-rw-r--r--hosts/p-body/default.nix1
-rw-r--r--hosts/p-body/forgejo.nix68
-rw-r--r--hosts/p-body/nginx.nix35
3 files changed, 79 insertions, 25 deletions
diff --git a/hosts/p-body/default.nix b/hosts/p-body/default.nix
index 2892ee7..7005854 100644
--- a/hosts/p-body/default.nix
+++ b/hosts/p-body/default.nix
@@ -7,6 +7,7 @@
}: {
imports = [
(modulesPath + "/virtualisation/digital-ocean-image.nix")
+ ./forgejo.nix
./nginx.nix
];
diff --git a/hosts/p-body/forgejo.nix b/hosts/p-body/forgejo.nix
new file mode 100644
index 0000000..034dd5a
--- /dev/null
+++ b/hosts/p-body/forgejo.nix
@@ -0,0 +1,68 @@
+{
+ config,
+ lib,
+ pkgs,
+ nixpkgsUnstable,
+ ...
+}: let
+ theme = pkgs.fetchzip {
+ url = "https://github.com/catppuccin/gitea/releases/download/v0.2.1/catppuccin-gitea.tar.gz";
+ sha256 = "sha256-HqVLW58lKPn81p3gTSjzkACHSBbmqPqeobAlJMubb8Y=";
+ stripRoot = false;
+ };
+in {
+ users.users.forgejo = {
+ useDefaultShell = true;
+ home = "/var/lib/gitea";
+ group = "gitea";
+ isSystemUser = true;
+ };
+
+ services.gitea = let
+ domain = "git.${config.networking.domain}";
+ in {
+ enable = true;
+ package = (import nixpkgsUnstable {inherit (pkgs) system;}).forgejo;
+ inherit domain;
+ rootUrl = "https://${domain}/";
+ appName = "forgejo: with daddy issues";
+ httpAddress = "127.0.0.1";
+ user = "forgejo";
+ database.user = "forgejo";
+ settings = {
+ indexer.REPO_INDEXER_ENABLED = true;
+ session = {
+ COOKIE_SECURE = true;
+ PROVIDER = "db";
+ SAME_SITE = "strict";
+ };
+
+ service.DISABLE_REGISTRATION = true;
+
+ server = {
+ BUILTIN_SSH_USER = "forgejo";
+ ENABLE_GZIP = true;
+ SSH_AUTHORIZED_KEYS_BACKUP = false;
+ SSH_DOMAIN = domain;
+ };
+
+ ui = {
+ THEMES =
+ builtins.concatStringsSep
+ ","
+ (["auto"]
+ ++ (map (name: lib.removePrefix "theme-" (lib.removeSuffix ".css" name))
+ (builtins.attrNames (builtins.readDir theme))));
+ DEFAULT_THEME = "catppuccin-mocha-pink";
+ };
+ };
+ };
+
+ systemd.services.gitea = {
+ preStart = lib.mkAfter ''
+ rm -rf ${config.services.gitea.stateDir}/custom/public
+ mkdir -p ${config.services.gitea.stateDir}/custom/public
+ ln -sf ${theme} ${config.services.gitea.stateDir}/custom/public/css
+ '';
+ };
+}
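Review bot: The `preStart` at the end of this file wipes the whole `custom/public` tree on every service start, so anything else an operator drops there (a custom logo, robots.txt, extra static assets) is silently destroyed instead of just the theme symlink being refreshed; narrowing it to `rm -rf ${config.services.gitea.stateDir}/custom/public/css` ahead of the existing `mkdir -p`/`ln -sf` keeps the idempotent refresh without the collateral wipe. `BUILTIN_SSH_USER` under `server` does not look like a documented Gitea/Forgejo key (the app.ini reference lists `SSH_USER` and `BUILTIN_SSH_SERVER_USER`); unknown keys are accepted without error, so verify it against the reference for the pinned unstable package, otherwise this line is a no-op and clone URLs fall back to the run user. The theme being pinned by `sha256` is the right call for a third-party asset fetched at build time. A why-comment on the `users.users.forgejo` block would also help, since `useDefaultShell = true` is unusual for a system user, e.g. `# NOTE(review): presumably needs a real shell so sshd can run the forgejo serv command from the managed authorized_keys — confirm`.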
diff --git a/hosts/p-body/nginx.nix b/hosts/p-body/nginx.nix
index 58b471c..775bd05 100644
--- a/hosts/p-body/nginx.nix
+++ b/hosts/p-body/nginx.nix
@@ -15,36 +15,14 @@ in {
services.nginx = {
enable = true;
+ additionalModules = [pkgs.nginxModules.fancyindex];
+
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
- commonHttpConfig = ''
-
- # Add HSTS header with preloading to HTTPS requests.
- # Adding this header to HTTP requests is discouraged
- map $scheme $hsts_header {
- https "max-age=31536000; includeSubdomains; preload";
- }
- add_header Strict-Transport-Security $hsts_header;
-
- # Enable CSP for your services.
- add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
-
- # Minimize information leaked to other domains
- add_header 'Referrer-Policy' 'origin-when-cross-origin';
-
- # Disable embedding as a frame
- add_header X-Frame-Options DENY;
-
- # Prevent injection of code in other mime types (XSS Attacks)
- add_header X-Content-Type-Options nosniff;
-
- # Enable XSS protection of the browser.
- # May be unnecessary when CSP is configured properly (see above)
- add_header X-XSS-Protection "1; mode=block";
- '';
+ statusPage = true;
virtualHosts = let
mkProxy = endpoint: port: {
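Review bot: Removing `commonHttpConfig` drops HSTS, `X-Content-Type-Options: nosniff`, `Referrer-Policy` and `X-Frame-Options` for every vhost, not just the CSP; `recommendedTlsSettings` does not add HSTS back, so after this hunk the downgrade and MIME-sniffing protections are gone from all the proxied services. If the `script-src 'self'` CSP is what the new Forgejo vhost could not live with, drop only that line and keep the rest, as in the excerpt below, with `always` so the headers also reach error responses. `X-Frame-Options` can reasonably be left to the backend if Forgejo sets its own, which I believe it does by default, but confirm before relying on it. Note that `add_header` in the `http` context is inherited only by locations that set no headers of their own; that caveat deserves a one-line comment next to the block. `mkProxy`'s body continues outside the hunk.
```nix
recommendedTlsSettings = true;
# NOTE(review): presumably only the CSP broke Forgejo; the remaining headers are kept.
# add_header in the http context is NOT inherited by locations that add their own headers.
commonHttpConfig = ''
  map $scheme $hsts_header {
    https "max-age=31536000; includeSubdomains; preload";
  }
  add_header Strict-Transport-Security $hsts_header always;
  add_header Referrer-Policy 'origin-when-cross-origin' always;
  add_header X-Content-Type-Options nosniff always;
'';
statusPage = true;
```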
@@ -80,6 +58,13 @@ in {
locations = mkProxy "/" "8080";
};
+
+ "git.${domain}" = {
+ enableACME = true;
+ serverAliases = ["www.git.${domain}"];
+
+ locations = mkProxy "/" "3000";
+ };
};
};
}
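Review bot: The new `git.${domain}` vhost sets `enableACME = true;` but neither `forceSSL` nor `addSSL`, so unless the sibling vhosts above the hunk rely on a default I cannot see, nginx obtains a certificate for this host yet only listens on port 80 for it; with `rootUrl = "https://…"` and `COOKIE_SECURE = true` on the Forgejo side, logins would then either fail or travel in the clear. Add `forceSSL = true;` next to `enableACME` so plain HTTP is redirected. The backend port `"3000"` is Forgejo's default `HTTP_PORT` written as a literal rather than taken from the service config; `mkProxy "/" (toString config.services.gitea.httpPort)` keeps the two coupled, provided `config` is in scope here (the file header is outside the hunk).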