diff --git a/.forgejo/workflows/demo.yaml b/.forgejo/workflows/demo.yaml
deleted file mode 100644
index 88bd500..0000000
--- a/.forgejo/workflows/demo.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-on: [push]
-jobs:
- test:
- runs-on: ubuntu-latest
- steps:
- - run: echo All Good!
\ No newline at end of file
diff --git a/flake.lock b/flake.lock
index 9f50cd4..8f9720a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -866,11 +866,11 @@
 },
 "nixpkgs_4": {
 "locked": {
- "lastModified": 1712310679,
- "narHash": "sha256-XgC/a/giEeNkhme/AV1ToipoZ/IVm1MV2ntiK4Tm+pw=",
+ "lastModified": 1710695816,
+ "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "72da83d9515b43550436891f538ff41d68eecc7f",
+ "rev": "614b4613980a522ba49f0d194531beddbb7220d3",
 "type": "github"
 },
 "original": {
diff --git a/hosts/phantom/email.nix b/hosts/phantom/email.nix
index 8d3021b..fbe33d7 100644
--- a/hosts/phantom/email.nix
+++ b/hosts/phantom/email.nix
@@ -9,13 +9,21 @@
 mailserver = {
 enable = true;
 fqdn = "mail.lelgenio.xyz";
- domains = [ "lelgenio.xyz" ];
+ domains = [
+ "lelgenio.xyz"
+ "git.lelgenio.xyz"
+ ];
 certificateScheme = "acme-nginx";
+ # Create passwords with
+ # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
 loginAccounts = {
 "lelgenio@lelgenio.xyz" = {
 hashedPassword = "$2y$05$z5s7QCXcs5uTFsfyYpwNJeWzb3RmzgWxNgcPCr0zjSytkLFF/qZmS";
 aliases = [ "postmaster@lelgenio.xyz" ];
 };
+ "noreply@git.lelgenio.xyz" = {
+ hashedPassword = "$2b$05$TmR1R7ZwXfec7yrOfeBL7u3ZtyXf0up5dEO6uMWSvb/O7LPEm.j0.";
+ };
 };
 };
diff --git a/hosts/phantom/forgejo.nix b/hosts/phantom/forgejo.nix
index ca31329..94b7169 100644
--- a/hosts/phantom/forgejo.nix
+++ b/hosts/phantom/forgejo.nix
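Review bot: The `hashedPassword` added for `noreply@git.lelgenio.xyz` in hosts/phantom/email.nix is a bcrypt hash at cost 5 (`$2b$05$`) committed inline, so anyone who can read the repository or the Nix store can run offline guessing against a cheap hash; the existing account carries the same `$05$` cost. The repository already uses agenix, so both hashes could move to `hashedPasswordFile = config.age.secrets.<placeholder-secret-name>.path;` and be regenerated with a higher work factor, with the added comment extended to `mkpasswd -sm bcrypt -R <cost>`. The new account appears to exist only so Forgejo can send mail, so `sendOnly = true;` on it would fit, assuming the mailserver module in use offers that option. The `mailserver` block starts and ends outside the hunk.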
@@ -29,12 +29,28 @@ in
 lfs.enable = true;
 settings = {
 service.DISABLE_REGISTRATION = true;
+ actions = {
+ ENABLED = true;
+ DEFAULT_ACTIONS_URL = "github";
+ };
 server = {
 DOMAIN = "git.lelgenio.xyz";
 HTTP_PORT = 3000;
- ROOT_URL = "${srv.PROTOCOL}://${srv.DOMAIN}/";
- SSH_PORT = 9022;
+ ROOT_URL = "https://${srv.DOMAIN}/";
+ };
+ mailer = {
+ ENABLED = true;
+ SMTP_ADDR = "mail.lelgenio.xyz";
+ FROM = "noreply@git.lelgenio.xyz";
+ USER = "noreply@git.lelgenio.xyz";
 };
 };
+ mailerPasswordFile = config.age.secrets.phantom-forgejo-mailer-password.path;
+ };
+
+ age.secrets.phantom-forgejo-mailer-password = {
+ file = ../../secrets/phantom-forgejo-mailer-password.age;
+ mode = "400";
+ owner = "forgejo";
 };
 }
diff --git a/hosts/phantom/users.nix b/hosts/phantom/users.nix
index 5cc853a..75aee27 100644
--- a/hosts/phantom/users.nix
+++ b/hosts/phantom/users.nix
@@ -2,7 +2,7 @@
 security.rtkit.enable = true;
 services.openssh = {
 enable = true;
- ports = [ 9022 ];
+ ports = [ 9022 22 ];
 settings = {
 PasswordAuthentication = false;
 KbdInteractiveAuthentication = false;
diff --git a/hosts/phantom/vpsadminos.nix b/hosts/phantom/vpsadminos.nix
index 070017e..40401cd 100644
--- a/hosts/phantom/vpsadminos.nix
+++ b/hosts/phantom/vpsadminos.nix
@@ -13,7 +13,8 @@ let
 "1.1.1.1"
 "2606:4700:4700::1111"
 ];
-in {
+in
+{
 networking.nameservers = mkDefault nameservers;
 services.resolved = mkDefault { fallbackDns = nameservers; };
 networking.dhcpcd.extraConfig = "noipv4ll";
@@ -21,7 +22,7 @@ in {
 systemd.services.systemd-sysctl.enable = false;
 systemd.services.systemd-oomd.enable = false;
 systemd.sockets."systemd-journald-audit".enable = false;
- systemd.mounts = [ {where = "/sys/kernel/debug"; enable = false;} ];
+ systemd.mounts = [{ where = "/sys/kernel/debug"; enable = false; }];
 systemd.services.rpc-gssd.enable = false;
 # Due to our restrictions in /sys, the default systemd-udev-trigger fails
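Review bot: The `mailer` block added in hosts/phantom/forgejo.nix authenticates with `USER` and a password file but sets neither `PROTOCOL` nor `SMTP_PORT`, so whether the credential travels over TLS is left to what Forgejo infers from the address and port. Stating it explicitly, for example `PROTOCOL = "smtps"; SMTP_PORT = 465;` (or `smtp+starttls` on 587, whichever the mail host accepts), makes the transport auditable from the config. Separately, `DEFAULT_ACTIONS_URL = "github"` means short `uses:` references are fetched from github.com, and a comment such as `# workflows fetch actions from github.com; pin them by commit SHA` would record that trust decision next to the setting. The enclosing attribute set starts outside the hunk.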
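Review bot: `ports = [ 9022 22 ];` in hosts/phantom/users.nix makes the host's sshd answer on the default port as well, presumably so Forgejo clone URLs work without a port now that `SSH_PORT` is dropped, but nothing in the file says so. I would add a comment like `# 22: git over SSH for Forgejo; 9022: admin access` and, since both ports now reach the same daemon, limit which accounts it accepts (for instance with `AllowUsers` in `settings`). Password and keyboard-interactive authentication are already off in the visible `settings`, which continues past the end of the hunk.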
diff --git a/secrets/phantom-forgejo-mailer-password.age b/secrets/phantom-forgejo-mailer-password.age
new file mode 100644
index 0000000..90fbe73
Binary files /dev/null and b/secrets/phantom-forgejo-mailer-password.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 9bc7c27..9a5fe2b 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -10,4 +10,5 @@ in
 "phantom-nextcloud.age".publicKeys = [ main_ssh_public_key ];
 "phantom-writefreely.age".publicKeys = [ main_ssh_public_key ];
 "phantom-renawiki.age".publicKeys = [ main_ssh_public_key ];
+ "phantom-forgejo-mailer-password.age".publicKeys = [ main_ssh_public_key ];
 }
diff --git a/switch-phantom b/switch-phantom
new file mode 100755
index 0000000..c824b0c
--- /dev/null
+++ b/switch-phantom
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+nix fmt
+
+git diff
+
+nixos-rebuild switch --flake .#phantom \
+ --update-input nixpkgs \
+ --no-write-lock-file \
+ --build-host phantom \
+ --target-host phantom \
+ "$@"
diff --git a/system/secrets.nix b/system/secrets.nix
index 0d0870b..22c5d14 100644
--- a/system/secrets.nix
+++ b/system/secrets.nix
@@ -10,5 +10,7 @@
 ../secrets/rainbow-gitlab-runner-thoreb-itinerario-registrationConfigFile.age;
 secrets.monolith-nix-serve-privkey.file =
 ../secrets/monolith-nix-serve-privkey.age;
+ secrets.phantom-forgejo-mailer-password.file =
+ ../secrets/phantom-forgejo-mailer-password.age;
 };
 }
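Review bot: The new switch-phantom script has no `set -e`, so a failing `nix fmt` does not stop it and `nixos-rebuild switch` still runs against the target host; add `set -eu` directly after the shebang. `--update-input nixpkgs` combined with `--no-write-lock-file` also deploys whatever nixpkgs revision is current at run time without recording it in flake.lock, so the running system cannot be traced back to a commit. Updating the lock in a separate, committed step and deploying from the lock would keep deployments reproducible and reviewable. `git diff` only prints the pending changes; the deploy proceeds without any confirmation after it.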
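Review bot: `secrets.phantom-forgejo-mailer-password.file` is declared in system/secrets.nix as well as in hosts/phantom/forgejo.nix, which already sets `file`, `mode` and `owner` for the same secret. If system/secrets.nix is imported by hosts other than phantom (the neighbouring `rainbow-` and `monolith-` entries suggest it is shared), the declaration belongs only in the host module so other machines do not carry a definition for a secret they never use. The enclosing attribute set starts outside the hunk.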