| author | seth <[email protected]> | 2023-05-14 13:47:33 -0400 |
|---|---|---|
| committer | seth <[email protected]> | 2023-05-14 13:47:33 -0400 |
| commit | 58e8d3946d4f5420d288f72508bd444b929df8bb (patch) | |
| tree | 49d58fcf71428019a0ecf2a3332e9eb5b8f58aab | |
| parent | 7a85a11d9718739c35e898dbddb46241a4ba48e3 (diff) | |
p-body: start forgejo instance
| -rw-r--r-- | hosts/p-body/default.nix | 1 | ||||
| -rw-r--r-- | hosts/p-body/forgejo.nix | 68 | ||||
| -rw-r--r-- | hosts/p-body/nginx.nix | 35 |
3 files changed, 79 insertions, 25 deletions
diff --git a/hosts/p-body/default.nix b/hosts/p-body/default.nix
index 2892ee7..7005854 100644
--- a/hosts/p-body/default.nix
+++ b/hosts/p-body/default.nix
@@ -7,6 +7,7 @@ }: {
 imports = [
 (modulesPath + "/virtualisation/digital-ocean-image.nix")
+ ./forgejo.nix
 ./nginx.nix
 ];
diff --git a/hosts/p-body/forgejo.nix b/hosts/p-body/forgejo.nix
new file mode 100644
index 0000000..034dd5a
--- /dev/null
+++ b/hosts/p-body/forgejo.nix
@@ -0,0 +1,68 @@
+{
+ config,
+ lib,
+ pkgs,
+ nixpkgsUnstable,
+ ...
+}: let
+ theme = pkgs.fetchzip {
+ url = "https://github.com/catppuccin/gitea/releases/download/v0.2.1/catppuccin-gitea.tar.gz";
+ sha256 = "sha256-HqVLW58lKPn81p3gTSjzkACHSBbmqPqeobAlJMubb8Y=";
+ stripRoot = false;
+ };
+in {
+ users.users.forgejo = {
+ useDefaultShell = true;
+ home = "/var/lib/gitea";
+ group = "gitea";
+ isSystemUser = true;
+ };
+
+ services.gitea = let
+ domain = "git.${config.networking.domain}";
+ in {
+ enable = true;
+ package = (import nixpkgsUnstable {inherit (pkgs) system;}).forgejo;
+ inherit domain;
+ rootUrl = "https://${domain}/";
+ appName = "forgejo: with daddy issues";
+ httpAddress = "127.0.0.1";
+ user = "forgejo";
+ database.user = "forgejo";
+ settings = {
+ indexer.REPO_INDEXER_ENABLED = true;
+ session = {
+ COOKIE_SECURE = true;
+ PROVIDER = "db";
+ SAME_SITE = "strict";
+ };
+
+ service.DISABLE_REGISTRATION = true;
+
+ server = {
+ BUILTIN_SSH_USER = "forgejo";
+ ENABLE_GZIP = true;
+ SSH_AUTHORIZED_KEYS_BACKUP = false;
+ SSH_DOMAIN = domain;
+ };
+
+ ui = {
+ THEMES =
+ builtins.concatStringsSep
+ ","
+ (["auto"]
+ ++ (map (name: lib.removePrefix "theme-" (lib.removeSuffix ".css" name))
+ (builtins.attrNames (builtins.readDir theme))));
+ DEFAULT_THEME = "catppuccin-mocha-pink";
+ };
+ };
+ };
+
+ systemd.services.gitea = {
+ preStart = lib.mkAfter ''
+ rm -rf ${config.services.gitea.stateDir}/custom/public
+ mkdir -p ${config.services.gitea.stateDir}/custom/public
+ ln -sf ${theme} ${config.services.gitea.stateDir}/custom/public/css
+ '';
+ };
+}
diff --git a/hosts/p-body/nginx.nix b/hosts/p-body/nginx.nix
index 58b471c..775bd05 100644
--- a/hosts/p-body/nginx.nix
+++ b/hosts/p-body/nginx.nix
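Review bot: `BUILTIN_SSH_USER = "forgejo"` in the `server` section does not look like a key Gitea/Forgejo reads — the documented setting is, I believe, `BUILTIN_SSH_SERVER_USER`, and it only takes effect when `START_SSH_SERVER` is enabled, which this file does not set, so the key is most likely ignored silently; please confirm against the app.ini reference and either rename it or drop it so the config does not suggest a built-in SSH server is in use. In the `ui` block, `DEFAULT_THEME = "catppuccin-mocha-pink"` is hard-coded while `THEMES` is computed from whatever files the pinned tarball happens to contain, so a renamed upstream stylesheet would make the default fall back without any error; binding the `map … (builtins.attrNames (builtins.readDir theme))` list to `themeNames` in the `let` and adding `assert builtins.elem "catppuccin-mocha-pink" themeNames;` before the body would fail evaluation instead. A short comment on `theme` saying that theme names are derived by stripping the `theme-` prefix and `.css` suffix from the bundle's file names, and that `preStart` recreates `custom/public` on every start (so nothing else should be placed there by hand), would help the next reader.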
@@ -15,36 +15,14 @@ in {
 services.nginx = {
 enable = true;
+ additionalModules = [pkgs.nginxModules.fancyindex];
+ recommendedGzipSettings = true;
 recommendedOptimisation = true;
 recommendedProxySettings = true;
 recommendedTlsSettings = true;
- commonHttpConfig = ''
-
- # Add HSTS header with preloading to HTTPS requests.
- # Adding this header to HTTP requests is discouraged
- map $scheme $hsts_header {
- https "max-age=31536000; includeSubdomains; preload";
- }
- add_header Strict-Transport-Security $hsts_header;
-
- # Enable CSP for your services.
- add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
-
- # Minimize information leaked to other domains
- add_header 'Referrer-Policy' 'origin-when-cross-origin';
-
- # Disable embedding as a frame
- add_header X-Frame-Options DENY;
-
- # Prevent injection of code in other mime types (XSS Attacks)
- add_header X-Content-Type-Options nosniff;
-
- # Enable XSS protection of the browser.
- # May be unnecessary when CSP is configured properly (see above)
- add_header X-XSS-Protection "1; mode=block";
- '';
+ statusPage = true;
 virtualHosts = let
 mkProxy = endpoint: port: {
@@ -80,6 +58,13 @@ in {
 locations = mkProxy "/" "8080";
 };
+
+ "git.${domain}" = {
+ enableACME = true;
+ serverAliases = ["www.git.${domain}"];
+
+ locations = mkProxy "/" "3000";
+ };
 };
 };
}
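Review bot: The first hunk removes the whole `commonHttpConfig` block, so HSTS, Referrer-Policy, X-Frame-Options and X-Content-Type-Options disappear for every vhost on this host, and nothing in the diff or the commit message replaces them; as far as I can tell none of the `recommended*Settings` options re-add these headers. If the motivation is that `script-src 'self'` in the CSP breaks the Forgejo UI behind the proxy, that justifies dropping the CSP line, not the rest; I would keep the remaining headers as below (X-XSS-Protection is obsolete in current browsers and can stay out) and, if the frame-options header conflicts with the application's own, drop only that one after checking the upstream's response headers. A one-line comment above the block recording that the CSP was removed deliberately for the proxied Forgejo instance would stop the next reader from re-adding it. The enclosing `services.nginx` attribute set starts before the hunk.
```nix
      recommendedTlsSettings = true;
      commonHttpConfig = ''
        # HSTS only on HTTPS responses; sending it on plain HTTP is discouraged.
        map $scheme $hsts_header {
          https "max-age=31536000; includeSubdomains; preload";
        }
        add_header Strict-Transport-Security $hsts_header;
        add_header 'Referrer-Policy' 'origin-when-cross-origin';
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
      '';
      statusPage = true;
      # … unchanged: virtualHosts …
```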
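Review bot: The `git.${domain}` vhost in the second hunk sets `enableACME = true` but no `forceSSL = true` (or `addSSL`/`onlySSL`) is visible, and `mkProxy` only yields `locations`, so unless the `virtualHosts` set is post-processed elsewhere in the file this host may be served over plain HTTP while the Forgejo side (`rootUrl = "https://…"` and `COOKIE_SECURE = true` in `forgejo.nix`) assumes TLS; please confirm and add `forceSSL = true;` next to `enableACME` if so. `serverAliases = ["www.git.${domain}"]` also puts that name on the ACME order, which would fail unless a DNS record for it exists, so drop the alias if the www name is not meant to be served. The `virtualHosts` definition and the enclosing `services.nginx` block start outside this hunk.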
