forjoe migrated, reachable and firewall-whitelisted

2024-02-04 05:21:33 +01:00 · 2024-02-04 05:21:33 +01:00 · 405964620b
commit 405964620b
parent 5da0bf2720
1 changed files with 27 additions and 4 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -46,7 +46,6 @@
 		"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC7NUaBJOYgMnT2uUUUSB7gKaqqbgxXDghBkRqSGuZrAZzZYHlHH7nM6Re7+yOYMSoJGLaB4iaUDLSBBnyA6pLI= nixos_gitea@secretive.MacBook-Pro-(2).local"
 	];
 	packages = with pkgs; [
      	rclone
    ];
 };
@ -75,7 +74,31 @@
 	};
 	openFirewall = true;
  };
-  	#enable qemu-guestagent
+  #Forgejo
  services.forgejo = {
    enable = true;
    settings.server = {
      ROOT_URL = "https://git.shibe.pro";
      DOMAIN = "git.shibe.pro";
      HTTP_PORT = 48540;
      OFFLINE_MODE = true; # disable gravatar, CDN
    };
    settings.service.DISABLE_REGISTRATION = true;
    database = {
      user = "forgejo";
      passwordFile = "/etc/nixos/forgejo-dbpassword";
      name = "forgejodb";
      type = "mysql";
    };
  };
  # Allow forgejo user to adjust authorized_keys dynamically
  services.openssh.extraConfig = ''
    Match User forgejo
      AuthorizedKeysFile ${config.users.users.forgejo.home}/.ssh/authorized_keys
  '';
  #enable qemu-guestagent
  services.qemuGuest.enable = true;
  # Disable password checking for wheel group users so we can solely rely on ssh keys
  security.sudo.wheelNeedsPassword = false;
@ -83,9 +106,9 @@
  # Firewall stuff:
  networking.firewall.enable = true;
  networking.firewall.allowPing = true;
-  services.samba.openFirewall = true;
+ 
  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
+  networking.firewall.allowedTCPPorts = [48540 ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;