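# NixOS host "alisceon-core": an OCI (Oracle Cloud) aarch64 image running a
# Forgejo instance behind nginx/ACME, a Podman-backed Forgejo Actions runner,
# and a non-exit Tor relay. SSH keys for the primary user are pulled from the
# OCI instance metadata service at boot.
{ lib, pkgs, modulesPath, ... }:
let
  forgejoDomain = "git.alisceon.com";
  # Written by forgejo-runner-token.service, consumed by the runner instance
  # as its `tokenFile` (systemd EnvironmentFile with a single TOKEN= line).
  forgejoRunnerTokenFile = "/var/lib/forgejo/runner_token";

  # Populate ~alisceon/.ssh/authorized_keys from OCI instance metadata.
  # writeShellApplication runs this under `set -euo pipefail`.
  # NOTE(review): assumes the `alisceon` user and `users` group already exist
  # when the unit runs (the user is declared elsewhere in the configuration).
  fetchOciAuthorizedKeys = pkgs.writeShellApplication {
    name = "fetch-oci-authorized-keys";
    runtimeInputs = [ pkgs.coreutils pkgs.curl ];
    text = ''
      ssh_dir=/home/alisceon/.ssh
      keys_file="$ssh_dir/authorized_keys"

      install -d -m 0700 -o alisceon -g users "$ssh_dir"

      # Never overwrite keys that are already in place.
      if [ -s "$keys_file" ]; then
        echo "OCI authorized_keys already present for alisceon"
        exit 0
      fi

      # Download into a temp file in the same directory so the final rename is
      # atomic: sshd must never observe a truncated or partially written file.
      tmp="$(mktemp "$ssh_dir/.authorized_keys.XXXXXX")"
      trap 'rm -f "$tmp"' EXIT

      # OCI IMDS v2 requires the literal "Bearer Oracle" header. No --location:
      # the metadata endpoint does not redirect, and keys must only ever come
      # from the link-local address. Timeouts matter because this unit runs
      # before sshd.service and a oneshot has no start timeout by default, so a
      # hung request would otherwise keep sshd from starting.
      curl --fail --silent --show-error \
        --connect-timeout 5 --max-time 30 --retry 3 \
        --header "Authorization: Bearer Oracle" \
        --output "$tmp" \
        http://169.254.169.254/opc/v2/instance/metadata/ssh_authorized_keys

      if [ ! -s "$tmp" ]; then
        echo "OCI metadata returned no ssh_authorized_keys; leaving $keys_file untouched" >&2
        exit 1
      fi

      chown alisceon:users "$tmp"
      chmod 0600 "$tmp"
      mv -f "$tmp" "$keys_file"
    '';
  };

  # Generate a one-time Forgejo Actions runner registration token and store it
  # root-only at forgejoRunnerTokenFile. Idempotent: an existing non-empty file
  # is left as is (permissions re-asserted).
  generateForgejoRunnerToken = pkgs.writeShellApplication {
    name = "generate-forgejo-runner-token";
    runtimeInputs = [ pkgs.coreutils pkgs.util-linux ];
    text = ''
      token_file=${lib.escapeShellArg forgejoRunnerTokenFile}

      if [ -s "$token_file" ]; then
        chmod 0600 "$token_file"
        chown root:root "$token_file"
        exit 0
      fi

      install -d -m 0750 -o forgejo -g forgejo /var/lib/forgejo

      # Run the CLI as the forgejo user against the service's own state dir so
      # it talks to the same database the running instance uses.
      token="$(runuser -u forgejo -- env \
        FORGEJO_WORK_DIR=/var/lib/forgejo \
        FORGEJO_CUSTOM=/var/lib/forgejo/custom \
        ${lib.getExe pkgs.forgejo-lts} actions generate-runner-token)"

      # A zero exit with empty output would otherwise persist "TOKEN=" and the
      # -s guard above would never regenerate it.
      if [ -z "$token" ]; then
        echo "forgejo returned an empty runner token; not writing $token_file" >&2
        exit 1
      fi

      # Create the file 0600 from the start and publish it with an atomic
      # rename so the runner never reads a half-written token.
      umask 0077
      tmp="$(mktemp "$token_file.XXXXXX")"
      trap 'rm -f "$tmp"' EXIT
      # NOTE(review): EnvironmentFile syntax is assumed to be safe for the
      # token's character set (no quoting applied) — confirm against the format
      # forgejo emits.
      printf 'TOKEN=%s\n' "$token" > "$tmp"
      chown root:root "$tmp"
      chmod 0600 "$tmp"
      mv -f "$tmp" "$token_file"
    '';
  };
in
{
  imports = [ "${modulesPath}/virtualisation/oci-image.nix" ];

  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";

  networking = {
    hostName = "alisceon-core";
    networkmanager.enable = lib.mkForce false;
    # 22 sshd (also Forgejo SSH clone), 80/443 nginx + ACME, 9001 Tor ORPort.
    firewall.allowedTCPPorts = [ 22 80 443 9001 ];
  };

  boot = {
    initrd.availableKernelModules = [ "virtio_pci" "virtio_blk" "virtio_scsi" "virtio_net" "xhci_pci" ];
    loader.systemd-boot.configurationLimit = lib.mkForce 3;
  };

  nix = {
    settings = {
      min-free = lib.mkForce (512 * 1024 * 1024);
      max-free = lib.mkForce (2 * 1024 * 1024 * 1024);
    };
    gc = {
      dates = lib.mkForce "daily";
      options = lib.mkForce "--delete-older-than 3d";
    };
  };

  virtualisation = {
    docker.enable = lib.mkForce false;
    podman = {
      enable = true;
      # Docker-compatible socket for the runner's docker:// labels. Anything
      # that can reach this socket is root-equivalent on the host, so do not
      # add unprivileged users to the podman group.
      dockerSocket.enable = true;
      autoPrune = {
        enable = true;
        dates = "daily";
        flags = [ "--all" ];
      };
    };
  };

  users.users.alisceon.extraGroups = [ "systemd-journal" ];

  security = {
    acme = {
      acceptTerms = true;
      defaults.email = "acme@alisceon.com";
    };
    sudo-rs.wheelNeedsPassword = false;
  };

  services.openssh.settings = {
    PasswordAuthentication = false;
    # PasswordAuthentication=no alone does not stop PAM password prompts via
    # keyboard-interactive; disable that path as well so only keys are accepted.
    KbdInteractiveAuthentication = false;
    PermitRootLogin = lib.mkForce "prohibit-password";
  };

  services.forgejo = {
    enable = true;
    package = pkgs.forgejo-lts;
    database.type = "sqlite3";
    lfs.enable = true;
    settings = {
      server = {
        DOMAIN = forgejoDomain;
        ROOT_URL = "https://${forgejoDomain}/";
        # Loopback only; nginx terminates TLS and proxies to this port.
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = 3000;
        SSH_DOMAIN = forgejoDomain;
        SSH_PORT = 22;
        DISABLE_SSH = false;
      };
      session.COOKIE_SECURE = true;
      service = {
        # Closed instance: accounts are created by an admin only.
        DISABLE_REGISTRATION = true;
        REQUIRE_SIGNIN_VIEW = false;
      };
      actions.ENABLED = true;
      repository = {
        DEFAULT_PRIVATE = "private";
        DISABLE_HTTP_GIT = false;
      };
      "cron.archive_cleanup" = {
        ENABLED = true;
        RUN_AT_START = true;
        SCHEDULE = "@every 24h";
        OLDER_THAN = "72h";
      };
      log.LEVEL = "Warn";
    };
  };

  services.gitea-actions-runner = {
    package = pkgs.forgejo-runner;
    instances.alisceon-core-podman = {
      enable = true;
      name = "alisceon-core-podman";
      url = "https://${forgejoDomain}";
      tokenFile = forgejoRunnerTokenFile;
      labels = [
        "ubuntu-latest:docker://node:22-bookworm"
        "debian-latest:docker://node:22-bookworm"
      ];
      settings = {
        container = {
          # Host networking means job containers can reach loopback services
          # (Forgejo on 127.0.0.1:3000) and the instance metadata endpoint.
          # Acceptable while registration is disabled and only local accounts
          # can run workflows; revisit before granting access to untrusted
          # contributors. No privileges and no host volumes are granted.
          network = "host";
          privileged = false;
          valid_volumes = [ ];
        };
        cache.enabled = false;
      };
    };
  };

  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts = {
      # Catch-all: refuse TLS handshakes for unknown names and answer plain
      # HTTP for them with 421 Misdirected Request.
      "_" = {
        default = true;
        rejectSSL = true;
        extraConfig = ''
          return 421;
        '';
      };
      ${forgejoDomain} = {
        serverName = forgejoDomain;
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:3000";
          recommendedProxySettings = true;
        };
      };
    };
  };

  # Middle/guard relay only: no exit traffic, no local Tor client.
  services.tor = {
    enable = true;
    client.enable = false;
    relay = {
      enable = true;
      role = "relay";
    };
    settings = {
      Nickname = "alisceondotcom";
      ORPort = 9001;
      DataDirectory = "/var/lib/tor";
      ExitRelay = false;
      ExitPolicy = [ "reject *:*" ];
      RelayBandwidthRate = "2700 KBytes";
      RelayBandwidthBurst = "2700 KBytes";
      BandwidthRate = "2700 KBytes";
      BandwidthBurst = "2700 KBytes";
      AccountingStart = "month 1 00:00";
      AccountingMax = "7500 GBytes";
      DirCache = true;
      AvoidDiskWrites = 1;
      Sandbox = true;
    };
  };

  services.cloud-init = {
    enable = true;
    network.enable = true;
    settings = {
      datasource_list = [ "Oracle" "ConfigDrive" "NoCloud" ];
      users = [ "default" ];
      system_info.default_user = {
        name = "alisceon";
        gecos = "Alisceon";
        groups = [ "wheel" "systemd-journal" ];
        # NOTE(review): xonsh is not in environment.systemPackages in this
        # file; it is assumed to be provided by another module.
        shell = "/run/current-system/sw/bin/xonsh";
        lock_passwd = true;
      };
    };
  };

  # Replaces the image's stock fetch-ssh-keys unit (disabled below) with one
  # that installs the metadata keys for alisceon. Ordered before sshd so keys
  # are in place for the first login; sshd only Wants this unit, so a failure
  # here does not prevent sshd from starting.
  systemd.services.fetch-oci-authorized-keys = {
    description = "Fetch OCI metadata authorized_keys for alisceon";
    wantedBy = [ "sshd.service" ];
    before = [ "sshd.service" ];
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      # Backstop for the curl timeouts: a oneshot would otherwise wait forever
      # and hold up sshd.service.
      TimeoutStartSec = 120;
      StandardError = "journal+console";
      StandardOutput = "journal+console";
    };
    script = lib.getExe fetchOciAuthorizedKeys;
  };

  systemd.services.fetch-ssh-keys.enable = false;

  systemd.services.forgejo-runner-token = {
    description = "Generate Forgejo runner registration token";
    wantedBy = [ "multi-user.target" ];
    after = [ "forgejo.service" ];
    requires = [ "forgejo.service" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      StandardError = "journal+console";
      StandardOutput = "journal+console";
    };
    script = lib.getExe generateForgejoRunnerToken;
  };

  # The runner unit name is the escaped instance name ("-" -> "\x2d"); make it
  # wait for the token file to exist before it tries to register.
  systemd.services."gitea-runner-alisceon\\x2dcore\\x2dpodman" = {
    after = [ "forgejo-runner-token.service" ];
    requires = [ "forgejo-runner-token.service" ];
  };

  environment.systemPackages = with pkgs; [
    curl
    forgejo-lts
    git
    htop
    jq
    vim
    wget
  ];

  system.stateVersion = lib.mkForce "25.11";
}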