From 18fdce9c161fc6118d09079aa2fc521c94607c28 Mon Sep 17 00:00:00 2001
From: alisceon
Date: Wed, 27 May 2026 22:44:34 +0200
Subject: [PATCH] lgtm ship it

---
 nixos/hosts/alisceon-core/configuration.nix | 180 +++++++++++++++++++-
 1 file changed, 172 insertions(+), 8 deletions(-)

diff --git a/nixos/hosts/alisceon-core/configuration.nix b/nixos/hosts/alisceon-core/configuration.nix
index e53d655..d55944e 100644
--- a/nixos/hosts/alisceon-core/configuration.nix
+++ b/nixos/hosts/alisceon-core/configuration.nix
@@ -1,5 +1,8 @@
 { lib, pkgs, modulesPath, ... }:
 let
+ forgejoDomain = "git.alisceon.com";
+ forgejoRunnerTokenFile = "/var/lib/forgejo/runner_token";
+
 fetchOciAuthorizedKeys = pkgs.writeShellApplication {
 name = "fetch-oci-authorized-keys";
 runtimeInputs = [
@@ -23,6 +26,34 @@ let
 chmod 0600 /home/alisceon/.ssh/authorized_keys
 '';
 };
+
+ generateForgejoRunnerToken = pkgs.writeShellApplication {
+ name = "generate-forgejo-runner-token";
+ runtimeInputs = [
+ pkgs.coreutils
+ pkgs.util-linux
+ ];
+ text = ''
+ token_file=${lib.escapeShellArg forgejoRunnerTokenFile}
+
+ if [ -s "$token_file" ]; then
+ chmod 0600 "$token_file"
+ chown root:root "$token_file"
+ exit 0
+ fi
+
+ install -d -m 0750 -o forgejo -g forgejo /var/lib/forgejo
+ token="$(runuser -u forgejo -- env \
+ FORGEJO_WORK_DIR=/var/lib/forgejo \
+ FORGEJO_CUSTOM=/var/lib/forgejo/custom \
+ ${lib.getExe pkgs.forgejo-lts} actions generate-runner-token)"
+
+ umask 0077
+ printf 'TOKEN=%s\n' "$token" > "$token_file"
+ chown root:root "$token_file"
+ chmod 0600 "$token_file"
+ '';
+ };
 in
 {
 imports = [
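Review bot: In generateForgejoRunnerToken the captured `token` is written to the token file unconditionally, so if `forgejo actions generate-runner-token` exits 0 but prints an empty value (or mixes log output into stdout, which I have not verified for forgejo-lts) the file ends up with a bad `TOKEN=` line, and the `-s` short-circuit at the top of the script then preserves that bad file on every later boot. Add `[ -n "$token" ] || { echo "empty runner token" >&2; exit 1; }` before the `umask 0077` line so a failed generation is retried instead of frozen in place. The root:root 0600 permissions are only correct if the consumer reads the file as root, which I believe the gitea-actions-runner module does via systemd EnvironmentFile; a comment such as `# root:root 0600: the runner unit reads this through systemd EnvironmentFile, not as its service user` would keep a later reader from loosening it. The hard-coded `/var/lib/forgejo` and `/var/lib/forgejo/custom` duplicate what the forgejo module derives from its stateDir and customDir options, so if those are ever changed this script would silently run against a different config.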
@@ -34,25 +65,138 @@ in
 networking = {
 hostName = "alisceon-core";
 networkmanager.enable = lib.mkForce false;
+ firewall.allowedTCPPorts = [
+ 22
+ 80
+ 443
+ ];
 };
 
- boot.initrd.availableKernelModules = [
- "virtio_pci"
- "virtio_blk"
- "virtio_scsi"
- "virtio_net"
- "xhci_pci"
- ];
+ boot = {
+ initrd.availableKernelModules = [
+ "virtio_pci"
+ "virtio_blk"
+ "virtio_scsi"
+ "virtio_net"
+ "xhci_pci"
+ ];
+ loader.systemd-boot.configurationLimit = lib.mkForce 3;
+ };
+
+ nix = {
+ settings = {
+ min-free = lib.mkForce (512 * 1024 * 1024);
+ max-free = lib.mkForce (2 * 1024 * 1024 * 1024);
+ };
+ gc = {
+ dates = lib.mkForce "daily";
+ options = lib.mkForce "--delete-older-than 3d";
+ };
+ };
+
+ virtualisation = {
+ docker.enable = lib.mkForce false;
+ podman = {
+ enable = true;
+ dockerSocket.enable = true;
+ autoPrune = {
+ enable = true;
+ dates = "daily";
+ flags = [ "--all" ];
+ };
+ };
+ };
 
 users.users.alisceon.extraGroups = [ "systemd-journal" ];
 
- security.sudo-rs.wheelNeedsPassword = false;
+ security = {
+ acme = {
+ acceptTerms = true;
+ defaults.email = "acme@alisceon.com";
+ };
+ sudo-rs.wheelNeedsPassword = false;
+ };
 
 services.openssh.settings = {
 PasswordAuthentication = false;
 PermitRootLogin = lib.mkForce "prohibit-password";
 };
 
+ services.forgejo = {
+ enable = true;
+ package = pkgs.forgejo-lts;
+ database.type = "sqlite3";
+ lfs.enable = true;
+ settings = {
+ server = {
+ DOMAIN = forgejoDomain;
+ ROOT_URL = "https://${forgejoDomain}/";
+ HTTP_ADDR = "127.0.0.1";
+ HTTP_PORT = 3000;
+ SSH_DOMAIN = forgejoDomain;
+ SSH_PORT = 22;
+ DISABLE_SSH = false;
+ };
+ session.COOKIE_SECURE = true;
+ service = {
+ DISABLE_REGISTRATION = true;
+ REQUIRE_SIGNIN_VIEW = false;
+ };
+ actions.ENABLED = true;
+ repository = {
+ DEFAULT_PRIVATE = "private";
+ DISABLE_HTTP_GIT = false;
+ };
+ };
+ "cron.archive_cleanup" = {
+ ENABLED = true;
+ RUN_AT_START = true;
+ SCHEDULE = "@every 24h";
+ OLDER_THAN = "72h";
+ };
+ log.LEVEL = "Warn";
+ };
+ };
+
+ services.gitea-actions-runner = {
+ package = pkgs.forgejo-runner;
+ instances.alisceon-core-podman = {
+ enable = true;
+ name = "alisceon-core-podman";
+ url = "https://${forgejoDomain}";
+ tokenFile = forgejoRunnerTokenFile;
+ labels = [
+ "ubuntu-latest:docker://node:22-bookworm"
+ "debian-latest:docker://node:22-bookworm"
+ ];
+ settings = {
+ container = {
+ network = "host";
+ privileged = false;
+ valid_volumes = [ ];
+ };
+ cache.enabled = false;
+ };
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts.${forgejoDomain} = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:3000";
+ recommendedProxySettings = true;
+ };
+ };
+ };
+;
+
 services.cloud-init = {
 enable = true;
 network.enable = true;
@@ -86,8 +230,28 @@ in
 
 systemd.services.fetch-ssh-keys.enable = false;
 
+ systemd.services.forgejo-runner-token = {
+ description = "Generate Forgejo runner registration token";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "forgejo.service" ];
+ requires = [ "forgejo.service" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ StandardError = "journal+console";
+ StandardOutput = "journal+console";
+ };
+ script = lib.getExe generateForgejoRunnerToken;
+ };
+
+ systemd.services."gitea-runner-alisceon\\x2dcore\\x2dpodman" = {
+ after = [ "forgejo-runner-token.service" ];
+ requires = [ "forgejo-runner-token.service" ];
+ };
+
 environment.systemPackages = with pkgs; [
 curl
+ forgejo-lts
 git
 htop
 jq
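Review bot: The `services.forgejo` block closes `settings` one level too early: the `};` that follows `DISABLE_HTTP_GIT = false;` ends `settings`, leaving `"cron.archive_cleanup"` and `log.LEVEL` (app.ini sections, not module options) at the `services.forgejo` level, and the second `};` after `log.LEVEL = "Warn";` then closes the module's own attribute set, so the following `services.gitea-actions-runner = {` is a parse error and the file cannot evaluate. Deleting that single `};` after the repository block fixes both problems, because cron.archive_cleanup and log.LEVEL land inside `settings` and the brace count balances. The lone `+;` after the nginx block is a second parse error and should be deleted as well. Separately, `container.network = "host"` gives every workflow job the host's network namespace, which includes the loopback-bound Forgejo on 127.0.0.1:3000 that nginx and TLS are otherwise fronting; unless host networking is needed for something specific, the default per-job network is the safer choice, and the reason deserves a comment either way.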
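Review bot: The override of `systemd.services."gitea-runner-alisceon\\x2dcore\\x2dpodman"` only orders the runner after the token generation if that string matches the unit name the gitea-actions-runner module generates for instance `alisceon-core-podman`; a mismatch is not an evaluation error, it merely defines a second, empty unit carrying the after/requires and leaves the real runner free to start before forgejo-runner-token.service has written `/var/lib/forgejo/runner_token`. I have not verified whether the module escapes the hyphens of the instance name, so confirm the actual unit name on a deployed system (for example with `systemctl cat` on the expected name) and, if it does not escape, use the plain `gitea-runner-alisceon-core-podman` instead. A short comment next to the override stating which module-generated unit it targets would make the escaping deliberate rather than puzzling for the next reader.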