commit 9ab8d7af4c5c2756076a2938a689668d40d73e2c · aylac.top/nixcfg-own-knot

+3 -3

flake.lock

···

       1032
       1032
        
           "secrets": {

     

       1033
       1033
        
             "flake": false,

     

       1034
       1034
        
             "locked": {

     

       1035
       1035
       -
               "lastModified": 1756878317,

     

       1036
       1036
       -
               "narHash": "sha256-pEVF9/ZjyENenEUUqrKGO3qNngqRP1EaLf7mOS/4ol4=",

     

       1035
       1035
       +
               "lastModified": 1756947975,

     

       1036
       1036
       +
               "narHash": "sha256-Wgu/RE90hq9PixuZnlhx7UO5QXNBLWbrMN0PZnJSGX4=",

     

       1037
       1037
        
               "owner": "ayla6",

     

       1038
       1038
        
               "repo": "secrets",

     

       1039
       1039
       -
               "rev": "9cf93253fccc51a8a22c8fe944d80a50a24d7404",

     

       1039
       1039
       +
               "rev": "9075972fc860180bec1d885a2e00f9aa79944249",

     

       1040
       1040
        
               "type": "github"

     

       1041
       1041
        
             },

     

       1042
       1042
        
             "original": {

hosts/nanpi/secrets.nix

···

       1
       1
        
       {self, ...}: {

     

       2
       2
        
         age.secrets = {

     

       3
       3
        
           aylaPassword.file = "${self.inputs.secrets}/ayla/passwordHash.age";

     

       4
       4
       +
           postgres-forgejo.file = "${self.inputs.secrets}/postgres/forgejo.age";

     

       4
       5
        
           pds.file = "${self.inputs.secrets}/pds.age";

     

       5
       6
        
           resticPassword.file = "${self.inputs.secrets}/restic-passwd.age";

     

       6
       7
        
           rclone.file = "${self.inputs.secrets}/rclone.age";

+2 -3

modules/nixos/profiles/backups/default.nix

···

       142
       142
        
               paths = [config.services.couchdb.databaseDir];

     

       143
       143
        
             }

     

       144
       144
        
             {

     

       145
       145
       -
               # damn this is ugly

     

       146
       145
        
               name = "forgejo";

     

       147
       146
        
               containerised = true;

     

       148
       148
       -
               inherit (config.myNixOS.services.forgejo) enable;

     

       149
       149
       -
               paths = ["/var/lib/nixos-containers/forgejo${config.containers.forgejo.config.services.forgejo.stateDir}"];

     

       147
       147
       +
               inherit (config.services.forgejo) enable;

     

       148
       148
       +
               paths = [config.services.forgejo.stateDir];

     

       150
       149
        
               backupMode = "none";

     

       151
       150
        
             }

     

       152
       151
        
             # {

+17

modules/nixos/services/fail2ban/default.nix

···

       29
       29
        
               source = config.age.secrets.cloudflareFail2ban.path;

     

       30
       30
        
             };

     

       31
       31
        
       

     

       32
       32
       +
             "fail2ban/filter.d/forgejo.conf".text = ''

     

       33
       33
       +
               [Definition]

     

       34
       34
       +
               failregex =  .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>

     

       35
       35
       +
               journalmatch = _SYSTEMD_UNIT=forgejo.service

     

       36
       36
       +
             '';

     

       37
       37
       +
       

     

       32
       38
        
             "fail2ban/action.d/ntfy.conf".text = ''

     

       33
       39
        
               [Definition]

     

       34
       40
        
               actionban = ${mkNotify {

     
···

       71
       77
        
             bantime-increment.enable = true;

     

       72
       78
        
             extraPackages = [pkgs.curl pkgs.jq pkgs.uutils-coreutils-noprefix];

     

       73
       79
        
             jails = {

     

       80
       80
       +
               forgejo.settings = {

     

       81
       81
       +
                 action = ''

     

       82
       82
       +
                   mycloudflare

     

       83
       83
       +
                     iptables-allports

     

       84
       84
       +
                     ntfy'';

     

       85
       85
       +
                 bantime = 900;

     

       86
       86
       +
                 filter = "forgejo";

     

       87
       87
       +
                 findtime = 3600;

     

       88
       88
       +
                 maxretry = 4;

     

       89
       89
       +
               };

     

       90
       90
       +
       

     

       74
       91
        
               # HTTP basic-auth failures, 5 tries → 1-day ban

     

       75
       92
        
               nginx-http-auth = {

     

       76
       93
        
                 settings = {

+71 -154

modules/nixos/services/forgejo/default.nix

···

       11
       11
        
       

     

       12
       12
        
         network = config.mySnippets.aylac-top;

     

       13
       13
        
         service = network.networkMap.${name};

     

       14
       14
       -
       

     

       15
       15
       -
         mkNotify = {

     

       16
       16
       -
           message,

     

       17
       17
       -
           channel,

     

       18
       18
       -
           priority ? 1,

     

       19
       19
       -
         }: ''

     

       20
       20
       -
           curl -u $(cat "${config.age.secrets.ntfyAuto.path}") \

     

       21
       21
       -
             -H "X-Priority: ${toString priority}" \

     

       22
       22
       -
             -d '${message}' \

     

       23
       23
       -
             https://${config.mySnippets.aylac-top.networkMap.ntfy.vHost}/${channel}

     

       24
       24
       -
         '';

     

       25
       14
        
       in {

     

       26
       15
        
         options.myNixOS.services.${name} = {

     

       27
       16
        
           enable = lib.mkEnableOption "forgejo git forge";

     
···

       42
       31
        
       

     

       43
       32
        
         config = lib.mkIf cfg.enable {

     

       44
       33
        
           age.secrets.cloudflareFail2ban.file = "${self.inputs.secrets}/cloudflare/fail2ban.age";

     

       45
       45
       -
       

     

       46
       46
       -
           services.cloudflared.tunnels."${network.cloudflareTunnel}".ingress = lib.mkIf cfg.autoProxy {

     

       47
       47
       -
             "${service.vHost}" = "http://${service.hostName}:${toString service.port}";

     

       48
       48
       -
           };

     

       49
       34
        
       

     

       50
       35
        
           myNixOS.services.postgresql = lib.mkIf (cfg.db == "postgresql") {

     

       51
       36
        
             enable = true;

     

       52
       37
        
             databases = ["forgejo"];

     

       53
       38
        
           };

     

       54
       39
        
       

     

       55
       55
       -
           containers.forgejo = {

     

       56
       56
       -
             autoStart = true;

     

       57
       57
       -
             bindMounts = {

     

       58
       58
       -
               "${config.age.secrets.cloudflareFail2ban.path}".isReadOnly = true;

     

       59
       59
       -
               "${config.age.secrets.ntfyAuto.path}".isReadOnly = true;

     

       40
       40
       +
           services = {

     

       41
       41
       +
             cloudflared.tunnels."${network.cloudflareTunnel}".ingress = lib.mkIf cfg.autoProxy {

     

       42
       42
       +
               "${service.vHost}" = "http://${service.hostName}:${toString service.port}";

     

       60
       43
        
             };

     

       61
       44
        
       

     

       62
       62
       -
             config = {

     

       63
       63
       -
               services = {

     

       64
       64
       -
                 postgresql.enable = lib.mkForce false;

     

       45
       45
       +
             forgejo = {

     

       46
       46
       +
               enable = true;

     

       65
       47
        
       

     

       66
       66
       -
                 forgejo = {

     

       67
       67
       -
                   enable = true;

     

       48
       48
       +
               database = lib.mkIf (cfg.db == "postgresql") {

     

       49
       49
       +
                 createDatabase = true;

     

       50
       50
       +
                 host = "127.0.0.1";

     

       51
       51
       +
                 name = "forgejo";

     

       52
       52
       +
                 passwordFile = config.age.secrets.postgres-forgejo.path;

     

       53
       53
       +
                 type = "postgres";

     

       54
       54
       +
                 user = "forgejo";

     

       55
       55
       +
               };

     

       68
       56
        
       

     

       69
       69
       -
                   database = lib.mkIf (cfg.db

     

       70
       70
       -
                     == "postgresql") {

     

       71
       71
       -
                     host = "127.0.0.1";

     

       72
       72
       -
                     name = "forgejo";

     

       73
       73
       -
                     type = "postgres";

     

       74
       74
       -
                     user = "forgejo";

     

       75
       75
       -
                     socket = null;

     

       76
       76
       -
                   };

     

       57
       57
       +
               lfs.enable = true;

     

       58
       58
       +
               package = pkgs.forgejo;

     

       77
       59
        
       

     

       78
       78
       -
                   lfs.enable = true;

     

       79
       79
       -
                   package = pkgs.forgejo;

     

       60
       60
       +
               settings = {

     

       61
       61
       +
                 actions = {

     

       62
       62
       +
                   ARTIFACT_RETENTION_DAYS = 15;

     

       63
       63
       +
                   DEFAULT_ACTIONS_URL = "https://github.com";

     

       64
       64
       +
                   ENABLED = false;

     

       65
       65
       +
                 };

     

       80
       66
        
       

     

       81
       81
       -
                   settings = {

     

       82
       82
       -
                     actions = {

     

       83
       83
       -
                       ARTIFACT_RETENTION_DAYS = 15;

     

       84
       84
       -
                       DEFAULT_ACTIONS_URL = "https://github.com";

     

       85
       85
       -
                       ENABLED = false;

     

       86
       86
       -
                     };

     

       67
       67
       +
                 cron = {

     

       68
       68
       +
                   ENABLED = true;

     

       69
       69
       +
                   RUN_AT_START = false;

     

       70
       70
       +
                 };

     

       87
       71
        
       

     

       88
       88
       -
                     cron = {

     

       89
       89
       -
                       ENABLED = true;

     

       90
       90
       -
                       RUN_AT_START = false;

     

       91
       91
       -
                     };

     

       72
       72
       +
                 DEFAULT.APP_NAME = "git.aylac.top";

     

       73
       73
       +
                 federation.ENABLED = true;

     

       74
       74
       +
                 indexer.REPO_INDEXER_ENABLED = true;

     

       92
       75
        
       

     

       93
       93
       -
                     DEFAULT.APP_NAME = "git.aylac.top";

     

       94
       94
       -
                     federation.ENABLED = true;

     

       95
       95
       -
                     indexer.REPO_INDEXER_ENABLED = true;

     

       76
       76
       +
                 log = {

     

       77
       77
       +
                   ENABLE_SSH_LOG = true;

     

       78
       78
       +
                   LEVEL = "Debug";

     

       79
       79
       +
                 };

     

       96
       80
        
       

     

       97
       97
       -
                     log = {

     

       98
       98
       -
                       ENABLE_SSH_LOG = true;

     

       99
       99
       -
                       LEVEL = "Debug";

     

       100
       100
       -
                     };

     

       81
       81
       +
                 mailer = {

     

       82
       82
       +
                   ENABLED = false;

     

       83
       83
       +
                 };

     

       101
       84
        
       

     

       102
       102
       -
                     mailer = {

     

       103
       103
       -
                       ENABLED = false;

     

       104
       104
       -
                     };

     

       85
       85
       +
                 migrations = {

     

       86
       86
       +
                   ALLOW_LOCALNETWORKS = true;

     

       87
       87
       +
                 };

     

       105
       88
        
       

     

       106
       106
       -
                     migrations = {

     

       107
       107
       -
                       ALLOW_LOCALNETWORKS = true;

     

       108
       108
       -
                     };

     

       89
       89
       +
                 picture = {

     

       90
       90
       +
                   AVATAR_MAX_FILE_SIZE = 5242880;

     

       91
       91
       +
                   ENABLE_FEDERATED_AVATAR = true;

     

       92
       92
       +
                 };

     

       109
       93
        
       

     

       110
       110
       -
                     picture = {

     

       111
       111
       -
                       AVATAR_MAX_FILE_SIZE = 5242880;

     

       112
       112
       -
                       ENABLE_FEDERATED_AVATAR = true;

     

       113
       113
       -
                     };

     

       94
       94
       +
                 repository = {

     

       95
       95
       +
                   DEFAULT_BRANCH = "main";

     

       96
       96
       +
                   ENABLE_PUSH_CREATE_ORG = true;

     

       97
       97
       +
                   ENABLE_PUSH_CREATE_USER = true;

     

       98
       98
       +
                   PREFERRED_LICENSES = "GPL-3.0";

     

       99
       99
       +
                 };

     

       114
       100
        
       

     

       115
       115
       -
                     repository = {

     

       116
       116
       -
                       DEFAULT_BRANCH = "main";

     

       117
       117
       -
                       ENABLE_PUSH_CREATE_ORG = true;

     

       118
       118
       -
                       ENABLE_PUSH_CREATE_USER = true;

     

       119
       119
       -
                       PREFERRED_LICENSES = "GPL-3.0";

     

       120
       120
       -
                     };

     

       121
       121
       -
       

     

       122
       122
       -
                     security.PASSWORD_CHECK_PWN = true;

     

       123
       123
       -
       

     

       124
       124
       -
                     server = {

     

       125
       125
       -
                       DOMAIN = service.vHost;

     

       126
       126
       -
                       HTTP_PORT = service.port;

     

       127
       127
       -
                       LANDING_PAGE = "explore";

     

       128
       128
       -
                       LFS_START_SERVER = true;

     

       129
       129
       -
                       ROOT_URL = "https://${service.vHost}/";

     

       130
       130
       -
                       DISABLE_SSH = true;

     

       131
       131
       -
                     };

     

       132
       132
       -
       

     

       133
       133
       -
                     service = {

     

       134
       134
       -
                       ALLOW_ONLY_INTERNAL_REGISTRATION = true;

     

       135
       135
       -
                       DISABLE_REGISTRATION = true;

     

       136
       136
       -
                       ENABLE_NOTIFY_MAIL = true;

     

       137
       137
       -
                     };

     

       138
       138
       -
       

     

       139
       139
       -
                     session.COOKIE_SECURE = true;

     

       140
       140
       -
       

     

       141
       141
       -
                     storage = {

     

       142
       142
       -
                       STORAGE_TYPE = "local";

     

       143
       143
       -
                       PATH = "/var/lib/forgejo/data";

     

       144
       144
       -
                     };

     

       101
       101
       +
                 security.PASSWORD_CHECK_PWN = true;

     

       145
       102
        
       

     

       146
       146
       -
                     ui.DEFAULT_THEME = "forgejo-auto";

     

       147
       147
       -
       

     

       148
       148
       -
                     "ui.meta" = {

     

       149
       149
       -
                       AUTHOR = "Ayla";

     

       150
       150
       -
                       DESCRIPTION = "i can't set up ssh via cloudflare tunnels!";

     

       151
       151
       -
                       KEYWORDS = "git,source code,forge,forgejo,aylac";

     

       152
       152
       -
                     };

     

       153
       153
       -
                   };

     

       103
       103
       +
                 server = {

     

       104
       104
       +
                   DOMAIN = service.vHost;

     

       105
       105
       +
                   HTTP_PORT = service.port;

     

       106
       106
       +
                   LANDING_PAGE = "explore";

     

       107
       107
       +
                   LFS_START_SERVER = true;

     

       108
       108
       +
                   ROOT_URL = "https://${service.vHost}/";

     

       109
       109
       +
                   DISABLE_SSH = true;

     

       154
       110
        
                 };

     

       155
       111
        
       

     

       156
       156
       -
                 fail2ban = {

     

       157
       157
       -
                   enable = true;

     

       158
       158
       -
                   ignoreIP = ["100.64.0.0/10"];

     

       159
       159
       -
                   bantime = "24h";

     

       160
       160
       -
                   bantime-increment.enable = true;

     

       161
       161
       -
                   extraPackages = [pkgs.curl pkgs.jq pkgs.uutils-coreutils-noprefix];

     

       162
       162
       -
                   jails.forgejo.settings = {

     

       163
       163
       -
                     action = ''

     

       164
       164
       -
                       mycloudflare

     

       165
       165
       -
                         iptables-allports

     

       166
       166
       -
                         ntfy'';

     

       167
       167
       -
                     bantime = 900;

     

       168
       168
       -
                     filter = "forgejo";

     

       169
       169
       -
                     findtime = 3600;

     

       170
       170
       -
                     maxretry = 4;

     

       171
       171
       -
                   };

     

       112
       112
       +
                 service = {

     

       113
       113
       +
                   ALLOW_ONLY_INTERNAL_REGISTRATION = true;

     

       114
       114
       +
                   DISABLE_REGISTRATION = true;

     

       115
       115
       +
                   ENABLE_NOTIFY_MAIL = true;

     

       172
       116
        
                 };

     

       173
       173
       -
               };

     

       174
       117
        
       

     

       175
       175
       -
               environment.etc = {

     

       176
       176
       -
                 "fail2ban/action.d/mycloudflare.conf" = {

     

       177
       177
       -
                   user = "root";

     

       178
       178
       -
                   group = "root";

     

       179
       179
       -
                   mode = "0640";

     

       180
       180
       -
                   source = config.age.secrets.cloudflareFail2ban.path;

     

       181
       181
       -
                 };

     

       118
       118
       +
                 session.COOKIE_SECURE = true;

     

       182
       119
        
       

     

       183
       183
       -
                 "fail2ban/action.d/ntfy.conf".text = ''

     

       184
       184
       -
                   [Definition]

     

       185
       185
       -
                   actionban = ${mkNotify {

     

       186
       186
       -
                     message = "Arrested <ip> for trying to rob <name> at ${config.networking.hostName}";

     

       187
       187
       -
                     channel = "fail2ban";

     

       188
       188
       -
                     priority = 3;

     

       189
       189
       -
                   }}

     

       190
       190
       -
                   actionunban = ${mkNotify {

     

       191
       191
       -
                     message = "Released <ip> from the jail at ${config.networking.hostName}";

     

       192
       192
       -
                     channel = "fail2ban";

     

       193
       193
       -
                     priority = 2;

     

       194
       194
       -
                   }}

     

       195
       195
       -
                 '';

     

       120
       120
       +
                 storage = {

     

       121
       121
       +
                   STORAGE_TYPE = "local";

     

       122
       122
       +
                   PATH = "/var/lib/forgejo/data";

     

       123
       123
       +
                 };

     

       196
       124
        
       

     

       197
       197
       -
                 "fail2ban/filter.d/forgejo.conf".text = ''

     

       198
       198
       -
                   [Definition]

     

       199
       199
       -
                   failregex =  .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>

     

       200
       200
       -
                   journalmatch = _SYSTEMD_UNIT=forgejo.service

     

       201
       201
       -
                 '';

     

       202
       202
       -
               };

     

       125
       125
       +
                 ui.DEFAULT_THEME = "forgejo-auto";

     

       203
       126
        
       

     

       204
       204
       -
               systemd.services.forgejo = lib.mkIf (cfg.db

     

       205
       205
       -
                 == "postgresql") {

     

       206
       206
       -
                 after = lib.mkForce ["network.target" "forgejo-secrets.service"];

     

       207
       207
       -
                 requires = lib.mkForce ["forgejo-secrets.service"];

     

       127
       127
       +
                 "ui.meta" = {

     

       128
       128
       +
                   AUTHOR = "Ayla";

     

       129
       129
       +
                   DESCRIPTION = "i can't set up ssh via cloudflare tunnels!";

     

       130
       130
       +
                   KEYWORDS = "git,source code,forge,forgejo,aylac";

     

       131
       131
       +
                 };

     

       208
       132
        
               };

     

       209
       209
       -
       

     

       210
       210
       -
               system.stateVersion = "25.11";

     

       211
       133
        
             };

     

       212
       212
       -
           };

     

       213
       213
       -
       

     

       214
       214
       -
           systemd.services."container@forgejo" = {

     

       215
       215
       -
             requires = ["postgresql.service"];

     

       216
       216
       -
             after = ["postgresql.service"];

     

       217
       134
        
           };

     

       218
       135
        
         };

     

       219
       136
        
       }

+2 -11

modules/nixos/services/miniflux/default.nix

···

       23
       23
        
         config = lib.mkIf cfg.enable {

     

       24
       24
        
           age.secrets.miniflux.file = "${self.inputs.secrets}/miniflux.age";

     

       25
       25
        
       

     

       26
       26
       -
           myNixOS.services.postgresql = {

     

       27
       27
       -
             enable = true;

     

       28
       28
       -
             databases = ["miniflux"];

     

       29
       29
       -
           };

     

       26
       26
       +
           myNixOS.services.postgresql.enable = true;

     

       30
       27
        
       

     

       31
       28
        
           services = {

     

       32
       29
        
             caddy.virtualHosts."${service.vHost}".extraConfig = lib.mkIf cfg.autoProxy ''

     
···

       38
       35
        
             miniflux = {

     

       39
       36
        
               enable = true;

     

       40
       37
        
               adminCredentialsFile = config.age.secrets.miniflux.path;

     

       41
       41
       -
               createDatabaseLocally = false;

     

       38
       38
       +
               createDatabaseLocally = true;

     

       42
       39
        
               config = {

     

       43
       40
        
                 BATCH_SIZE = 100;

     

       44
       41
        
                 CLEANUP_FREQUENCY_HOURS = 48;

     

       45
       42
        
                 LISTEN_ADDR = "${service.hostName}:${toString service.port}";

     

       46
       43
        
                 BASE_URL = "https://${service.vHost}";

     

       47
       47
       -
                 DATABASE_URL = ''user=miniflux dbname=miniflux sslmode=disable'';

     

       48
       44
        
               };

     

       49
       45
        
             };

     

       50
       50
       -
           };

     

       51
       51
       -
       

     

       52
       52
       -
           systemd.services."miniflux" = {

     

       53
       53
       -
             requires = ["postgresql.service"];

     

       54
       54
       -
             after = ["postgresql.service"];

     

       55
       46
        
           };

     

       56
       47
        
         };

     

       57
       48
        
       }

+1 -8

modules/nixos/services/postgresql/default.nix

···

       11
       11
        
           enable = lib.mkEnableOption "${name} server";

     

       12
       12
        
           databases = lib.mkOption {

     

       13
       13
        
             type = lib.types.listOf lib.types.str;

     

       14
       14
       -
             default = {};

     

       14
       14
       +
             default = [];

     

       15
       15
        
             description = "PostgreSQL databases.";

     

       16
       16
        
           };

     

       17
       17
        
         };

     
···

       29
       29
        
                 ensureDBOwnership = true;

     

       30
       30
        
               })

     

       31
       31
        
               cfg.databases;

     

       32
       32
       -
       

     

       33
       33
       -
             authentication = lib.concatStringsSep "\n" (

     

       34
       34
       -
               lib.map (dbName: ''

     

       35
       35
       -
                 host ${dbName} ${dbName} samehost trust

     

       36
       36
       -
               '')

     

       37
       37
       -
               cfg.databases

     

       38
       38
       -
             );

     

       39
       32
        
           };

     

       40
       33
        
         };

     

       41
       34
        
       }