diff --git a/nixos/configurations/Cape/default.nix b/nixos/configurations/Cape/default.nix
index 2b3c5e0..e49cc71 100644
--- a/nixos/configurations/Cape/default.nix
+++ b/nixos/configurations/Cape/default.nix
@@ -4,6 +4,7 @@
 }:
 {
 imports = [
+ ./forgejo.nix
 ./networking.nix
 ./stylix.nix
 ./hardware-configuration.nix
diff --git a/nixos/configurations/Cape/forgejo.nix b/nixos/configurations/Cape/forgejo.nix
new file mode 100644
index 0000000..ee4cdd6
--- /dev/null
+++ b/nixos/configurations/Cape/forgejo.nix
@@ -0,0 +1,18 @@
+{ config, ... }:
+{
+ youthlic.containers.forgejo = {
+ enable = true;
+ domain = "forgejo.youthlic.fun";
+ sshPort = 2222;
+ httpPort = 8480;
+ interface = "ens3";
+ };
+ networking.firewall.allowedTCPPorts = [ 2222 ];
+ services.caddy.virtualHosts = {
+ "forgejo.${config.youthlic.programs.caddy.baseDomain}" = {
+ extraConfig = ''
+ reverse_proxy 10.231.136.102:8480
+ '';
+ };
+ };
+}
diff --git a/nixos/modules/containers/default.nix b/nixos/modules/containers/default.nix
new file mode 100644
index 0000000..88f8d6d
--- /dev/null
+++ b/nixos/modules/containers/default.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+ imports = [
+ ./forgejo.nix
+ ];
+}
diff --git a/nixos/modules/containers/forgejo.nix b/nixos/modules/containers/forgejo.nix
new file mode 100644
index 0000000..83f0c19
--- /dev/null
+++ b/nixos/modules/containers/forgejo.nix
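Review bot: In Cape/forgejo.nix, `networking.firewall.allowedTCPPorts = [ 2222 ];` and `reverse_proxy 10.231.136.102:8480` restate the `sshPort`/`httpPort` values set a few lines above as literals, so changing either option later leaves the host firewall or the proxy target on the old port. Read them back from the option instead: `networking.firewall.allowedTCPPorts = [ config.youthlic.containers.forgejo.sshPort ];` and `reverse_proxy 10.231.136.102:${toString config.youthlic.containers.forgejo.httpPort}`. The container address 10.231.136.102 is fixed inside the container module and is only reachable from this file by copying it; exposing it as an option would keep the two in step. The vhost is also keyed on `forgejo.${…baseDomain}` while `domain` is the literal `forgejo.youthlic.fun`; presumably these resolve to the same name, but if `baseDomain` ever differs Forgejo will advertise clone URLs under a host Caddy does not serve.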
@@ -0,0 +1,120 @@
+{ config, lib, ... }:
+let
+ cfg = config.youthlic.containers.forgejo;
+in
+{
+ options = {
+ youthlic.containers.forgejo = {
+ enable = lib.mkEnableOption "forgejo container";
+ domain = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ example = "forgejo.example.com";
+ };
+ sshPort = lib.mkOption {
+ type = lib.types.port;
+ default = 2222;
+ };
+ httpPort = lib.mkOption {
+ type = lib.types.port;
+ default = 8480;
+ };
+ interface = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ example = "ens3";
+ };
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ networking.nat = {
+ enable = true;
+ internalInterfaces = [ "ve-+" ];
+ externalInterface = cfg.interface;
+ enableIPv6 = true;
+ };
+ containers."forgejo" = {
+ ephemeral = true;
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = "10.231.136.1";
+ localAddress = "10.231.136.102";
+ bindMounts = {
+ "/var/lib/forgejo" = {
+ hostPath = "/mnt/containers/forgejo/state";
+ isReadOnly = false;
+ };
+ "/var/lib/postgresql" = {
+ hostPath = "/mnt/containers/forgejo/dataset";
+ isReadOnly = false;
+ };
+ };
+ forwardPorts = [
+ {
+ containerPort = cfg.sshPort;
+ hostPort = 2222;
+ protocol = "tcp";
+ }
+ {
+ containerPort = cfg.sshPort;
+ hostPort = 2222;
+ protocol = "udp";
+ }
+ ];
+
+ config =
+ { lib, ... }:
+ {
+ imports = [
+ ./../forgejo.nix
+ ./../postgresql.nix
+ ];
+
+ systemd.tmpfiles.rules = [
+ "d /var/lib/forgejo 770 forgejo forgejo -"
+ "d /var/lib/postgresql 770 postgres postgres -"
+ ];
+
+ youthlic.programs = {
+ forgejo = {
+ enable = true;
+ domain = cfg.domain;
+ sshPort = cfg.sshPort;
+ httpPort = cfg.httpPort;
+ database = {
+ user = "forgejo";
+ };
+ };
+ postgresql = {
+ enable = true;
+ database = "forgejo";
+ auth_method = "peer";
+ version = "17";
+ };
+ };
+
+ systemd.services.forgejo = {
+ wants = [ "postgresql.service" ];
+ requires = [ "postgresql.service" ];
+ after = [ "postgresql.service" ];
+ wantedBy = [ "default.target" ];
+ };
+
+ networking = {
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ cfg.httpPort
+ cfg.sshPort
+ ];
+ allowedUDPPorts = [
+ cfg.httpPort
+ cfg.sshPort
+ ];
+ };
+ useHostResolvConf = lib.mkForce false;
+ };
+ services.resolved.enable = true;
+ system.stateVersion = "24.11";
+ };
+ };
+ };
+}
diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix
index 47a7734..0fcd2b8 100644
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@@ -16,6 +16,9 @@
 disko.nixosModules.disko
 ])
 ++ [
+ ./containers
+ ./postgresql.nix
+ ./forgejo.nix
 ./deploy
 ./nix.nix
 ./home.nix
diff --git a/nixos/modules/forgejo.nix b/nixos/modules/forgejo.nix
new file mode 100644
index 0000000..3e4af47
--- /dev/null
+++ b/nixos/modules/forgejo.nix
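Review bot: In containers/forgejo.nix the `forwardPorts` entries pair `containerPort = cfg.sshPort;` with a literal `hostPort = 2222;`, so a non-default `sshPort` forwards host port 2222 into a container port nothing listens on; use `hostPort = cfg.sshPort;` (or add a dedicated host-port option). The second entry forwards the same port over UDP and the container firewall additionally opens `allowedUDPPorts = [ cfg.httpPort cfg.sshPort ];`, but SSH and Forgejo's HTTP listener are TCP-only, so these only widen the exposed surface for no function; drop the UDP forward and the `allowedUDPPorts` list. `hostAddress`, `localAddress` and the two `hostPath` values are fixed literals while the other knobs are options, which is why the Cape config has to repeat 10.231.136.102 for its proxy target; surfacing at least `localAddress` as an option would remove that duplication. Since the container runs with `ephemeral = true;`, a short comment above `bindMounts` such as `# ephemeral root: only these two mounts survive a container restart` would help the next reader understand why both directories are bind-mounted read-write.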
@@ -0,0 +1,105 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}:
+let
+ cfg = config.youthlic.programs.forgejo;
+in
+{
+ options = {
+ youthlic.programs.forgejo = {
+ enable = lib.mkEnableOption "forgejo";
+ domain = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ example = "example.com";
+ description = ''
+ which domain does the server use
+ '';
+ };
+ sshPort = lib.mkOption {
+ type = lib.types.port;
+ default = 2222;
+ };
+ httpPort = lib.mkOption {
+ type = lib.types.port;
+ default = 8480;
+ };
+ database = {
+ user = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ example = "forgejo";
+ };
+ socket = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ default = "/run/postgresql";
+ };
+ };
+ };
+ };
+ config = lib.mkMerge [
+ (lib.mkIf cfg.enable {
+ services.forgejo = {
+ enable = true;
+ lfs = {
+ enable = true;
+ };
+ group = "postgres";
+ database = {
+ type = "postgres";
+ user = cfg.database.user;
+ socket = cfg.database.socket;
+ createDatabase = false;
+ };
+ settings = {
+ DEFAULT = {
+ RUN_MODE = "prod";
+ };
+ cron = {
+ ENABLE = true;
+ RUN_AT_START = true;
+ SCHEDULE = "@every 24h";
+ };
+ repository = {
+ DEFAULT_PRIVATE = "last";
+ DEFAULT_BRANCH = "master";
+ };
+ service = {
+ DISABLE_REGISTRATION = true;
+ };
+ mailer = {
+ ENABLED = true;
+ MAILER_TYPE = "sendmail";
+ FROM = "do-not-reply@${config.services.forgejo.settings.server.DOMAIN}";
+ SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail";
+ };
+ other = {
+ SHOW_FOOTER_VERSION = false;
+ };
+ server = {
+ PROTOCOL = "http";
+ DOMAIN = "${cfg.domain}";
+ START_SSH_SERVER = true;
+ SSH_PORT = cfg.sshPort;
+ HTTP_PORT = cfg.httpPort;
+ };
+ };
+ };
+ })
+ (
+ let
+ caddy-cfg = config.youthlic.programs.caddy;
+ in
+ lib.mkIf (cfg.enable && caddy-cfg.enable) {
+ services.caddy.virtualHosts = {
+ "forgejo.${caddy-cfg.baseDomain}" = {
+ extraConfig = ''
+ reverse_proxy 127.0.0.1:${cfg.httpPort}
+ '';
+ };
+ };
+ }
+ )
+ ];
+}
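Review bot: `reverse_proxy 127.0.0.1:${cfg.httpPort}` interpolates an integer (`httpPort` is `lib.types.port`) into a string, which Nix rejects with a coercion error as soon as the `cfg.enable && caddy-cfg.enable` branch is evaluated; write `reverse_proxy 127.0.0.1:${toString cfg.httpPort}`. That branch also reads `config.youthlic.programs.caddy` whenever `cfg.enable` is true, and inside the container this module is imported alongside only postgresql.nix, so unless a caddy options module is pulled in somewhere this diff does not show, the merge will fail on a missing attribute rather than evaluate to disabled — a guard such as `(config.youthlic.programs ? caddy)` or importing the caddy option declarations would make it safe. `group = "postgres";` runs the Forgejo service in the postgres group, which together with the container's `d /var/lib/postgresql 770 postgres postgres -` rule gives the web process write access to the raw database files; peer authentication identifies the client by uid, so if the group was only added to reach the socket it can likely be dropped (verify the socket directory's mode), and note the matching `770 forgejo forgejo` rule then depends on a `forgejo` group the module may no longer create. With `PROTOCOL = "http"` and no `ROOT_URL`, Forgejo derives its public URL from PROTOCOL/DOMAIN/HTTP_PORT, which behind a TLS-terminating Caddy yields `http://<domain>:8480/` in clone links and mail; set `ROOT_URL = "https://${cfg.domain}/";` next to `DOMAIN`.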
diff --git a/nixos/modules/postgresql.nix b/nixos/modules/postgresql.nix
new file mode 100644
index 0000000..2d66235
--- /dev/null
+++ b/nixos/modules/postgresql.nix
@@ -0,0 +1,46 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}:
+let
+ cfg = config.youthlic.programs.postgresql;
+in
+{
+ options = {
+ youthlic.programs.postgresql = {
+ enable = lib.mkEnableOption "postgresql";
+ database = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ example = "forgejo";
+ };
+ auth_method = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ example = "peer";
+ };
+ version = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ example = "17";
+ };
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ # default socket: /var/lib/postgresql
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ cfg.database ];
+ ensureUsers = [
+ {
+ name = "${cfg.database}";
+ ensureDBOwnership = true;
+ }
+ ];
+ package = pkgs."postgresql_${cfg.version}";
+ authentication = ''
+ #type database DBuser auth-method
+ local sameuser all ${cfg.auth_method}
+ '';
+ };
+ };
+}
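Review bot: `auth_method` and `version` are typed `nonEmptyStr` but are spliced straight into `pg_hba.conf` and into a package attribute name, so a typo or an unintended value (say `trust`) surfaces only as a PostgreSQL start failure or an `attribute missing` evaluation error rather than an option type error; `lib.types.enum [ "peer" "scram-sha-256" ]` for `auth_method` and an enum of the versions actually present in nixpkgs (or a `lib.types.package` option for the package itself) would catch that at evaluation time. The comment `# default socket: /var/lib/postgresql` looks wrong: the NixOS module places the unix socket under `/run/postgresql`, which is also what `youthlic.programs.forgejo.database.socket` defaults to in this commit, while `/var/lib/postgresql` is the data directory — suggest `# unix socket is in /run/postgresql; /var/lib/postgresql is the data directory`. The `local sameuser all ${cfg.auth_method}` rule is merged ahead of the NixOS defaults, which presumably still include `local all all peer`, so with `peer` it is redundant and with any other method it changes only the same-name case; a one-line comment stating what the rule is meant to restrict would make the intent checkable. `name = "${cfg.database}";` can simply be `name = cfg.database;`.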