Diffstat (limited to 'machines/nixos/x86_64-linux')
5 files changed, 105 insertions, 44 deletions
diff --git a/machines/nixos/x86_64-linux/do-rproxy/profiles/caddy.nix b/machines/nixos/x86_64-linux/do-rproxy/profiles/caddy.nix index 7fab370..d426a53 100644 --- a/machines/nixos/x86_64-linux/do-rproxy/profiles/caddy.nix +++ b/machines/nixos/x86_64-linux/do-rproxy/profiles/caddy.nix @@ -16,6 +16,13 @@ reloadServices = [ "caddy.service" ]; credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-caddy".path; }; + "id.fcuny.net" = { + domain = "id.fcuny.net"; + dnsProvider = "cloudflare"; + dnsResolver = "1.1.1.1"; + reloadServices = [ "caddy.service" ]; + credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-caddy".path; + }; }; }; @@ -39,6 +46,13 @@ reverse_proxy 10.100.0.40:3000 ''; }; + auth = { + hostName = "id.fcuny.net"; + useACMEHost = "id.fcuny.net"; + extraConfig = '' + reverse_proxy 10.100.0.40:8080 + ''; + }; }; }; } diff --git a/machines/nixos/x86_64-linux/synology-vm/default.nix b/machines/nixos/x86_64-linux/synology-vm/default.nix index 028905b..2da20c3 100644 --- a/machines/nixos/x86_64-linux/synology-vm/default.nix +++ b/machines/nixos/x86_64-linux/synology-vm/default.nix @@ -35,8 +35,8 @@ "${self}/profiles/network/firewall.nix" "${self}/profiles/services/podman.nix" "${self}/profiles/programs/fish.nix" - ./profiles/git-server.nix ./profiles/forgejo.nix + ./profiles/keycloak.nix ]; boot.loader.efi.canTouchEfiVariables = true; diff --git a/machines/nixos/x86_64-linux/synology-vm/profiles/forgejo.nix b/machines/nixos/x86_64-linux/synology-vm/profiles/forgejo.nix index b9dac30..a323981 100644 --- a/machines/nixos/x86_64-linux/synology-vm/profiles/forgejo.nix +++ b/machines/nixos/x86_64-linux/synology-vm/profiles/forgejo.nix 
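Review bot: The new `auth` vhost forwards every path of id.fcuny.net to Keycloak, so the admin console (`/admin/*`) and the master-realm login page become reachable from the Internet through the public reverse proxy; unless that is intended, block it at the edge with `@admin path /admin /admin/*` and `respond @admin 403` placed before the `reverse_proxy 10.100.0.40:8080` line, and use the console over the internal network only. The upstream hop is plain HTTP (the keycloak profile in this same commit sets `http-enabled = true`); if 10.100.0.0/24 is a WireGuard or similar tunnel that is acceptable, but it deserves a comment such as `# plaintext upstream: 10.100.0.0/24 is the VPN-only network`. Caddy's `reverse_proxy` already sets the X-Forwarded-* headers that Keycloak's `proxy-headers = "xforwarded"` relies on, so nothing further is needed on this side for that. The enclosing `virtualHosts` attribute set starts before and ends after this hunk.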
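Review bot: Dropping `./profiles/git-server.nix` from the imports also removes the `my.modules.backups` entries for `/var/lib/gitolite` that the deleted profile carried, while the repositories and the gitolite-admin repo stay on disk with no service in front of them and no backup; if they have not all been imported into Forgejo yet, keep a one-off backup path until that is confirmed, then remove the directory deliberately. With NixOS's default `users.mutableUsers = true` the declaratively created `git` user is, as far as I recall, removed on the next activation, which can leave those files owned by a dangling uid. A one-line comment next to the forgejo import, e.g. `# gitolite retired in favour of forgejo; /var/lib/gitolite still needs manual cleanup`, would record that state for the next person.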
@@ -1,23 +1,92 @@ -{ ... }: +{ self, config, ... }: { + age.secrets.forgejo-fastmail = { + file = "${self}/secrets/forgejo-fastmail.age"; + }; + services.forgejo = { enable = true; database.type = "postgres"; lfs.enable = false; + secrets = { + mailer.PASSWD = config.age.secrets.forgejo-fastmail.path; + }; settings = { - session.COOKIE_SECURE = true; + DEFAULT.APP_NAME = "¯\\_(ツ)_/¯"; + session = { + COOKIE_SECURE = true; + PROVIDER = "db"; + PROVIDER_CONFIG = ""; + SESSION_LIFE_TIME = 86400 * 5; + }; server = { DOMAIN = "code.fcuny.net"; ROOT_URL = "https://code.fcuny.net"; HTTP_PORT = 3000; HTTP_ADDR = "10.100.0.40"; + LANDING_PAGE = "explore"; + }; + mailer = { + ENABLED = true; + PROTOCOL = "smtp+starttls"; + FROM = "code <forgejo@code.fcuny.net>"; + USER = "franck@fcuny.net"; + SMTP_ADDR = "smtp.fastmail.com"; }; metrics = { ENABLED = true; ENABLED_ISSUE_BY_LABEL = true; ENABLED_ISSUE_BY_REPOSITORY = true; }; - service.DISABLE_REGISTRATION = true; + service = { + REGISTER_EMAIL_CONFIRM = true; + DISABLE_REGISTRATION = true; + ALLOW_ONLY_EXTERNAL_REGISTRATION = false; + SHOW_REGISTRATION_BUTTON = true; + }; + openid = { + ENABLE_OPENID_SIGNIN = true; + ENABLE_OPENID_SIGNUP = true; + }; + oauth2_client = { + REGISTER_EMAIL_CONFIRM = false; + ENABLE_AUTO_REGISTRATION = true; + USERNAME = "preferred_username"; + ACCOUNT_LINKING = "auto"; + }; + repository = { + DEFAULT_PRIVATE = "public"; + DEFAULT_PUSH_CREATE_PRIVATE = true; + ENABLE_PUSH_CREATE_USER = true; + PREFERRED_LICENSES = "GPL-3.0-or-later,MIT"; + DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls"; + DISABLE_STARS = true; # self-hosting so, doesn't make sense + }; + "service.explore" = { + DISABLE_USERS_PAGE = true; + }; + federation = { + ENABLED = true; + }; + ui = { + # To protect privacy of users. 
+ SHOW_USER_EMAIL = false; + }; }; }; + + my.modules.backups = { + local.paths = [ "/var/lib/forgejo" ]; + local.exclude = [ + "/var/lib/forgejo/data/indexers" + "/var/lib/forgejo/data/repo-archive" + "/var/lib/forgejo/data/tmp" + ]; + remote.paths = [ "/var/lib/forgejo" ]; + remote.exclude = [ + "/var/lib/forgejo/data/indexers" + "/var/lib/forgejo/data/repo-archive" + "/var/lib/forgejo/data/tmp" + ]; + }; } diff --git a/machines/nixos/x86_64-linux/synology-vm/profiles/git-server.nix b/machines/nixos/x86_64-linux/synology-vm/profiles/git-server.nix deleted file mode 100644 index 6f523a8..0000000 --- a/machines/nixos/x86_64-linux/synology-vm/profiles/git-server.nix +++ /dev/null @@ -1,40 +0,0 @@ -{ pkgs, ... }: -{ - services.gitolite = { - enable = true; - adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"; - user = "git"; - group = "git"; - extraGitoliteRc = '' - # Make dirs/files group readable, needed for webserver/cgit. (Default - # setting is 0077.) - $RC{UMASK} = 0027; - $RC{GIT_CONFIG_KEYS} = 'cgit.desc cgit.hide cgit.ignore cgit.owner'; - $RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local"; - push( @{$RC{ENABLE}}, 'symbolic-ref' ); - ''; - }; - - # let's make sure the default branch is `main'. - systemd.tmpfiles.rules = [ - "C /var/lib/gitolite/.gitconfig - git git 0644 ${pkgs.writeText "gitolite-gitconfig" '' - [init] - defaultBranch = main - ''}" - ]; - - my.modules.backups = { - local.paths = [ "/var/lib/gitolite" ]; - local.exclude = [ - "/var/lib/gitolite/.bash_history" - "/var/lib/gitolite/.ssh" - "/var/lib/gitolite/.viminfo" - ]; - remote.paths = [ "/var/lib/gitolite" ]; - remote.exclude = [ - "/var/lib/gitolite/.bash_history" - "/var/lib/gitolite/.ssh" - "/var/lib/gitolite/.viminfo" - ]; - }; -} diff --git a/machines/nixos/x86_64-linux/synology-vm/profiles/keycloak.nix b/machines/nixos/x86_64-linux/synology-vm/profiles/keycloak.nix new file mode 100644 index 0000000..fc1fe2d --- /dev/null 
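Review bot: `oauth2_client.ACCOUNT_LINKING = "auto"` combined with `ENABLE_AUTO_REGISTRATION = true` lets a first-time OAuth login be linked to an existing local account whose username or e-mail matches, without the local password being entered; if anyone other than you can create or edit accounts in the Keycloak realm (self-registration, unverified e-mail, free choice of `preferred_username`), that is an account-takeover path onto any pre-existing Forgejo user, including the admin. Prefer the default `ACCOUNT_LINKING = "login";`, or keep "auto" only if the realm enforces verified e-mails and admin-controlled usernames, and state which in a comment. Separately, the `openid` block enables legacy OpenID 2.0 sign-in and sign-up, which is independent of the Keycloak OIDC source the `oauth2_client` block is for, and `ENABLE_OPENID_SIGNUP = true` appears to allow registration despite `DISABLE_REGISTRATION = true` unless `WHITELISTED_URIS` restricts providers; if OpenID 2.0 is not intended, set `ENABLE_OPENID_SIGNIN = false; ENABLE_OPENID_SIGNUP = false;`. The oauth2 `REGISTER_EMAIL_CONFIRM = false` also bypasses the confirmation that `service.REGISTER_EMAIL_CONFIRM = true` requires, which is only safe if the IdP itself verifies e-mail addresses.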
+++ b/machines/nixos/x86_64-linux/synology-vm/profiles/keycloak.nix
@@ -0,0 +1,18 @@
+{ config, self, ... }:
+{
+ age.secrets.keycloak-db-password = {
+ file = "${self}/secrets/keycloak-db-password.age";
+ };
+
+ services.keycloak = {
+ enable = true;
+ database.passwordFile = config.age.secrets.keycloak-db-password.path;
+ settings = {
+ hostname = "id.fcuny.net";
+ http-host = "10.100.0.40";
+ http-port = 8080;
+ proxy-headers = "xforwarded";
+ http-enabled = true;
+ };
+ };
+} |
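Review bot: `proxy-headers = "xforwarded"` makes Keycloak trust X-Forwarded-For/Proto/Host from whatever connects to 10.100.0.40:8080, and nothing in this profile limits that to the do-rproxy host, so any peer on that network can spoof the client IP seen by brute-force detection and event logs, or the scheme; either firewall port 8080 to the reverse proxy's address or set `proxy-trusted-addresses` (present in recent Keycloak releases; check the version nixpkgs ships) to that address, e.g. `proxy-trusted-addresses = "<rproxy address>";`. The nixpkgs module also creates the temporary admin user from `initialAdminPassword`, which as far as I recall defaults to a well-known value, and this same commit makes id.fcuny.net reachable through the public Caddy host; set a different value or change the password before the vhost goes live, remembering that anything given via `initialAdminPassword` lands in the world-readable Nix store. Consider `hostname-admin` pointing at an internal name so the admin console is not served on the public hostname at all. A short header comment, e.g. `# Keycloak behind do-rproxy (Caddy) over the 10.100.0.0/24 network; only reachable via the proxy`, would document the trust assumption this configuration makes.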
