forjoe migrated, reachable and firewall-whitelisted

2024-02-04 05:21:33 +01:00 · 2024-02-04 05:21:33 +01:00 · acaa4d06b9
commit acaa4d06b9
parent 2147e07e3e
1 changed files with 27 additions and 4 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -46,7 +46,6 @@
 		"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC7NUaBJOYgMnT2uUUUSB7gKaqqbgxXDghBkRqSGuZrAZzZYHlHH7nM6Re7+yOYMSoJGLaB4iaUDLSBBnyA6pLI= nixos_gitea@secretive.MacBook-Pro-(2).local"
 	];
 	packages = with pkgs; [
-      	rclone
    ];
 };

@ -75,6 +74,30 @@
 	};
 	openFirewall = true;
  };
+  #Forgejo
+  services.forgejo = {
+    enable = true;
+    settings.server = {
+      ROOT_URL = "https://git.shibe.pro";
+      DOMAIN = "git.shibe.pro";
+      HTTP_PORT = 48540;
+      OFFLINE_MODE = true; # disable gravatar, CDN
+    };
+    settings.service.DISABLE_REGISTRATION = true;
+    database = {
+      user = "forgejo";
+      passwordFile = "/etc/nixos/forgejo-dbpassword";
+      name = "forgejodb";
+      type = "mysql";
+    };
+  };
+
+  # Allow forgejo user to adjust authorized_keys dynamically
+  services.openssh.extraConfig = ''
+    Match User forgejo
+      AuthorizedKeysFile ${config.users.users.forgejo.home}/.ssh/authorized_keys
+  '';
+
  #enable qemu-guestagent
  services.qemuGuest.enable = true;
  # Disable password checking for wheel group users so we can solely rely on ssh keys
@ -83,9 +106,9 @@
  # Firewall stuff:
  networking.firewall.enable = true;
  networking.firewall.allowPing = true;
-  services.samba.openFirewall = true;
+ 
  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
+  networking.firewall.allowedTCPPorts = [48540 ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;