2023-09-22 05:20:36 +01:00
|
|
|
{
|
|
|
|
pkgs,
|
|
|
|
config,
|
2023-10-07 21:14:43 +01:00
|
|
|
lib,
|
2023-09-22 05:20:36 +01:00
|
|
|
...
|
|
|
|
}: let
|
2022-10-12 19:43:24 +01:00
|
|
|
domain = "gitea.${config.services.nginx.domain}";
|
|
|
|
in {
|
2023-12-29 15:11:16 +00:00
|
|
|
services.forgejo = {
|
2022-10-12 19:43:24 +01:00
|
|
|
enable = true;
|
|
|
|
database.type = "postgres";
|
2021-04-12 01:41:31 +01:00
|
|
|
|
2023-01-11 01:59:54 +00:00
|
|
|
settings = {
|
2023-07-28 10:23:56 +01:00
|
|
|
server = {
|
|
|
|
DOMAIN = domain;
|
|
|
|
HTTP_ADDR = "127.0.0.1";
|
|
|
|
ROOT_URL = "https://${domain}/";
|
|
|
|
SSH_PORT = 2222;
|
|
|
|
};
|
|
|
|
|
2023-10-07 21:14:43 +01:00
|
|
|
metrics = {
|
|
|
|
ENABLED = true;
|
|
|
|
TOKEN = "#metricstoken#";
|
|
|
|
};
|
2023-01-11 01:59:54 +00:00
|
|
|
service.DISABLE_REGISTRATION = true;
|
|
|
|
session.COOKIE_SECURE = true;
|
|
|
|
};
|
2022-10-12 19:43:24 +01:00
|
|
|
};
|
2021-04-28 23:02:27 +01:00
|
|
|
|
2023-12-29 15:11:16 +00:00
|
|
|
systemd.services.forgejo.serviceConfig.ExecStartPre = let
|
2023-10-07 21:14:43 +01:00
|
|
|
replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
|
2023-12-29 15:11:16 +00:00
|
|
|
secretPath = config.sops.secrets."forgejo/metrics-token".path;
|
|
|
|
runConfig = "${config.services.forgejo.customDir}/conf/app.ini";
|
2023-10-07 21:14:43 +01:00
|
|
|
in [
|
|
|
|
"+${replaceSecretBin} '#metricstoken#' '${secretPath}' '${runConfig}'"
|
|
|
|
];
|
|
|
|
|
2022-10-12 19:43:24 +01:00
|
|
|
# Set up SSL
|
|
|
|
services.nginx.virtualHosts."${domain}" = let
|
2023-12-29 15:11:16 +00:00
|
|
|
httpAddress = config.services.forgejo.settings.server.HTTP_ADDR;
|
|
|
|
httpPort = config.services.forgejo.settings.server.HTTP_PORT;
|
2022-10-12 19:43:24 +01:00
|
|
|
in {
|
|
|
|
forceSSL = true;
|
|
|
|
enableACME = true;
|
|
|
|
extraConfig = ''
|
|
|
|
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
|
2023-10-07 21:14:43 +01:00
|
|
|
access_log /var/log/nginx/${domain}/access.log upstream_time;
|
2022-10-12 19:43:24 +01:00
|
|
|
'';
|
2021-04-12 01:41:31 +01:00
|
|
|
|
2022-10-12 19:43:24 +01:00
|
|
|
locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";
|
2023-10-07 21:14:43 +01:00
|
|
|
locations."/metrics" = {
|
|
|
|
extraConfig = ''
|
|
|
|
access_log off;
|
|
|
|
allow 127.0.0.1;
|
|
|
|
${lib.optionalString config.networking.enableIPv6 "allow ::1;"}
|
|
|
|
deny all;
|
|
|
|
'';
|
|
|
|
};
|
2021-04-12 01:41:31 +01:00
|
|
|
};
|
2022-10-14 01:11:15 +01:00
|
|
|
|
|
|
|
# Block repeated failed login attempts
|
|
|
|
#
|
2023-12-29 15:11:16 +00:00
|
|
|
# TODO(tlater): Update this - we switched to forgejo, who knows what
|
|
|
|
# the new matches are.
|
|
|
|
# environment.etc = {
|
|
|
|
# "fail2ban/filter.d/gitea.conf".text = ''
|
|
|
|
# [Definition]
|
|
|
|
# failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
|
|
|
|
# journalmatch = _SYSTEMD_UNIT=forgejo.service + _COMM=forgejo + SYSLOG_IDENTIFIER=forgejo
|
|
|
|
# '';
|
|
|
|
# };
|
2022-10-14 01:11:15 +01:00
|
|
|
|
2023-12-29 15:11:16 +00:00
|
|
|
# services.fail2ban.jails = {
|
|
|
|
# gitea = ''
|
|
|
|
# enabled = true
|
|
|
|
# '';
|
|
|
|
# };
|
2023-09-22 05:20:36 +01:00
|
|
|
|
2024-03-02 01:27:24 +00:00
|
|
|
services.backups.forgejo = {
|
|
|
|
user = "forgejo";
|
|
|
|
paths = [
|
|
|
|
"/var/lib/forgejo/forgejo-db.sql"
|
|
|
|
"/var/lib/forgejo/repositories/"
|
|
|
|
"/var/lib/forgejo/data/"
|
|
|
|
"/var/lib/forgejo/custom/"
|
|
|
|
# Conf is backed up via nix
|
|
|
|
];
|
|
|
|
preparation = {
|
|
|
|
packages = [config.services.postgresql.package];
|
|
|
|
text = "pg_dump ${config.services.forgejo.database.name} --file=/var/lib/forgejo/forgejo-db.sql";
|
|
|
|
};
|
|
|
|
cleanup = {
|
|
|
|
packages = [pkgs.coreutils];
|
|
|
|
text = "rm /var/lib/forgejo/forgejo-db.sql";
|
|
|
|
};
|
|
|
|
pauseServices = ["forgejo.service"];
|
|
|
|
};
|
2021-04-12 01:41:31 +01:00
|
|
|
}
|