ };
+ };
+ };
+
+ # Setup port redirection and input filtering
+ networking = {
+ nat.enable = false;
+ firewall.enable = false;
+ nftables = {
+ enable = true;
+ checkRuleset = false;
+ # NixOs add is own shit, YANK IT :)
+ flushRuleset = true;
+ tables = {
+ filter = {
+ content = ''
+ chain input {
+ type filter hook input priority 0
+ policy drop
+
+ # Authorized already setup connection
+ ct state related,established accept
+
+ # Reject sus stuff
+ ct state invalid counter drop
+ tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
+
+ # ICMP
+ icmp type { echo-request } limit rate 4/second accept
+ icmpv6 type { echo-request } limit rate 4/second accept
+ ip protocol icmp accept
+ icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
+
+ # SSH
+ tcp dport 22 accept
+
+ # HTTP/HTTPS
+ tcp dport {443,80} accept
+
+ # Log anything else
+ ip protocol tcp counter log prefix "tcp.in.dropped: "
+ ip protocol udp counter log prefix "udp.in.dropped: "
+
+ }
+
+ '';
+ family = "inet";
+ };
+ nat = {
+ content = ''
+ chain prerouting {
+ type nat hook prerouting priority -100
+ policy accept
+
+ # Port redirection
+ tcp dport 222 
redirect to :2222 + } + ''; + family = "inet"; + }; + }; + }; + }; + +} \ No newline at end of file diff --git a/profiles/gitlab.nix b/profiles/gitlab.nix index 0299983..7a0374b 100644 --- a/profiles/gitlab.nix +++ b/profiles/gitlab.nix @@ -25,9 +25,15 @@ in postgresqlDatabases = [ cfg.databaseName ]; }; + # If you ever want to update gitlab, even despite Forgejo being in deployment: + # 1. Make a proper gitlab backup + # 2. Uncomment all commented line below + # 3. Run colmena + # 4. Restore the backup previously saved services.gitlab = { enable = true; host = "gitlab2.federez.net"; + port = 443; https = true; databasePasswordFile = secrets.gitlab-db-password.path; initialRootPasswordFile = secrets.gitlab-initial-root-password.path; @@ -36,9 +42,9 @@ in otpFile = secrets.gitlab-otp-secret.path; dbFile = secrets.gitlab-db-secret.path; jwsFile = secrets.gitlab-jws-secret.path; - activeRecordPrimaryKeyFile = secrets.gitlab-arpk-secret.path; - activeRecordDeterministicKeyFile = secrets.gitlab-ardk-secret.path; - activeRecordSaltFile = secrets.gitlab-ars-secret.path; + # activeRecordPrimaryKeyFile = secrets.gitlab-arpk-secret.path; + # activeRecordDeterministicKeyFile = secrets.gitlab-ardk-secret.path; + # activeRecordSaltFile = secrets.gitlab-ars-secret.path; }; extraConfig.ldap = { enabled = true; @@ -61,10 +67,10 @@ in }; }; - services.postgresql = { - enable = true; - package = pkgs.postgresql_16; - }; + # services.postgresql = { + # enable = true; + # package = pkgs.postgresql_16; + # }; services.nginx = { enable = true;
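Review bot: The built-in SSH server is unreachable as configured: the prerouting chain rewrites `tcp dport 222` to `:2222`, so the packet reaches the input hook with dport 2222, which neither `tcp dport 22 accept` nor `tcp dport {443,80} accept` matches before `policy drop`; the `# SSH` rule should read `tcp dport { 22, 2222 } accept` (2222, not 222, because the redirect has already happened by the time the input hook runs). In the same chain, `ip protocol icmp accept` sits directly after the rate-limited echo-request rule and accepts every echo-request the 4/second limit rejected, so the limit does nothing, while the ICMPv6 list carries no error types — as written packet-too-big is dropped, which breaks IPv6 path-MTU discovery for the HTTPS vhost; the rewritten ICMP block, together with a rate limit on the two catch-all log rules so a port scan cannot flood the journal, is below. The secret references `secrets.db-pass`, `secrets.wizard-user-pass` and `secrets.mbox-git` do not match the `forgejo-db-pass`, `forgejo-wizard-user-pass` and `forgejo-mailbox-pass` attributes this file declares in `age.secrets`, so evaluation fails unless another profile declares those names; the declared names should be used, e.g. `passwordFile = secrets.forgejo-db-pass.path;`. In `preStart`, both commands hand the wizard password over as an argv element, which any local user can read in `/proc/<pid>/cmdline` while the command runs, and `|| true` on `change-password` hides a genuine failure (a wrong DB password, say) rather than only the expected already-exists case of `create`; the `# Force login throug OIDC` comment should also say that, as far as I can tell from Forgejo's settings, `ENABLE_INTERNAL_SIGNIN = false` disables the web sign-in form only while `ENABLE_BASIC_AUTHENTICATION = true` keeps this admin password usable against the API and git-over-HTTP, so the wizard credential is a live network-facing secret.
```nix
                # … unchanged: conntrack and TCP-flag rules …

                # ICMP: rate-limit echo requests only; accept the error messages a host
                # needs (packet-too-big is what IPv6 path-MTU discovery relies on)
                icmp type echo-request limit rate 4/second accept
                icmpv6 type echo-request limit rate 4/second accept
                icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
                icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
                icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

                # SSH: host sshd, and Forgejo's builtin server (222 is redirected to 2222 in prerouting)
                tcp dport { 22, 2222 } accept

                # … unchanged: HTTP/HTTPS accept …

                # Log anything else, rate-limited so a scan cannot flood the journal
                ip protocol tcp limit rate 5/minute counter log prefix "tcp.in.dropped: "
                ip protocol udp limit rate 5/minute counter log prefix "udp.in.dropped: "
```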
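Review bot: Commenting out `activeRecordPrimaryKeyFile`, `activeRecordDeterministicKeyFile` and `activeRecordSaltFile` under `services.gitlab.secrets` removes the keys GitLab uses for its encrypted database columns while the service stays `enable = true`; whether the NixOS module then refuses to evaluate or generates fresh keys I cannot tell from the hunk, but in the latter case every value encrypted under the old keys (CI/CD variables, integration tokens) becomes unreadable, and the procedure comment added in the earlier hunk says only to uncomment them before an update, not why they are disabled now. A one-line comment on the first of the three, `# disabled while Forgejo is primary; the key files must stay in secrets/ and be restored together with the backup`, would make the intent recoverable, and if the `.age` files themselves are being removed, the GitLab backup from step 1 is incomplete without them.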