add forgejo module

Fabian Montero 2025-01-28 15:49:35 -06:00
parent 0473f830f6
commit 95a9b8b751
Signed by: fabian
GPG key ID: 1FFAC35E1798174F
2 changed files with 101 additions and 0 deletions


@ -0,0 +1,10 @@
{
config,
lib,
pkgs,
...
}: {
imports = [
./forgejo
];
}


@ -0,0 +1,91 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.options.trivium.services.forgejo;
in {
options.trivium.services.forgejo = {
enable = mkEnableOption "forgejo settings";
fail2ban = mkOption {
type = types.bool;
default = true;
description = "Enable fail2ban jail for failed authentication attempt, invalid credentials, attempted access of unknown user.";
};
virtualHost = mkOption {
type = types.string;
description = "Virtualhost to use for nginx's reverse proxy. Usually something likge git.<your server>.com";
};
appName = mkOption {
type = types.string;
description = "You guess what this does";
};
disableRegistration = mkOption {
type = types.bool;
default = true;
description = "Turn this off just to create the first admin account.";
};
};
config = mkIf cfg.enable {
environment.etc."fail2ban/filter.d/gitea.local".text = ''
[Definition]
failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
ignoreregex =
'';
services = {
nginx = {
virtualHosts."${cfg.virtualHost}" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
locations."/".proxyPass = "http://localhost:9170";
};
};
fail2ban.jails.gitea.settings = mkIf cfg.fail2ban {
filter = "gitea";
logpath = "${config.services.gitea.stateDir}/log/gitea.log";
maxretry = "10";
findtime = "3600";
bantime = "900";
action = "iptables-allports";
};
forgejo = {
enable = true;
lfs.enable = true;
useWizard = false;
settings = {
general.APP_NAME = "${cfg.appName}";
ui.DEFAULT_THEME = "forgejo-dark";
server = {
DOMAIN = "${cfg.virtualHost}";
ROOT_URL = "https://${cfg.virtualHost}";
HTTP_PORT = 9170;
LANDING_PAGE = "explore";
};
service.DISABLE_REGISTRATION = ${cfg.disableRegistration};
actions = {
ENABLED = true;
};
mailer = {
ENABLED = false;
};
};
};
};
};
}
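Review bot: The fail2ban jail's `logpath` is built from `config.services.gitea.stateDir`, but this module enables `services.forgejo`, so the jail watches Gitea's state directory and would not see Forgejo's failed logins. It should read `logpath = "${config.services.forgejo.stateDir}/log/forgejo.log";`, with the file name confirmed against Forgejo's log settings, which this hunk does not set. Because Forgejo is reached through the nginx proxy on localhost, it is also worth confirming that the logged client address is the real remote address rather than 127.0.0.1, otherwise `<HOST>` in the filter would match the proxy itself. Two other lines look like they fail evaluation before the jail is ever built: `cfg = config.options.trivium.services.forgejo;` should be `cfg = config.trivium.services.forgejo;`, and `service.DISABLE_REGISTRATION = ${cfg.disableRegistration};` uses an antiquotation outside a string and should be `service.DISABLE_REGISTRATION = cfg.disableRegistration;`.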