diff --git a/hosts/sakoserver/configuration.nix b/hosts/sakoserver/configuration.nix index 98a581a0..1438b3a1 100644 --- a/hosts/sakoserver/configuration.nix +++ b/hosts/sakoserver/configuration.nix @@ -78,6 +78,18 @@ enable = true; # runner.enable = true; woodpecker.enable = true; + pages = { + enable = true; + settings = { + HOST = "127.0.0.1"; + PORT = "4563"; + ACME_ACCEPT_TERMS = true; + ENABLE_HTTP_SERVER = true; + GITEA_ROOT = "git.sako.lol"; + PAGES_DOMAIN = "pages.sako.lol"; + RAW_DOMAIN = "raw.pages.sako.lol"; + }; + }; }; headscale.enable = true; redlib.enable = true; diff --git a/modules/server/services/forgejo/default.nix b/modules/server/services/forgejo/default.nix index 6f846b20..083a41a4 100644 --- a/modules/server/services/forgejo/default.nix +++ b/modules/server/services/forgejo/default.nix @@ -2,7 +2,7 @@ with lib; let cfg = config.void.server.services.forgejo; in { - imports = [ ./runner.nix ./woodpecker.nix ]; + imports = [ ./runner.nix ./woodpecker.nix ./pages.nix ]; options.void.server.services.forgejo = { enable = mkEnableOption false; }; config = mkIf cfg.enable { diff --git a/modules/server/services/forgejo/pages.nix b/modules/server/services/forgejo/pages.nix new file mode 100644 index 00000000..8947a8ec --- /dev/null +++ b/modules/server/services/forgejo/pages.nix @@ -0,0 +1,137 @@ +# this pr https://github.com/NixOS/nixpkgs/pull/370864 +{ config, pkgs, lib, ... }: +let + inherit (lib) mkIf mkOption mkEnableOption mkPackageOption; + inherit (lib) types; + + cfg = config.void.services.forgjeo.pages; +in { + meta.maintainers = with lib.maintainers; [ NotAShelf ]; + + options = { + void.server.services.pages = { + enable = mkEnableOption "Codeberg pages server"; + package = mkPackageOption pkgs "codeberg-pages" { }; + stateDir = mkOption { + type = types.str; + default = "/var/lib/codeberg-pages"; + description = "Directory in which state will be stored"; + }; + + user = mkOption { + type = types.str; + default = "codeberg-pages"; + description = "User account under which Codeberg Pages will run."; + }; + + group = mkOption { + type = types.str; + default = "codeberg-pages"; + description = "Group under under which Codeberg Pages will run."; + }; + + settings = mkOption { + type = with types; submodule { freeformType = attrsOf str; }; + default = { }; + example = { + ACME_ACCEPT_TERMS = true; + ENABLE_HTTP_SERVER = true; + + GITEA_ROOT = "git.exampledomain.tld"; + }; + + description = '' + Configuration values to be passed to the codeberg pages server + as environment variables. + [pages-server documentation]: https://codeberg.org/Codeberg/pages-server#environment-variables + See [pages-server documentation] for available options. + For sensitive values, prefer using {option}`services.pages-server.environmentFile`. + ''; + }; + + environmentFile = mkOption { + type = with types; nullOr path; + default = null; + example = "/run/secret/pages-server.env"; + description = '' + An environment file as defined in {manpage}`systemd.exec(5)`. + Sensitive information, such as `GITEA_API_TOKEN`, may be passed + to the service without adding them to the world-readable Nix store. + ''; + }; + }; + }; + + config = lib.mkIf cfg.enable { + systemd = { + tmpfiles.rules = + [ "d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -" ]; + + services.codeberg-pages = { + description = "Codeberg Pages Server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + environment = cfg.settings; + serviceConfig = { + Type = "simple"; + User = cfg.user; + Group = cfg.group; + StateDirectory = cfg.stateDir; + WorkingDirectory = cfg.stateDir; + ReadWritePaths = [ cfg.stateDir ]; + ExecStart = "${lib.getExe cfg.package}"; + EnvironmentFile = + lib.optional (cfg.environmentFile != null) cfg.environmentFile; + Restart = "on-failure"; + # Security section directly mimics the one of Forgejo module + # Capabilities + CapabilityBoundingSet = ""; + # Security + NoNewPrivileges = true; + # Sandboxing + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + PrivateUsers = true; + ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + RemoveIPC = true; + PrivateMounts = true; + # System Call Filtering + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" + "setrlimit" + ]; + }; + }; + }; + + users.users = mkIf (cfg.user == "codeberg-pages") { + codeberg-pages = { + home = cfg.stateDir; + useDefaultShell = true; + group = cfg.group; + isSystemUser = true; + }; + }; + + users.groups = + mkIf (cfg.group == "codeberg-pages") { codeberg-pages = { }; }; + + services.nginx.virtualHosts."*.pages.sako.lol" = { + locations."/" = { proxyPass = "http://localhost:4563"; }; + }; + }; +}