From d143dbef2197b434edd730a5d3f8795f96947559 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leonardo=20Eug=C3=AAnio?=
Date: Sat, 6 Apr 2024 16:59:44 -0300
Subject: [PATCH 1/8] wip
---
 flake.lock | 6 +++---
 hosts/phantom/default.nix | 1 +
 hosts/phantom/forgejo.nix | 40 ++++++++++++++++++++++++++++++++++++++
 hosts/phantom/mastodon.nix | 1 +
 4 files changed, 45 insertions(+), 3 deletions(-)
 create mode 100644 hosts/phantom/forgejo.nix
diff --git a/flake.lock b/flake.lock
index 8f9720a..9f50cd4 100644
--- a/flake.lock
+++ b/flake.lock
@@ -866,11 +866,11 @@
 },
 "nixpkgs_4": {
 "locked": {
- "lastModified": 1710695816,
- "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
+ "lastModified": 1712310679,
+ "narHash": "sha256-XgC/a/giEeNkhme/AV1ToipoZ/IVm1MV2ntiK4Tm+pw=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "614b4613980a522ba49f0d194531beddbb7220d3",
+ "rev": "72da83d9515b43550436891f538ff41d68eecc7f",
 "type": "github"
 },
 "original": {
diff --git a/hosts/phantom/default.nix b/hosts/phantom/default.nix
index 47b8757..782b783 100644
--- a/hosts/phantom/default.nix
+++ b/hosts/phantom/default.nix
@@ -12,6 +12,7 @@
 ./writefreely.nix
 ./renawiki.nix
 ./email.nix
+ ./forgejo.nix
 ];
 #
 # Enable networking
diff --git a/hosts/phantom/forgejo.nix b/hosts/phantom/forgejo.nix
new file mode 100644
index 0000000..ca31329
--- /dev/null
+++ b/hosts/phantom/forgejo.nix
@@ -0,0 +1,40 @@
+{ lib, pkgs, config, ... }:
+let
+ cfg = config.services.forgejo;
+ srv = cfg.settings.server;
+in
+{
+ services.nginx = {
+ virtualHosts.${cfg.settings.server.DOMAIN} = {
+ forceSSL = true;
+ enableACME = true;
+ extraConfig = ''
+ client_max_body_size 512M;
+ '';
+ locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
+ };
+ };
+
+ services.openssh = {
+ authorizedKeysFiles = [
+ "${config.services.forgejo.stateDir}/.ssh/authorized_keys"
+ ];
+ # Recommended by forgejo: https://forgejo.org/docs/latest/admin/recommendations/#git-over-ssh
+ settings.AcceptEnv = "GIT_PROTOCOL";
+ };
+
+ services.forgejo = {
+ enable = true;
+ database.type = "postgres";
+ lfs.enable = true;
+ settings = {
+ service.DISABLE_REGISTRATION = true;
+ server = {
+ DOMAIN = "git.lelgenio.xyz";
+ HTTP_PORT = 3000;
+ ROOT_URL = "${srv.PROTOCOL}://${srv.DOMAIN}/";
+ SSH_PORT = 9022;
+ };
+ };
+ };
+}
diff --git a/hosts/phantom/mastodon.nix b/hosts/phantom/mastodon.nix
index 3e629d7..adfaf0d 100644
--- a/hosts/phantom/mastodon.nix
+++ b/hosts/phantom/mastodon.nix
@@ -6,5 +6,6 @@
 smtp.fromAddress = "lelgenio@disroot.org";
 streamingProcesses = 2;
 extraConfig.SINGLE_USER_MODE = "true";
+ mediaAutoRemove.olderThanDays = 10;
 };
 }
From 6e207cc20e328e1a41ce5e6d513b967fe4dbffde Mon Sep 17 00:00:00 2001
From: lelgenio
Date: Sat, 6 Apr 2024 17:49:00 -0300
Subject: [PATCH 2/8] Adicionar .forgejo/workflows/demo.yaml
---
 .forgejo/workflows/demo.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 .forgejo/workflows/demo.yaml
diff --git a/.forgejo/workflows/demo.yaml b/.forgejo/workflows/demo.yaml
new file mode 100644
index 0000000..21280bd
--- /dev/null
+++ b/.forgejo/workflows/demo.yaml
@@ -0,0 +1,6 @@
+on: [push]
+jobs:
+ test:
+ runs-on: docker
+ steps:
+ - run: echo All Good
\ No newline at end of file
From 2655e93b8b7c6af6432af75d17fd11e29045eea6 Mon Sep 17 00:00:00 2001
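Review bot: The `authorizedKeysFiles` entry added under `services.openssh` is an absolute path with no `%h`/`%u` token, so sshd consults forgejo's authorized_keys for every account it authenticates, not only the forgejo user; the same lines recur in PATCH 5/8's hosts/phantom/forgejo.nix. Forgejo's entries carry a forced `serv` command and key restrictions, which limits what such a key can do, but the key would still be accepted when presented for other local users unless the file is scoped. If the forgejo user's home is the state directory, the stock `%h/.ssh/authorized_keys` entry may already cover it; otherwise scope it with a `Match User forgejo` block in `services.openssh.extraConfig` carrying `AuthorizedKeysFile ${config.services.forgejo.stateDir}/.ssh/authorized_keys` instead of the global list. If the global entry is kept, a one-line comment stating why it is required would help the next reader.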
From: lelgenio
Date: Sat, 6 Apr 2024 17:49:45 -0300
Subject: [PATCH 3/8] Atualizar .forgejo/workflows/demo.yaml
---
 .forgejo/workflows/demo.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.forgejo/workflows/demo.yaml b/.forgejo/workflows/demo.yaml
index 21280bd..e883d77 100644
--- a/.forgejo/workflows/demo.yaml
+++ b/.forgejo/workflows/demo.yaml
@@ -1,6 +1,6 @@
 on: [push]
 jobs:
 test:
- runs-on: docker
+ runs-on: ubuntu-latest
 steps:
 - run: echo All Good
\ No newline at end of file
From 0d80bd1b6d7d85b4ce3672716468325c299fe9e6 Mon Sep 17 00:00:00 2001
From: lelgenio
Date: Sat, 6 Apr 2024 20:31:46 -0300
Subject: [PATCH 4/8] Atualizar .forgejo/workflows/demo.yaml
---
 .forgejo/workflows/demo.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.forgejo/workflows/demo.yaml b/.forgejo/workflows/demo.yaml
index e883d77..6c0609d 100644
--- a/.forgejo/workflows/demo.yaml
+++ b/.forgejo/workflows/demo.yaml
@@ -3,4 +3,4 @@ jobs:
 test:
 runs-on: ubuntu-latest
 steps:
- - run: echo All Good
\ No newline at end of file
+ - run: echo All Good, or is it?; false
\ No newline at end of file
From 5edca9c2c6de8fb069a108c7edf105b15e16fef8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leonardo=20Eug=C3=AAnio?=
Date: Sat, 6 Apr 2024 20:38:35 -0300
Subject: [PATCH 5/8] phandom: add forgejo server
---
 hosts/phantom/default.nix | 1 +
 hosts/phantom/email.nix | 10 +++-
 hosts/phantom/forgejo.nix | 56 ++++++++++++++++++++
 hosts/phantom/users.nix | 2 +-
 secrets/phantom-forgejo-mailer-password.age | Bin 0 -> 678 bytes
 secrets/secrets.nix | 1 +
 system/secrets.nix | 2 +
 7 files changed, 70 insertions(+), 2 deletions(-)
 create mode 100644 hosts/phantom/forgejo.nix
 create mode 100644 secrets/phantom-forgejo-mailer-password.age
diff --git a/hosts/phantom/default.nix b/hosts/phantom/default.nix
index 47b8757..782b783 100644
--- a/hosts/phantom/default.nix
+++ b/hosts/phantom/default.nix
@@ -12,6 +12,7 @@
 ./writefreely.nix
 ./renawiki.nix
 ./email.nix
+ ./forgejo.nix
 ];
 #
 # Enable networking
diff --git a/hosts/phantom/email.nix b/hosts/phantom/email.nix
index 8d3021b..fbe33d7 100644
--- a/hosts/phantom/email.nix
+++ b/hosts/phantom/email.nix
@@ -9,13 +9,21 @@
 mailserver = {
 enable = true;
 fqdn = "mail.lelgenio.xyz";
- domains = [ "lelgenio.xyz" ];
+ domains = [
+ "lelgenio.xyz"
+ "git.lelgenio.xyz"
+ ];
 certificateScheme = "acme-nginx";
+ # Create passwords with
+ # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
 loginAccounts = {
 "lelgenio@lelgenio.xyz" = {
 hashedPassword = "$2y$05$z5s7QCXcs5uTFsfyYpwNJeWzb3RmzgWxNgcPCr0zjSytkLFF/qZmS";
 aliases = [ "postmaster@lelgenio.xyz" ];
 };
+ "noreply@git.lelgenio.xyz" = {
+ hashedPassword = "$2b$05$TmR1R7ZwXfec7yrOfeBL7u3ZtyXf0up5dEO6uMWSvb/O7LPEm.j0.";
+ };
 };
 };
diff --git a/hosts/phantom/forgejo.nix b/hosts/phantom/forgejo.nix
new file mode 100644
index 0000000..94b7169
--- /dev/null
+++ b/hosts/phantom/forgejo.nix
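Review bot: Both bcrypt hashes in `loginAccounts` use cost factor 05 (`$2y$05$…` and the new `$2b$05$…`), which is 2^5 rounds and well below the commonly used 10–12; because the hashes are committed to the repository, that cost is all that stands between a reader of the repo and the noreply SMTP credential in an offline guess. The new comment documents `mkpasswd -sm bcrypt`, whose default appears to produce exactly this cost; changing it to `# nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt -R 12'` and regenerating the noreply hash would raise the work factor without touching anything else. Adding `git.lelgenio.xyz` to `domains` also makes the mailserver accept mail for that domain, which should be confirmed as intended rather than only needed for sending.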
@@ -0,0 +1,56 @@
+{ lib, pkgs, config, ... }:
+let
+ cfg = config.services.forgejo;
+ srv = cfg.settings.server;
+in
+{
+ services.nginx = {
+ virtualHosts.${cfg.settings.server.DOMAIN} = {
+ forceSSL = true;
+ enableACME = true;
+ extraConfig = ''
+ client_max_body_size 512M;
+ '';
+ locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
+ };
+ };
+
+ services.openssh = {
+ authorizedKeysFiles = [
+ "${config.services.forgejo.stateDir}/.ssh/authorized_keys"
+ ];
+ # Recommended by forgejo: https://forgejo.org/docs/latest/admin/recommendations/#git-over-ssh
+ settings.AcceptEnv = "GIT_PROTOCOL";
+ };
+
+ services.forgejo = {
+ enable = true;
+ database.type = "postgres";
+ lfs.enable = true;
+ settings = {
+ service.DISABLE_REGISTRATION = true;
+ actions = {
+ ENABLED = true;
+ DEFAULT_ACTIONS_URL = "github";
+ };
+ server = {
+ DOMAIN = "git.lelgenio.xyz";
+ HTTP_PORT = 3000;
+ ROOT_URL = "https://${srv.DOMAIN}/";
+ };
+ mailer = {
+ ENABLED = true;
+ SMTP_ADDR = "mail.lelgenio.xyz";
+ FROM = "noreply@git.lelgenio.xyz";
+ USER = "noreply@git.lelgenio.xyz";
+ };
+ };
+ mailerPasswordFile = config.age.secrets.phantom-forgejo-mailer-password.path;
+ };
+
+ age.secrets.phantom-forgejo-mailer-password = {
+ file = ../../secrets/phantom-forgejo-mailer-password.age;
+ mode = "400";
+ owner = "forgejo";
+ };
+}
diff --git a/hosts/phantom/users.nix b/hosts/phantom/users.nix
index 5cc853a..75aee27 100644
--- a/hosts/phantom/users.nix
+++ b/hosts/phantom/users.nix
@@ -2,7 +2,7 @@
 security.rtkit.enable = true;
 services.openssh = {
 enable = true;
- ports = [ 9022 ];
+ ports = [ 9022 22 ];
 settings = {
 PasswordAuthentication = false;
 KbdInteractiveAuthentication = false;
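Review bot: The `mailer` block sets `SMTP_ADDR`, `FROM` and `USER` but neither `PROTOCOL` nor `SMTP_PORT`, so whether the noreply credential and outgoing mail travel over TLS depends on Forgejo's auto-detection defaults rather than on this configuration. Making the transport explicit, e.g. `PROTOCOL = "smtps";` with `SMTP_PORT = 465;` (or `smtp+starttls` with 587, whichever the mailserver in email.nix exposes), removes that dependency and documents the intent; a short comment above the block naming the chosen transport would help too. The `age.secrets` entry with mode 400 and owner forgejo combined with `mailerPasswordFile` is the right way to keep the password out of the Nix store.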
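Review bot: Adding 22 to `ports` exposes the same sshd that serves admin logins on the default port, presumably so git clone URLs need no custom port now that this version of forgejo.nix, unlike PATCH 1/8's, sets no `SSH_PORT`. Password authentication is already off in the visible context, so the new listener is key-only, but if port 22 is meant only for git it can be limited to the forgejo account with `Match LocalPort 22` / `  AllowUsers forgejo` in `services.openssh.extraConfig`, keeping interactive access on 9022. A comment on the `ports` line stating that 22 is there for Forgejo would make the intent clear to the next reader.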
diff --git a/secrets/phantom-forgejo-mailer-password.age b/secrets/phantom-forgejo-mailer-password.age new file mode 100644 index 0000000000000000000000000000000000000000..90fbe735e74103886baaf56a7bef66d16e8233ab GIT binary patch literal 678 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!*`Do#{zDlf0_Nau2MH1kaM@bJw@ z)VDDAur#W2_VCJd3(_|UDlsw-4U901a?ZnDN0JO^zy0TN)5CuHcStwu=MiI%+RikbW6#~@N|jtFb+s@)6OW)$_Vo` zt+4d3aL$QxiS)>c@HES}wA9Z}^>Po-bu16d;fe~$GssB_H}S}EDRDOOF7x$BjkGMv zcCJkH4Nh@R4{>vka4R)SNvkOJjIyZ8cCs)u@Cm92N-;?C3y*O3N#Y9iGpO=1j0iEQ z$}G$b2`)4>F)DM;%5w@7mf4KyxuD)KH1NlWrGHTDYf z%gyFW@(N2zEe#LJjB=^)Pc1SIcghWL4$Zglj!dnnFiy_Q^zpCA3^XY*&rb>W^EEf| zjqnU9a5eA_sBkawE-EnPvh?@NPjpKyH%Kz{3Aao(cD2kfa(DKw$TTSR)z|kl_Hywl zFDP^~4)HZE3XdocOp2m_D#+y3<^)PFfH&2HFV|LcK#-FG{c_ Date: Sat, 6 Apr 2024 20:38:46 -0300 Subject: [PATCH 6/8] mastodon: clean up media more often --- hosts/phantom/mastodon.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/phantom/mastodon.nix b/hosts/phantom/mastodon.nix index 3e629d7..adfaf0d 100644 --- a/hosts/phantom/mastodon.nix +++ b/hosts/phantom/mastodon.nix @@ -6,5 +6,6 @@ smtp.fromAddress = "lelgenio@disroot.org"; streamingProcesses = 2; extraConfig.SINGLE_USER_MODE = "true"; + mediaAutoRemove.olderThanDays = 10; }; } From 68a7125822b0d7a2bfd4fd480b69754dbc335922 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leonardo=20Eug=C3=AAnio?= Date: Sat, 6 Apr 2024 20:44:20 -0300 Subject: [PATCH 7/8] phantom: add script to update, fmt --- hosts/phantom/vpsadminos.nix | 5 +++-- switch-phantom | 12 ++++++++++++ 2 files changed, 15 insertions(+), 2 deletions(-) create mode 100755 switch-phantom diff --git a/hosts/phantom/vpsadminos.nix b/hosts/phantom/vpsadminos.nix index 070017e..40401cd 100644 --- a/hosts/phantom/vpsadminos.nix +++ b/hosts/phantom/vpsadminos.nix 
@@ -13,7 +13,8 @@ let
 "1.1.1.1"
 "2606:4700:4700::1111"
 ];
-in {
+in
+{
 networking.nameservers = mkDefault nameservers;
 services.resolved = mkDefault { fallbackDns = nameservers; };
 networking.dhcpcd.extraConfig = "noipv4ll";
@@ -21,7 +22,7 @@ in {
 systemd.services.systemd-sysctl.enable = false;
 systemd.services.systemd-oomd.enable = false;
 systemd.sockets."systemd-journald-audit".enable = false;
- systemd.mounts = [ {where = "/sys/kernel/debug"; enable = false;} ];
+ systemd.mounts = [{ where = "/sys/kernel/debug"; enable = false; }];
 systemd.services.rpc-gssd.enable = false;
 # Due to our restrictions in /sys, the default systemd-udev-trigger fails
diff --git a/switch-phantom b/switch-phantom
new file mode 100755
index 0000000..c824b0c
--- /dev/null
+++ b/switch-phantom
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+nix fmt
+
+git diff
+
+nixos-rebuild switch --flake .#phantom \
+ --update-input nixpkgs \
+ --no-write-lock-file \
+ --build-host phantom \
+ --target-host phantom \
+ "$@"
From 5b963a48c6b2b31a602ebe9b6fc1b72f265903e4 Mon Sep 17 00:00:00 2001
From: lelgenio
Date: Sat, 6 Apr 2024 20:51:33 -0300
Subject: [PATCH 8/8] Atualizar .forgejo/workflows/demo.yaml
---
 .forgejo/workflows/demo.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.forgejo/workflows/demo.yaml b/.forgejo/workflows/demo.yaml
index 6c0609d..88bd500 100644
--- a/.forgejo/workflows/demo.yaml
+++ b/.forgejo/workflows/demo.yaml
@@ -3,4 +3,4 @@ jobs:
 test:
 runs-on: ubuntu-latest
 steps:
- - run: echo All Good, or is it?; false
\ No newline at end of file
+ - run: echo All Good!
\ No newline at end of file
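Review bot: `switch-phantom` has no `set -eu`, so a failing `nix fmt` does not stop the script and `nixos-rebuild switch` still deploys whatever is in the tree; add `set -eu` directly after the `#!/bin/sh` line. Combining `--update-input nixpkgs` with `--no-write-lock-file` also deploys a nixpkgs revision that is never recorded in flake.lock, so the running system cannot be reproduced or audited from the repository alone; consider dropping `--no-write-lock-file` and committing the updated lock, or doing the input update as a separate reviewed step. Note that `git diff` here only prints the formatter's changes and neither stages nor commits them.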