From b9cc3201b833e1e2a5d4456ecff2af14c31f480e Mon Sep 17 00:00:00 2001
From: Lukas Wurzinger
Date: Sat, 21 Dec 2024 17:31:10 +0100
Subject: [PATCH] stuff
---
 common/ripgrep.nix | 5 ++
 flake.lock | 18 +++---
 hosts/server/abacus/forgejo.nix | 87 +++++++++++++++++++++++++++++++++
 secrets/forgejo-admin.age | 9 ++++
 secrets/forgejo-mailer.age | 10 ++++
 secrets/secrets.nix | 5 ++
6 files changed, 125 insertions(+), 9 deletions(-)
 create mode 100644 common/ripgrep.nix
 create mode 100644 hosts/server/abacus/forgejo.nix
 create mode 100644 secrets/forgejo-admin.age
 create mode 100644 secrets/forgejo-mailer.age
diff --git a/common/ripgrep.nix b/common/ripgrep.nix
new file mode 100644
index 0000000..6094a55
--- /dev/null
+++ b/common/ripgrep.nix
@@ -0,0 +1,5 @@
+{pkgs, ...}: {
+ environment.systemPackages = [
+ pkgs.ripgrep
+ ];
+}
diff --git a/flake.lock b/flake.lock
index 0e076e8..2c75ad0 100644
--- a/flake.lock
+++ b/flake.lock
@@ -338,11 +338,11 @@
 "rust-overlay": "rust-overlay"
 },
 "locked": {
- "lastModified": 1734720291,
- "narHash": "sha256-a0ArHOrz4X3TK0fwXs67lBwlNPG2y78LBTf9lUJxo54=",
+ "lastModified": 1734745015,
+ "narHash": "sha256-HGl0yR/qfGTO99NfiB5bqTe2nPKmD57opzB/TwhJSW0=",
 "owner": "lilyinstarlight",
 "repo": "nixos-cosmic",
- "rev": "b5f8f498a70d4ca6fd33772cab9d0cc8f8cf611d",
+ "rev": "1c922245aec471610533c7a225bf9c20e7002ff2",
 "type": "github"
 },
 "original": {
@@ -381,11 +381,11 @@
 },
 "nixpkgs-stable": {
 "locked": {
- "lastModified": 1734323986,
- "narHash": "sha256-m/lh6hYMIWDYHCAsn81CDAiXoT3gmxXI9J987W5tZrE=",
+ "lastModified": 1734600368,
+ "narHash": "sha256-nbG9TijTMcfr+au7ZVbKpAhMJzzE2nQBYmRvSdXUD8g=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "394571358ce82dff7411395829aa6a3aad45b907",
+ "rev": "b47fd6fa00c6afca88b8ee46cfdb00e104f50bca",
 "type": "github"
 },
 "original": {
@@ -498,11 +498,11 @@
 ]
 },
 "locked": {
- "lastModified": 1734575524,
- "narHash": "sha256-BxQ/4JuHEi0zRjF0P8B5xnbXOLulgsK2gfwVRXGZ4a4=",
+ "lastModified": 1734661750,
+ "narHash": "sha256-BI58NBdimxu1lnpOrG9XxBz7Cwqy+qIf99zunWofX5w=",
 "owner": "oxalica",
 "repo": "rust-overlay",
- "rev": "573c674a3ad06e8a525263185ebef336a411d1d5",
+ "rev": "7d3d910d5fd575e6e8c5600d83d54e5c47273bfe",
 "type": "github"
 },
 "original": {
diff --git a/hosts/server/abacus/forgejo.nix b/hosts/server/abacus/forgejo.nix
new file mode 100644
index 0000000..0cdf76c
--- /dev/null
+++ b/hosts/server/abacus/forgejo.nix
@@ -0,0 +1,87 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (config.networking) domain;
+ virtualHostName = "tea.${domain}";
+in {
+ age.secrets = lib.mkSecrets {
+ forgejo-mailer = {
+ mode = "400";
+ owner = "forgejo";
+ };
+ forgejo-admin = {
+ mode = "400";
+ owner = "forgejo";
+ };
+ };
+
+ services.forgejo = {
+ enable = true;
+ database.type = "postgres";
+ lfs.enable = true;
+ settings = {
+ server = {
+ DOMAIN = virtualHostName;
+ ROOT_URL = "https://${virtualHostName}/";
+ HTTP_ADDR = "127.0.0.1";
+ HTTP_PORT = 8060;
+ };
+
+ service = {
+ DISABLE_REGISTRATION = true;
+ ENABLE_NOTIFY_MAIL = true;
+ REQUIRE_SIGNIN_VIEW = true; # TODO
+ };
+
+ federation = {
+ ENABLED = false; # TODO
+ SHARE_USER_STATISTICS = false; # TODO
+ };
+
+ mailer = {
+ ENABLED = true;
+ SMTP_ADDR = "smtp.fastmail.com";
+ FROM = "tea@${domain}";
+ USER = "lukas@${domain}";
+ };
+ };
+ secrets.mailer.PASSWD = config.age.secrets.forgejo-mailer.path;
+ };
+
+ systemd.services.forgejo.preStart = let
+ forgejo = lib.getExe config.services.forgejo.package;
+ passwordFile = config.age.secrets.forgejo-admin.path;
+ user = "lukas";
+ email = "lukas@wrz.one";
+ in ''
+ if ! \
+ ${forgejo} admin user change-password \
+ --username ${lib.escapeShellArg user} \
+ --password "$(cat -- ${lib.escapeShellArg passwordFile})"
+ then
+ ${forgejo} admin user create \
+ --admin \
+ --email ${lib.escapeShellArg email} \
+ --username ${lib.escapeShellArg user} \
+ --password "$(cat -- ${lib.escapeShellArg passwordFile})"
+ fi
+ '';
+
+ services.nginx.virtualHosts.${virtualHostName} = {
+ enableACME = true;
+ forceSSL = true;
+
+ extraConfig = ''
+ client_max_body_size 512M;
+ '';
+
+ locations."/".proxyPass = let
+ inherit (config.services.forgejo.settings.server) HTTP_ADDR HTTP_PORT;
+ in "http://${lib.formatHostPort {
+ host = HTTP_ADDR;
+ port = HTTP_PORT;
+ }}";
+ };
+}
diff --git a/secrets/forgejo-admin.age b/secrets/forgejo-admin.age
new file mode 100644
index 0000000..42485b0
--- /dev/null
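Review bot: In the preStart script the admin password is passed to `forgejo admin user change-password` and `admin user create` as a `--password` argument, so while those commands run it is readable from the process command line by other local users (unless /proc is mounted with hidepid), which sidesteps the `mode = "400"` placed on the secret file; if the Forgejo CLI can read the password from a file or stdin, prefer that, otherwise record the trade-off with a comment such as `# NOTE: --password is visible in the process list for the duration of this command`. Running `change-password` on every service start also means a password changed through the web UI is reverted at the next restart — presumably intended, but worth a one-line comment. Since `systemd.services.forgejo.preStart` is a `lines` option merged with the NixOS forgejo module's own preStart (which, as far as I recall, prepares the app.ini the CLI reads), `systemd.services.forgejo.preStart = lib.mkAfter ''` makes the ordering explicit instead of depending on module evaluation order. `email = "lukas@wrz.one"` is hard-coded while `USER` and `FROM` derive from `config.networking.domain`; if they are meant to agree, `email = "lukas@${domain}";` keeps a single source of truth.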
+++ b/secrets/forgejo-admin.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 SFHVrw AX7EqqMZLaetIHP2UX3tAah1sM62HC4Q6yQN+GfI/mY
+ZjQ3rIVxjUKvH49WsQx5GH1Xrt5YhcQV1xGy1Ha0QVM
+-> ssh-ed25519 S+dwQQ srmW8YUI+usZdBng7/vYefhK8U7h8lhmZPnQBXIVyzo
+PGwiccVGY9LXWwKjaNCNajYiqQeNftGdURSlU+7i6/w
+-> ssh-ed25519 ffmsLw sezlUhl2yIHgR6igudKrnRaYlowBNT1mTZPmJL83G0o
+vBpTR6Rl4UGtFbdPKrl29QpzyQV2RkJJ5OF5a9TDlzg
+--- gpOgzSPpqa4CN+2v7jBkc1CBHJblq1NHlr8bDNvM3Vk
+.uc'߄ԒotiPrty ssh-ed25519 SFHVrw U6hzdh0ovG3u8KtQyYX/rPDWLPZZ8aqRpwt7uleDjE0
+cXXazXoaasaYWq65ZTo45nY4cQ3Pt4pU4tfWHdynwU8
+-> ssh-ed25519 S+dwQQ u63Xj4MX8z8V1C/O+u+ZWEqANe7OWB7+HckJLxfoFG0
+q+6GDIb16IbADLxxs7c4qooYPoGq7LuMMPMqaNRoiwY
+-> ssh-ed25519 ffmsLw mtafAVhaZQwgcWA+KqK6cRNC4OJfQofBctJbPbryzXI
+P1R4aRaFXHdfUzYoJwOBc9GPwRGb25XtL+/0ayqzgtA
+--- qvpsZVBmcOxhGNEhTqaJThat+D7uVcUXIVR4zNO/Vq0
+TYR}Fmbr +gwF.r2Stq\°Դ|
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 2385063..5249bb7 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -2,9 +2,14 @@ with import ../pubkeys.nix; {
 "user-lukas.age".publicKeys = (builtins.attrValues users) ++ (builtins.attrValues hosts);
 "microbin.age".publicKeys = (builtins.attrValues users) ++ [hosts.abacus];
+ "miniflux.age".publicKeys = (builtins.attrValues users) ++ [hosts.abacus];
+ "vaultwarden.age".publicKeys = (builtins.attrValues users) ++ [hosts.abacus];
+ "forgejo-mailer.age".publicKeys = (builtins.attrValues users) ++ [hosts.abacus];
+ "forgejo-admin.age".publicKeys = (builtins.attrValues users) ++ [hosts.abacus];
+ "restic-vessel.age".publicKeys = (builtins.attrValues users) ++ [hosts.vessel];
 "restic-abacus.age".publicKeys = (builtins.attrValues users) ++ [hosts.abacus];
 }