diff --git a/flake.lock b/flake.lock
index bc1100e..daed992 100644
--- a/flake.lock
+++ b/flake.lock
@@ -559,11 +559,11 @@
 },
 "nix-secrets": {
 "locked": {
- "lastModified": 1739387047,
- "narHash": "sha256-KpogJP00vwuMIKkGJff3zp0YfV9GfOG//UzMK4nWWUw=",
+ "lastModified": 1740164526,
+ "narHash": "sha256-lpKNY9qLoIT1XbLzeY+tmkV1DjQQ3mWYWjko+necYhM=",
 "ref": "refs/heads/master",
- "rev": "be51e237b5b3d441a194f3e516175f6a543aee35",
- "revCount": 280,
+ "rev": "ddf31a3a72504f36577ec341fbc84aa8f3dd3318",
+ "revCount": 283,
 "type": "git",
 "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
 },
diff --git a/hosts/cloudnix/default.nix b/hosts/cloudnix/default.nix
index cdde410..3772ec0 100644
--- a/hosts/cloudnix/default.nix
+++ b/hosts/cloudnix/default.nix
@@ -30,16 +30,13 @@ in {
 ../common/optional/openssh.nix
 ../common/optional/distributed-builds/local-machine.nix
- ../common/optional/nixos-containers/semitamaps.nix
- ../common/optional/nixos-containers/vaultwarden.nix
- ../common/optional/nixos-containers/xmpp.nix
+ # ../common/optional/nixos-containers/semitamaps.nix
+ # ../common/optional/nixos-containers/vaultwarden.nix
+ # ../common/optional/nixos-containers/xmpp.nix
 ../common/optional/fail2ban.nix
 ../common/optional/restic-backup.nix
-
- ../common/optional/nginx/vaultwarden.nix
- ../common/optional/nginx/xmpp.nix
-
+ ../common/optional/forgejo.nix
 outputs.nixosModules.nixosAutoUpgrade
 ];
diff --git a/hosts/common/optional/forgejo.nix b/hosts/common/optional/forgejo.nix
new file mode 100644
index 0000000..13245f2
--- /dev/null
+++ b/hosts/common/optional/forgejo.nix
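Review bot: The three nixos-containers imports are commented out rather than deleted, which leaves dead entries in the import list; since each container module now carries its own nginx vhost import, re-enabling a service later is a one-line change, so the commented lines can simply be removed. The host also switches to `../common/optional/forgejo.nix`, the host-level module that runs Forgejo directly on cloudnix, while the commit's new `../common/optional/nixos-containers/forgejo.nix` is not imported anywhere in this diff; if Forgejo is meant to be isolated like the other services, the import should presumably point at the container module instead.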
@@ -0,0 +1,37 @@
+{
+ pkgs,
+ configVars,
+ ...
+}: let
+ forgejoDomain = configVars.domains.forgejo;
+ forgejoPort = configVars.networking.addresses.forgejo.port;
+in {
+
+ imports = [./nginx/forgejo.nix];
+
+ environment.persistence."/persist" = {
+ hideMounts = true;
+ directories = [
+ "/var/lib/forgejo"
+ ];
+ };
+
+ services.forgejo = {
+ enable = true;
+ package = pkgs.forgejo;
+ database.type = "sqlite3";
+ lfs.enable = true;
+ settings = {
+ server = {
+ DOMAIN = "git.${forgejoDomain}";
+ ROOT_URL = "https://git.${forgejoDomain}/";
+ HTTP_PORT = forgejoPort;
+ };
+ service.DISABLE_REGISTRATION = false;
+ actions = {
+ ENABLED = true;
+ DEFAULT_ACTIONS_URL = "github";
+ };
+ };
+ };
+}
diff --git a/hosts/common/optional/nginx/forgejo.nix b/hosts/common/optional/nginx/forgejo.nix
new file mode 100644
index 0000000..694eb8d
--- /dev/null
+++ b/hosts/common/optional/nginx/forgejo.nix
@@ -0,0 +1,27 @@
+{configVars, ...}: let
+ email = configVars.email.user;
+ domain = configVars.domains.forgejo;
+ forgejoIp = configVars.networking.addresses.forgejo.localAddress;
+ forgejoPort = configVars.networking.addresses.forgejo.port;
+in {
+ networking.firewall.allowedTCPPorts = [80 443];
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = email;
+ };
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts."git.${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ extraConfig = ''
+ client_max_body_size 1024M;
+ '';
+ locations."/" = {
+ proxyPass = "http://${forgejoIp}:${toString forgejoPort}";
+ };
+ };
+ };
+}
diff --git a/hosts/common/optional/nixos-containers/forgejo.nix b/hosts/common/optional/nixos-containers/forgejo.nix
new file mode 100644
index 0000000..3875a2c
--- /dev/null
+++ b/hosts/common/optional/nixos-containers/forgejo.nix
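Review bot: `service.DISABLE_REGISTRATION = false;` leaves self-registration open on an instance that `./nginx/forgejo.nix` publishes under `git.${forgejoDomain}` with an ACME certificate, so anyone on the internet can create accounts and repositories, and with `actions.ENABLED = true` could run workflows should a runner ever be registered; once the first admin account exists this should become `service.DISABLE_REGISTRATION = true;` (optionally with `service.REQUIRE_SIGNIN_VIEW = true;` for a private instance). The same setting is duplicated verbatim in the new `nixos-containers/forgejo.nix`, so it needs changing in both places, or better, the shared `services.forgejo` block should live in one module that both import. Note also that this host-level module imports the same nginx module, whose `proxyPass` targets `configVars.networking.addresses.forgejo.localAddress`, i.e. the container's address; when Forgejo runs directly on the host as this module does, nginx would presumably be proxying to an address that only exists while the container is up — confirm which deployment is intended.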
@@ -0,0 +1,119 @@
+{
+ pkgs,
+ lib,
+ configVars,
+ inputs,
+ ...
+}: let
+ containerName = "forgejo";
+ pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
+ hostAddress = configVars.networking.addresses.forgejo.hostAddress;
+ localAddress = configVars.networking.addresses.forgejo.localAddress;
+ forgejoPort = configVars.networking.addresses.forgejo.port;
+ forgejoDomain = configVars.domains.forgejo;
+ cloudnixIp = configVars.networking.addresses.cloudnix.ip;
+ sops-nix = inputs.sops-nix;
+in {
+ networking = {
+ nat = {
+ enable = true;
+ internalInterfaces = ["ve-+"];
+ externalInterface = "enp1s0";
+ };
+ };
+
+ environment.persistence."/persist" = {
+ hideMounts = true;
+ directories = [
+ "/var/lib/nixos-containers/${containerName}"
+ ];
+ };
+ imports = [../nginx/forgejo.nix];
+
+ containers."${containerName}" = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = hostAddress;
+ localAddress = localAddress;
+ nixpkgs = pkgs.path;
+ bindMounts = {
+ "/etc/ssh/ssh_host_ed25519_key" = {
+ hostPath = "/etc/ssh/ssh_host_ed25519_key";
+ isReadOnly = true;
+ };
+ };
+
+ config = {
+ pkgs,
+ lib,
+ ...
+ }: let
+ secretsDirectory = builtins.toString inputs.nix-secrets;
+ secretsFile = "${secretsDirectory}/secrets.yaml";
+ in {
+ networking = {
+ defaultGateway = cloudnixIp;
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ forgejoPort
+ ];
+ };
+ useHostResolvConf = lib.mkForce false;
+ };
+
+ services.resolved.enable = true;
+
+ sops = {
+ defaultSopsFile = "${secretsFile}";
+ validateSopsFiles = false;
+
+ age = {
+ sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+ };
+ };
+
+ imports = [
+ sops-nix.nixosModules.sops
+ ];
+
+ environment.systemPackages = [
+ pkgs.vim
+ pkgs.git
+ pkgs.lsof
+ ];
+
+ services.forgejo = {
+ enable = true;
+ package = pkgs.forgejo;
+ database.type = "sqlite3";
+ lfs.enable = true;
+ settings = {
+ server = {
+ DOMAIN = "git.${forgejoDomain}";
+ ROOT_URL = "https://git.${forgejoDomain}/";
+ HTTP_PORT = forgejoPort;
+ };
+ service.DISABLE_REGISTRATION = false;
+ actions = {
+ ENABLED = true;
+ DEFAULT_ACTIONS_URL = "github";
+ };
+ };
+ };
+
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ };
+
+ users.users = {
+ root = {
+ openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
+ };
+ };
+
+ system.stateVersion = "24.05";
+ };
+ };
+}
diff --git a/hosts/common/optional/nixos-containers/semitamaps.nix b/hosts/common/optional/nixos-containers/semitamaps.nix
index 7113dfe..419602d 100644
--- a/hosts/common/optional/nixos-containers/semitamaps.nix
+++ b/hosts/common/optional/nixos-containers/semitamaps.nix
@@ -29,6 +29,10 @@ in {
 ];
 };
+ imports = [
+ ../nginx/semitamaps.nix
+ ];
+
 containers."${containerName}" = {
 autoStart = true;
 privateNetwork = true;
@@ -71,9 +75,6 @@ in {
 services.resolved.enable = true;
- imports = [
- ];
-
 environment.systemPackages = [
 pkgs.vim
 pkgs.git
diff --git a/hosts/common/optional/nixos-containers/vaultwarden.nix b/hosts/common/optional/nixos-containers/vaultwarden.nix
index 0d132d5..1e8478f 100644
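Review bot: The `bindMounts` entry hands the host's own `/etc/ssh/ssh_host_ed25519_key` to a container whose sole workload is an internet-facing web application with open registration, so any compromise of the container exposes the host's SSH identity together with every sops secret encrypted to that key (it is also what `sops.age.sshKeyPaths` decrypts with). A dedicated age key generated for the container, added as its own sops recipient and mounted instead, keeps the blast radius inside the container; if the other container modules use the same bind mount, the change belongs in a shared helper. Separately, nginx reaches Forgejo from `hostAddress`, which falls outside Forgejo's default trusted-proxy range (loopback only), so Forgejo's own logs and login rate limiting will attribute every request to the host rather than the real client; `security.REVERSE_PROXY_TRUSTED_PROXIES = hostAddress;` under `settings` fixes that, since `hostAddress` is already bound in the outer `let`. Finally, nothing in this diff imports this file — `hosts/cloudnix/default.nix` pulls in the host-level `../common/optional/forgejo.nix` instead — so the container is presumably never built unless it is wired up elsewhere.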
--- a/hosts/common/optional/nixos-containers/vaultwarden.nix
+++ b/hosts/common/optional/nixos-containers/vaultwarden.nix
@@ -13,7 +13,6 @@
 cloudnixIp = configVars.networking.addresses.cloudnix.ip;
 sops-nix = inputs.sops-nix;
 in {
-
 networking = {
 nat = {
 enable = true;
@@ -29,6 +28,8 @@ in {
 ];
 };
+ imports = [../nginx/vaultwarden.nix];
+
 containers."${containerName}" = {
 autoStart = true;
 privateNetwork = true;
@@ -50,7 +51,6 @@ in {
 secretsDirectory = builtins.toString inputs.nix-secrets;
 secretsFile = "${secretsDirectory}/secrets.yaml";
 in {
-
 networking = {
 defaultGateway = cloudnixIp;
 firewall = {
diff --git a/hosts/common/optional/nixos-containers/xmpp.nix b/hosts/common/optional/nixos-containers/xmpp.nix
index ce1719d..3c450d6 100644
--- a/hosts/common/optional/nixos-containers/xmpp.nix
+++ b/hosts/common/optional/nixos-containers/xmpp.nix
@@ -43,6 +43,10 @@ in {
 };
 };
+ imports = [
+ ../nginx/xmpp.nix
+ ];
+
 environment.persistence."/persist" = {
 hideMounts = true;
 directories = [