From ec5430ee34ea5bf87209f44a63a8a89054fe3c93 Mon Sep 17 00:00:00 2001
From: June
Date: Sun, 14 Jan 2024 23:19:41 +0100
Subject: [PATCH] Add and configure new Git server using Forgejo
---
 config/hosts/git/configuration.nix | 7 +++
 config/hosts/git/default.nix | 11 +++++
 config/hosts/git/forgejo.nix | 73 ++++++++++++++++++++++++++++++
 config/hosts/git/networking.nix | 20 ++++++++
 config/hosts/git/nginx.nix | 41 +++++++++++++++++
 config/hosts/git/redis.nix | 16 +++++++
 flake.nix | 14 ++++++
 7 files changed, 182 insertions(+)
 create mode 100644 config/hosts/git/configuration.nix
 create mode 100644 config/hosts/git/default.nix
 create mode 100644 config/hosts/git/forgejo.nix
 create mode 100644 config/hosts/git/networking.nix
 create mode 100644 config/hosts/git/nginx.nix
 create mode 100644 config/hosts/git/redis.nix
diff --git a/config/hosts/git/configuration.nix b/config/hosts/git/configuration.nix
new file mode 100644
index 0000000..0166768
--- /dev/null
+++ b/config/hosts/git/configuration.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+ networking.hostName = "git";
+
+ system.stateVersion = "23.11";
+}
diff --git a/config/hosts/git/default.nix b/config/hosts/git/default.nix
new file mode 100644
index 0000000..e2f517b
--- /dev/null
+++ b/config/hosts/git/default.nix
@@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./configuration.nix
+ ./forgejo.nix
+ ./networking.nix
+ ./nginx.nix
+ ./redis.nix
+ ];
+}
diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix
new file mode 100644
index 0000000..f907552
--- /dev/null
+++ b/config/hosts/git/forgejo.nix
@@ -0,0 +1,73 @@
+# Sources for this configuration:
+# - https://forgejo.org/
+# - https://forgejo.org/docs/latest/
+# - https://forgejo.org/docs/latest/admin/database-preparation/
+# - https://forgejo.org/docs/latest/admin/config-cheat-sheet/
+# - https://forgejo.org/docs/latest/admin/recommendations/
+# - https://codeberg.org/forgejo/forgejo/src/branch/forgejo/docs/content/administration/reverse-proxies.en-us.md
+# - https://forgejo.org/docs/latest/admin/email-setup/
+
+{ ... }:
+
+{
+ services.forgejo = {
+ enable = true;
+ database.type = "postgres";
+ mailerPasswordFile = "/secrets/forgejo-git-smtp-password.secret";
+
+ settings = {
+ DEFAULT = {
+ APP_NAME = "CCCHH Git";
+ };
+ server = {
+ DOMAIN = "git.hamburg.ccc.de";
+ PROTOCOL = "http";
+ HTTP_ADDR = "127.0.0.1";
+ HTTP_PORT = 3000;
+ ROOT_URL = "https://git.hamburg.ccc.de/";
+ # LOCAL_ROOT_URL is apparently what Forgejo uses to access itself.
+ # Doesn't need to be set.
+ };
+ admin = {
+ DISABLE_REGULAR_ORG_CREATION = false;
+ };
+ session = {
+ COOKIE_SECURE = true;
+ };
+ "ui.meta" = {
+ AUTHOR = "CCCHH Git";
+ DESCRIPTION = "Git instance of the CCCHH.";
+ KEYWORDS = "git,forge,forgejo,ccchh";
+ };
+ service = {
+ ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+ DEFAULT_USER_VISIBILITY = "limited";
+ DEFAULT_KEEP_EMAIL_PRIVATE = true;
+ };
+ mailer = {
+ ENABLED = true;
+ FROM = "no-reply@git.hamburg.ccc.de";
+ PROTOCOL = "smtps";
+ SMTP_ADDR = "cow.hamburg.ccc.de";
+ SMTP_PORT = 465;
+ USER = "no-reply@git.hamburg.ccc.de";
+ };
+ cache = {
+ ENABLED = true;
+ ADAPTER = "redis";
+ HOST = "redis+socket:///run/redis-forgejo/redis.sock";
+ };
+ };
+ };
+
+ deployment.keys = {
+ "forgejo-git-smtp-password.secret" = {
+ keyCommand = [ "pass" "noc/vm-secrets/chaosknoten/git/smtp_password" ];
+ destDir = "/secrets";
+ user = "forgejo";
+ group = "forgejo";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ };
+}
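Review bot: The `service` block closes self-registration only indirectly: `ALLOW_ONLY_EXTERNAL_REGISTRATION = true` forces sign-up through a third-party auth source, and no such source is configured anywhere in this commit, so the resulting policy (no public registration, accounts created by an admin) is implied rather than stated. If that is the intent, `DISABLE_REGISTRATION = true;` next to it says so directly and keeps holding if an OAuth2 source is added later; if external sign-up is planned, a comment to that effect saves the next reader the same question. The `LOCAL_ROOT_URL` comment is hedged ("apparently"); as far as I recall it defaults to `PROTOCOL://HTTP_ADDR:HTTP_PORT/`, i.e. the loopback listener configured just above, which is exactly why leaving it unset works here, and `# LOCAL_ROOT_URL defaults to PROTOCOL://HTTP_ADDR:HTTP_PORT/ (the loopback listener above), so it is left unset.` would replace the guess with the reason.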
diff --git a/config/hosts/git/networking.nix b/config/hosts/git/networking.nix
new file mode 100644
index 0000000..088d7ea
--- /dev/null
+++ b/config/hosts/git/networking.nix
@@ -0,0 +1,20 @@
+{ ... }:
+
+{
+ networking.interfaces.net0 = {
+ ipv4.addresses = [
+ {
+ address = "212.12.51.136";
+ prefixLength = 28;
+ }
+ ];
+ };
+ networking.defaultGateway = "212.12.51.129";
+ networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
+ networking.search = [ "hamburg.ccc.de" ];
+
+ systemd.network.links."10-net0" = {
+ matchConfig.MACAddress = "92:7B:E6:12:A4:FA";
+ linkConfig.Name = "net0";
+ };
+}
diff --git a/config/hosts/git/nginx.nix b/config/hosts/git/nginx.nix
new file mode 100644
index 0000000..1dd0aad
--- /dev/null
+++ b/config/hosts/git/nginx.nix
@@ -0,0 +1,41 @@
+# Sources for this configuration:
+# - https://forgejo.org/docs/latest/admin/reverse-proxy/
+
+{ config, pkgs, ... }:
+
+{
+ services.nginx = {
+ enable = true;
+
+ virtualHosts."git.hamburg.ccc.de" = {
+ default = true;
+ forceSSL = true;
+ enableACME = true;
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 443;
+ ssl = true;
+ }
+ ];
+
+ locations."/" = {
+ proxyPass = "${config.services.forgejo.settings.server.PROTOCOL}://${config.services.forgejo.settings.server.HTTP_ADDR}:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}";
+ };
+
+ # Disallow crawling archives to save disk space.
+ # See: https://forgejo.org/docs/latest/admin/search-engines-indexation/
+ locations."/robots.txt" = {
+ return = "200 \"User-agent: *\\nDisallow: /*/*/archive/\\n\"";
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.allowedUDPPorts = [ 443 ];
+}
diff --git a/config/hosts/git/redis.nix b/config/hosts/git/redis.nix
new file mode 100644
index 0000000..f8738df
--- /dev/null
+++ b/config/hosts/git/redis.nix
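Review bot: The `locations."/"` proxy in nginx.nix forwards no client-identifying headers, because `services.nginx.recommendedProxySettings` is not enabled and the location sets none itself, so Forgejo sees every request as coming from 127.0.0.1 and its access log and any later fail2ban or rate-limit rule lose the real address (Forgejo trusts `X-Forwarded-For` from loopback by default, as far as I recall). Adding `recommendedProxySettings = true;` (and `recommendedTlsSettings = true;` for the TLS listener) next to `enable = true;` addresses that. The reverse-proxy documentation linked at the top of the file also raises `client_max_body_size`; with nginx's default of 1M, HTTPS pushes and uploads above that size fail with 413, and `extraConfig = "client_max_body_size 512M;";` in the `/` location matches the documented example. Lastly `allowedUDPPorts = [ 443 ]` opens QUIC/HTTP3 while neither listener enables `quic`/`http3`; dropping that line until HTTP/3 is actually configured keeps the exposed surface to what is served.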
@@ -0,0 +1,16 @@
+# Sources for this configuration:
+# - https://github.com/NixOS/nixpkgs/blob/d45794fd254a7da62cc2d3c4f54a1d65e39760d9/nixos/modules/services/web-apps/nextcloud.nix#L1086
+
+{ ... }:
+
+{
+ services.redis.servers.forgejo = {
+ enable = true;
+ user = "forgejo";
+ };
+
+ systemd.services.forgejo = {
+ after = [ "redis-forgejo.service" ];
+ requires = [ "redis-forgejo.service" ];
+ };
+}
diff --git a/flake.nix b/flake.nix
index 6e7ea64..086c076 100644
--- a/flake.nix
+++ b/flake.nix
@@ -164,6 +164,20 @@
 ./config/hosts/public-web-static
 ];
 };
+
+ git = {
+ deployment = {
+ targetHost = "git.hamburg.ccc.de";
+ targetPort = 22;
+ targetUser = "colmena-deploy";
+ tags = [ "chaosknoten" ];
+ };
+ imports = [
+ ./config/common
+ ./config/proxmox-vm
+ ./config/hosts/git
+ ];
+ };
 };
 packages.x86_64-linux = {
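Review bot: `services.redis.servers.forgejo` sets only `enable` and `user`, so whether this instance listens on TCP at all or only on the `/run/redis-forgejo/redis.sock` socket that forgejo.nix points at rests on the module's defaults for a named server (which, as far as I recall, are port 0 and a mode-0660 socket owned by `user`). Pinning `port = 0;` here with the comment `# Socket only; Forgejo connects via /run/redis-forgejo/redis.sock` makes the no-network intent explicit and survives a change of defaults. Running the server as the `forgejo` user mirrors the referenced nextcloud module, but it means a compromised Forgejo process also owns the Redis data directory and socket; keeping the module's dedicated `redis-forgejo` user and adding `users.users.forgejo.extraGroups = [ "redis-forgejo" ];` instead preserves that separation for one extra line.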