fi/nix-infra
1
1
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Add forgejo host

Browse source
This commit is contained in:
fi 2024-01-28 03:31:28 +01:00
parent 0f665588df
commit d82f9a8803
Signed by: fi
SSH key fingerprint: SHA256:d+6fQoDPMbSFK95zRVflRKZLRKF4cPSQb7VIxYkhFsA
11 changed files with 166 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
config/hosts/forgejo/configuration.nix Normal file
View file

@ -0,0 +1,16 @@
{ ... }:
{
boot.loader.grub = {
enable = true;
device = "/dev/vda";
};
networking = {
hostName = "forgejo";
firewall = {
allowedTCPPorts = [ 80 8443 ];
};
};
system.stateVersion = "23.11";
}

9
config/hosts/forgejo/default.nix Normal file
View file

@ -0,0 +1,9 @@
{ ... }:
{
imports = [
./configuration.nix
./forgejo.nix
./redis.nix
./nginx.nix
];
}

60
config/hosts/forgejo/forgejo.nix Normal file
View file

@ -0,0 +1,60 @@
{ ... }:
{
services.forgejo = {
enable = true;
database.type = "postgres";
mailerPasswordFile = "/secrets/forgejo-mailer-password.secret";
settings = {
DEFAULT = {
APP_NAME = "Nekoverse Git";
};
server = {
DOMAIN = "git.nekover.se";
PROTOCOL = "http";
HTTP_ADDR = "127.0.0.1";
HTTP_PORT = 3000;
ROOT_URL = "https://git.nekover.se/";
# LOCAL_ROOT_URL is apparently what Forgejo uses to access itself.
# Doesn't need to be set.
};
admin = {
DISABLE_REGULAR_ORG_CREATION = false;
};
session = {
COOKIE_SECURE = true;
};
"ui.meta" = {
AUTHOR = "Nekoverse Git";
DESCRIPTION = "Git instance of the Nekoverse.";
KEYWORDS = "git,forge,forgejo,nekoverse";
};
service = {
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
DEFAULT_USER_VISIBILITY = "limited";
DEFAULT_KEEP_EMAIL_PRIVATE = true;
ENABLE_BASIC_AUTHENTICATION = false;
};
repo = {
DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
};
actions = {
ENABLED = true;
ARTIFACT_RETENTION_DAYS = 30;
};
mailer = {
ENABLED = true;
FROM = "nyareply@nekover.se";
PROTOCOL = "smtps";
SMTP_ADDR = "mail-1.grzb.de";
SMTP_PORT = 465;
USER = "forgejo@nekover.se";
};
cache = {
ENABLED = true;
ADAPTER = "redis";
HOST = "redis+socket:///run/redis-forgejo/redis.sock";
};
};
};
}

37
config/hosts/forgejo/nginx.nix Normal file
View file

@ -0,0 +1,37 @@
{ config, ... }:
{
services.nginx = {
enable = true;
virtualHosts."git.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
extraParameters = [ "proxy_protocol" ];
}
];
locations."/" = {
proxyPass = "${config.services.forgejo.settings.server.PROTOCOL}://${config.services.forgejo.settings.server.HTTP_ADDR}:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}";
};
# Disallow crawling archives to save disk space.
# See: https://forgejo.org/docs/latest/admin/search-engines-indexation/
locations."/robots.txt" = {
return = "200 \"User-agent: *\\nDisallow: /*/*/archive/\\n\"";
};
extraConfig = ''
set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol;
'';
};
};
}

12
config/hosts/forgejo/redis.nix Normal file
View file

@ -0,0 +1,12 @@
{ ... }:
{
services.redis.servers.forgejo = {
enable = true;
user = "forgejo";
};
systemd.services.forgejo = {
after = [ "redis-forgejo.service" ];
requires = [ "redis-forgejo.service" ];
};
}

13
config/hosts/forgejo/secrets.nix Normal file
View file

@ -0,0 +1,13 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"forgejo-mailer-password.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/forgejo-nekover-se" ];
destDir = "/secrets";
user = "forgejo";
group = "forgejo";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}

8
config/hosts/mail-1/secrets.nix
View file

@ -89,5 +89,13 @@
permissions = "0640"; permissions = "0640";
uploadAt = "pre-activation"; uploadAt = "pre-activation";
}; };
"mail-forgejo-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/forgejo-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
}; };
} }

5
config/hosts/mail-1/simple-nixos-mailserver.nix
View file

@ -56,6 +56,11 @@
sendOnly = true; sendOnly = true;
aliases = [ "nyareply@nekover.se" ]; aliases = [ "nyareply@nekover.se" ];
}; };
"forgejo@nekover.se" = {
hashedPasswordFile = "/secrets/mail-forgejo-nekover-se.secret";
sendOnly = true;
aliases = [ "nyareply@nekover.se" ];
};
}; };
certificateScheme = "acme-nginx"; certificateScheme = "acme-nginx";
}; };

1
config/hosts/web-public-2/nginx.nix
View file

@ -22,6 +22,7 @@
element.nekover.se 127.0.0.1:8443; element.nekover.se 127.0.0.1:8443;
gameserver.grzb.de 127.0.0.1:8443; gameserver.grzb.de 127.0.0.1:8443;
git.grzb.de 127.0.0.1:8443; git.grzb.de 127.0.0.1:8443;
git.nekover.se 10.202.41.106:8443;
hydra.nekover.se 10.202.41.121:8443; hydra.nekover.se 10.202.41.121:8443;
id.nekover.se 10.202.41.124:8443; id.nekover.se 10.202.41.124:8443;
matrix.nekover.se 10.202.41.112:8443; matrix.nekover.se 10.202.41.112:8443;

1
config/hosts/web-public-2/virtualHosts/acme-challenge.nix
View file

@ -5,6 +5,7 @@ let
"mail-1.grzb.de" = "mail-1.vs.grzb.de"; "mail-1.grzb.de" = "mail-1.vs.grzb.de";
"matrix.nekover.se" = "matrix.vs.grzb.de"; "matrix.nekover.se" = "matrix.vs.grzb.de";
"netbox.grzb.de" = "netbox.vs.grzb.de"; "netbox.grzb.de" = "netbox.vs.grzb.de";
"git.nekover.se" = "forgejo.vs.grzb.de";
"grafana.grzb.de" = "metrics.vs.grzb.de"; "grafana.grzb.de" = "metrics.vs.grzb.de";
"jackett.grzb.de" = "torrent.vs.grzb.de"; "jackett.grzb.de" = "torrent.vs.grzb.de";
"jellyseerr.grzb.de" = "jellyseerr.vs.grzb.de"; "jellyseerr.grzb.de" = "jellyseerr.vs.grzb.de";

4
hosts.nix
View file

@ -45,6 +45,10 @@ in
site = "vs"; site = "vs";
environment = "proxmox"; environment = "proxmox";
}; };
forgejo = {
site = "vs";
environment = "proxmox";
};
keycloak = { keycloak = {
site = "vs"; site = "vs";
environment = "proxmox"; environment = "proxmox";