nixos/modules/server/services/forgejo/default.nix

{ config, lib, ... }:
with lib;
let cfg = config.void.server.services.forgejo;
in {
  imports = [ ./runner.nix ./woodpecker.nix ./pages.nix ];
  options.void.server.services.forgejo = { enable = mkEnableOption false; };

  config = mkIf cfg.enable {

    networking.firewall.allowedTCPPorts = [ 22 ];

    services.forgejo = {
      enable = true;
      database.type = "postgres";
      lfs.enable = true;
      settings = {
        DEFAULT = {
          APP_NAME = "void-git";
          APP_SLOGAN = "Now on NixOS!";
        };

        database = {
          DB_TYPE = "postgres";
          HOST = "/run/postgresql";
          NAME = "forgejo";
          USER = "forgejo";
          PASSWD = "forgejo";
        };

        cache = {
          ENABLED = true;
          ADAPTER = "redis";
          HOST = "redis://forgejo@localhost:6371";
        };
        "ui.meta" = {
          AUTHOR = "sako!";
          DESCRIPTION = "Something is happening...";
        };

        service.DISABLE_REGISTRATION = true;

        server = {
          ROOT_URL = "https://git.sako.lol";
          DOMAIN = "git.sako.lol";
          START_SSH_SERVER = true;
          SSH_PORT = 22;
          SSH_LISTEN_PORT = 22;
        };
        session = {
          PROVIDER = "redis";
          PROVIDER_CONFIG = "redis://:forgejo@localhost:6371";
        };
      };
    };
    services.nginx.virtualHosts = {
      "git.sako.lol" = {
        forceSSL = true;
        enableACME = true;
        http3 = true;
        locations."/" = { proxyPass = "http://localhost:3000"; };
      };
    };

    services.fail2ban.jails.forgejo = {
      settings = {
        filter = "forgejo";
        action = "iptables-multiport";
        mode = "aggressive";
        maxretry = 5;
        findtime = 3600;
        bantime = 900;
      };
    };
    security.acme.certs."git.sako.lol" = {
      credentialsFile = "/srv/secrets/porkbun";
      dnsProvider = "porkbun";
      webroot = null;
    };
    environment.etc = {
      "fail2ban/filter.d/forgejo.conf".text = ''
        [Definition]
        failregex = ^.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>$
        journalmatch = _SYSTEMD_UNIT=forgejo.service
      '';
    };
    systemd.services.forgejo = {
      after = [ "postgresql.service" "redis-forgejo.service" ];
      serviceConfig = {
        AmbientCapabilities = lib.mkForce [ "CAP_NET_BIND_SERVICE" ];
        CapabilityBoundingSet = lib.mkForce [ "CAP_NET_BIND_SERVICE" ];
        PrivateUsers = lib.mkForce false;
      };
    };
  };
}
services init 2024-12-31 19:29:21 +04:00			`{ config, lib, ... }:`
			`with lib;`
asdfjkl; 2024-12-31 19:31:15 +04:00			`let cfg = config.void.server.services.forgejo;`
services init 2024-12-31 19:29:21 +04:00			`in {`
codeberg pages test 2025-01-05 15:22:43 +04:00			`imports = [ ./runner.nix ./woodpecker.nix ./pages.nix ];`
tupid 2024-12-31 19:30:47 +04:00			`options.void.server.services.forgejo = { enable = mkEnableOption false; };`
services init 2024-12-31 19:29:21 +04:00
			`config = mkIf cfg.enable {`
allow forgejo ssh port 2025-01-01 15:03:30 +04:00
			`networking.firewall.allowedTCPPorts = [ 22 ];`

services init 2024-12-31 19:29:21 +04:00			`services.forgejo = {`
			`enable = true;`
init forgejo thing 2025-01-01 14:44:26 +04:00			`database.type = "postgres";`
			`lfs.enable = true;`
			`settings = {`
			`DEFAULT = {`
			`APP_NAME = "void-git";`
			`APP_SLOGAN = "Now on NixOS!";`
			`};`
make postgres module 2024-12-31 22:44:37 +04:00
init forgejo thing 2025-01-01 14:44:26 +04:00			`database = {`
			`DB_TYPE = "postgres";`
			`HOST = "/run/postgresql";`
			`NAME = "forgejo";`
			`USER = "forgejo";`
			`PASSWD = "forgejo";`
			`};`

			`cache = {`
			`ENABLED = true;`
			`ADAPTER = "redis";`
			`HOST = "redis://forgejo@localhost:6371";`
			`};`
			`"ui.meta" = {`
			`AUTHOR = "sako!";`
			`DESCRIPTION = "Something is happening...";`
			`};`

im stupid 2025-01-01 14:45:19 +04:00			`service.DISABLE_REGISTRATION = true;`
init forgejo thing 2025-01-01 14:44:26 +04:00
			`server = {`
			`ROOT_URL = "https://git.sako.lol";`
			`DOMAIN = "git.sako.lol";`
			`START_SSH_SERVER = true;`
			`SSH_PORT = 22;`
			`SSH_LISTEN_PORT = 22;`
			`};`
			`session = {`
			`PROVIDER = "redis";`
			`PROVIDER_CONFIG = "redis://:forgejo@localhost:6371";`
			`};`
			`};`
			`};`
			`services.nginx.virtualHosts = {`
			`"git.sako.lol" = {`
			`forceSSL = true;`
			`enableACME = true;`
			`http3 = true;`
			`locations."/" = { proxyPass = "http://localhost:3000"; };`
			`};`
			`};`

			`services.fail2ban.jails.forgejo = {`
			`settings = {`
			`filter = "forgejo";`
its beginning to look alot like christmas 2025-01-01 15:20:35 +04:00			`action = "iptables-multiport";`
init forgejo thing 2025-01-01 14:44:26 +04:00			`mode = "aggressive";`
			`maxretry = 5;`
			`findtime = 3600;`
			`bantime = 900;`
			`};`
			`};`
iscko mode 2025-01-01 14:47:08 +04:00			`security.acme.certs."git.sako.lol" = {`
			`credentialsFile = "/srv/secrets/porkbun";`
			`dnsProvider = "porkbun";`
			`webroot = null;`
			`};`
init forgejo thing 2025-01-01 14:44:26 +04:00			`environment.etc = {`
			`"fail2ban/filter.d/forgejo.conf".text = ''`
			`[Definition]`
			`failregex = ^.(Failed authentication attempt\|invalid credentials\|Attempted access of unknown user). from <HOST>$`
			`journalmatch = _SYSTEMD_UNIT=forgejo.service`
			`'';`
services init 2024-12-31 19:29:21 +04:00			`};`
do something to forgejo service 2025-01-02 14:38:42 +04:00			`systemd.services.forgejo = {`
			`after = [ "postgresql.service" "redis-forgejo.service" ];`
			`serviceConfig = {`
			`AmbientCapabilities = lib.mkForce [ "CAP_NET_BIND_SERVICE" ];`
			`CapabilityBoundingSet = lib.mkForce [ "CAP_NET_BIND_SERVICE" ];`
			`PrivateUsers = lib.mkForce false;`
			`};`
can't bind on port 22 fix 2025-01-01 14:50:47 +04:00			`};`
services init 2024-12-31 19:29:21 +04:00			`};`
			`}`