From cdee22e1650f89374aeb2ebb152ad18fd03c0a16 Mon Sep 17 00:00:00 2001
From: Nico
Date: Sat, 17 May 2025 20:35:06 +1000
Subject: [PATCH] forgejo: protect with anubis
https://anubis.techaro.lol/docs/
---
 modules/services/forgejo.nix | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/modules/services/forgejo.nix b/modules/services/forgejo.nix
index 351212b..26a91e7 100644
--- a/modules/services/forgejo.nix
+++ b/modules/services/forgejo.nix
@@ -17,6 +17,8 @@
 HTTP_PORT = 3000;
 };
+ security.REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128";
+ service = {
 DISABLE_REGISTRATION = true;
 ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
@@ -26,6 +28,17 @@
 };
 };
+ # configure anubis to prevent AI scrapers from overloading the git server.
+ services.anubis.instances.forgejo = {
+ enable = true;
+ settings = {
+ TARGET = "http://127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}";
+ SERVE_ROBOTS_TXT = true;
+ BIND_NETWORK = "tcp";
+ BIND = ":3333";
+ };
+ };
+ # forgejo has user keys under its own .ssh/authorizedKeys file.
 # nix blocks me from using users.users..openssh.authorizedKeys.keyFiles
 # in order to only allow that to the forgejo user as it has "/var"
@@ -34,7 +47,10 @@
 services.caddy.virtualHosts."git.${config.homelab.domain}" = {
 useACMEHost = config.homelab.domain;
 extraConfig = ''
- reverse_proxy http://localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}
+ reverse_proxy http://127.0.0.1${toString config.services.anubis.instances.forgejo.settings.BIND} {
+ header_up X-Real-Ip {remote_host}
+ header_up X-Http-Version {http.request.proto}
+ }
 '';
 };
 }
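Review bot: The new `security.REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128"` line is, if I recall Forgejo's defaults correctly, the same value it already ships with, so it records intent rather than changing behaviour, and a comment would stop the next reader from widening it to a LAN range: `# Caddy -> Anubis -> Forgejo all talk over loopback; only accept X-Real-Ip/X-Forwarded-For from there.`. One thing worth verifying after deploying rather than assuming: Forgejo's `REVERSE_PROXY_LIMIT` defaults to a single hop and there are now two proxies in front of it, so check that access and audit logs show the real client address instead of 127.0.0.1 (Caddy sets `X-Real-Ip` explicitly in the last hunk, which should cover it, but I have not confirmed which header Forgejo consults first). The `settings` attribute set this hunk edits opens before the hunk.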
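Review bot: `BIND = ":3333"` with `BIND_NETWORK = "tcp"` listens on every interface, so the Anubis endpoint (and through it Forgejo, over plain HTTP and outside Caddy's TLS) is reachable directly on port 3333 unless the host firewall closes it, which this diff does not show; since Caddy only ever dials 127.0.0.1, binding loopback explicitly removes that exposure. Because the Caddy upstream is built by string-gluing `http://127.0.0.1` onto `BIND`, the two lines must change together or the upstream becomes `http://127.0.0.1127.0.0.1:3333`: in this hunk `BIND = "127.0.0.1:3333";` and in the Caddy hunk `reverse_proxy http://${toString config.services.anubis.instances.forgejo.settings.BIND} {`. Note also that the `TARGET` line implies Forgejo itself still listens on 127.0.0.1:3000; if its `HTTP_ADDR` (not visible here) is not loopback-only, a client can skip the Anubis challenge by hitting port 3000 directly, so that is worth confirming at the same time.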