added vaultwarden and forgejo

2025-02-19 23:34:08 +10:00 · 2025-02-19 23:34:08 +10:00 · db9479fa96
commit db9479fa96
parent 0f3a016a3d
3 changed files with 294 additions and 22 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,4 @@
 ISSUES/
+secrets/

 result
--- a/hosts/hyrule/default.nix
+++ b/hosts/hyrule/default.nix
@ -9,10 +9,6 @@
    sha256 = "0c07xj74vsj37d3a8f98i9rhhhr99ckwlp45n40f0qkmigm3pk8s";
  };
 in {
-  # TODO:
-  #    - add github:charmbracelet/soft-serve
-  #    - add forgejo
-
  imports = [
    ./hardware-configuration.nix
    (import "${home-manager}/nixos")
@ -79,10 +75,15 @@ in {
      allowedTCPPorts = [
        22 # sshd
        80 # nginx
+        # 143 # IMAP4
        443 # nginx
-        2222 # wishlist
+        # 587 # SMTPS
+        2222 # forgejo ssh
        2035 # debug (for my job)
+        # 3000 (INTERNAL) forgejo
+        # 3306 (INTERNAL) forgejo sqlite3 database
        5000 # debug (for my job)
+        # 8222 (INTERNAL) vaultwarden
      ];
    };
  };
@ -141,24 +142,69 @@ in {

  services = {
    # simple nginx instance to host static construction page
+    # TODO: I want sshd and forgejo's ssh server to both be bound to port 22
+    #       So change sshd to listen on a different address/port (ie 2222 or 127.0.0.3:22, etc)
+    #       and change forgejo to use 127.0.0.2:22 (use port 22, ONLY change loopback address)
    nginx = {
      enable = true;

-      # package = pkgs.nginxStable.override { openssl = pkgs.libressl; };
+      # in wake of CVE-2022-3602/CVE-2022-3786
+      package = pkgs.nginxStable.override {openssl = pkgs.libressl;};

      #virtualHosts."imbored.dev".locations."/" = {
-      virtualHosts."imbored.dev" = {
-        addSSL = true;
-        enableACME = true;
-        root = "/var/www/imbored";
-        #index = "index.html";
-        #root = pkgs.writeTextDir "index.html" ''
-        #  <html>
-        #  <body>
-        #  Give me your mittens!
-        #  </body>
-        #  </html>
-        #'';
+      virtualHosts = {
+        "imbored.dev" = {
+          # "http:imbored.dev" = {
+          default = true;
+          # serverName = "imbored.dev";
+          # listenAddresses = ["imbored.dev"];
+          enableACME = true;
+          addSSL = true; # forceSSL = true;
+          root = "/var/www/imbored";
+          #index = "index.html";
+          #root = pkgs.writeTextDir "index.html" ''
+          #  <html>
+          #  <body>
+          #  Give me your mittens!
+          #  </body>
+          #  </html>
+          #'';
+        };
+        # "ssh:imbored.dev" = {
+        #   serverName = "imbored.dev";
+        #   listen = [{
+        #     addr = "imbored.dev";
+        #     port= 22;
+        #   }];
+        #   locations."/".proxyPass = "ssh://127.0.0.1:2222";
+        # };
+        # Route "vault" subdomain to vaultwarden
+        "vault.imbored.dev" = {
+          enableACME = true;
+          forceSSL = true;
+          locations."/".proxyPass = "http://127.0.0.1:8222";
+        };
+        # Route "forge" subdomain to forgejo
+        "forge.imbored.dev" = {
+          # "https:forge.imbored.dev" = {
+          #serverName = "forge.imbored.dev";
+          #listenAddresses = ["forge.imbored.dev"]; # NOTE: I think this is wrong
+          enableACME = true; # TODO: maybe use `forgejo.settings.server.ENABLE_ACME` instead?
+          forceSSL = true;
+          extraConfig = ''
+            client_max_body_size 512M;
+          '';
+          locations."/".proxyPass = "http://127.0.0.1:3000";
+        };
+        # NOTE: would it work if I used "ssh://forge.imbored.dev" and "https://forge.imbored.dev" instead?
+        # "ssh:forge.imbored.dev" = {
+        #   serverName = "forge.imbored.dev";
+        #   listen = [{
+        #     addr = "forge.imbored.dev";
+        #     port = 22;
+        #   }];
+        #   locations."/".proxyPass = "ssh://127.0.0.2:22";
+        # };
      };
    };

@ -174,13 +220,233 @@ in {
      };
    };

-    #wishlist = {
-    #  enable = true;
-    #};
+    vaultwarden = {
+      enable = true;
+      dbBackend = "sqlite";
+
+      # backupDir = "/var/backup/vaultwarden"; # disable with null
+
+      # https://mynixos.com/nixpkgs/option/services.vaultwarden.config
+      config = {
+        # internal address and port to listen on
+        ROCKET_ADDRESS = "127.0.0.1";
+        ROCKET_PORT = 8222;
+
+        # hostname to listen for
+        DOMAIN = "https://vault.imbored.dev";
+        SIGNUPS_ALLOWED = false;
+      };
+      # https://mynixos.com/nixpkgs/option/services.vaultwarden.environmentFile
+      environmentFile = "/var/lib/vaultwarden/vaultwarden.env";
+    };
+
+    # stalwart-mail = let
+    #   domain = "imbored.dev";
+    # in {
+    #   enable = false; # true;
+    #   # openFirewall = true; # im doing this manually rn
+    #   settings = {
+    #     certificate."${domain}" = {
+    #       cert = "file://${certs.${domain}.cert}";
+    #       private-key = "file://${certs.${domain}.key}";
+    #     };
+    #     server = {
+    #       hostname = domain;
+    #       tls = {
+    #         certificate = "${domain}";
+    #         enable = true;
+    #         implicit = false;
+    #       };
+    #       listener = {
+    #         "smtp-submission" = {
+    #           bind = ["127.0.0.1:587"];
+    #           protocol = "smtp";
+    #         };
+    #         "imap" = {
+    #           bind = ["127.0.0.1:143"];
+    #           protocol = "imap";
+    #         };
+    #       };
+    #     };
+    #     session = {
+    #       rcpt.directory = "in-memory";
+    #       auth = {
+    #         mechanisms = ["PLAIN"];
+    #         directory = "in-memory";
+    #       };
+    #     };
+    #     jmap.directory = "in-memory";
+    #     queue.outbound.next-hop = ["local"];
+    #     directory."in-memory" = {
+    #       type = "memory";
+    #       users = [
+    #         {
+    #           name = "me";
+    #           secret = "foobar";
+    #           email = ["me@${domain}"];
+    #         }
+    #         {
+    #           name = "Emile";
+    #           secret = "foobar";
+    #           email = ["emile@${domain}"];
+    #         }
+    #       ];
+    #     };
+    #   };
+    # };
+
+    # more options here: https://mynixos.com/nixpkgs/options/services.forgejo
+    # TODO: set a favicon https://forgejo.org/docs/next/contributor/customization/#changing-the-logo
+    #       (might need me to override settings in the nixpkg)
+    # TODO: create a custom theme for forgejo (modify the source files most likely)
+    forgejo = {
+      enable = true;
+      # enable support for Git Large File Storage
+      lfs.enable = true;
+      database = {
+        type = "sqlite3"; # postgres
+        host = "127.0.0.1";
+        port = "3306"; # 5432 if postgres
+      };
+      # settings are written directly to the `app.ini` config file
+      # refer to: https://forgejo.org/docs/latest/admin/config-cheat-sheet/
+      settings = {
+        server = {
+          # ENABLE_ACME = true;
+          # ACME_EMAIL = "eclarkboman@gmail.com"; # change this to "me@imbored.dev"
+          DOMAIN = "forge.imbored.dev"; # should this be "imbored.dev"?
+          ROOT_URL = "https://forge.imbored.dev"; # full public URL of the Forgejo server
+          # address and port to listen on
+          HTTP_ADDR = "127.0.0.1";
+          HTTP_PORT = 3000;
+          PROTOCOL = "http"; # http internally, reverse proxy uses https externally
+
+          DISABLE_SSH = false;
+          SSH_PORT = 2222;
+          # TODO: idk what this is, surely I need it to be true right???
+          # START_SSH_SERVER = true;
+        };
+
+        DEFAULT = {
+          APP_NAME = "Emile's Forge";
+          APP_SLOGIN = "Cozy";
+          APP_DISPLAY_NAME_FORMAT = "{APP_NAME}: {APP_SLOGAN}";
+        };
+
+        repository = {
+          DEFAULT_PRIVATE = "private"; # last, private, public
+          DEFAULT_PUSH_CREATE_PRIVATE = true;
+          MAX_CREATION_LIMIT = -1;
+        };
+
+        "repository.upload" = {
+          # max per-file size in MB
+          FILE_MAX_SIZE = 50;
+          # max number of files per upload
+          MAX_FILES = 5;
+        };
+
+        badges = let
+          # flat, flat-square, plastic, for-the-badge, social
+          style = "for-the-badge";
+        in {
+          ENABLED = true;
+          GENERATOR_URL_TEMPLATE = "https://img.shields.io/badge/{{.label}}-{{.text}}-{{.color}}?style=${style}";
+        };
+
+        ui = {
+          DEFAULT_THEME = "forgejo-dark";
+          THEMES = "forgejo-auto,forgejo-light,forgejo-dark";
+        };
+        "ui.meta" = {
+          AUTHOR = "Emile Clark-Boman - emileclarkb";
+          DESCRIPTION = "This is my personal self-hosted git forge, where I keep and maintain personal projects!";
+          KEYWORDS = "emileclarkb,git,forge,forgejo,self-hosted";
+        };
+
+        markdown = {
+          ENABLE_HARD_LINE_BREAK_IN_COMMENTS = true;
+          ENABLE_MATH = true;
+        };
+
+        admin = {
+          DEFAULT_EMAIL_NOTIFICATIONS = "enabled";
+          SEND_NOTIFICATION_EMAIL_ON_NEW_USER = true;
+        };
+
+        security = {
+          # Controls access to the installation page.
+          # When set to “true”, the installation page is not accessible.
+          #INSTALL_LOCK = false;
+
+          PASSWORD_HASH_ALGO = "argon2"; # ARGON2 BEST ALGO FR!!
+          MIN_PASSWORD_LENGTH = 12;
+          PASSWORD_COMPLEXITY = "lower,upper,digit,spec";
+          PASSWORD_CHECK_PWN = true;
+        };
+
+        service = {
+          # toggle to create an admin user
+          DISABLE_REGISTRATION = true;
+          #DEFAULT_USER_IS_RESTRICTED = true;
+          # Forbid login with third-party services (ie github)
+          ALLOW_ONLY_INTERNAL_REGISTRATION = true;
+          ENABLE_CAPTCHA = true;
+          REQUIRE_CAPTCHA_FOR_LOGIN = true;
+          REQUIRE_EXTERNAL_REGISTRATION_CAPTCHA = true;
+          LOGIN_REMEMBER_DAYS = 365;
+          ENABLE_NOTIFY_MAIL = true;
+        };
+        "service.explore" = {
+          REQUIRE_SIGNIN_VIEW = false;
+          DISABLE_USERS_PAGE = false;
+          DISABLE_ORGANIZATIONS_PAGE = false;
+          DISABLE_CODE_PAGE = false;
+        };
+
+        cache = {
+          ADAPTER = "twoqueue";
+          HOST = "{\"size\":100, \"recent_ratio\":0.25, \"ghost_ratio\":0.5}";
+          ITEM_TTL = "16h";
+        };
+
+        # TODO: fill this in once my mail server is configured
+        # email.incoming = { ... };
+
+        # optional
+        # TODO: fill this in once my mail server is configured
+        mailer = {
+          ENABLED = false;
+          SMTP_ADDR = "mail.imbored.dev";
+          FROM = "noreply@imbored.dev";
+          USER = "noreply@imbored.dev";
+        };
+
+        log = {
+          MODE = "file";
+          LEVEL = "Info"; # "Trace", "Debug", "Info", "Warn", "Error", "Critical"
+          ENABLE_SSH_LOG = true;
+        };
+
+        cron = {
+          ENABLED = true;
+          RUN_AT_START = false;
+        };
+
+        other = {
+          SHOW_FOOTER_VERSION = true;
+          SHOW_FOOTER_TEMPLATE_LOAD_TIME = true;
+          SHOW_FOOTER_POWERED_BY = true;
+          ENABLE_SITEMAP = true;
+          ENABLE_FEED = true;
+        };
+      };
+    };
  };
  # accept Lets Encrypt's security policy (for nginx)
  security.acme = {
    acceptTerms = true;
+    # TODO: change this to me@imbored.dev
    defaults.email = "eclarkboman@gmail.com";
  };

--- a/hosts/myputer/default.nix
+++ b/hosts/myputer/default.nix
@ -135,7 +135,8 @@ in {
            colmena-new

            gitkraken
-            keyguard # bitwarden client app
+            # NOTE: downloadthing this causes my PC to freak!! ("too many open files" error)
+            #keyguard # bitwarden client app
          ];
      };

@ -210,6 +211,10 @@ in {
    wget
    tree
    unzip
+
+    # Cryptography
+    openssl
+    libargon2
  ];

  # DEBUG: configuring xdg portal here instead?