diff --git a/common/services/gitea.nix b/common/services/gitea.nix
new file mode 100644
index 0000000..b60a41a
--- /dev/null
+++ b/common/services/gitea.nix
@@ -0,0 +1,63 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ inherit (lib) mkEnableOption mkIf mkOption;
+
+ cfg = config.foehammer.services.forgejo;
+in {
+ options.foehammer.services.forgejo = {
+ enable = mkEnableOption "Enable Gitea Server";
+
+ port = mkOption {
+ type = lib.types.port;
+ default = 8225;
+ description = ''
+ What external port to serve over.
+ '';
+ };
+
+ ssh-port = mkOption {
+ type = lib.types.port;
+ default = 22;
+ description = ''
+ Where ssh is available.
+ '';
+ };
+
+ domain = mkOption {
+ type = lib.types.str;
+ };
+
+ ssh-domain = mkOption {
+ type = lib.types.str;
+ default = cfg.domain;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.forgejo = {
+ enable = true;
+ lfs.enable = true;
+
+ settings = {
+ service = {
+ DISABLE_REGISTRATION = true;
+ SHOW_REGISTRATION_BUTTON = false;
+ };
+ ui = {
+ SHOW_USER_EMAIL = false;
+ };
+ server = {
+ HTTP_PORT = cfg.port;
+ DOMAIN = cfg.domain;
+ ROOT_URL = "https://${cfg.domain}";
+ SSH_DOMAIN = cfg.ssh-domain;
+ SSH_PORT = cfg.ssh-port;
+ };
+ };
+ };
+ };
+}
diff --git a/flake.lock b/flake.lock
index 1406691..518fe62 100644
--- a/flake.lock
+++ b/flake.lock
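Review bot: The `server` settings set `HTTP_PORT = cfg.port;` but never `HTTP_ADDR`, so Forgejo listens on whatever address the NixOS module defaults to (I believe 0.0.0.0), which makes port 8225 reachable on any interface the host firewall allows instead of only through the `reverse_proxy :port` route in routing.nix; add `HTTP_ADDR = "127.0.0.1";` next to `HTTP_PORT`, and reword the `port` description, since "What external port to serve over" describes the proxied loopback port, not the public one. `mkEnableOption "Enable Gitea Server"` renders as "Whether to enable Enable Gitea Server."; use `enable = mkEnableOption "the Forgejo server";`. The file is named gitea.nix while both the option path `foehammer.services.forgejo` and the configured service are Forgejo, so consider naming it forgejo.nix to match.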
@@ -1,15 +1,60 @@ { "nodes": { + "alejandra": { + "inputs": { + "fenix": "fenix", + "flakeCompat": "flakeCompat", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1660592437, + "narHash": "sha256-xFumnivtVwu5fFBOrTxrv6fv3geHKF04RGP23EsDVaI=", + "owner": "kamadorueda", + "repo": "alejandra", + "rev": "e7eac49074b70814b542fee987af2987dd0520b5", + "type": "github" + }, + "original": { + "owner": "kamadorueda", + "ref": "3.0.0", + "repo": "alejandra", + "type": "github" + } + }, + "fenix": { + "inputs": { + "nixpkgs": [ + "alejandra", + "nixpkgs" + ], + "rust-analyzer-src": "rust-analyzer-src" + }, + "locked": { + "lastModified": 1657607339, + "narHash": "sha256-HaqoAwlbVVZH2n4P3jN2FFPMpVuhxDy1poNOR7kzODc=", + "owner": "nix-community", + "repo": "fenix", + "rev": "b814c83d9e6aa5a28d0cf356ecfdafb2505ad37d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "fenix", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1738453229, - "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=", + "lastModified": 1765495779, + "narHash": "sha256-MhA7wmo/7uogLxiewwRRmIax70g6q1U/YemqTGoFHlM=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd", + "rev": "5635c32d666a59ec9a55cab87e898889869f7b71", "type": "github" }, "original": { 
@@ -18,39 +63,76 @@ "type": "github" } }, + "flakeCompat": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "nixpkgs": { "locked": { - "lastModified": 1749024892, - "narHash": "sha256-OGcDEz60TXQC+gVz5sdtgGJdKVYr6rwdzQKuZAJQpCA=", + "lastModified": 1766736597, + "narHash": "sha256-BASnpCLodmgiVn0M1MU2Pqyoz0aHwar/0qLkp7CjvSQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "8f1b52b04f2cb6e5ead50bd28d76528a2f0380ef", + "rev": "f560ccec6b1116b22e6ed15f4c510997d99d5852", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-25.05", + "ref": "nixos-25.11", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-lib": { "locked": { - "lastModified": 1738452942, - "narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" + "lastModified": 1761765539, + "narHash": "sha256-b0yj6kfvO8ApcSE+QmA6mUfu8IYG6/uU28OFn4PaC8M=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "719359f4562934ae99f5443f20aa06c2ffff91fc", + "type": "github" }, "original": { - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" } }, "root": { "inputs": { + "alejandra": "alejandra", "flake-parts": "flake-parts", "nixpkgs": "nixpkgs" } + }, + "rust-analyzer-src": { + "flake": false, + "locked": { + "lastModified": 1657557289, + "narHash": "sha256-PRW+nUwuqNTRAEa83SfX+7g+g8nQ+2MMbasQ9nt6+UM=", + "owner": "rust-lang", + "repo": "rust-analyzer", + "rev": "caf23f29144b371035b864a1017dbc32573ad56d", + "type": "github" + }, + 
"original": { + "owner": "rust-lang", + "ref": "nightly", + "repo": "rust-analyzer", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 2477894..70eae05 100644 --- a/flake.nix +++ b/flake.nix @@ -1,41 +1,42 @@ { inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11"; flake-parts.url = "github:hercules-ci/flake-parts"; }; outputs = inputs @ {self, ...}: - inputs.flake-parts.lib.mkFlake {inherit inputs;} (toplevel @ {withSystem, ...}: { - systems = ["aarch64-darwin" "aarch64-linux" "x86_64-linux"]; + inputs.flake-parts.lib.mkFlake {inherit inputs;} (toplevel @ {withSystem, ...}: { + systems = ["aarch64-darwin" "aarch64-linux" "x86_64-linux"]; - perSystem = { - config, - self', - inputs', - pkgs, - system, - ... - }: { - _module.args.pkgs = import inputs.nixpkgs { - localSystem = system; - config = { - allowUnfree = true; - allowAliases = true; - }; - # overlays = [self.overlays.default]; + perSystem = { + config, + self', + inputs', + pkgs, + system, + ... + }: { + _module.args.pkgs = import inputs.nixpkgs { + localSystem = system; + config = { + allowUnfree = true; + allowAliases = true; }; - - # packages = import ./lib/packages.nix pkgs; + # overlays = [self.overlays.default]; }; - flake = { - lib = import ./lib inputs.nixpkgs withSystem; - # overlays.default = final: prev: (import ./lib/packages.nix prev); + # packages = import ./lib/packages.nix pkgs; + }; - nixosModules.default = {...}: { - imports = self.lib.utils.findNixFiles ./common; - }; + flake = { + lib = import ./lib inputs.nixpkgs withSystem; + + # overlays.default = final: prev: (import ./lib/packages.nix prev); + + nixosModules.default = {...}: { + imports = self.lib.utils.findNixFiles ./common; }; - }); + }; + }); } diff --git a/machines/lebesgue/config/configuration.nix b/machines/lebesgue/config/configuration.nix index 0b8e21f..9df77b6 100644 --- a/machines/lebesgue/config/configuration.nix 
+++ b/machines/lebesgue/config/configuration.nix @@ -14,6 +14,12 @@ enable = true; }; + services.forgejo = { + enable = true; + domain = "forge.foehammer.me"; + ssh-domain = "lebesgue"; + }; + services.vaultwarden = { enable = true; domain = "https://passwords.foehammer.me"; @@ -21,19 +27,6 @@ envPath = config.sops.secrets.vaultwarden-env.path; }; - services.authelia = { - enable = true; - domain = "foehammer.me"; - url = "https://auth.foehammer.me"; - jwtSecretFile = config.sops.secrets.authelia-jwtsecret.path; - - userDbFile = config.sops.secrets.authelia-users.path; - # oidcIssuerPrivateKeyFile = config.sops.secrets.authelia-oidc-privkey.path; - # oidcHmacSecretFile = config.sops.secrets.authelia-oidc-hmac.path; - sessionSecretFile = config.sops.secrets.authelia-session-secret.path; - storageEncryptionKeyFile = config.sops.secrets.authelia-storage-encryption.path; - }; - backups.restic = { enable = true; @@ -41,7 +34,7 @@ environmentFile = config.sops.secrets.restic-env.path; passwordFile = config.sops.secrets.restic-password.path; - paths = ["/var/lib/vaultwarden" "/var/lib/authelia"]; + paths = ["/var/lib/vaultwarden" "/var/lib/authelia" "/var/lib/forgejo"]; }; tailscale = { diff --git a/machines/lebesgue/config/routing.nix b/machines/lebesgue/config/routing.nix index d33c36c..6d5c70a 100644 --- a/machines/lebesgue/config/routing.nix +++ b/machines/lebesgue/config/routing.nix @@ -8,16 +8,16 @@ reverse_proxy :${toString config.foehammer.services.vaultwarden.port} ''; }; - "auth.foehammer.me" = { - extraConfig = '' - reverse_proxy :${toString config.foehammer.services.authelia.port} - ''; - }; "goatcounter.foehammer.me" = { extraConfig = '' reverse_proxy :${toString config.foehammer.services.goatcounter.port} ''; }; + "forge.foehammer.me" = { + extraConfig = '' + reverse_proxy :${toString config.foehammer.services.forgejo.port} + ''; + }; }; }; } 
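Review bot: The third hunk of configuration.nix still lists `"/var/lib/authelia"` in the restic `paths` after the second hunk removes the `services.authelia` block (and secrets.nix drops its sops entries), so the backup job keeps a dependency on a directory that no service maintains any more and, once it is cleaned up, restic will report a missing source path on every run. Change the line to `paths = ["/var/lib/vaultwarden" "/var/lib/forgejo"];` once the old Authelia state has been archived or deliberately discarded, so the path list matches the services actually configured on the machine. The enclosing attribute set starts and ends outside these hunks.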
diff --git a/machines/lebesgue/config/secrets.nix b/machines/lebesgue/config/secrets.nix index f8538b9..89cbc0e 100644 --- a/machines/lebesgue/config/secrets.nix +++ b/machines/lebesgue/config/secrets.nix @@ -3,10 +3,6 @@ defaultSopsFile = ../secrets/main.yaml; secrets = let - autheliaSecret = { - owner = "authelia-main"; - sopsFile = ../secrets/authelia/secrets.yaml; - }; in { admin-password.neededForUsers = true; @@ -17,16 +13,6 @@ restic-env = {owner = "restic";}; restic-password = {owner = "restic";}; restic-repository = {owner = "restic";}; - - authelia-jwtsecret = autheliaSecret; - authelia-oidc-privkey = autheliaSecret; - authelia-oidc-hmac = autheliaSecret; - authelia-session-secret = autheliaSecret; - authelia-storage-encryption = autheliaSecret; - authelia-users = { - owner = "authelia-main"; - sopsFile = ../secrets/authelia/users.yaml; - }; }; }; } diff --git a/machines/lebesgue/config/state.nix b/machines/lebesgue/config/state.nix index 98db9fa..26efd42 100644 --- a/machines/lebesgue/config/state.nix +++ b/machines/lebesgue/config/state.nix @@ -4,6 +4,7 @@ environment.persistence."/persist" = { directories = [ "/var/cache/restic-backups-s3" + "/var/lib/forgejo" "/var/lib/tailscale" "/var/lib/goatcounter" "/var/log" diff --git a/machines/lebesgue/deploy b/machines/lebesgue/deploy index 5e6d86a..18858c1 100755 --- a/machines/lebesgue/deploy +++ b/machines/lebesgue/deploy @@ -1,10 +1,10 @@ #!/usr/bin/env bash function deploy() { - nixos-rebuild $1 --flake .#default --target-host admin@lebesgue --use-remote-sudo --verbose + nix develop -c nixos-rebuild $1 --flake .#default --target-host admin@lebesgue --use-remote-sudo --verbose } -nix flake lock --update-input common +nix flake update common if [[ -n $1 ]]; then deploy $1 diff --git a/machines/lebesgue/flake.lock b/machines/lebesgue/flake.lock index 37ed9f3..a1eae4a 100644 --- a/machines/lebesgue/flake.lock +++ b/machines/lebesgue/flake.lock 
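Review bot: In the rewritten `deploy` function `$1` is still unquoted, both in `nix develop -c nixos-rebuild $1 ...` and in the `deploy $1` call below it, and the script sets no error options, so a failing `nix flake update common` falls through to a rebuild against whatever lock state is already on disk. Add `set -eo pipefail` after the shebang and quote the argument: `nix develop -c nixos-rebuild "$1" --flake .#default --target-host admin@lebesgue --use-remote-sudo --verbose` and `deploy "$1"`. The `if` block that calls `deploy` continues past the end of the hunk.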
@@ -20,11 +20,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1738453229, - "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=", + "lastModified": 1765495779, + "narHash": "sha256-MhA7wmo/7uogLxiewwRRmIax70g6q1U/YemqTGoFHlM=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd", + "rev": "5635c32d666a59ec9a55cab87e898889869f7b71", "type": "github" }, "original": { 
@@ -50,55 +50,58 @@ }, "nixpkgs": { "locked": { - "lastModified": 1749024892, - "narHash": "sha256-OGcDEz60TXQC+gVz5sdtgGJdKVYr6rwdzQKuZAJQpCA=", + "lastModified": 1766736597, + "narHash": "sha256-BASnpCLodmgiVn0M1MU2Pqyoz0aHwar/0qLkp7CjvSQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "8f1b52b04f2cb6e5ead50bd28d76528a2f0380ef", + "rev": "f560ccec6b1116b22e6ed15f4c510997d99d5852", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-25.05", + "ref": "nixos-25.11", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-lib": { "locked": { - "lastModified": 1738452942, - "narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" + "lastModified": 1761765539, + "narHash": "sha256-b0yj6kfvO8ApcSE+QmA6mUfu8IYG6/uU28OFn4PaC8M=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "719359f4562934ae99f5443f20aa06c2ffff91fc", + "type": "github" }, "original": { - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" } }, "nixpkgs_2": { "locked": { - "lastModified": 1748889542, - "narHash": "sha256-Hb4iMhIbjX45GcrgOp3b8xnyli+ysRPqAgZ/LZgyT5k=", + "lastModified": 1765838191, + "narHash": "sha256-m5KWt1nOm76ILk/JSCxBM4MfK3rYY7Wq9/TZIIeGnT8=", "owner": "nixos", "repo": "nixpkgs", - "rev": "10d7f8d34e5eb9c0f9a0485186c1ca691d2c5922", + "rev": "c6f52ebd45e5925c188d1a20119978aa4ffd5ef6", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-25.05", + "ref": "nixos-25.11", "repo": "nixpkgs", "type": "github" } }, "nixpkgs_3": { "locked": { - "lastModified": 1731763621, - "narHash": "sha256-ddcX4lQL0X05AYkrkV2LMFgGdRvgap7Ho8kgon3iWZk=", + "lastModified": 1763618868, + "narHash": "sha256-v5afmLjn/uyD9EQuPBn7nZuaZVV9r+JerayK/4wvdWA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": 
"c69a9bffbecde46b4b939465422ddc59493d3e4d", + "rev": "a8d610af3f1a5fb71e23e08434d8d61a466fc942", "type": "github" }, "original": { @@ -121,11 +124,11 @@ "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1738291974, - "narHash": "sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320=", + "lastModified": 1764021963, + "narHash": "sha256-1m84V2ROwNEbqeS9t37/mkry23GBhfMt8qb6aHHmjuc=", "owner": "Mic92", "repo": "sops-nix", - "rev": "4c1251904d8a08c86ac6bc0d72cc09975e89aef7", + "rev": "c482a1c1bbe030be6688ed7dc84f7213f304f1ec", "type": "github" }, "original": { diff --git a/machines/lebesgue/flake.nix b/machines/lebesgue/flake.nix index 7392f46..9c6748f 100644 --- a/machines/lebesgue/flake.nix +++ b/machines/lebesgue/flake.nix @@ -2,7 +2,7 @@ inputs = { common.url = "path:../.."; - nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11"; sops-nix = { url = "github:Mic92/sops-nix";