add forgejo conf

2025-06-22 20:04:01 +02:00 · 2025-06-22 20:04:01 +02:00 · 972693e5eb
commit 972693e5eb
parent 89e4672f15
3 changed files with 180 additions and 8 deletions
--- a/profiles/forgejo.nix
+++ b/profiles/forgejo.nix
@ -0,0 +1,166 @@
+{ config, lib, pkgs, ... }:
+
+let
+    cfg = config.services.forgejo;
+    secrets = config.age.secrets;
+
+    domain = "federez.net";
+    fqdn = "git.${domain}";
+in
+{
+    age.secrets = lib.mapAttrs
+        (_: f: { file = f; owner = cfg.user; group = cfg.group; })
+        {
+            forgejo-db-pass = ../secrets/forgejo-db-pass.age;
+            forgejo-wizard-user-pass = ../secrets/forgejo-wizard-user-pass.age;
+            forgejo-mailbox-pass = ../secrets/forgejo-mailbox-pass.age;
+        };
+
+    backups = {
+        directories = [ cfg.stateDir ];
+        postgresqlDatabases = [ cfg.database.name ];
+    };
+
+    services.forgejo = {
+        enable = true;
+        user = "forgejo";
+        package = pkgs.forgejo;
+        stateDir = "/var/lib/forgejo";
+        database = {
+            name = "forgejo";
+            type = "postgres";
+            socket = "/var/run/postgresql";
+            passwordFile = secrets.db-pass.path;
+        };
+        # Enable support for Git Large File Storage
+        lfs.enable = true;
+        settings = {
+            server = {
+                DOMAIN = "${fqdn}";
+                ROOT_URL = "https://${fqdn}/"; 
+                HTTP_PORT = 3000;
+                SSH_PORT = 222;
+                SSH_LISTEN_PORT = 2222;
+                START_SSH_SERVER = true;
+                # Forgejo is installed under the forgejo user
+                # The builtin ssh server user must match this
+                BUILTIN_SSH_SERVER_USER = "${cfg.user}";
+            };
+            service = {
+                # Disable internal registration only
+                DISABLE_REGISTRATION = false;
+                ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+                # Force login throug OIDC
+                ENABLE_INTERNAL_SIGNIN = false;
+                ENABLE_BASIC_AUTHENTICATION = true;
+                ENABLE_NOTIFY_MAIL = true;
+
+                # Privacy
+                DEFAULT_KEEP_EMAIL_PRIVATE = true;
+                DEFAULT_USER_VISIBILITY = "private";
+            };
+            repository = {
+                # Enable git clone over HTTP
+                DISABLE_HTTP_GIT = false;
+            };
+            mailer = {
+                ENABLED = true;
+                SMTP_ADDR = "${domain}";
+                SMTP_PORT = 465;
+                FROM = "forge@${domain}";
+                USER = "forge@${domain}";
+            };
+        };
+        secrets = {
+            mailer = {
+                PASSWD = secrets.mbox-git.path;
+            };
+        };
+    };
+
+    systemd.services.forgejo.preStart = let 
+        adminCmd = "${lib.getExe cfg.package} admin user";
+        pwd = secrets.wizard-user-pass.path;
+        # Note, Forgejo doesn't allow creation of an account named "admin"
+        # Note: that username MUST be unpickable by a user signin-up to re2o endpoint
+        # WARN: Never change the username without deleting manually the account (it will otherwise continue to exists)
+        user = "wizard";
+    in ''
+        # || true -> avoid systemd to crash on that command if user already exist by forcing a 0 return value
+        ${adminCmd} create --admin --email "root@localhost" --username ${user} --password "$(tr -d '\n' < ${pwd})" || true
+        ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd})" || true
+    '';
+
+    services.nginx = {
+        enable = true;
+        recommendedProxySettings = true;
+        virtualHosts = {
+            "git.federez.net" = {
+                enableACME = true;
+                forceSSL = true;
+                locations."/".proxyPass = "http://localhost:3000";
+            };
+        };
+    };
+
+    # Setup port redirection and input filtering
+    networking = {
+        nat.enable = false;
+        firewall.enable = false;
+        nftables = {
+            enable = true;
+            checkRuleset = false;
+            # NixOs add is own shit, YANK IT :)
+            flushRuleset = true;
+            tables = {
+                filter = {
+                    content = ''
+                        chain input {
+                            type filter hook input priority 0
+                            policy drop
+
+                            # Authorized already setup connection
+                            ct state related,established accept
+
+                            # Reject sus stuff
+                            ct state invalid counter drop
+                            tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
+
+                            # ICMP
+                            icmp type { echo-request } limit rate 4/second accept
+                            icmpv6 type { echo-request } limit rate 4/second accept
+                            ip protocol icmp accept
+                            icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
+
+                            # SSH
+                            tcp dport 22 accept
+
+                            # HTTP/HTTPS
+                            tcp dport {443,80} accept
+
+                            # Log anything else
+                            ip protocol tcp counter log prefix "tcp.in.dropped: "
+                            ip protocol udp counter log prefix "udp.in.dropped: "
+
+                        }
+
+                    '';
+                    family = "inet";
+                };
+                nat = {
+                    content = ''
+                        chain prerouting {
+                            type nat hook prerouting priority -100
+                            policy accept
+
+                            # Port redirection
+                            tcp dport 222 redirect to :2222
+                        }
+                    '';
+                    family = "inet";
+                };
+            };
+        };
+    };
+
+}
--- a/profiles/gitlab.nix
+++ b/profiles/gitlab.nix
@ -25,9 +25,15 @@ in
    postgresqlDatabases = [ cfg.databaseName ];
  };

+  # If you ever want to update gitlab, even despite Forgejo being in deployment:
+  # 1. Make a proper gitlab backup
+  # 2. Uncomment all commented line below
+  # 3. Run colmena
+  # 4. Restore the backup previously saved
  services.gitlab = {
    enable = true;
    host = "gitlab2.federez.net";
+    port = 443;
    https = true;
    databasePasswordFile = secrets.gitlab-db-password.path;
    initialRootPasswordFile = secrets.gitlab-initial-root-password.path;
@ -36,9 +42,9 @@ in
      otpFile = secrets.gitlab-otp-secret.path;
      dbFile = secrets.gitlab-db-secret.path;
      jwsFile = secrets.gitlab-jws-secret.path;
-      activeRecordPrimaryKeyFile = secrets.gitlab-arpk-secret.path;
-      activeRecordDeterministicKeyFile = secrets.gitlab-ardk-secret.path;
-      activeRecordSaltFile = secrets.gitlab-ars-secret.path;
+      # activeRecordPrimaryKeyFile = secrets.gitlab-arpk-secret.path;
+      # activeRecordDeterministicKeyFile = secrets.gitlab-ardk-secret.path;
+      # activeRecordSaltFile = secrets.gitlab-ars-secret.path;
    };
    extraConfig.ldap = {
      enabled = true;
@ -61,10 +67,10 @@ in
    };
  };

-  services.postgresql = {
-    enable = true;
-    package = pkgs.postgresql_16;
-  };
+  # services.postgresql = {
+  #   enable = true;
+  #   package = pkgs.postgresql_16;
+  # };

  services.nginx = {
    enable = true;