From 5edca9c2c6de8fb069a108c7edf105b15e16fef8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leonardo=20Eug=C3=AAnio?= Date: Sat, 6 Apr 2024 20:38:35 -0300 Subject: [PATCH 1/3] phandom: add forgejo server --- hosts/phantom/default.nix | 1 + hosts/phantom/email.nix | 10 +++- hosts/phantom/forgejo.nix | 56 ++++++++++++++++++++ hosts/phantom/users.nix | 2 +- secrets/phantom-forgejo-mailer-password.age | Bin 0 -> 678 bytes secrets/secrets.nix | 1 + system/secrets.nix | 2 + 7 files changed, 70 insertions(+), 2 deletions(-) create mode 100644 hosts/phantom/forgejo.nix create mode 100644 secrets/phantom-forgejo-mailer-password.age diff --git a/hosts/phantom/default.nix b/hosts/phantom/default.nix index 47b8757..782b783 100644 --- a/hosts/phantom/default.nix +++ b/hosts/phantom/default.nix @@ -12,6 +12,7 @@ ./writefreely.nix ./renawiki.nix ./email.nix + ./forgejo.nix ]; # # Enable networking diff --git a/hosts/phantom/email.nix b/hosts/phantom/email.nix index 8d3021b..fbe33d7 100644 --- a/hosts/phantom/email.nix +++ b/hosts/phantom/email.nix @@ -9,13 +9,21 @@ mailserver = { enable = true; fqdn = "mail.lelgenio.xyz"; - domains = [ "lelgenio.xyz" ]; + domains = [ + "lelgenio.xyz" + "git.lelgenio.xyz" + ]; certificateScheme = "acme-nginx"; + # Create passwords with + # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' loginAccounts = { "lelgenio@lelgenio.xyz" = { hashedPassword = "$2y$05$z5s7QCXcs5uTFsfyYpwNJeWzb3RmzgWxNgcPCr0zjSytkLFF/qZmS"; aliases = [ "postmaster@lelgenio.xyz" ]; }; + "noreply@git.lelgenio.xyz" = { + hashedPassword = "$2b$05$TmR1R7ZwXfec7yrOfeBL7u3ZtyXf0up5dEO6uMWSvb/O7LPEm.j0."; + }; }; }; diff --git a/hosts/phantom/forgejo.nix b/hosts/phantom/forgejo.nix new file mode 100644 index 0000000..94b7169 --- /dev/null +++ b/hosts/phantom/forgejo.nix 
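Review bot: The new `noreply@git.lelgenio.xyz` entry is a full login account with a mailbox, so anything sent to the noreply address is accepted and piles up unread; simple-nixos-mailserver's `sendOnly = true;` on that account makes the server reject inbound mail to it while Forgejo can still authenticate and send through it. The committed hash `$2b$05$…` is bcrypt at cost 5, which is what the suggested `mkpasswd -sm bcrypt` produces by default and is on the low side for a credential that is exercised over the internet-facing submission port; generating it with a higher cost (something like `mkpasswd -sm bcrypt -R 12`) has no runtime cost for a single SMTP login. Adding `git.lelgenio.xyz` to `domains` also makes the server accept inbound mail for that whole domain, presumably only needed so the noreply sender exists — a one-line comment stating that intent would help.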
@@ -0,0 +1,56 @@
+{ lib, pkgs, config, ... }:
+let
+ cfg = config.services.forgejo;
+ srv = cfg.settings.server;
+in
+{
+ services.nginx = {
+ virtualHosts.${cfg.settings.server.DOMAIN} = {
+ forceSSL = true;
+ enableACME = true;
+ extraConfig = ''
+ client_max_body_size 512M;
+ '';
+ locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
+ };
+ };
+
+ services.openssh = {
+ authorizedKeysFiles = [
+ "${config.services.forgejo.stateDir}/.ssh/authorized_keys"
+ ];
+ # Recommended by forgejo: https://forgejo.org/docs/latest/admin/recommendations/#git-over-ssh
+ settings.AcceptEnv = "GIT_PROTOCOL";
+ };
+
+ services.forgejo = {
+ enable = true;
+ database.type = "postgres";
+ lfs.enable = true;
+ settings = {
+ service.DISABLE_REGISTRATION = true;
+ actions = {
+ ENABLED = true;
+ DEFAULT_ACTIONS_URL = "github";
+ };
+ server = {
+ DOMAIN = "git.lelgenio.xyz";
+ HTTP_PORT = 3000;
+ ROOT_URL = "https://${srv.DOMAIN}/";
+ };
+ mailer = {
+ ENABLED = true;
+ SMTP_ADDR = "mail.lelgenio.xyz";
+ FROM = "noreply@git.lelgenio.xyz";
+ USER = "noreply@git.lelgenio.xyz";
+ };
+ };
+ mailerPasswordFile = config.age.secrets.phantom-forgejo-mailer-password.path;
+ };
+
+ age.secrets.phantom-forgejo-mailer-password = {
+ file = ../../secrets/phantom-forgejo-mailer-password.age;
+ mode = "400";
+ owner = "forgejo";
+ };
+}
diff --git a/hosts/phantom/users.nix b/hosts/phantom/users.nix
index 5cc853a..75aee27 100644
--- a/hosts/phantom/users.nix
+++ b/hosts/phantom/users.nix
@@ -2,7 +2,7 @@
 security.rtkit.enable = true;
 services.openssh = {
 enable = true;
- ports = [ 9022 ];
+ ports = [ 9022 22 ];
 settings = {
 PasswordAuthentication = false;
 KbdInteractiveAuthentication = false;
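Review bot: The `mailer` block sets neither `PROTOCOL` nor `SMTP_PORT`, so whether the noreply password travels to mail.lelgenio.xyz under TLS is left to Forgejo's port-inference defaults instead of being stated in the config; pin it next to `SMTP_ADDR`, e.g. `PROTOCOL = "smtps"; SMTP_PORT = 465;` (or `"smtp+starttls"` with 587). Separately, the `authorizedKeysFiles` entry carries no `%u`/`%h` token, so sshd consults the file Forgejo fills with its users' uploaded keys when authenticating every account on the host, not only `forgejo`; as far as I can tell only sshd's StrictModes ownership check stops those keys from being accepted for other users, so either confirm the entry is needed at all (the forgejo user's home is presumably `stateDir`, which the default `%h/.ssh/authorized_keys` already covers) or add a comment explaining why it is global. A short comment on `DEFAULT_ACTIONS_URL = "github"` noting that workflow actions will be fetched from github.com would also help the next reader.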
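Review bot: The reason for opening port 22 alongside the existing 9022 is not stated; presumably it is so Forgejo's default `ssh://git@git.lelgenio.xyz/...` clone URLs work without a custom port, and saying so would stop someone from "cleaning it up" later, e.g. `ports = [ 9022 22 ]; # 22: git-over-ssh for forgejo, 9022: admin`. Since one sshd serves both ports, the admin accounts are now reachable on the default port too; `PasswordAuthentication = false` (visible in the context lines) keeps that key-only, but expect noticeably more scanner noise in the logs. The enclosing `services.openssh` attribute set continues past the end of the hunk.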
diff --git a/secrets/phantom-forgejo-mailer-password.age b/secrets/phantom-forgejo-mailer-password.age new file mode 100644 index 0000000000000000000000000000000000000000..90fbe735e74103886baaf56a7bef66d16e8233ab GIT binary patch literal 678 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!*`Do#{zDlf0_Nau2MH1kaM@bJw@ z)VDDAur#W2_VCJd3(_|UDlsw-4U901a?ZnDN0JO^zy0TN)5CuHcStwu=MiI%+RikbW6#~@N|jtFb+s@)6OW)$_Vo` zt+4d3aL$QxiS)>c@HES}wA9Z}^>Po-bu16d;fe~$GssB_H}S}EDRDOOF7x$BjkGMv zcCJkH4Nh@R4{>vka4R)SNvkOJjIyZ8cCs)u@Cm92N-;?C3y*O3N#Y9iGpO=1j0iEQ z$}G$b2`)4>F)DM;%5w@7mf4KyxuD)KH1NlWrGHTDYf z%gyFW@(N2zEe#LJjB=^)Pc1SIcghWL4$Zglj!dnnFiy_Q^zpCA3^XY*&rb>W^EEf| zjqnU9a5eA_sBkawE-EnPvh?@NPjpKyH%Kz{3Aao(cD2kfa(DKw$TTSR)z|kl_Hywl zFDP^~4)HZE3XdocOp2m_D#+y3<^)PFfH&2HFV|LcK#-FG{c_ Date: Sat, 6 Apr 2024 20:38:46 -0300 Subject: [PATCH 2/3] mastodon: clean up media more often --- hosts/phantom/mastodon.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/phantom/mastodon.nix b/hosts/phantom/mastodon.nix index 3e629d7..adfaf0d 100644 --- a/hosts/phantom/mastodon.nix +++ b/hosts/phantom/mastodon.nix @@ -6,5 +6,6 @@ smtp.fromAddress = "lelgenio@disroot.org"; streamingProcesses = 2; extraConfig.SINGLE_USER_MODE = "true"; + mediaAutoRemove.olderThanDays = 10; }; } From 68a7125822b0d7a2bfd4fd480b69754dbc335922 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leonardo=20Eug=C3=AAnio?= Date: Sat, 6 Apr 2024 20:44:20 -0300 Subject: [PATCH 3/3] phantom: add script to update, fmt --- hosts/phantom/vpsadminos.nix | 5 +++-- switch-phantom | 12 ++++++++++++ 2 files changed, 15 insertions(+), 2 deletions(-) create mode 100755 switch-phantom diff --git a/hosts/phantom/vpsadminos.nix b/hosts/phantom/vpsadminos.nix index 070017e..40401cd 100644 --- a/hosts/phantom/vpsadminos.nix +++ b/hosts/phantom/vpsadminos.nix 
@@ -13,7 +13,8 @@ let "1.1.1.1" "2606:4700:4700::1111" ]; -in { +in +{ networking.nameservers = mkDefault nameservers; services.resolved = mkDefault { fallbackDns = nameservers; }; networking.dhcpcd.extraConfig = "noipv4ll"; @@ -21,7 +22,7 @@ in { systemd.services.systemd-sysctl.enable = false; systemd.services.systemd-oomd.enable = false; systemd.sockets."systemd-journald-audit".enable = false; - systemd.mounts = [ {where = "/sys/kernel/debug"; enable = false;} ]; + systemd.mounts = [{ where = "/sys/kernel/debug"; enable = false; }]; systemd.services.rpc-gssd.enable = false; # Due to our restrictions in /sys, the default systemd-udev-trigger fails diff --git a/switch-phantom b/switch-phantom new file mode 100755 index 0000000..c824b0c --- /dev/null +++ b/switch-phantom @@ -0,0 +1,12 @@ +#!/bin/sh + +nix fmt + +git diff + +nixos-rebuild switch --flake .#phantom \ + --update-input nixpkgs \ + --no-write-lock-file \ + --build-host phantom \ + --target-host phantom \ + "$@"
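Review bot: `--update-input nixpkgs --no-write-lock-file` deploys whatever nixpkgs tip exists at run time and never records that revision, so the system actually running on phantom cannot later be reproduced or audited against the repository's flake.lock; drop `--no-write-lock-file` and commit the updated lock, or make `nix flake update nixpkgs` a separate reviewed step, so the deployed input stays pinned. The script also has no `set -eu`, so a failing `nix fmt` still falls through to the rebuild and `git diff` is printed but never acted on; `set -eu` on the line after the shebang would at least stop on errors. Whether `--target-host phantom` with `switch` has the privileges it needs (root login or `--use-remote-sudo`) cannot be told from here.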