From 58f99a156ce18f3b1ddff494b9ccdf11c9989e23 Mon Sep 17 00:00:00 2001
From: RGBCube
Date: Tue, 6 Feb 2024 12:59:56 +0300
Subject: [PATCH] Start working on Forgejo config
---
 hosts/cube/forgejo.nix | 91 ++++++++++++++++++++++++++
 hosts/cube/matrix-synapse.nix | 3 -
 secrets/cube/password.mail.forgejo.age | 6 ++
 secrets/secrets.nix | 2 +
 4 files changed, 99 insertions(+), 3 deletions(-)
 create mode 100644 hosts/cube/forgejo.nix
 create mode 100644 secrets/cube/password.mail.forgejo.age
diff --git a/hosts/cube/forgejo.nix b/hosts/cube/forgejo.nix
new file mode 100644
index 0000000..9bac132
--- /dev/null
+++ b/hosts/cube/forgejo.nix
@@ -0,0 +1,91 @@
+{ config, ulib, ... }: with ulib;
+
+let
+ inherit (config.networking) domain;
+
+ fqdn = "git.${domain}";
+in serverSystemConfiguration {
+ age.secrets."cube/password.mail.forgejo".owner = "forgejo";
+
+ services.postgresql = {
+ ensureDatabases = [ "forgejo" ];
+ ensureUsers = [{
+ name = "forgejo";
+ ensureDBOwnership = true;
+ }];
+ };
+
+ services.forgejo = enabled {
+ lfs = enabled {};
+
+ mailerPasswordFile = config.age.secrets."cube/password.mail.forgejo".path;
+
+ database = {
+ socket = "/run/postgresql";
+ type = "postgres";
+ };
+
+ settings = {
+ default.APP_NAME = "RGBCube's Forge of Shitty Software";
+
+ actions = {
+ ENABLED = true;
+ DEFAULT_ACTIONS_URL = "https://${fqdn}";
+ };
+
+ attachment.ALLOWED_TYPES = "*/*";
+
+ cache.ENABLED = true;
+
+ mailer = {
+ ENABLED = true;
+
+ PROTOCOL = "smtps";
+ SMTP_ADDR = config.mailserver.fqdn;
+ USER = "git@${domain}";
+ };
+
+ other = {
+ SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
+ SHOW_FOOTER_VERSION = false;
+ };
+
+ packages.ENABLED = false;
+
+ repository = {
+ DEFAULT_BRANCH = "master";
+ PREFERRED_LICENSES = "MIT,GPL-3.0,GPL-2.0,LGPL-3.0,LGPL-2.1";
+ };
+
+ "repository.upload" = {
+ FILE_MAX_SIZE = 100;
+ MAX_FILES = 10;
+ };
+
+ server = {
+ DOMAIN = domain;
+ ROOT_URL = "https://${fqdn}/";
+ LANDING_PAGE = "/explore";
+
+ HTTP_ADDR = "::";
+ HTTP_PORT = 8004;
+
+ SSH_CREATE_AUTHORIZED_KEYS_FILE = true;
+ SSH_PORT = builtins.elemAt config.services.openssh.ports 0;
+
+ DISABLE_ROUTER_LOG = true;
+ };
+
+ service.DISABLE_REGISTRATION = true;
+
+ session = {
+ COOKIE_SECURE = true;
+ SAME_SITE = "strict";
+ };
+ };
+ };
+
+ services.nginx.virtualHosts.${fqdn} = (sslTemplate domain) // {
+ locations."/".proxyPass = "http://[::]:${toString config.services.forgejo.settings.server.HTTP_PORT}";
+ };
+}
diff --git a/hosts/cube/matrix-synapse.nix b/hosts/cube/matrix-synapse.nix
index 2612038..fa7cbef 100644
--- a/hosts/cube/matrix-synapse.nix
+++ b/hosts/cube/matrix-synapse.nix
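Review bot: `HTTP_ADDR = "::"` in the server block binds Forgejo's plain-HTTP listener on every interface, so port 8004 is reachable directly, bypassing the nginx TLS vhost below, unless the host firewall closes it; only nginx needs to reach it, so bind loopback instead, `HTTP_ADDR = "::1";` and `locations."/".proxyPass = "http://[::1]:${toString config.services.forgejo.settings.server.HTTP_PORT}";`. `attachment.ALLOWED_TYPES = "*/*"` replaces Forgejo's default attachment allow-list with "anything", so HTML, scripts and executables can be stored and served as issue and release attachments; if that is deliberate, a one-line comment saying why would help the next reader. `DISABLE_ROUTER_LOG = true` also drops Forgejo's own per-request log, leaving the nginx access log as the only record of requests to the forge, which matters when reconstructing an incident. Separately, the nginx vhost sets no `client_max_body_size`, so unless `sslTemplate` does, nginx's 1 MiB default will reject uploads well before `FILE_MAX_SIZE = 100` or LFS pushes come into play.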
@@ -58,9 +58,6 @@ in serverSystemConfiguration {
 enable_metrics = true;
 metrics_flags.known_servers = true;
- allow_guest_access = false;
- enable_registration = false;
- expire_access_token = true;
 url_preview_enabled = true;
diff --git a/secrets/cube/password.mail.forgejo.age b/secrets/cube/password.mail.forgejo.age
new file mode 100644
index 0000000..2113e92
--- /dev/null
+++ b/secrets/cube/password.mail.forgejo.age
@@ -0,0 +1,6 @@ +age-encryption.org/v1 +-> ssh-ed25519 +rZ0Tw k4u86tbxSaZTIr9QzN2P+md9WwGvn93jOXqR2JHWy30 +tG7p/GaP0MhTqbAin3KmIMCrE67Ls3NYoztcJT8r7po +--- cmz8sBFqHk8RyAae/gBqrWgjCyHrVtngjZGn1xQOze8 +9rgM׶9gz +@uO0ץa \ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 95f7926..03f5c6f 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -15,6 +15,8 @@ in with keys; { "cube/password.acme.age".publicKeys = key cube; + "cube/password.mail.forgejo.age".publicKeys = key cube; + "cube/password.grafana.age".publicKeys = key cube; "cube/password.mail.grafana.age".publicKeys = key cube;