forgejo: protect with anubis

https://anubis.techaro.lol/docs/
This commit is contained in:
Nico 2025-05-17 20:35:06 +10:00
parent 85d99dae25
commit cdee22e165

View file

@ -17,6 +17,8 @@
HTTP_PORT = 3000; HTTP_PORT = 3000;
}; };
security.REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128";
service = { service = {
DISABLE_REGISTRATION = true; DISABLE_REGISTRATION = true;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true; ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
@ -26,6 +28,17 @@
}; };
}; };
# configure anubis to prevent AI scrapers from overloading the git server.
services.anubis.instances.forgejo = {
enable = true;
settings = {
TARGET = "http://127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}";
SERVE_ROBOTS_TXT = true;
BIND_NETWORK = "tcp";
BIND = ":3333";
};
};
# forgejo has user keys under its own .ssh/authorizedKeys file. # forgejo has user keys under its own .ssh/authorizedKeys file.
# nix blocks me from using users.users.<name>.openssh.authorizedKeys.keyFiles # nix blocks me from using users.users.<name>.openssh.authorizedKeys.keyFiles
# in order to only allow that to the forgejo user as it has "/var" # in order to only allow that to the forgejo user as it has "/var"
@ -34,7 +47,10 @@
services.caddy.virtualHosts."git.${config.homelab.domain}" = { services.caddy.virtualHosts."git.${config.homelab.domain}" = {
useACMEHost = config.homelab.domain; useACMEHost = config.homelab.domain;
extraConfig = '' extraConfig = ''
reverse_proxy http://localhost:${toString config.services.forgejo.settings.server.HTTP_PORT} reverse_proxy http://127.0.0.1${toString config.services.anubis.instances.forgejo.settings.BIND} {
header_up X-Real-Ip {remote_host}
header_up X-Http-Version {http.request.proto}
}
''; '';
}; };
} }