diff --git a/nixos/hosts/alisceon-core/configuration.nix b/nixos/hosts/alisceon-core/configuration.nix index 50b0fa4..d51f60f 100644 --- a/nixos/hosts/alisceon-core/configuration.nix +++ b/nixos/hosts/alisceon-core/configuration.nix @@ -27,37 +27,13 @@ let ''; }; - generateForgejoRunnerToken = pkgs.writeShellApplication { - name = "generate-forgejo-runner-token"; - runtimeInputs = [ - pkgs.coreutils - pkgs.util-linux - ]; - text = '' - token_file=${lib.escapeShellArg "/var/lib/forgejo/runner_token"} - - if [ -s "$token_file" ]; then - chmod 0600 "$token_file" - chown root:root "$token_file" - exit 0 - fi - - install -d -m 0750 -o forgejo -g forgejo /var/lib/forgejo - token="$(runuser -u forgejo -- env \ - FORGEJO_WORK_DIR=/var/lib/forgejo \ - FORGEJO_CUSTOM=/var/lib/forgejo/custom \ - ${lib.getExe pkgs.forgejo-lts} actions generate-runner-token)" - - umask 0077 - printf 'TOKEN=%s\n' "$token" > "$token_file" - chown root:root "$token_file" - chmod 0600 "$token_file" - ''; - }; in { imports = [ "${modulesPath}/virtualisation/oci-image.nix" + ../../modules/services/forgejo.nix + ../../modules/services/nginx.nix + ../../modules/services/tor.nix ]; nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; 
@@ -153,129 +129,41 @@ in }; }; - services.forgejo = { - enable = true; - package = pkgs.forgejo-lts; - database.type = "sqlite3"; - lfs.enable = true; - settings = { - server = { - DOMAIN = forgejoDomain; - ROOT_URL = "https://${forgejoDomain}/"; - HTTP_ADDR = "127.0.0.1"; - HTTP_PORT = 3000; - SSH_DOMAIN = forgejoDomain; - SSH_PORT = 22; - DISABLE_SSH = false; - }; - session.COOKIE_SECURE = true; - service = { - DISABLE_REGISTRATION = true; - REQUIRE_SIGNIN_VIEW = false; - }; - actions.ENABLED = true; - repository = { - DEFAULT_PRIVATE = "private"; - DISABLE_HTTP_GIT = false; - }; - "cron.archive_cleanup" = { - ENABLED = true; - RUN_AT_START = true; - SCHEDULE = "@every 24h"; - OLDER_THAN = "72h"; - }; - log.LEVEL = "Warn"; - }; - }; + alisceon.forgejo.domain = forgejoDomain; - services.gitea-actions-runner = { - package = pkgs.forgejo-runner; - instances.alisceon-core-podman = { - enable = true; - name = "alisceon-core-podman"; - url = "https://${forgejoDomain}"; - tokenFile = "/var/lib/forgejo/runner_token"; - labels = [ - "ubuntu-latest:docker://node:22-bookworm" - "debian-latest:docker://node:22-bookworm" - ]; - settings = { - container = { - network = "host"; - privileged = false; - valid_volumes = [ ]; - }; - cache.enabled = false; + services.gitea-actions-runner.instances.alisceon-core-podman.labels = [ + "podman" + "aarch64" + "arm64" + ]; + + services.nginx.virtualHosts = { + ${forgejoDomain} = { + serverName = forgejoDomain; + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://127.0.0.1:3000"; + recommendedProxySettings = true; }; }; - }; - - services.nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - virtualHosts = { - "_" = { - default = true; - rejectSSL = true; + ${syncthingDomain} = { + serverName = syncthingDomain; + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = 
"http://127.0.0.1:8384"; + recommendedProxySettings = false; extraConfig = '' - return 421; + proxy_set_header Host $proxy_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 600s; + proxy_send_timeout 600s; ''; }; - ${forgejoDomain} = { - serverName = forgejoDomain; - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:3000"; - recommendedProxySettings = true; - }; - }; - ${syncthingDomain} = { - serverName = syncthingDomain; - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:8384"; - recommendedProxySettings = false; - extraConfig = '' - proxy_set_header Host $proxy_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_read_timeout 600s; - proxy_send_timeout 600s; - ''; - }; - }; - }; - }; - - services.tor = { - enable = true; - client.enable = false; - relay = { - enable = true; - role = "relay"; - }; - settings = { - Nickname = "alisceondotcom"; - ORPort = 24601; - DataDirectory = "/var/lib/tor"; - ExitRelay = false; - ExitPolicy = [ "reject *:*" ]; - RelayBandwidthRate = "25 MBytes"; - RelayBandwidthBurst = "25 MBytes"; - BandwidthRate = "25 MBytes"; - BandwidthBurst = "25 MBytes"; - AccountingStart = "month 1 00:00"; - AccountingMax = "8500 GBytes"; - DirCache = true; - AvoidDiskWrites = 1; - Sandbox = false; }; }; 
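Review bot: The runner labels on the new side (`"podman"`, `"aarch64"`, `"arm64"`) drop the `:docker://<image>` schema the removed lines carried (`ubuntu-latest:docker://node:22-bookworm`); as far as I know a label without a schema is treated by the runner as a `host` label, so jobs would run directly on the runner host and the `container.privileged = false` / `valid_volumes = [ ]` settings kept in forgejo.nix would not apply to them. The same applies to the `lib.mkDefault [ "podman" ]` default in the new forgejo.nix hunk below. If container execution is still intended, keep the schema, e.g. `"podman:docker://node:22-bookworm"`; if host execution is intended, a comment on the `labels` line saying so would stop the next reader from taking it for an accidental downgrade. The NixOS module also appears to derive the need for a container runtime from the `docker://` prefix, so dropping it may switch off that wiring as well — worth confirming.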
@@ -334,28 +222,8 @@ in }; }; - systemd.services.forgejo-runner-token = { - description = "Generate Forgejo runner registration token"; - wantedBy = [ "multi-user.target" ]; - after = [ "forgejo.service" ]; - requires = [ "forgejo.service" ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - StandardError = "journal+console"; - StandardOutput = "journal+console"; - }; - script = lib.getExe generateForgejoRunnerToken; - }; - - systemd.services."gitea-runner-alisceon\\x2dcore\\x2dpodman" = { - after = [ "forgejo-runner-token.service" ]; - requires = [ "forgejo-runner-token.service" ]; - }; - environment.systemPackages = with pkgs; [ curl - forgejo-lts git htop jq diff --git a/nixos/modules/services/forgejo.nix b/nixos/modules/services/forgejo.nix new file mode 100644 index 0000000..5b5b878 --- /dev/null +++ b/nixos/modules/services/forgejo.nix 
@@ -0,0 +1,118 @@
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.alisceon.forgejo;
+ forgejoDomain = cfg.domain;
+
+ generateForgejoRunnerToken = pkgs.writeShellApplication {
+ name = "generate-forgejo-runner-token";
+ runtimeInputs = [
+ pkgs.coreutils
+ pkgs.util-linux
+ ];
+ text = ''
+ token_file=${lib.escapeShellArg "/var/lib/forgejo/runner_token"}
+
+ if [ -s "$token_file" ]; then
+ chmod 0600 "$token_file"
+ chown root:root "$token_file"
+ exit 0
+ fi
+
+ install -d -m 0750 -o forgejo -g forgejo /var/lib/forgejo
+ token="$(runuser -u forgejo -- env \
+ FORGEJO_WORK_DIR=/var/lib/forgejo \
+ FORGEJO_CUSTOM=/var/lib/forgejo/custom \
+ ${lib.getExe pkgs.forgejo-lts} actions generate-runner-token)"
+
+ umask 0077
+ printf 'TOKEN=%s\n' "$token" > "$token_file"
+ chown root:root "$token_file"
+ chmod 0600 "$token_file"
+ '';
+ };
+in
+{
+ options.alisceon.forgejo.domain = lib.mkOption {
+ type = lib.types.str;
+ description = "Public domain name for Forgejo.";
+ };
+
+ config = {
+ services.forgejo = {
+ enable = true;
+ package = pkgs.forgejo-lts;
+ database.type = "sqlite3";
+ lfs.enable = true;
+ settings = {
+ server = {
+ DOMAIN = forgejoDomain;
+ ROOT_URL = "https://${forgejoDomain}/";
+ HTTP_ADDR = "127.0.0.1";
+ HTTP_PORT = 3000;
+ SSH_DOMAIN = forgejoDomain;
+ SSH_PORT = 22;
+ DISABLE_SSH = false;
+ };
+ session.COOKIE_SECURE = true;
+ service = {
+ DISABLE_REGISTRATION = true;
+ REQUIRE_SIGNIN_VIEW = false;
+ };
+ actions.ENABLED = true;
+ repository = {
+ DEFAULT_PRIVATE = "private";
+ DISABLE_HTTP_GIT = false;
+ };
+ "cron.archive_cleanup" = {
+ ENABLED = true;
+ RUN_AT_START = true;
+ SCHEDULE = "@every 24h";
+ OLDER_THAN = "72h";
+ };
+ log.LEVEL = "Warn";
+ };
+ };
+
+ services.gitea-actions-runner = {
+ package = pkgs.forgejo-runner;
+ instances.alisceon-core-podman = {
+ enable = true;
+ name = "alisceon-core-podman";
+ url = "https://${forgejoDomain}";
+ tokenFile = "/var/lib/forgejo/runner_token";
+ labels = lib.mkDefault [
+ "podman"
+ ];
+ settings = {
+ container = {
+ network = "host";
+ privileged = false;
+ valid_volumes = [ ];
+ };
+ cache.enabled = false;
+ };
+ };
+ };
+
+ systemd.services.forgejo-runner-token = {
+ description = "Generate Forgejo runner registration token";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "forgejo.service" ];
+ requires = [ "forgejo.service" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ StandardError = "journal+console";
+ StandardOutput = "journal+console";
+ };
+ script = lib.getExe generateForgejoRunnerToken;
+ };
+
+ systemd.services."gitea-runner-alisceon\\x2dcore\\x2dpodman" = {
+ after = [ "forgejo-runner-token.service" ];
+ requires = [ "forgejo-runner-token.service" ];
+ };
+
+ environment.systemPackages = [ pkgs.forgejo-lts ];
+ };
+}
diff --git a/nixos/modules/services/nginx.nix b/nixos/modules/services/nginx.nix
new file mode 100644
index 0000000..4846f56
--- /dev/null
+++ b/nixos/modules/services/nginx.nix
@@ -0,0 +1,17 @@
+{ ... }:
+{
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts."_" = {
+ default = true;
+ rejectSSL = true;
+ extraConfig = ''
+ return 421;
+ '';
+ };
+ };
+}
diff --git a/nixos/modules/services/tor.nix b/nixos/modules/services/tor.nix
new file mode 100644
index 0000000..29ee2ff
--- /dev/null
+++ b/nixos/modules/services/tor.nix
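Review bot: `/var/lib/forgejo/runner_token` is spelled out twice in this module — inside the shell script via `lib.escapeShellArg` and again as `tokenFile` on the runner instance — so a later change to one silently desynchronises the other; bind it once in the `let` (e.g. `runnerTokenFile = "/var/lib/forgejo/runner_token";`) and reference it from both places. The script also never regenerates a token once the file is non-empty, which is fine for a one-shot registration but is stated nowhere; a comment above the `if [ -s "$token_file" ]` check such as `# One-shot: an existing token is kept; delete the file to force a fresh registration token` would document the rotation procedure. Finally, the module exposes only `alisceon.forgejo.domain` and no `enable` flag, so merely importing it turns on Forgejo, the runner and the token service unconditionally — consider `enable = lib.mkEnableOption "Forgejo"` with `config = lib.mkIf cfg.enable { … }` so a host can import the module without activating it.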
@@ -0,0 +1,27 @@
+{ ... }:
+{
+ services.tor = {
+ enable = true;
+ client.enable = false;
+ relay = {
+ enable = true;
+ role = "relay";
+ };
+ settings = {
+ Nickname = "alisceondotcom";
+ ORPort = 24601;
+ DataDirectory = "/var/lib/tor";
+ ExitRelay = false;
+ ExitPolicy = [ "reject *:*" ];
+ RelayBandwidthRate = "25 MBytes";
+ RelayBandwidthBurst = "25 MBytes";
+ BandwidthRate = "25 MBytes";
+ BandwidthBurst = "25 MBytes";
+ AccountingStart = "month 1 00:00";
+ AccountingMax = "8500 GBytes";
+ DirCache = true;
+ AvoidDiskWrites = 1;
+ Sandbox = false;
+ };
+ };
+}
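Review bot: `Sandbox = false;` explicitly disables Tor's seccomp sandbox on a public relay with no comment saying why; if it is off because the sandbox is unsupported on this aarch64 host (hunk 1 shows `nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"`) or because it misbehaved under the NixOS unit hardening, record that next to the line: `# Sandbox: disabled because <reason — TODO fill in>; revisit once <condition>`. Without such a note the line reads as an unintended hardening removal, and a later reader cannot tell whether flipping it back to `true` is safe. The relay also sets `Nickname` but no `ContactInfo`; the Tor project asks relay operators to publish a reachable contact so they can be notified of problems with the relay, and adding it next to `Nickname` costs one line.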