authorFranck Cuny <franck@fcuny.net>2025-08-12 19:35:22 -0700
committerFranck Cuny <franck@fcuny.net>2025-08-12 19:35:22 -0700
commitae01076a7dd95c79d97c4b05070b1873fd4b7642 (patch)
tree99abe7a1712ce01de92239ebf8af76d7708933e7 /machines/nixos
parentadd a script to apply DNS terraform (diff)
downloadinfra-ae01076a7dd95c79d97c4b05070b1873fd4b7642.tar.gz
initial setup for forgejo and caddy
Diffstat (limited to 'machines/nixos')
-rw-r--r--machines/nixos/x86_64-linux/do-rproxy/default.nix1
-rw-r--r--machines/nixos/x86_64-linux/do-rproxy/home.nix6
-rw-r--r--machines/nixos/x86_64-linux/do-rproxy/profiles/caddy.nix44
-rw-r--r--machines/nixos/x86_64-linux/do-rproxy/secrets.nix3
-rw-r--r--machines/nixos/x86_64-linux/synology-vm/default.nix1
-rw-r--r--machines/nixos/x86_64-linux/synology-vm/profiles/forgejo.nix23
-rw-r--r--machines/nixos/x86_64-linux/synology-vm/secrets.nix6
7 files changed, 78 insertions, 6 deletions
diff --git a/machines/nixos/x86_64-linux/do-rproxy/default.nix b/machines/nixos/x86_64-linux/do-rproxy/default.nix
index eab4a07..d10c656 100644
--- a/machines/nixos/x86_64-linux/do-rproxy/default.nix
+++ b/machines/nixos/x86_64-linux/do-rproxy/default.nix
@@ -39,6 +39,7 @@
"${self}/profiles/network/firewall.nix"
"${self}/profiles/services/podman.nix"
"${self}/profiles/programs/fish.nix"
+ ./profiles/caddy.nix
];
# do not use DHCP, as DigitalOcean provisions IPs using cloud-init
diff --git a/machines/nixos/x86_64-linux/do-rproxy/home.nix b/machines/nixos/x86_64-linux/do-rproxy/home.nix
new file mode 100644
index 0000000..8f0935e
--- /dev/null
+++ b/machines/nixos/x86_64-linux/do-rproxy/home.nix
@@ -0,0 +1,6 @@
+{ self, ... }:
+{
+ imports = [
+ "${self}/home/programs/bat.nix"
+ ];
+}
diff --git a/machines/nixos/x86_64-linux/do-rproxy/profiles/caddy.nix b/machines/nixos/x86_64-linux/do-rproxy/profiles/caddy.nix
new file mode 100644
index 0000000..7fab370
--- /dev/null
+++ b/machines/nixos/x86_64-linux/do-rproxy/profiles/caddy.nix
@@ -0,0 +1,44 @@
+{ config, ... }:
+{
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "franck@fcuny.net";
+ certs = {
+ "code.fcuny.net" = {
+ domain = "code.fcuny.net";
+ dnsProvider = "cloudflare";
+ dnsResolver = "1.1.1.1";
+ reloadServices = [ "caddy.service" ];
+ credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-caddy".path;
+ };
+ };
+ };
+
+ services.caddy = {
+ enable = true;
+ email = "franck@fcuny.net";
+ globalConfig = ''
+ metrics {
+ per_host
+ }
+ admin :2019 {
+ origins 127.0.0.1 10.100.0.0/24
+ }
+ '';
+ virtualHosts = {
+ forgejo = {
+ hostName = "code.fcuny.net";
+ useACMEHost = "code.fcuny.net";
+ extraConfig = ''
+ respond /metrics 403
+ reverse_proxy 10.100.0.40:3000
+ '';
+ };
+ };
+ };
+}
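Review bot: The `admin :2019 { origins 127.0.0.1 10.100.0.0/24 }` block binds the Caddy admin API on every interface, and `origins` is a Host/Origin-header allowlist checked by Caddy, not a network ACL, so any peer that can reach TCP 2019 with a matching Host header can read and replace the running config (it also exposes the `metrics` endpoint enabled above). The public side is only protected because this file opens 80 and 443 and whatever `profiles/network/firewall.nix` (outside this diff) allows; if the admin API is only needed from the 10.100.0.0/24 side, bind it there explicitly, e.g. `admin <WG_ADDR_PLACEHOLDER>:2019 {` with the host's address on that network, or `admin localhost:2019` if remote access is not needed. A one-line comment above the block stating why the admin socket must be reachable from 10.100.0.0/24 would also help the next reader; `reverse_proxy 10.100.0.40:3000` is plain HTTP, which is presumably fine only because that path is the WireGuard network, so note that assumption next to it as well.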
diff --git a/machines/nixos/x86_64-linux/do-rproxy/secrets.nix b/machines/nixos/x86_64-linux/do-rproxy/secrets.nix
index 9116a9f..e2444e2 100644
--- a/machines/nixos/x86_64-linux/do-rproxy/secrets.nix
+++ b/machines/nixos/x86_64-linux/do-rproxy/secrets.nix
@@ -2,6 +2,9 @@
{
age = {
secrets = {
+ cloudflare-caddy = {
+ file = "${self}/secrets/cloudflare-caddy.age";
+ };
wireguard = {
file = "${self}/secrets/do/wireguard.age";
};
diff --git a/machines/nixos/x86_64-linux/synology-vm/default.nix b/machines/nixos/x86_64-linux/synology-vm/default.nix
index 9fc638b..028905b 100644
--- a/machines/nixos/x86_64-linux/synology-vm/default.nix
+++ b/machines/nixos/x86_64-linux/synology-vm/default.nix
@@ -36,6 +36,7 @@
"${self}/profiles/services/podman.nix"
"${self}/profiles/programs/fish.nix"
./profiles/git-server.nix
+ ./profiles/forgejo.nix
];
boot.loader.efi.canTouchEfiVariables = true;
diff --git a/machines/nixos/x86_64-linux/synology-vm/profiles/forgejo.nix b/machines/nixos/x86_64-linux/synology-vm/profiles/forgejo.nix
new file mode 100644
index 0000000..b9dac30
--- /dev/null
+++ b/machines/nixos/x86_64-linux/synology-vm/profiles/forgejo.nix
@@ -0,0 +1,23 @@
+{ ... }:
+{
+ services.forgejo = {
+ enable = true;
+ database.type = "postgres";
+ lfs.enable = false;
+ settings = {
+ session.COOKIE_SECURE = true;
+ server = {
+ DOMAIN = "code.fcuny.net";
+ ROOT_URL = "https://code.fcuny.net";
+ HTTP_PORT = 3000;
+ HTTP_ADDR = "10.100.0.40";
+ };
+ metrics = {
+ ENABLED = true;
+ ENABLED_ISSUE_BY_LABEL = true;
+ ENABLED_ISSUE_BY_REPOSITORY = true;
+ };
+ service.DISABLE_REGISTRATION = true;
+ };
+ };
+}
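Review bot: `metrics.ENABLED = true` without `metrics.TOKEN` leaves Forgejo's own `/metrics` unauthenticated on `10.100.0.40:3000`; the `respond /metrics 403` on the proxy only covers the public hostname, so anything else on that network can still scrape per-repository and per-label issue counts. Supply a token from a secret rather than the Nix store (the NixOS forgejo module appears to accept file-backed values via `services.forgejo.secrets`, which seems to be the intended route; confirm against the module). Separately, with the proxy at a non-loopback address, Forgejo's default `security.REVERSE_PROXY_TRUSTED_PROXIES` (loopback only) means `X-Forwarded-For` from Caddy is ignored and every request is logged as coming from the proxy; add `security.REVERSE_PROXY_TRUSTED_PROXIES = "<PROXY_WG_ADDR_PLACEHOLDER>";` so client addresses and `ROOT_URL` handling reflect the real client.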
diff --git a/machines/nixos/x86_64-linux/synology-vm/secrets.nix b/machines/nixos/x86_64-linux/synology-vm/secrets.nix
index 1b927ae..e323097 100644
--- a/machines/nixos/x86_64-linux/synology-vm/secrets.nix
+++ b/machines/nixos/x86_64-linux/synology-vm/secrets.nix
@@ -8,12 +8,6 @@
restic_password = {
file = "${self}/secrets/restic_password.age";
};
- cloudflared-tunnel = {
- file = "${self}/secrets/cloudflared_cragmont.age";
- };
- cloudflared-cert = {
- file = "${self}/secrets/cloudflared_cert.age";
- };
nas_client_credentials = {
file = "${self}/secrets/nas_client.age";
};