56 lines
1.7 KiB
Nix
56 lines
1.7 KiB
Nix
{ config, pkgs, lib, ... }:
|
|
|
|
{
|
|
services.forgejo = {
|
|
enable = true;
|
|
stateDir = "/var/lib/forgejo";
|
|
repositoryRoot = "${config.services.forgejo.stateDir}/repositories";
|
|
database.createDatabase = true;
|
|
|
|
settings = {
|
|
session.COOKIE_SECURE = true;
|
|
server = {
|
|
DOMAIN = "git.${config.homelab.domain}";
|
|
ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}";
|
|
SSH_PORT = 22;
|
|
# PROTOCOL = "https";
|
|
HTTP_PORT = 3000;
|
|
};
|
|
|
|
security.REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128";
|
|
|
|
service = {
|
|
DISABLE_REGISTRATION = true;
|
|
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
|
|
SHOW_REGISTRATION_BUTTON = false;
|
|
ENABLE_PASSWORD_SIGNIN_FORM = false;
|
|
};
|
|
};
|
|
};
|
|
|
|
# configure anubis to prevent AI scrapers from overloading the git server.
|
|
services.anubis.instances.forgejo = {
|
|
enable = true;
|
|
settings = {
|
|
TARGET = "http://127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}";
|
|
SERVE_ROBOTS_TXT = true;
|
|
BIND_NETWORK = "tcp";
|
|
BIND = ":3333";
|
|
};
|
|
};
|
|
|
|
# forgejo has user keys under its own .ssh/authorizedKeys file.
|
|
# nix blocks me from using users.users.<name>.openssh.authorizedKeys.keyFiles
|
|
# in order to only allow that to the forgejo user as it has "/var"
|
|
services.openssh.authorizedKeysInHomedir = lib.mkForce true;
|
|
|
|
services.caddy.virtualHosts."git.${config.homelab.domain}" = {
|
|
useACMEHost = config.homelab.domain;
|
|
extraConfig = ''
|
|
reverse_proxy http://127.0.0.1${toString config.services.anubis.instances.forgejo.settings.BIND} {
|
|
header_up X-Real-Ip {remote_host}
|
|
header_up X-Http-Version {http.request.proto}
|
|
}
|
|
'';
|
|
};
|
|
}
|