diff --git a/common/services/gitea.nix b/common/services/gitea.nix
new file mode 100644
index 0000000..b9a96f4
--- /dev/null
+++ b/common/services/gitea.nix
@@ -0,0 +1,57 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ inherit (lib) mkEnableOption mkIf mkOption;
+
+ cfg = config.foehammer.services.forgejo;
+in {
+ options.foehammer.services.forgejo = {
+ enable = mkEnableOption "Enable Gitea Server";
+
+ port = mkOption {
+ type = lib.types.port;
+ default = 8225;
+ description = ''
+ What external port to serve over.
+ '';
+ };
+
+ ssh-port = mkOption {
+ type = lib.types.port;
+ default = 2222;
+ description = ''
+ What external port to serve over.
+ '';
+ };
+
+ domain = mkOption {
+ type = lib.types.str;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.forgejo = {
+ enable = true;
+ lfs.enable = true;
+
+ settings = {
+ service = {
+ DISABLE_REGISTRATION = true;
+ SHOW_REGISTRATION_BUTTON = false;
+ };
+ ui = {
+ SHOW_USER_EMAIL = false;
+ };
+ server = {
+ HTTP_PORT = cfg.port;
+ DOMAIN = cfg.domain;
+ ROOT_URL = "https://${cfg.domain}";
+ SSH_PORT = cfg.ssh-port;
+ };
+ };
+ };
+ };
+}
diff --git a/flake.lock b/flake.lock
index 653992c..518fe62 100644
--- a/flake.lock
+++ b/flake.lock
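Review bot: The `ssh-port` option's description is a copy of `port`'s ("What external port to serve over.") and `domain` has no description at all; since `domain` feeds both `DOMAIN` and `ROOT_URL = "https://${cfg.domain}"` it should state that a bare hostname without scheme is expected, e.g. `description = "Public hostname (no scheme); used for DOMAIN and to build ROOT_URL.";`, and `ssh-port` should say it is the SSH port advertised in clone URLs. The file is named gitea.nix and the enable text reads "Enable Gitea Server" while everything it configures is `services.forgejo`; renaming both to Forgejo removes the mismatch. As far as I can tell from Forgejo's settings, `SSH_PORT = 2222` only changes the port written into clone URLs unless the built-in SSH server is started (`START_SSH_SERVER`) or the system sshd listens on 2222, so one of those should be confirmed before users copy a clone URL. Because the service is meant to sit behind the Caddy reverse proxy (ROOT_URL is https), binding it to loopback with `HTTP_ADDR = "127.0.0.1";` would keep the plain-HTTP port from being reachable directly should the firewall ever allow it.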
@@ -1,5 +1,50 @@
 {
 "nodes": {
+ "alejandra": {
+ "inputs": {
+ "fenix": "fenix",
+ "flakeCompat": "flakeCompat",
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1660592437,
+ "narHash": "sha256-xFumnivtVwu5fFBOrTxrv6fv3geHKF04RGP23EsDVaI=",
+ "owner": "kamadorueda",
+ "repo": "alejandra",
+ "rev": "e7eac49074b70814b542fee987af2987dd0520b5",
+ "type": "github"
+ },
+ "original": {
+ "owner": "kamadorueda",
+ "ref": "3.0.0",
+ "repo": "alejandra",
+ "type": "github"
+ }
+ },
+ "fenix": {
+ "inputs": {
+ "nixpkgs": [
+ "alejandra",
+ "nixpkgs"
+ ],
+ "rust-analyzer-src": "rust-analyzer-src"
+ },
+ "locked": {
+ "lastModified": 1657607339,
+ "narHash": "sha256-HaqoAwlbVVZH2n4P3jN2FFPMpVuhxDy1poNOR7kzODc=",
+ "owner": "nix-community",
+ "repo": "fenix",
+ "rev": "b814c83d9e6aa5a28d0cf356ecfdafb2505ad37d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "fenix",
+ "type": "github"
+ }
+ },
 "flake-parts": {
 "inputs": {
 "nixpkgs-lib": "nixpkgs-lib"
@@ -18,18 +63,34 @@
 "type": "github"
 }
 },
+ "flakeCompat": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1650374568,
+ "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "b4a34015c698c7793d592d66adbab377907a2be8",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
 "nixpkgs": {
 "locked": {
- "lastModified": 1765363881,
- "narHash": "sha256-3C3xWn8/2Zzr7sxVBmpc1H1QfxjNfta5IMFe3O9ZEPw=",
+ "lastModified": 1766736597,
+ "narHash": "sha256-BASnpCLodmgiVn0M1MU2Pqyoz0aHwar/0qLkp7CjvSQ=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "d2b1213bf5ec5e62d96b003ab4b5cbc42abfc0d0",
+ "rev": "f560ccec6b1116b22e6ed15f4c510997d99d5852",
 "type": "github"
 },
 "original": {
 "owner": "nixos",
- "ref": "nixos-25.05",
+ "ref": "nixos-25.11",
 "repo": "nixpkgs",
 "type": "github"
 }
@@ -51,9 +112,27 @@
 },
 "root": {
 "inputs": {
+ "alejandra": "alejandra",
 "flake-parts": "flake-parts",
 "nixpkgs": "nixpkgs"
 }
+ },
+ "rust-analyzer-src": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1657557289,
+ "narHash": "sha256-PRW+nUwuqNTRAEa83SfX+7g+g8nQ+2MMbasQ9nt6+UM=",
+ "owner": "rust-lang",
+ "repo": "rust-analyzer",
+ "rev": "caf23f29144b371035b864a1017dbc32573ad56d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "rust-lang",
+ "ref": "nightly",
+ "repo": "rust-analyzer",
+ "type": "github"
+ }
 }
 },
 "root": "root",
diff --git a/flake.nix b/flake.nix
index dbdb0b3..70eae05 100644
--- a/flake.nix
+++ b/flake.nix
@@ -6,36 +6,37 @@ }; outputs = inputs @ {self, ...}: - inputs.flake-parts.lib.mkFlake {inherit inputs;} (toplevel @ {withSystem, ...}: { - systems = ["aarch64-darwin" "aarch64-linux" "x86_64-linux"]; + inputs.flake-parts.lib.mkFlake {inherit inputs;} (toplevel @ {withSystem, ...}: { + systems = ["aarch64-darwin" "aarch64-linux" "x86_64-linux"]; - perSystem = { - config, - self', - inputs', - pkgs, - system, - ... - }: { - _module.args.pkgs = import inputs.nixpkgs { - localSystem = system; - config = { - allowUnfree = true; - allowAliases = true; - }; - # overlays = [self.overlays.default]; + perSystem = { + config, + self', + inputs', + pkgs, + system, + ... + }: { + _module.args.pkgs = import inputs.nixpkgs { + localSystem = system; + config = { + allowUnfree = true; + allowAliases = true; }; - - # packages = import ./lib/packages.nix pkgs; + # overlays = [self.overlays.default]; }; - flake = { - lib = import ./lib inputs.nixpkgs withSystem; - # overlays.default = final: prev: (import ./lib/packages.nix prev); + # packages = import ./lib/packages.nix pkgs; + }; - nixosModules.default = {...}: { - imports = self.lib.utils.findNixFiles ./common; - }; + flake = { + lib = import ./lib inputs.nixpkgs withSystem; + + # overlays.default = final: prev: (import ./lib/packages.nix prev); + + nixosModules.default = {...}: { + imports = self.lib.utils.findNixFiles ./common; }; - }); + }; + }); } diff --git a/machines/lebesgue/config/configuration.nix b/machines/lebesgue/config/configuration.nix index 0b8e21f..1e6bb38 100644 --- a/machines/lebesgue/config/configuration.nix +++ b/machines/lebesgue/config/configuration.nix @@ -14,6 +14,11 @@ enable = true; }; + services.forgejo = { + enable = true; + domain = "forge.foehammer.me"; + }; + services.vaultwarden = { enable = true; domain = "https://passwords.foehammer.me"; 
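Review bot: In the configuration.nix hunk the new `services.forgejo.domain` is a bare hostname (`forge.foehammer.me`) while the sibling `services.vaultwarden.domain` two lines below carries a scheme (`https://passwords.foehammer.me`); two custom options with the same name and different semantics are easy to mix up when one block is copied to make the next. Either name the forgejo option differently or note in the module that `ROOT_URL` is derived from it by prepending `https://`. The attrset enclosing this block starts outside the hunk; given that `backups.restic` and `tailscale` are set alongside it, this is presumably a `foehammer = { … }` scope where `services.forgejo` resolves to the custom module, but if it were the NixOS `services.forgejo` option set, `domain` would not be a valid option there and evaluation would fail, so that is worth confirming.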
@@ -21,19 +26,6 @@ envPath = config.sops.secrets.vaultwarden-env.path; }; - services.authelia = { - enable = true; - domain = "foehammer.me"; - url = "https://auth.foehammer.me"; - jwtSecretFile = config.sops.secrets.authelia-jwtsecret.path; - - userDbFile = config.sops.secrets.authelia-users.path; - # oidcIssuerPrivateKeyFile = config.sops.secrets.authelia-oidc-privkey.path; - # oidcHmacSecretFile = config.sops.secrets.authelia-oidc-hmac.path; - sessionSecretFile = config.sops.secrets.authelia-session-secret.path; - storageEncryptionKeyFile = config.sops.secrets.authelia-storage-encryption.path; - }; - backups.restic = { enable = true; @@ -41,7 +33,7 @@ environmentFile = config.sops.secrets.restic-env.path; passwordFile = config.sops.secrets.restic-password.path; - paths = ["/var/lib/vaultwarden" "/var/lib/authelia"]; + paths = ["/var/lib/vaultwarden" "/var/lib/authelia" "/var/lib/forgejo"]; }; tailscale = { diff --git a/machines/lebesgue/config/routing.nix b/machines/lebesgue/config/routing.nix index d33c36c..35027d9 100644 --- a/machines/lebesgue/config/routing.nix +++ b/machines/lebesgue/config/routing.nix @@ -8,14 +8,9 @@ reverse_proxy :${toString config.foehammer.services.vaultwarden.port} ''; }; - "auth.foehammer.me" = { + "forge.foehammer.me" = { extraConfig = '' - reverse_proxy :${toString config.foehammer.services.authelia.port} - ''; - }; - "goatcounter.foehammer.me" = { - extraConfig = '' - reverse_proxy :${toString config.foehammer.services.goatcounter.port} + reverse_proxy :${toString config.foehammer.services.forgejo.port} ''; }; }; diff --git a/machines/lebesgue/config/secrets.nix b/machines/lebesgue/config/secrets.nix index f8538b9..89cbc0e 100644 --- a/machines/lebesgue/config/secrets.nix +++ b/machines/lebesgue/config/secrets.nix @@ -3,10 +3,6 @@ defaultSopsFile = ../secrets/main.yaml; secrets = let - autheliaSecret = { - owner = "authelia-main"; - sopsFile = ../secrets/authelia/secrets.yaml; - }; in { admin-password.neededForUsers = true; 
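Review bot: In the `paths` hunk of configuration.nix, `/var/lib/authelia` is kept in the restic backup list even though the `services.authelia` block is removed in the hunk just above, so the job keeps copying data of a decommissioned service and, once that directory is cleaned up, will be pointed at a missing path (restic reports an unreadable source as an error, so check how the NixOS backup unit reacts to that). The intended line is probably `paths = ["/var/lib/vaultwarden" "/var/lib/forgejo"];`. Whatever remains in `/var/lib/authelia`, and the `../secrets/authelia/*.yaml` sops files that the secrets.nix hunk stops referencing but the commit does not delete, should be removed or rotated deliberately rather than left behind.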
@@ -17,16 +13,6 @@
 restic-env = {owner = "restic";};
 restic-password = {owner = "restic";};
 restic-repository = {owner = "restic";};
-
- authelia-jwtsecret = autheliaSecret;
- authelia-oidc-privkey = autheliaSecret;
- authelia-oidc-hmac = autheliaSecret;
- authelia-session-secret = autheliaSecret;
- authelia-storage-encryption = autheliaSecret;
- authelia-users = {
- owner = "authelia-main";
- sopsFile = ../secrets/authelia/users.yaml;
- };
 };
 };
}
diff --git a/machines/lebesgue/config/state.nix b/machines/lebesgue/config/state.nix
index 98db9fa..26efd42 100644
--- a/machines/lebesgue/config/state.nix
+++ b/machines/lebesgue/config/state.nix
@@ -4,6 +4,7 @@
 environment.persistence."/persist" = {
 directories = [
 "/var/cache/restic-backups-s3"
+ "/var/lib/forgejo"
 "/var/lib/tailscale"
 "/var/lib/goatcounter"
 "/var/log"
diff --git a/machines/lebesgue/flake.lock b/machines/lebesgue/flake.lock
index a51170c..a1eae4a 100644
--- a/machines/lebesgue/flake.lock
+++ b/machines/lebesgue/flake.lock
@@ -50,11 +50,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1765838191,
- "narHash": "sha256-m5KWt1nOm76ILk/JSCxBM4MfK3rYY7Wq9/TZIIeGnT8=",
+ "lastModified": 1766736597,
+ "narHash": "sha256-BASnpCLodmgiVn0M1MU2Pqyoz0aHwar/0qLkp7CjvSQ=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "c6f52ebd45e5925c188d1a20119978aa4ffd5ef6",
+ "rev": "f560ccec6b1116b22e6ed15f4c510997d99d5852",
 "type": "github"
 },
 "original": {