cleaning and refactoring alisceon-core

This commit is contained in:
alisceon 2026-05-29 18:13:23 +02:00
parent 6c60161d1a
commit e2b41c8129
4 changed files with 194 additions and 164 deletions


@ -27,37 +27,13 @@ let
'';
};
generateForgejoRunnerToken = pkgs.writeShellApplication {
name = "generate-forgejo-runner-token";
runtimeInputs = [
pkgs.coreutils
pkgs.util-linux
];
text = ''
token_file=${lib.escapeShellArg "/var/lib/forgejo/runner_token"}
if [ -s "$token_file" ]; then
chmod 0600 "$token_file"
chown root:root "$token_file"
exit 0
fi
install -d -m 0750 -o forgejo -g forgejo /var/lib/forgejo
token="$(runuser -u forgejo -- env \
FORGEJO_WORK_DIR=/var/lib/forgejo \
FORGEJO_CUSTOM=/var/lib/forgejo/custom \
${lib.getExe pkgs.forgejo-lts} actions generate-runner-token)"
umask 0077
printf 'TOKEN=%s\n' "$token" > "$token_file"
chown root:root "$token_file"
chmod 0600 "$token_file"
'';
};
in
{
imports = [
"${modulesPath}/virtualisation/oci-image.nix"
../../modules/services/forgejo.nix
../../modules/services/nginx.nix
../../modules/services/tor.nix
];
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
@ -153,129 +129,41 @@ in
};
};
services.forgejo = {
enable = true;
package = pkgs.forgejo-lts;
database.type = "sqlite3";
lfs.enable = true;
settings = {
server = {
DOMAIN = forgejoDomain;
ROOT_URL = "https://${forgejoDomain}/";
HTTP_ADDR = "127.0.0.1";
HTTP_PORT = 3000;
SSH_DOMAIN = forgejoDomain;
SSH_PORT = 22;
DISABLE_SSH = false;
};
session.COOKIE_SECURE = true;
service = {
DISABLE_REGISTRATION = true;
REQUIRE_SIGNIN_VIEW = false;
};
actions.ENABLED = true;
repository = {
DEFAULT_PRIVATE = "private";
DISABLE_HTTP_GIT = false;
};
"cron.archive_cleanup" = {
ENABLED = true;
RUN_AT_START = true;
SCHEDULE = "@every 24h";
OLDER_THAN = "72h";
};
log.LEVEL = "Warn";
};
};
alisceon.forgejo.domain = forgejoDomain;
services.gitea-actions-runner = {
package = pkgs.forgejo-runner;
instances.alisceon-core-podman = {
enable = true;
name = "alisceon-core-podman";
url = "https://${forgejoDomain}";
tokenFile = "/var/lib/forgejo/runner_token";
labels = [
"ubuntu-latest:docker://node:22-bookworm"
"debian-latest:docker://node:22-bookworm"
];
settings = {
container = {
network = "host";
privileged = false;
valid_volumes = [ ];
};
cache.enabled = false;
services.gitea-actions-runner.instances.alisceon-core-podman.labels = [
"podman"
"aarch64"
"arm64"
];
services.nginx.virtualHosts = {
${forgejoDomain} = {
serverName = forgejoDomain;
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3000";
recommendedProxySettings = true;
};
};
};
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"_" = {
default = true;
rejectSSL = true;
${syncthingDomain} = {
serverName = syncthingDomain;
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8384";
recommendedProxySettings = false;
extraConfig = ''
return 421;
proxy_set_header Host $proxy_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
'';
};
${forgejoDomain} = {
serverName = forgejoDomain;
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3000";
recommendedProxySettings = true;
};
};
${syncthingDomain} = {
serverName = syncthingDomain;
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8384";
recommendedProxySettings = false;
extraConfig = ''
proxy_set_header Host $proxy_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
'';
};
};
};
};
services.tor = {
enable = true;
client.enable = false;
relay = {
enable = true;
role = "relay";
};
settings = {
Nickname = "alisceondotcom";
ORPort = 24601;
DataDirectory = "/var/lib/tor";
ExitRelay = false;
ExitPolicy = [ "reject *:*" ];
RelayBandwidthRate = "25 MBytes";
RelayBandwidthBurst = "25 MBytes";
BandwidthRate = "25 MBytes";
BandwidthBurst = "25 MBytes";
AccountingStart = "month 1 00:00";
AccountingMax = "8500 GBytes";
DirCache = true;
AvoidDiskWrites = 1;
Sandbox = false;
};
};
@ -334,28 +222,8 @@ in
};
};
systemd.services.forgejo-runner-token = {
description = "Generate Forgejo runner registration token";
wantedBy = [ "multi-user.target" ];
after = [ "forgejo.service" ];
requires = [ "forgejo.service" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
StandardError = "journal+console";
StandardOutput = "journal+console";
};
script = lib.getExe generateForgejoRunnerToken;
};
systemd.services."gitea-runner-alisceon\\x2dcore\\x2dpodman" = {
after = [ "forgejo-runner-token.service" ];
requires = [ "forgejo-runner-token.service" ];
};
environment.systemPackages = with pkgs; [
curl
forgejo-lts
git
htop
jq