diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..6a98abc --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,22 @@ + keys: + - &Lyn age18c6zws9wk9r7dxjqafwj2l2ex5mn5v8u6yrd2ys9ng8q09rsedpqm38jzv + - &forgenite age1u4dtlq4lavqufzsqfqlsnu67u3x2t3d7ffxkqrah2des4dlxns2slegl38 + - &forgejo-ci age13pau3xqusxuczm9kwpxg4fdze4xhenfwmjw80ed7g336a8x7tqpqdqvjjj + + creation_rules: + - path_regex: secrets/all/[^/]+\.yaml$ + key_groups: + - age: + - *Lyn + - *forgenite + #hosts + - path_regex: secrets/hosts/forgenite.yaml + key_groups: + - age: + - *Lyn + - *forgenite + - path_regex: secrets/hosts/forgejo-ci.yaml + key_groups: + - age: + - *Lyn + - *forgejo-ci diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..7ca4cde --- /dev/null +++ b/flake.lock 
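Review bot: The `secrets/all/` creation rule encrypts to `*Lyn` and `*forgenite` only, so anything placed under `secrets/all/` cannot be decrypted on forgejo-ci even though the name suggests every host; add `- *forgejo-ci` to that key group if "all" is meant literally. The per-host `path_regex` values are unanchored and use an unescaped `.`, so `secrets/hosts/forgenite.yaml` also matches a file such as `secrets/hosts/forgenite.yaml.bak` (constructed example); `^secrets/hosts/forgenite\.yaml$` is the exact form. The bare `#hosts` comment could state the rule, e.g. `# per-host secrets: the admin key plus that host's own key`.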
@@ -0,0 +1,96 @@ +{ + "nodes": { + "nixpkgs": { + "locked": { + "lastModified": 1725407940, + "narHash": "sha256-tiN5Rlg/jiY0tyky+soJZoRzLKbPyIdlQ77xVgREDNM=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "6f6c45b5134a8ee2e465164811e451dcb5ad86e3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1721524707, + "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1725432240, + "narHash": "sha256-+yj+xgsfZaErbfYM3T+QvEE2hU7UuE+Jf0fJCJ8uPS0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ad416d066ca1222956472ab7d0555a6946746a80", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1725194671, + "narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "nixpkgs": "nixpkgs", + "nixpkgs-unstable": "nixpkgs-unstable", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_2", + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1725540166, + "narHash": "sha256-htc9rsTMSAY5ek+DB3tpntdD/es0eam2hJgO92bWSys=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "d9d781523a1463965cd1e1333a306e70d9feff07", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": 
"github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix index 7ced256..2109647 100644 --- a/flake.nix +++ b/flake.nix @@ -2,22 +2,39 @@ description = "Lyns flake"; inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05"; + sops-nix.url = "github:Mic92/sops-nix"; + nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; }; - outputs = { self, nixpkgs }@inputs: { - nixosConfigurations = { - "forgejo" = nixpkgs.lib.nixosSystem { + outputs = {self, nixpkgs, nixpkgs-unstable, sops-nix }@inputs: let + + passInputs = ({lib,config,...}:{ + options.inputs = lib.mkOption{type = lib.types.attrs;}; + config.inputs = inputs; + options.pkgsInstances = lib.mkOption{type = lib.types.attrs;}; + config.pkgsInstances = { + unstable = import inputs.nixpkgs-unstable{system = config.nixpkgs.system;}; + }; + }); + + in { + + nixosConfigurations = { + "forgejo" = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; - modules = [ - # Import the configuration.nix here, so that the - # old configuration file can still take effect. - # Note: configuration.nix itself is also a Nixpkgs Module, - ./configuration.nix + modules = [ + ./hosts/forgenite + sops-nix.nixosModules.sops + passInputs ]; - specialArgs = { - inherit inputs; - flake = self; - }; + }; + "forgejo-ci" = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + ./hosts/forgejo-ci + sops-nix.nixosModules.sops + passInputs + ]; + }; }; }; -}; } diff --git a/hosts/forgejo-ci/default.nix b/hosts/forgejo-ci/default.nix new file mode 100644 index 0000000..bd0caf8 --- /dev/null +++ b/hosts/forgejo-ci/default.nix 
@@ -0,0 +1,20 @@ +{ config, pkgs, lib, inputs, ... }: { + imports = + [ + ./../../services/forgejo-ci.nix + ./hardware-configuration.nix + ./../../users/lyn + ./../../meta/profiles/base.nix + ./../../meta/profiles/vm.nix + ]; + lyn.sops.secrets."hosts/forgejo-ci/forgejo_ci_token" = {}; + # Use UEFI + boot.loader.systemd-boot.enable = true; + + networking.hostName = "forgenite"; # Define your hostname. + + # Firewall stuff: + networking.firewall.enable = true; + networking.firewall.allowPing = true; + system.stateVersion = "23.05"; +} diff --git a/hosts/forgejo-ci/hardware-configuration.nix b/hosts/forgejo-ci/hardware-configuration.nix new file mode 100644 index 0000000..0f10cb8 --- /dev/null +++ b/hosts/forgejo-ci/hardware-configuration.nix 
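Review bot: `networking.hostName = "forgenite"` is carried over from the forgenite host, so both machines announce the same hostname; this file should set `networking.hostName = "forgejo-ci";` to match its secrets path (`hosts/forgejo-ci/…`) and its `.sops.yaml` rule. The trailing `# Define your hostname.` is nixos-generate-config boilerplate and can go with that change. `lyn.sops.secrets."hosts/forgejo-ci/forgejo_ci_token" = {};` leaves the secret with sops-nix's default ownership and mode, which is fine only if the consumer reads it as root; a short comment stating that assumption next to the declaration would document it.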
@@ -0,0 +1,38 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/58fe64e6-74c3-4a96-885c-340a3126d1f0"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/40A9-C398"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/4d39c334-1726-4646-95d3-ecbedbf21ddb"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp6s18.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/forgenite/default.nix b/hosts/forgenite/default.nix index d1f1fb0..3d2af14 100644 --- a/hosts/forgenite/default.nix +++ b/hosts/forgenite/default.nix 
@@ -1,125 +1,21 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running `nixos-help`). - -{ config, pkgs, ... }: - -{ +{ config, pkgs, lib, inputs, ... }: { imports = [ + ./../../services/forgejo.nix + ./../../users/lyn ./hardware-configuration.nix - # comment in backup.nix for borgbackuping forgejo - #./backup.nix + ./../../meta/profiles/base.nix + ./../../meta/profiles/vm.nix ]; - # Write path for borgbackup repos for backup.nix - _module.args.borgrepolistfile = ./borgrepos; - - # Enable Flakes and the new command-line tool - nix.settings.experimental-features = [ "nix-command" "flakes" ]; - # Set default editor to vim - environment.variables.EDITOR = "vim"; + lyn.sops.secrets."hosts/forgenite/forgejo_db_password".owner = "forgejo"; # Use UEFI boot.loader.systemd-boot.enable = true; - # Use the GRUB 2 boot loader. - #boot.loader.grub.enable = true; - #boot.loader.grub.device = "/dev/sda"; - - networking.hostName = "forgejo"; # Define your hostname. - # Set your time zone. - time.timeZone = "Europe/Berlin"; - - users.users.lyn = { - isNormalUser = true; - extraGroups = [ "wheel"]; - openssh.authorizedKeys.keys = [ - "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC7NUaBJOYgMnT2uUUUSB7gKaqqbgxXDghBkRqSGuZrAZzZYHlHH7nM6Re7+yOYMSoJGLaB4iaUDLSBBnyA6pLI= nixos_gitea@secretive.MacBook-Pro-(2).local" - ]; - packages = with pkgs; [ - ]; -}; - - # List packages installed in system profile. To search, run: - # $ nix search wget - environment.systemPackages = with pkgs; [ - git - vim - wget - curl - htop - ]; - - - - - # Enable the OpenSSH daemon. 
- services.openssh = { - enable = true; - settings = { - X11Forwarding = true; - PermitRootLogin = "no"; - PasswordAuthentication = false; - }; - openFirewall = true; - }; - #Forgejo - services.forgejo = { - enable = true; - settings.server = { - ROOT_URL = "https://git.shibe.pro"; - DOMAIN = "git.shibe.pro"; - HTTP_PORT = 48540; - OFFLINE_MODE = true; # disable gravatar, CDN - }; - settings.actions = { - ENABLED = true; - }; - settings."repository.upload" = { - FILE_MAX_SIZE = 4095; - MAX_FILES = 20; - }; - settings."attachment" = { - MAX_SIZE = 4095; - MAX_FILES = 20; - }; - - settings.service = { - DISABLE_REGISTRATION = true; - DEFAULT_KEEP_EMAIL_PRIVATE = true; - }; - database = { - user = "forgejo"; - passwordFile = "/etc/nixos/forgejo-dbpassword"; - name = "forgejodb"; - type = "mysql"; - }; - }; - - # Allow forgejo user to adjust authorized_keys dynamically - services.openssh.extraConfig = '' - Match User forgejo - AuthorizedKeysFile ${config.users.users.forgejo.home}/.ssh/authorized_keys - ''; - - #enable qemu-guestagent - services.qemuGuest.enable = true; - # Disable password checking for wheel group users so we can solely rely on ssh keys - security.sudo.wheelNeedsPassword = false; + networking.hostName = "forgenite"; # Define your hostname. # Firewall stuff: networking.firewall.enable = true; networking.firewall.allowPing = true; - - # Open ports in the firewall. - networking.firewall.allowedTCPPorts = [48540 ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; - - # Copy the NixOS configuration file and link it from the resulting system - # (/run/current-system/configuration.nix). This is useful in case you - # accidentally delete configuration.nix. - # system.copySystemConfiguration = true; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions 
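Review bot: The new import paths are written as `./../../services/forgejo.nix` and so on; Nix resolves `../../services/forgejo.nix` identically, and that is the spelling used elsewhere in this commit (`../modules/sops` in meta/profiles/base.nix), so the `./` prefix is noise. The same form appears in hosts/forgejo-ci/default.nix. `# Define your hostname.` next to `networking.hostName` is generator boilerplate and can be dropped now that the file is hand-maintained. The module body continues in the second hunk of this file.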
@@ -129,10 +25,6 @@ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). system.stateVersion = "24.05"; # Did you read the comment? - system.autoUpgrade = { - enable = true; - allowReboot = true; - }; nix.gc = { automatic = true; persistent = true; diff --git a/meta/enable.nix b/meta/enable.nix new file mode 100644 index 0000000..0f129b0 --- /dev/null +++ b/meta/enable.nix @@ -0,0 +1,8 @@ +{lib, config, ...}: { + lib.meta.enable = list: lib.genAttrs + list + (name: + ${name}.enable = true; + ) + ; +} diff --git a/meta/mkLocalModule.nix b/meta/mkLocalModule.nix new file mode 100644 index 0000000..b2171d9 --- /dev/null +++ b/meta/mkLocalModule.nix @@ -0,0 +1,23 @@ +{lib, config, ...}: { + lib.mkLocalModule = pathInterpolation: optDesc: config: let + #example_input = ./some/subdir/MARKER/a/b/c/d/e/f/g; + marker = "local-modules"; + splitAfterMarker = marker: input: builtins.foldl' (acc: new: + if acc == false then # marker not found yet + if new == marker then [] else acc + else # marker found + if builtins.typeOf new == "string" + then acc ++ [new] + else acc + ) false (builtins.split "/" (builtins.toString input)); + path = splitAfterMarker marker pathInterpolation; + inputs = { + #optDesc = "enable this"; + inherit optDesc: config; + }; + mod = {config, ...}: { + options = lib.setAttrsByPath path (lib.mkEnableOption inputs.optDesc); + config = lib.mkIf (lib.getAttrByPath path config) inputs.config; + }; + in mod; +} diff --git a/meta/modules/sops/default.nix b/meta/modules/sops/default.nix new file mode 100644 index 0000000..49b8cb7 --- /dev/null +++ b/meta/modules/sops/default.nix 
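Review bot: The lambda passed to `lib.genAttrs` is not valid Nix: `${name}.enable = true;` is an interpolation outside any string or attribute set, so evaluating this file fails. `genAttrs` already keys the result by each name, so the function only has to return the value, `(name: { enable = true; })`, giving `lib.meta.enable [ "a" "b" ]` the value `{ a.enable = true; b.enable = true; }`. A one-line comment above stating that contract would help, since nothing visible in this commit calls it yet.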
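Review bot: `inherit optDesc: config;` is a parse error (`inherit` takes bare names: `inherit optDesc config;`), and `lib.setAttrsByPath` does not exist in nixpkgs lib — the function is `lib.setAttrByPath`, the counterpart of the `lib.getAttrByPath` used on the next line. `splitAfterMarker` also returns `false` when `local-modules` never occurs in the path, and the failure then surfaces inside `setAttrByPath` far from the cause; an `assert lib.assertMsg (path != false) "mkLocalModule: no local-modules segment in ${toString pathInterpolation}";` on the `path` binding makes it readable. The inner `{config, ...}:` shadows the outer `config` parameter on purpose, which deserves a comment since both are in scope.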
@@ -0,0 +1,23 @@ +{ pkgs, lib, config, ... }: +let + cfg = config.lyn.sops; +in +{ + options.lyn.sops = with lib; { + secrets = mkOption { + type = types.attrs; + default = { }; + }; + }; + config = { + sops.secrets = lib.mapAttrs + (name: value: + let + name_split = lib.splitString "/" name; + in + { + sopsFile = ../../../secrets/${builtins.elemAt name_split 0}/${builtins.elemAt name_split 1}.yaml; + } // value) + cfg.secrets; + }; +} diff --git a/meta/profiles/base.nix b/meta/profiles/base.nix new file mode 100644 index 0000000..3c101ef --- /dev/null +++ b/meta/profiles/base.nix @@ -0,0 +1,31 @@ +{lib, config, pkgs, ...}: { + imports = [ + ../modules/sops + ]; + nix.settings.experimental-features = [ "nix-command" "flakes" ]; + nixpkgs.config.allowUnfree = true; + nix.package = config.pkgsInstances.unstable.lix; + environment.variables.EDITOR = "vim"; + + time.timeZone = "Europe/Berlin"; + + services.openssh = { + enable = true; + settings = { + X11Forwarding = true; + PermitRootLogin = "no"; + PasswordAuthentication = false; + }; + openFirewall = true; + }; + # Disable password checking for wheel group users so we can solely rely on ssh keys + security.sudo.wheelNeedsPassword = false; + + environment.systemPackages = with pkgs; [ + git + vim + wget + curl + htop + ]; +} diff --git a/meta/profiles/vm.nix b/meta/profiles/vm.nix new file mode 100644 index 0000000..75c7eab --- /dev/null +++ b/meta/profiles/vm.nix @@ -0,0 +1,5 @@ +{ config, pkgs, lib, ... }: +{ + #enable qemu-guestagent + services.qemuGuest.enable = true; +} \ No newline at end of file diff --git a/secrets/hosts/forgejo-ci.yaml b/secrets/hosts/forgejo-ci.yaml new file mode 100644 index 0000000..adb9d56 --- /dev/null +++ b/secrets/hosts/forgejo-ci.yaml 
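Review bot: The `sopsFile` mapping indexes `name_split` at 0 and 1 without checking its length, so a secret named e.g. `"dbpass"` (constructed example) fails inside `elemAt` with an unhelpful error; adding `assert lib.assertMsg (builtins.length name_split >= 3) "lyn.sops.secrets: name must be <dir>/<file>/<key>, got ${name}";` before the attribute set makes the convention explicit. That convention — `hosts/<host>/<key>` selects `secrets/hosts/<host>.yaml`, and the full name doubles as the nested YAML key, which is why the secrets files nest `hosts:` → `<host>:` → `<key>:` — is the whole point of the module and belongs in a `description` on the `secrets` option, which currently has none. `types.attrs` also accepts anything; `types.attrsOf types.attrs` at least enforces that each value is an attribute set.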
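Review bot: `X11Forwarding = true` in `services.openssh.settings` enables X11 forwarding on what are headless Forgejo and CI VMs (both import meta/profiles/vm.nix); it is exposure without a use, so `X11Forwarding = false;` (the sshd default) is the safer baseline for this shared profile. `nixpkgs.config.allowUnfree = true` here does not reach `config.pkgsInstances.unstable`, which flake.nix imports with only `system`, so `nix.package = config.pkgsInstances.unstable.lix` is evaluated against an unstable set with default config — harmless for lix, but surprising for any unfree package later taken from that instance. The `wheelNeedsPassword = false` comment could also record that the trade relies on `PasswordAuthentication = false` above staying set.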
@@ -0,0 +1,32 @@ +hosts: + forgejo-ci: + forgejo_ci_token: ENC[AES256_GCM,data:zZQPn/YxMKly1hcT2m3cGoIILh4wG7GiCXwiKRwNLrrPfwJlfAUn9g==,iv:xKVR09JhCIM5plxifcHeAEcsp1UyuXaqXaQCqIPywtU=,tag:zF032vUnTr8Mj79ZLCWcfg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18c6zws9wk9r7dxjqafwj2l2ex5mn5v8u6yrd2ys9ng8q09rsedpqm38jzv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhMG5zVlFXWjNYdFVjdEd3 + WWliRGtBR2YrTEtYcXF0WmI1NnNQc0NnN2dFCjVMMXVWVzJ3Z3g3NjlBaFNSdFFy + NWxSNjNxN2hFNWYyQkRVUHBGa25laFkKLS0tIFpWaEE4MDBPTWhFdnBOOWNtRC80 + YW9QUWJCRmhhYm1Zb2t6RFJ1SStERHMK8Yk/lGQYocea8MaR4c7/7tkRSqIcjYrO + +i1HN9gIrasVtZF1k0YuSB7sCCQ+oVvKtVCR7TRoeJhoxqgQZ/q5RQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age13pau3xqusxuczm9kwpxg4fdze4xhenfwmjw80ed7g336a8x7tqpqdqvjjj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2TWhSM3lYK3JMQUc0WDUz + VlEySTNTN2ZaMHo0OXlyTWNPYVhSWE5uZkNJCkFqNHJCc3h6WkVJUkYxM0VibFRY + MWdYYWdtd1FnMmdtMndIY3gvcmJVQzQKLS0tIFpZV2RrZTg3cWxJOFlkY2F3TWRW + SVdvMjEyVi81Nnh1UndKMGdXRkIwQjgK+uRsg09wkhyYMW/31mCrRK1AE/Zrvcy8 + Vc7oHU0jscuhBNl/nMRsdquUgIZ67wAf6xJHjAXkUmQ2zi3PVXELvw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-06T03:55:48Z" + mac: ENC[AES256_GCM,data:H9RZy7w/quqfjMedaQe1NHAasC0FspxcXPyAXoy5uZaAoevNdXQNIe5yqBW+BRrw/5uIKKtLuS7YS5B3evpor2WRV0EeoPmy4dI/oFYZWg2kNzLVTumxQp4Q1vOOcrBrMUmm7OeoItr85p42Cx/08I9TnwRieGMnG5Mn0J6o+Zo=,iv:XbWd6j2LhhOld7NXN2m58f1cUJpLcdb3Ywf0bNkQYdA=,tag:T5gTjfRCCLfGFtIzXE7OfA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/secrets/hosts/forgenite.yaml b/secrets/hosts/forgenite.yaml new file mode 100644 index 0000000..31c4db4 --- /dev/null +++ b/secrets/hosts/forgenite.yaml 
@@ -0,0 +1,32 @@ +hosts: + forgenite: + forgejo_db_password: ENC[AES256_GCM,data:1Qp6kLbt4tO+9/i5JN2rRjZJW0gJDKEQV9XmDEEts4bVvOsBCu6wYg==,iv:FZCthW7Yo9z0KqJvjhnQaNX1rqdUeINyfdM3xdLcOrk=,tag:32peH4VsZ3hLeC7XAqINAg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18c6zws9wk9r7dxjqafwj2l2ex5mn5v8u6yrd2ys9ng8q09rsedpqm38jzv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBySlhJWGtCd21zM3BxeEox + NG9VcHBoYkxHeUVwN1dQMHZVVmtpVTV6ekRRClB2MzNlKzVwbkdXRFY0QlUwOEUw + R2xBNkZGK09pZzBmTUJDdC95bU4vdTAKLS0tIGQ2Z1RpZjRHQUNya2JzZzFQQjA0 + YlJIcmQrUVJMMUdkMjNoOUkva1hIMWMK+56bsZXNIeYiuj+QAuajsCDWPAv9IYV9 + 7oh61PZvFYql6TXWjVioIBpS0MxKTbidjWQoYwD4vp8ZikfYUwuoqQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1u4dtlq4lavqufzsqfqlsnu67u3x2t3d7ffxkqrah2des4dlxns2slegl38 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5R2lUZkdXQTUrQmRhMnE3 + bnRkdUF1WW1obG1acmdQN0NmSkNmWGlFYzFJCkNGQ2lNVFMvYXZYT2dERE1aMVEy + a3AybWpZcTZIakVrUExHeTl0MXoxbFkKLS0tIE4wdTRtcUtZTkxiWVkyZC9QSDlR + YnpWY3ZsZWdQcEc2YTJJeldTaTdCVkkKA8cfHrWV7COWKYf19IP/dt/mPM6PDWvm + DiTB8JBSKTlsBsvA26qkPHcKyXCBjLDaSi1hmGI6PhI7nIDTQ15t6w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-06T00:00:08Z" + mac: ENC[AES256_GCM,data:LC/WIffWQMHRk0ty3bnSGNyUySjYIA84euR5dgb95+uegLzAaMtBehnE5GB36eMzciMSP95jP2KOHfDimwU7eugeauEgJLrtv8Sp5r29LnU+MLDpAVwqw/HDZq8J7LIoYspqMr19ZxwcG1K4kfNlB7JYSuP7V7DhXo+I5/Qjv8A=,iv:CHf0KGCpbFIEMjgkxxS8RvSfOrGRYdGd/rdVJ/XPkoI=,tag:ZghIOEu9NLchxz7j4Er6QQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/services/forgejo-ci.nix b/services/forgejo-ci.nix new file mode 100644 index 0000000..5a06c1e --- /dev/null +++ b/services/forgejo-ci.nix 
@@ -0,0 +1,28 @@ +{ config, pkgs, lib, inputs, ... }: +{ + environment.systemPackages = with pkgs; [ + docker +]; + + # Enable docker + virtualisation.docker = { + enable = true; + daemon.settings = { + fixed-cidr-v6 = "fd00::/80"; + ipv6 = true; + }; + }; + # Forgejo actions runner + services.gitea-actions-runner = { + package = config.pkgsInstances.unstable.forgejo-runner; + instances = { + "shibepro-ci" = { + enable = true; + url = "https://git.shibe.pro"; + name = "shibepro-ci"; + tokenFile = config.sops.secrets."hosts/forgejo-ci/forgejo_ci_token".path; + labels = []; + }; + }; + }; +} diff --git a/services/forgejo.nix b/services/forgejo.nix new file mode 100644 index 0000000..db1f4f4 --- /dev/null +++ b/services/forgejo.nix @@ -0,0 +1,42 @@ +{pkgs, lib, config, ...}: +with lib; with builtins; { + services.forgejo = { + enable = true; + package = config.pkgsInstances.unstable.forgejo; + settings.server = { + ROOT_URL = "https://git.shibe.pro"; + DOMAIN = "git.shibe.pro"; + HTTP_PORT = 48540; + OFFLINE_MODE = true; # disable gravatar, CDN + }; + settings.actions = { + ENABLED = true; + }; + settings."repository.upload" = { + FILE_MAX_SIZE = 4095; + MAX_FILES = 20; + }; + settings."attachment" = { + MAX_SIZE = 4095; + MAX_FILES = 20; + }; + + settings.service = { + DISABLE_REGISTRATION = true; + DEFAULT_KEEP_EMAIL_PRIVATE = true; + }; + database = { + user = "forgejo"; + passwordFile = config.sops.secrets."hosts/forgenite/forgejo_db_password".path; + name = "forgejodb"; + type = "mysql"; + }; + }; + + # Allow forgejo user to adjust authorized_keys dynamically + services.openssh.extraConfig = '' + Match User forgejo + AuthorizedKeysFile ${config.users.users.forgejo.home}/.ssh/authorized_keys + ''; + networking.firewall.allowedTCPPorts = [48540]; +} diff --git a/users/lyn/default.nix b/users/lyn/default.nix new file mode 100644 index 0000000..98dd833 --- /dev/null +++ b/users/lyn/default.nix 
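Review bot: `tokenFile` points at the raw sops secret, but the nixpkgs `services.gitea-actions-runner` module documents `tokenFile` as an environment file holding a `TOKEN=` variable; if that is the module in use, the encrypted value in secrets/hosts/forgejo-ci.yaml has to be stored as `TOKEN=<token>` or registration fails — confirm against the option description of the pinned nixpkgs. `environment.systemPackages = with pkgs; [ docker ];` is redundant with `virtualisation.docker.enable = true`, which already provides the client, and its closing `];` is misindented. `labels = []` decides which jobs this host accepts and deserves a comment stating why it is empty.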
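Review bot: `networking.firewall.allowedTCPPorts = [48540]` opens the plaintext `HTTP_PORT` to the network while `ROOT_URL` is `https://`, so unless TLS is terminated in front of this listener (nothing in the commit shows a reverse proxy), sessions and tokens cross the wire unencrypted; if the proxy is on another host, bind `settings.server.HTTP_ADDR` to the interface it uses, and if it is local, drop the firewall entry. `with lib; with builtins;` at the top of the module is unused in the body and can be removed to keep name resolution explicit. `passwordFile` reads `config.sops.secrets."hosts/forgenite/forgejo_db_password".path`, whose declaration (with `owner = "forgejo"`) lives in hosts/forgenite/default.nix; a comment on that line naming where the secret is declared will save the next reader a search.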
@@ -0,0 +1,11 @@ +{lib,pkgs, config, ...}:{ + imports = [ + ./ssh.nix + ]; + users.users.lyn = { + isNormalUser = true; + extraGroups = [ "wheel"]; + packages = with pkgs; [ + ]; + }; +} diff --git a/users/lyn/ssh.nix b/users/lyn/ssh.nix new file mode 100644 index 0000000..039fb5c --- /dev/null +++ b/users/lyn/ssh.nix @@ -0,0 +1,3 @@ +{lib, config, ...}: { + users.users.lyn.openssh.authorizedKeys.keys = ["ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC7NUaBJOYgMnT2uUUUSB7gKaqqbgxXDghBkRqSGuZrAZzZYHlHH7nM6Re7+yOYMSoJGLaB4iaUDLSBBnyA6pLI= nixos_gitea@secretive.MacBook-Pro-(2).local"]; +}