Compare commits
2 commits
3841eb663f
...
9cecd28e9a
Author | SHA1 | Date | |
---|---|---|---|
9cecd28e9a | |||
a597470f2b |
7 changed files with 92 additions and 64 deletions
|
@ -2,8 +2,9 @@
|
|||
description = "Lyns flake";
|
||||
inputs = {
|
||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
|
||||
sops-nix.url = "github:Mic92/sops-nix";
|
||||
};
|
||||
outputs = { self, nixpkgs }@inputs: {
|
||||
outputs = { self, nixpkgs, sops-nix }@inputs: {
|
||||
nixosConfigurations = {
|
||||
"forgejo" = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
|
@ -12,6 +13,7 @@
|
|||
# old configuration file can still take effect.
|
||||
# Note: configuration.nix itself is also a Nixpkgs Module,
|
||||
./configuration.nix
|
||||
sops-nix.nixosModules.sops
|
||||
];
|
||||
specialArgs = {
|
||||
inherit inputs;
|
||||
|
|
|
@ -1,16 +1,12 @@
|
|||
# Edit this configuration file to define what should be installed on
|
||||
# your system. Help is available in the configuration.nix(5) man page
|
||||
# and in the NixOS manual (accessible by running `nixos-help`).
|
||||
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
{ config, pkgs, lib, inputs, ... }: with lib.meta; {
|
||||
imports =
|
||||
[
|
||||
./hardware-configuration.nix
|
||||
# comment in backup.nix for borgbackuping forgejo
|
||||
#./backup.nix
|
||||
];
|
||||
|
||||
# will this work?
|
||||
users.lyn.enable = true;
|
||||
services.forgejo.enable = true;
|
||||
# Write path for borgbackup repos for backup.nix
|
||||
_module.args.borgrepolistfile = ./borgrepos;
|
||||
|
||||
|
@ -29,16 +25,6 @@
|
|||
# Set your time zone.
|
||||
time.timeZone = "Europe/Berlin";
|
||||
|
||||
users.users.lyn = {
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel"];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC7NUaBJOYgMnT2uUUUSB7gKaqqbgxXDghBkRqSGuZrAZzZYHlHH7nM6Re7+yOYMSoJGLaB4iaUDLSBBnyA6pLI= nixos_gitea@secretive.MacBook-Pro-(2).local"
|
||||
];
|
||||
packages = with pkgs; [
|
||||
];
|
||||
};
|
||||
|
||||
# List packages installed in system profile. To search, run:
|
||||
# $ nix search wget
|
||||
environment.systemPackages = with pkgs; [
|
||||
|
@ -48,9 +34,6 @@
|
|||
curl
|
||||
htop
|
||||
];
|
||||
|
||||
|
||||
|
||||
|
||||
# Enable the OpenSSH daemon.
|
||||
services.openssh = {
|
||||
|
@ -62,44 +45,6 @@
|
|||
};
|
||||
openFirewall = true;
|
||||
};
|
||||
#Forgejo
|
||||
services.forgejo = {
|
||||
enable = true;
|
||||
settings.server = {
|
||||
ROOT_URL = "https://git.shibe.pro";
|
||||
DOMAIN = "git.shibe.pro";
|
||||
HTTP_PORT = 48540;
|
||||
OFFLINE_MODE = true; # disable gravatar, CDN
|
||||
};
|
||||
settings.actions = {
|
||||
ENABLED = true;
|
||||
};
|
||||
settings."repository.upload" = {
|
||||
FILE_MAX_SIZE = 4095;
|
||||
MAX_FILES = 20;
|
||||
};
|
||||
settings."attachment" = {
|
||||
MAX_SIZE = 4095;
|
||||
MAX_FILES = 20;
|
||||
};
|
||||
|
||||
settings.service = {
|
||||
DISABLE_REGISTRATION = true;
|
||||
DEFAULT_KEEP_EMAIL_PRIVATE = true;
|
||||
};
|
||||
database = {
|
||||
user = "forgejo";
|
||||
passwordFile = "/etc/nixos/forgejo-dbpassword";
|
||||
name = "forgejodb";
|
||||
type = "mysql";
|
||||
};
|
||||
};
|
||||
|
||||
# Allow forgejo user to adjust authorized_keys dynamically
|
||||
services.openssh.extraConfig = ''
|
||||
Match User forgejo
|
||||
AuthorizedKeysFile ${config.users.users.forgejo.home}/.ssh/authorized_keys
|
||||
'';
|
||||
|
||||
#enable qemu-guestagent
|
||||
services.qemuGuest.enable = true;
|
||||
|
@ -109,9 +54,7 @@
|
|||
# Firewall stuff:
|
||||
networking.firewall.enable = true;
|
||||
networking.firewall.allowPing = true;
|
||||
|
||||
# Open ports in the firewall.
|
||||
networking.firewall.allowedTCPPorts = [48540 ];
|
||||
|
||||
# networking.firewall.allowedUDPPorts = [ ... ];
|
||||
# Or disable the firewall altogether.
|
||||
# networking.firewall.enable = false;
|
||||
|
|
8
meta/enable.nix
Normal file
8
meta/enable.nix
Normal file
|
@ -0,0 +1,8 @@
|
|||
{lib, config, ...}: {
|
||||
lib.meta.enable = list: lib.genAttrs
|
||||
list
|
||||
(name:
|
||||
${name}.enable = true;
|
||||
)
|
||||
;
|
||||
}
|
23
meta/mkLocalModule.nix
Normal file
23
meta/mkLocalModule.nix
Normal file
|
@ -0,0 +1,23 @@
|
|||
{lib, config, ...}: {
|
||||
lib.mkLocalModule = pathInterpolation: optDesc: config: let
|
||||
#example_input = ./some/subdir/MARKER/a/b/c/d/e/f/g;
|
||||
marker = "local-modules";
|
||||
splitAfterMarker = marker: input: builtins.foldl' (acc: new:
|
||||
if acc == false then # marker not found yet
|
||||
if new == marker then [] else acc
|
||||
else # marker found
|
||||
if builtins.typeOf new == "string"
|
||||
then acc ++ [new]
|
||||
else acc
|
||||
) false (builtins.split "/" (builtins.toString input));
|
||||
path = splitAfterMarker marker pathInterpolation;
|
||||
inputs = {
|
||||
#optDesc = "enable this";
|
||||
inherit optDesc: config;
|
||||
};
|
||||
mod = {config, ...}: {
|
||||
options = lib.setAttrsByPath path (lib.mkEnableOption inputs.optDesc);
|
||||
config = lib.mkIf (lib.getAttrByPath path config) inputs.config;
|
||||
};
|
||||
in mod;
|
||||
}
|
41
services/forgejo.nix
Normal file
41
services/forgejo.nix
Normal file
|
@ -0,0 +1,41 @@
|
|||
{pkgs, lib, config}:
|
||||
with lib with builtins; {
|
||||
services.forgejo = {
|
||||
enable = true;
|
||||
settings.server = {
|
||||
ROOT_URL = "https://git.shibe.pro";
|
||||
DOMAIN = "git.shibe.pro";
|
||||
HTTP_PORT = 48540;
|
||||
OFFLINE_MODE = true; # disable gravatar, CDN
|
||||
};
|
||||
settings.actions = {
|
||||
ENABLED = true;
|
||||
};
|
||||
settings."repository.upload" = {
|
||||
FILE_MAX_SIZE = 4095;
|
||||
MAX_FILES = 20;
|
||||
};
|
||||
settings."attachment" = {
|
||||
MAX_SIZE = 4095;
|
||||
MAX_FILES = 20;
|
||||
};
|
||||
|
||||
settings.service = {
|
||||
DISABLE_REGISTRATION = true;
|
||||
DEFAULT_KEEP_EMAIL_PRIVATE = true;
|
||||
};
|
||||
database = {
|
||||
user = "forgejo";
|
||||
passwordFile = "/etc/nixos/forgejo-dbpassword";
|
||||
name = "forgejodb";
|
||||
type = "mysql";
|
||||
};
|
||||
};
|
||||
|
||||
# Allow forgejo user to adjust authorized_keys dynamically
|
||||
services.openssh.extraConfig = ''
|
||||
Match User forgejo
|
||||
AuthorizedKeysFile ${config.users.users.forgejo.home}/.ssh/authorized_keys
|
||||
'';
|
||||
networking.firewall.allowedTCPPorts = [48540];
|
||||
}
|
8
users/lyn/default.nix
Normal file
8
users/lyn/default.nix
Normal file
|
@ -0,0 +1,8 @@
|
|||
{lib, config, ...}:{
|
||||
users.users.lyn = {
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel"];
|
||||
packages = with pkgs; [
|
||||
];
|
||||
}
|
||||
}
|
3
users/lyn/ssh.nix
Normal file
3
users/lyn/ssh.nix
Normal file
|
@ -0,0 +1,3 @@
|
|||
{lib, config, ...}: lib.mkLocalModule ./. "Lyn SSH user config" {
|
||||
users.users.lyn.openssh.authorizedKeys.keys = ["ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC7NUaBJOYgMnT2uUUUSB7gKaqqbgxXDghBkRqSGuZrAZzZYHlHH7nM6Re7+yOYMSoJGLaB4iaUDLSBBnyA6pLI= nixos_gitea@secretive.MacBook-Pro-(2).local"];
|
||||
}
|
Loading…
Reference in a new issue