add forgejo module

2025-01-28 15:49:35 -06:00 · 2025-01-28 15:49:35 -06:00 · cb4b3793a3
commit cb4b3793a3
parent 0473f830f6
3 changed files with 102 additions and 0 deletions
--- a/nixos/default.nix
+++ b/nixos/default.nix
@ -6,5 +6,6 @@
 }: {
  imports = [
    ./trash
+    ./services
  ];
 }
--- a/nixos/services/default.nix
+++ b/nixos/services/default.nix
@ -0,0 +1,10 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  imports = [
+    ./forgejo
+  ];
+}
--- a/nixos/services/forgejo/default.nix
+++ b/nixos/services/forgejo/default.nix
@ -0,0 +1,91 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.options.trivium.services.forgejo;
+in {
+  options.trivium.services.forgejo = {
+    enable = mkEnableOption "forgejo settings";
+
+    fail2ban = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Enable fail2ban jail for failed authentication attempt, invalid credentials, attempted access of unknown user.";
+    };
+
+    virtualHost = mkOption {
+      type = types.string;
+      description = "Virtualhost to use for nginx's reverse proxy. Usually something likge git.<your server>.com";
+    };
+
+    appName = mkOption {
+      type = types.string;
+      description = "You guess what this does";
+    };
+
+    disableRegistration = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Turn this off just to create the first admin account.";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.etc."fail2ban/filter.d/gitea.local".text = ''
+      [Definition]
+      failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+      ignoreregex =
+    '';
+
+    services = {
+      nginx = {
+        virtualHosts."${cfg.virtualHost}" = {
+          enableACME = true;
+          forceSSL = true;
+          extraConfig = ''
+            proxy_headers_hash_max_size 512;
+            proxy_headers_hash_bucket_size 128;
+          '';
+          locations."/".proxyPass = "http://localhost:9170";
+        };
+      };
+
+      fail2ban.jails.gitea.settings = mkIf cfg.fail2ban {
+        filter = "gitea";
+        logpath = "${config.services.gitea.stateDir}/log/gitea.log";
+        maxretry = "10";
+        findtime = "3600";
+        bantime = "900";
+        action = "iptables-allports";
+      };
+
+      forgejo = {
+        enable = true;
+        lfs.enable = true;
+        useWizard = false;
+        settings = {
+          general.APP_NAME = "${cfg.appName}";
+          ui.DEFAULT_THEME = "forgejo-dark";
+          server = {
+            DOMAIN = "${cfg.virtualHost}";
+            ROOT_URL = "https://${cfg.virtualHost}";
+            HTTP_PORT = 9170;
+            LANDING_PAGE = "explore";
+          };
+
+          service.DISABLE_REGISTRATION = ${cfg.disableRegistration};
+
+          actions = {
+            ENABLED = true;
+          };
+          mailer = {
+            ENABLED = false;
+          };
+        };
+      };
+    };
+  };
+}