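{ config, pkgs, ... }:

let
  # Public hostname of the Forgejo instance. Used for both the Forgejo
  # ROOT_URL and the nginx virtual host so the two cannot drift apart.
  domain = "git.fediversity.eu";
in

{
  services.forgejo = {
    enable = true;
    lfs.enable = true;

    settings = {
      service = {
        # Accounts are created by administrators only.
        DISABLE_REGISTRATION = true;
        ENABLE_NOTIFY_MAIL = true;
      };

      server = {
        DOMAIN = "${domain}";
        ROOT_URL = "https://${domain}/";
        # Forgejo itself only listens on loopback; nginx below terminates TLS
        # and proxies to it.
        HTTP_ADDR = "127.0.0.1";
        LANDING_PAGE = "explore";
      };

      mailer = {
        ENABLED = true;
        PROTOCOL = "smtp+starttls";
        SMTP_ADDR = "mail.protagio.nl";
        SMTP_PORT = "587";
        FROM = "git@fediversity.eu";
        USER = "git@fediversity.eu";
      };
    };

    # The mailer password goes through the module's `secrets` option rather
    # than `settings`, so the plaintext never ends up in the Nix store.
    secrets.mailer.PASSWD = config.age.secrets.forgejo-email-password.path;

    database = {
      type = "mysql";
      socket = "/run/mysqld/mysqld.sock";
      passwordFile = config.age.secrets.forgejo-database-password.path;
    };
  };

  age.secrets.forgejo-database-password = {
    file = ../../secrets/forgejo-database-password.age;
    # Readable by the forgejo service user, which consumes `passwordFile`.
    owner = "forgejo";
    group = "forgejo";
    mode = "440";
  };

  # NOTE(review): unlike the database secret above, no owner/group/mode is set
  # here, so the age module's defaults apply. That is only correct if the mailer
  # secret is read as root (e.g. via systemd credentials) rather than by the
  # forgejo user — confirm against the forgejo module before relying on it.
  age.secrets.forgejo-email-password.file = ../../secrets/forgejo-email-password.age;

  # presumably grants access to /run/keys-style deployment keys; verify it is
  # still needed now that both secrets are handled via `age.secrets`.
  users.groups.keys.members = [ "forgejo" ];

  services.mysql = {
    enable = true;
    package = pkgs.mariadb;
    ensureDatabases = [ "forgejo" ];
    ensureUsers = [
      {
        name = "forgejo";
        # Socket authentication; the forgejo DB user only sees its own database.
        ensurePermissions = {
          "forgejo.*" = "ALL PRIVILEGES";
        };
      }
    ];
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "beheer@procolix.com";
  };

  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    # Large pushes and LFS uploads pass through this proxy.
    clientMaxBodySize = "500m";

    appendHttpConfig = ''
      # Log-suppression switch for the Actions runner long-poll endpoint. It is
      # only consumed by the access_log directive in the "/" location, which is
      # currently commented out, so this map has no effect for now.
      map $uri $forgejo_access_log {
        default 1;
        /api/actions/runner.v1.RunnerService/FetchTask 0;
      }

      # Send an HSTS header on HTTPS responses only: the map yields an empty
      # value for plain HTTP, and nginx omits add_header when the value is empty.
      # Adding this header to HTTP responses is discouraged. No `preload`
      # directive is set, so the site is not eligible for browser preload lists.
      map $scheme $hsts_header {
        https "max-age=31536000; includeSubdomains";
      }
      # `always` is an add_header flag, not part of the header value: it makes
      # the header appear on error responses (4xx/5xx) as well.
      add_header Strict-Transport-Security $hsts_header always;
    '';

    virtualHosts.${domain} = {
      listenAddresses = [
        "185.206.232.34"
        "[2a00:51c0:12:1201::20]"
      ];
      enableACME = true;
      forceSSL = true;

      locations."/" = {
        proxyPass = "http://127.0.0.1:3000/";
        extraConfig = ''
          proxy_set_header X-Real-IP $remote_addr;
          #access_log /var/log/nginx/access.log info if=$forgejo_access_log;
        '';
      };
    };
  };
}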