federez/nix
7
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
nix/profiles/forgejo.nix

168 lines
No EOL
5.7 KiB
Nix
Raw Blame History

{ config, lib, pkgs, ... }:
let
cfg = config.services.forgejo;
secrets = config.age.secrets;
domain = "federez.net";
fqdn = "git.${domain}";
in
{
age.secrets = lib.mapAttrs
(_: f: { file = f; owner = cfg.user; group = cfg.group; })
{
forgejo-db-pass = ../secrets/forgejo-db-pass.age;
forgejo-wizard-user-pass = ../secrets/forgejo-wizard-user-pass.age;
forgejo-mailbox-pass = ../secrets/forgejo-mailbox-pass.age;
};
backups = {
directories = [ cfg.stateDir ];
postgresqlDatabases = [ cfg.database.name ];
};
services.forgejo = {
enable = true;
user = "forgejo";
package = pkgs.forgejo;
stateDir = "/var/lib/forgejo";
database = {
name = "forgejo";
type = "postgres";
socket = "/var/run/postgresql";
passwordFile = secrets.forgejo-db-pass.path;
};
# Enable support for Git Large File Storage
lfs.enable = true;
settings = {
server = {
DOMAIN = "${fqdn}";
ROOT_URL = "https://${fqdn}/";
HTTP_PORT = 3000;
SSH_PORT = 222;
SSH_LISTEN_PORT = 2222;
START_SSH_SERVER = true;
# Forgejo is installed under the forgejo user
# The builtin ssh server user must match this
BUILTIN_SSH_SERVER_USER = "${cfg.user}";
};
service = {
# Disable internal registration only
DISABLE_REGISTRATION = true;
ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
ENABLE_INTERNAL_SIGNIN = true;
ENABLE_BASIC_AUTHENTICATION = true;
ENABLE_NOTIFY_MAIL = true;
# Privacy
DEFAULT_KEEP_EMAIL_PRIVATE = true;
DEFAULT_USER_VISIBILITY = "private";
};
repository = {
# Enable git clone over HTTP
DISABLE_HTTP_GIT = false;
};
mailer = {
ENABLED = true;
SMTP_ADDR = "${domain}";
SMTP_PORT = 465;
FROM = "forge@${domain}";
USER = "forge@${domain}";
};
};
secrets = {
mailer = {
PASSWD = secrets.forgejo-mailbox-pass.path;
};
};
};
systemd.services.forgejo.preStart = let
adminCmd = "${lib.getExe cfg.package} admin user";
pwd = secrets.forgejo-wizard-user-pass.path;
# Note, Forgejo doesn't allow creation of an account named "admin"
# Note: that username MUST be unpickable by a user signin-up to re2o endpoint
# WARN: Never change the username without deleting manually the account (it will otherwise continue to exists)
user = "wizard";
in ''
# || true -> avoid systemd to crash on that command if user already exist by forcing a 0 return value
${adminCmd} create --admin --email "root@localhost" --username ${user} --password "$(tr -d '\n' < ${pwd})" || true
${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd})" || true
'';
services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts = {
"git.federez.net" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:3000";
};
};
};
# Setup port redirection and input filtering
networking = {
nat.enable = false;
firewall.enable = false;
nftables = {
enable = true;
checkRuleset = false;
# NixOs add is own shit, YANK IT :)
flushRuleset = true;
tables = {
filter = {
content = ''
chain input {
type filter hook input priority 0
policy drop
# Authorized already setup connection
ct state related,established accept
# Reject sus stuff
ct state invalid counter drop
tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
# ICMP
icmp type { echo-request } limit rate 4/second accept
icmpv6 type { echo-request } limit rate 4/second accept
ip protocol icmp accept
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
# SSH
tcp dport 22 accept
# HTTP/HTTPS
tcp dport {443,80} accept
# Allow loopback
iif lo accept
# Log anything else
ip protocol tcp counter log prefix "tcp.in.dropped: "
ip protocol udp counter log prefix "udp.in.dropped: "
}
'';
family = "inet";
};
nat = {
content = ''
chain prerouting {
type nat hook prerouting priority -100
policy accept
# Port redirection
tcp dport 222 redirect to :2222
}
'';
family = "inet";
};
};
};
};
}
Reference in a new issue View git blame Copy permalink