notohh
ccd69ee47e
replaces (most) values that are repeatedly used w/ a let binding so they can be updated from one place.
89 lines
2.3 KiB
Nix
89 lines
2.3 KiB
Nix
{
|
|
lib,
|
|
config,
|
|
...
|
|
}: let
|
|
sshPort = 2222;
|
|
dbHost = "192.168.1.211";
|
|
dbLogin = "forgejo";
|
|
in {
|
|
sops.secrets.smtp2go-pwd = {owner = "forgejo";};
|
|
networking.firewall.allowedTCPPorts = [2222];
|
|
services.forgejo = {
|
|
enable = true;
|
|
stateDir = "/var/lib/forgejo";
|
|
settings = {
|
|
service.DISABLE_REGISTRATION = true;
|
|
DEFAULT.APP_NAME = "forgejo";
|
|
log.LEVEL = "Debug";
|
|
ui = {
|
|
DEFAULT_THEME = "forgejo-dark";
|
|
SHOW_USER_EMAIL = true;
|
|
};
|
|
actions = {
|
|
ENABLED = false;
|
|
DEFAULT_ACTIONS_URL = "https://code.forgejo.org";
|
|
};
|
|
server = {
|
|
HTTP_PORT = 3200;
|
|
DOMAIN = "git.flake.sh";
|
|
ROOT_URL = "https://git.flake.sh";
|
|
LANDING_PAGE = "/explore/repos";
|
|
START_SSH_SERVER = true;
|
|
SSH_DOMAIN = "git.flake.sh";
|
|
SSH_PORT = sshPort;
|
|
SSH_LISTEN_PORT = sshPort;
|
|
SSH_LISTEN_HOST = "100.121.201.47";
|
|
};
|
|
session = {
|
|
COOKIE_SECURE = true;
|
|
};
|
|
security = {
|
|
LOGIN_REMEMBER_DAYS = 14;
|
|
};
|
|
database = {
|
|
DB_TYPE = lib.mkForce "postgres";
|
|
HOST = "${dbHost}:5432";
|
|
NAME = dbLogin;
|
|
USER = dbLogin;
|
|
PASSWD = dbLogin;
|
|
};
|
|
cache = {
|
|
ENABLED = true;
|
|
ADAPTER = lib.mkForce "redis";
|
|
HOST = "redis://:forgejo@${dbHost}:6379";
|
|
};
|
|
metrics = {
|
|
ENABLED = true;
|
|
ENABLED_ISSUE_BY_REPOSITORY = true;
|
|
ENABLED_ISSUE_BY_LABEL = true;
|
|
};
|
|
mailer = {
|
|
ENABLED = true;
|
|
FROM = "forgejo@flake.sh";
|
|
PROTOCOL = "smtp+starttls";
|
|
SMTP_ADDR = "mail.smtp2go.com";
|
|
SMTP_PORT = 587;
|
|
USER = "forgejo-mailer";
|
|
};
|
|
};
|
|
mailerPasswordFile = config.sops.secrets.smtp2go-pwd.path;
|
|
};
|
|
services.fail2ban.jails.forgejo = {
|
|
settings = {
|
|
filter = "forgejo";
|
|
action = ''iptables-allports'';
|
|
mode = "aggressive";
|
|
maxretry = 3;
|
|
findtime = 3600;
|
|
bantime = 900;
|
|
};
|
|
};
|
|
environment.etc = {
|
|
"fail2ban/filter.d/forgejo.conf".text = ''
|
|
[Definition]
|
|
failregex = ^.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>$
|
|
journalmatch = _SYSTEMD_UNIT=forgejo.service
|
|
'';
|
|
};
|
|
}
|