Compare commits
5 commits
e4d9fe3b4d
...
ac3f794578
Author | SHA1 | Date | |
---|---|---|---|
ac3f794578 | |||
e320317d27 | |||
2e69421f10 | |||
5155280203 | |||
8070852806 |
4 changed files with 55 additions and 11 deletions
|
@ -1,14 +1,20 @@
|
|||
{lib, ...}: {
|
||||
{
|
||||
lib,
|
||||
config,
|
||||
...
|
||||
}: {
|
||||
sops.secrets.smtp2go-pwd = {owner = "forgejo";};
|
||||
networking.firewall.allowedTCPPorts = [2222];
|
||||
services.forgejo = {
|
||||
enable = true;
|
||||
stateDir = "/var/lib/forgejo";
|
||||
settings = {
|
||||
service.DISABLE_REGISTRATION = true;
|
||||
service.DISABLE_REGISTRATION = false;
|
||||
DEFAULT.APP_NAME = "forgejo";
|
||||
log.LEVEL = "Debug";
|
||||
ui = {
|
||||
DEFAULT_THEME = "forgejo-dark";
|
||||
SHOW_USER_EMAIL = true;
|
||||
};
|
||||
actions = {
|
||||
ENABLED = true;
|
||||
|
@ -25,6 +31,9 @@
|
|||
SSH_LISTEN_PORT = 2222;
|
||||
SSH_LISTEN_HOST = "100.121.201.47";
|
||||
};
|
||||
session = {
|
||||
COOKIE_SECURE = true;
|
||||
};
|
||||
database = {
|
||||
DB_TYPE = lib.mkForce "postgres";
|
||||
HOST = "192.168.1.211:5432";
|
||||
|
@ -42,6 +51,32 @@
|
|||
ENABLED_ISSUE_BY_REPOSITORY = true;
|
||||
ENABLED_ISSUE_BY_LABEL = true;
|
||||
};
|
||||
mailer = {
|
||||
ENABLED = true;
|
||||
FROM = "forgejo@flake.sh";
|
||||
PROTOCOL = "smtp+starttls";
|
||||
SMTP_ADDR = "mail.smtp2go.com";
|
||||
SMTP_PORT = 587;
|
||||
USER = "forgejo-mailer";
|
||||
};
|
||||
};
|
||||
mailerPasswordFile = config.sops.secrets.smtp2go-pwd.path;
|
||||
};
|
||||
services.fail2ban.jails.forgejo = {
|
||||
settings = {
|
||||
filter = "forgejo";
|
||||
action = ''iptables-allports'';
|
||||
mode = "aggressive";
|
||||
maxretry = 3;
|
||||
findtime = 3600;
|
||||
bantime = 900;
|
||||
};
|
||||
};
|
||||
environment.etc = {
|
||||
"fail2ban/filter.d/forgejo.conf".text = ''
|
||||
[Definition]
|
||||
failregex = ^.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>$
|
||||
journalmatch = _SYSTEMD_UNIT=forgejo.service
|
||||
'';
|
||||
};
|
||||
}
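Review bot: The `forgejo` jail added at the end of this file bans whatever address follows `from <HOST>` in the journal, but the web UI is served through the Traefik `forgejo.loadBalancer` backend, so unless Forgejo is configured to trust the proxy's forwarded headers that address is probably the proxy's own. `iptables-allports` would then either ban the proxy for every user or, if the proxy address falls in an ignored range, never ban at all. I would add `security.REVERSE_PROXY_TRUSTED_PROXIES` (with `REVERSE_PROXY_LIMIT`) for the proxy address under `settings`, and run a real failed-login journal line through `fail2ban-regex`, because the trailing `$` after `<HOST>` stops the filter matching if Forgejo prints anything after the address. Separately, `service.DISABLE_REGISTRATION` is shown as `true` and then `false`; if `false` is the new value, sign-up is open while `SHOW_USER_EMAIL = true` and `log.LEVEL = "Debug"` are set, which deserves a comment saying it is intended.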
|
||||
|
|
|
@ -135,12 +135,15 @@
|
|||
};
|
||||
};
|
||||
services = {
|
||||
forgejo.loadBalancer = {
|
||||
passHostHeader = true;
|
||||
servers = [{url = "http://100.121.201.47:3200";}];
|
||||
};
|
||||
uptime-kuma.loadBalancer.servers = [{url = "http://100.104.42.96:4000";}];
|
||||
gotify.loadBalancer.servers = [{url = "http://100.104.42.96:3000";}];
|
||||
conduit.loadBalancer.servers = [{url = "http://100.121.201.47:6167";}];
|
||||
authelia.loadBalancer.servers = [{url = "http://100.121.201.47:9091";}];
|
||||
foundryvtt.loadBalancer.servers = [{url = "http://100.121.201.47:30000";}];
|
||||
forgejo.loadBalancer.servers = [{url = "http://100.121.201.47:3200";}];
|
||||
rustypaste.loadBalancer.servers = [{url = "http://100.121.201.47:8000";}];
|
||||
grafana.loadBalancer.servers = [{url = "http://100.121.201.47:3100";}];
|
||||
hedgedoc.loadBalancer.servers = [{url = "http://100.121.201.47:3300";}];
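Review bot: `passHostHeader = true;` in the `forgejo.loadBalancer` block is Traefik's default, so the block behaves the same as the one-line `forgejo.loadBalancer.servers` entry that still appears further down this view. The page does not show which of the two is the removed line; if both survive in the new file they should be reduced to one definition. If the option is kept for explicitness, a comment such as `# default in Traefik; kept explicit for the forgejo backend` would record why. The enclosing `services` set starts and ends outside the hunk.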
|
||||
|
|
|
@ -40,13 +40,16 @@
|
|||
"net.ipv4.tcp_congestion_control" = "bbr";
|
||||
"net.core.default_qdisc" = "cake";
|
||||
};
|
||||
|
||||
boot.kernelModules = ["tcp_bbr"];
|
||||
|
||||
# So we don't have to do this later...
|
||||
services.openssh.settings.LogLevel = "VERBOSE";
|
||||
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults.email = "github@notohh.dev";
|
||||
};
|
||||
|
||||
services.fail2ban = {
|
||||
enable = true;
|
||||
bantime = "1h";
|
||||
|
@ -55,15 +58,17 @@
|
|||
"192.168.0.0/16"
|
||||
"172.16.0.0/12"
|
||||
"10.0.0.0/8"
|
||||
"5.161.181.184/32"
|
||||
"5.161.102.107/32"
|
||||
"100.71.49.65/10"
|
||||
"100.82.146.40/10"
|
||||
];
|
||||
jails.DEFAULT = {
|
||||
jails = {
|
||||
DEFAULT = {
|
||||
settings = {
|
||||
findtime = 100000;
|
||||
mode = "aggressive";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
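Review bot: `"100.71.49.65/10"` and `"100.82.146.40/10"` both reduce to the network 100.64.0.0/10, so the list that closes at `];` exempts that entire shared-address range twice over rather than two hosts. The list is presumably fail2ban's ignore list, but its opening line is above the hunk. If two hosts were meant, write them as `/32` like the `5.161.*` entries; if the whole range is meant, a single `"100.64.0.0/10"` entry with a comment says so. Either way, the proxy backends shown elsewhere on this page sit in that range, so any jail that sees proxied traffic under the proxy's address will ignore it. The comment `# So we don't have to do this later...` above `LogLevel = "VERBOSE"` would be more useful as `# VERBOSE so the sshd jail sees failed key attempts`, if that is the reason.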
|
||||
|
|
|
@ -12,6 +12,7 @@ snowflake-runner-token: ENC[AES256_GCM,data:CYtnZeCCd3IbNq95xCAoftYRxYf5QdZk1cw2
|
|||
basegbot-runner-token: ENC[AES256_GCM,data:US3VkT2+S9sKPJ7zPNNBudV/884/cNfmEZVdmWHnL4WWdvUej5aIbQ==,iv:mEjU7DF4NCX7WwLP4+CxlV3aKZOkL7t6wyM4Mz7sPrg=,tag:JrMiiQ2TT3OET4iyO6pUog==,type:str]
|
||||
searxng-secret: ENC[AES256_GCM,data:SSvspQVRp79zJq0hzaqzuJIWFtVUoaqHGH9PXUViiXb9UKJM34t82o2J5K69RcOSBL7HadqmxcT4Eh8e8ZUJnquD7rrPdWb2Ih4zS7MmG94=,iv:wrQNNU7CjzfePNe1tWEXmN30vC0jTp+PtgfI3/XH22g=,tag:QAt/QL846hLLIMLQZUM3mQ==,type:str]
|
||||
neko-admin: ENC[AES256_GCM,data:E5goYrVyM2uQ1WLLHdcOzqX8gGO5EXJRqCRtaqAjrbUAeFRDU8A=,iv:Osh2SCeFYIvossZZ1NZH0xMrfhTcYAa6nssJhhmNNP0=,tag:m7shoTDw+Cya6Cg50yWaZg==,type:str]
|
||||
smtp2go-pwd: ENC[AES256_GCM,data:03OCDnG73T8B2Q3TJLt1kg==,iv:QFI34ZoM88AuGvOwVmxsplkNKWFgwqBn1AFdHNREses=,tag:9YABs0nAh7Cx2vybuIW9sA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
@ -27,8 +28,8 @@ sops:
|
|||
YWNQcURKMSs2U0pOa3E0cTdCZ3RnalkKGayA7DBUQS+kn+6OYVBc6oTunF0qeZdt
|
||||
5b9DLHgh0HRWFm09XGSOog8K315d93Wzblw1My1/dXeEQX/ryinqUQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-12-10T15:17:04Z"
|
||||
mac: ENC[AES256_GCM,data:jUsI4YvoAkEAtRVz4CUQV3pJ7W7CYwOADUVeN2C9AleqVwfTuRlhQB8lVU+hEBcPY1ntMRHUnJmO9RO2xYQjJSVvAfLODCbhtMY7/s61jQa7r2gi7btlYHCOm1Qh3S4EusfyS22J2p39lF82GAyl6KHeXOmAFnGhpg8+PfKBL3I=,iv:oasWdhlkWuuU/LNrIHdgGTH5JuWqcuLjbDu9ohyRPAQ=,tag:oG6LsuuDh5D+33tR1ymY+Q==,type:str]
|
||||
lastmodified: "2023-12-30T16:22:09Z"
|
||||
mac: ENC[AES256_GCM,data:LV5mRsqxzOTGcmoTZRjfAw5713AbDvWWngcnmAJtCTNjWbFsnIuNwd452i0SHkHsV0czR1BemmHzHYIp+ZCUZGBYDQcBJjCMsYUdLGzNGAZeImc38C3pXK2Vu0WSIdHmECch21HEw0L8OI07v7MToCy4OS2ITm0OAXGFo0el0xI=,iv:k5/mDqkRsnyOdFjb+EPm782DEx4HdXUt3mb3tkYGp18=,tag:Flckc72wh4qM0t+OEfjDqg==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||
|
|