emileclarkb/dotfiles
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

added vaultwarden and forgejo

Browse source
This commit is contained in:
Emile Clark-Boman 2025-02-19 23:34:08 +10:00
parent 0f3a016a3d
commit db9479fa96
3 changed files with 294 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.gitignore vendored
View file

@ -1,3 +1,4 @@
ISSUES/ ISSUES/
secrets/
result result

286
hosts/hyrule/default.nix
View file

@ -9,10 +9,6 @@
sha256 = "0c07xj74vsj37d3a8f98i9rhhhr99ckwlp45n40f0qkmigm3pk8s"; sha256 = "0c07xj74vsj37d3a8f98i9rhhhr99ckwlp45n40f0qkmigm3pk8s";
}; };
in { in {
# TODO:
# - add github:charmbracelet/soft-serve
# - add forgejo
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
(import "${home-manager}/nixos") (import "${home-manager}/nixos")
@ -79,10 +75,15 @@ in {
allowedTCPPorts = [ allowedTCPPorts = [
22 # sshd 22 # sshd
80 # nginx 80 # nginx
# 143 # IMAP4
443 # nginx 443 # nginx
2222 # wishlist # 587 # SMTPS
2222 # forgejo ssh
2035 # debug (for my job) 2035 # debug (for my job)
# 3000 (INTERNAL) forgejo
# 3306 (INTERNAL) forgejo sqlite3 database
5000 # debug (for my job) 5000 # debug (for my job)
# 8222 (INTERNAL) vaultwarden
]; ];
}; };
}; };
@ -141,15 +142,24 @@ in {
services = { services = {
# simple nginx instance to host static construction page # simple nginx instance to host static construction page
# TODO: I want sshd and forgejo's ssh server to both be bound to port 22
# So change sshd to listen on a different address/port (ie 2222 or 127.0.0.3:22, etc)
# and change forgejo to use 127.0.0.2:22 (use port 22, ONLY change loopback address)
nginx = { nginx = {
enable = true; enable = true;
# package = pkgs.nginxStable.override { openssl = pkgs.libressl; }; # in wake of CVE-2022-3602/CVE-2022-3786
package = pkgs.nginxStable.override {openssl = pkgs.libressl;};
#virtualHosts."imbored.dev".locations."/" = { #virtualHosts."imbored.dev".locations."/" = {
virtualHosts."imbored.dev" = { virtualHosts = {
addSSL = true; "imbored.dev" = {
# "http:imbored.dev" = {
default = true;
# serverName = "imbored.dev";
# listenAddresses = ["imbored.dev"];
enableACME = true; enableACME = true;
addSSL = true; # forceSSL = true;
root = "/var/www/imbored"; root = "/var/www/imbored";
#index = "index.html"; #index = "index.html";
#root = pkgs.writeTextDir "index.html" '' #root = pkgs.writeTextDir "index.html" ''
@ -160,6 +170,42 @@ in {
# </html> # </html>
#''; #'';
}; };
# "ssh:imbored.dev" = {
# serverName = "imbored.dev";
# listen = [{
# addr = "imbored.dev";
# port= 22;
# }];
# locations."/".proxyPass = "ssh://127.0.0.1:2222";
# };
# Route "vault" subdomain to vaultwarden
"vault.imbored.dev" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:8222";
};
# Route "forge" subdomain to forgejo
"forge.imbored.dev" = {
# "https:forge.imbored.dev" = {
#serverName = "forge.imbored.dev";
#listenAddresses = ["forge.imbored.dev"]; # NOTE: I think this is wrong
enableACME = true; # TODO: maybe use `forgejo.settings.server.ENABLE_ACME` instead?
forceSSL = true;
extraConfig = ''
client_max_body_size 512M;
'';
locations."/".proxyPass = "http://127.0.0.1:3000";
};
# NOTE: would it work if I used "ssh://forge.imbored.dev" and "https://forge.imbored.dev" instead?
# "ssh:forge.imbored.dev" = {
# serverName = "forge.imbored.dev";
# listen = [{
# addr = "forge.imbored.dev";
# port = 22;
# }];
# locations."/".proxyPass = "ssh://127.0.0.2:22";
# };
};
}; };
openssh = { openssh = {
@ -174,13 +220,233 @@ in {
}; };
}; };
#wishlist = { vaultwarden = {
enable = true;
dbBackend = "sqlite";
# backupDir = "/var/backup/vaultwarden"; # disable with null
# https://mynixos.com/nixpkgs/option/services.vaultwarden.config
config = {
# internal address and port to listen on
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8222;
# hostname to listen for
DOMAIN = "https://vault.imbored.dev";
SIGNUPS_ALLOWED = false;
};
# https://mynixos.com/nixpkgs/option/services.vaultwarden.environmentFile
environmentFile = "/var/lib/vaultwarden/vaultwarden.env";
};
# stalwart-mail = let
# domain = "imbored.dev";
# in {
# enable = false; # true;
# # openFirewall = true; # im doing this manually rn
# settings = {
# certificate."${domain}" = {
# cert = "file://${certs.${domain}.cert}";
# private-key = "file://${certs.${domain}.key}";
# };
# server = {
# hostname = domain;
# tls = {
# certificate = "${domain}";
# enable = true; # enable = true;
#}; # implicit = false;
# };
# listener = {
# "smtp-submission" = {
# bind = ["127.0.0.1:587"];
# protocol = "smtp";
# };
# "imap" = {
# bind = ["127.0.0.1:143"];
# protocol = "imap";
# };
# };
# };
# session = {
# rcpt.directory = "in-memory";
# auth = {
# mechanisms = ["PLAIN"];
# directory = "in-memory";
# };
# };
# jmap.directory = "in-memory";
# queue.outbound.next-hop = ["local"];
# directory."in-memory" = {
# type = "memory";
# users = [
# {
# name = "me";
# secret = "foobar";
# email = ["me@${domain}"];
# }
# {
# name = "Emile";
# secret = "foobar";
# email = ["emile@${domain}"];
# }
# ];
# };
# };
# };
# more options here: https://mynixos.com/nixpkgs/options/services.forgejo
# TODO: set a favicon https://forgejo.org/docs/next/contributor/customization/#changing-the-logo
# (might need me to override settings in the nixpkg)
# TODO: create a custom theme for forgejo (modify the source files most likely)
forgejo = {
enable = true;
# enable support for Git Large File Storage
lfs.enable = true;
database = {
type = "sqlite3"; # postgres
host = "127.0.0.1";
port = "3306"; # 5432 if postgres
};
# settings are written directly to the `app.ini` config file
# refer to: https://forgejo.org/docs/latest/admin/config-cheat-sheet/
settings = {
server = {
# ENABLE_ACME = true;
# ACME_EMAIL = "eclarkboman@gmail.com"; # change this to "me@imbored.dev"
DOMAIN = "forge.imbored.dev"; # should this be "imbored.dev"?
ROOT_URL = "https://forge.imbored.dev"; # full public URL of the Forgejo server
# address and port to listen on
HTTP_ADDR = "127.0.0.1";
HTTP_PORT = 3000;
PROTOCOL = "http"; # http internally, reverse proxy uses https externally
DISABLE_SSH = false;
SSH_PORT = 2222;
# TODO: idk what this is, surely I need it to be true right???
# START_SSH_SERVER = true;
};
DEFAULT = {
APP_NAME = "Emile's Forge";
APP_SLOGIN = "Cozy";
APP_DISPLAY_NAME_FORMAT = "{APP_NAME}: {APP_SLOGAN}";
};
repository = {
DEFAULT_PRIVATE = "private"; # last, private, public
DEFAULT_PUSH_CREATE_PRIVATE = true;
MAX_CREATION_LIMIT = -1;
};
"repository.upload" = {
# max per-file size in MB
FILE_MAX_SIZE = 50;
# max number of files per upload
MAX_FILES = 5;
};
badges = let
# flat, flat-square, plastic, for-the-badge, social
style = "for-the-badge";
in {
ENABLED = true;
GENERATOR_URL_TEMPLATE = "https://img.shields.io/badge/{{.label}}-{{.text}}-{{.color}}?style=${style}";
};
ui = {
DEFAULT_THEME = "forgejo-dark";
THEMES = "forgejo-auto,forgejo-light,forgejo-dark";
};
"ui.meta" = {
AUTHOR = "Emile Clark-Boman - emileclarkb";
DESCRIPTION = "This is my personal self-hosted git forge, where I keep and maintain personal projects!";
KEYWORDS = "emileclarkb,git,forge,forgejo,self-hosted";
};
markdown = {
ENABLE_HARD_LINE_BREAK_IN_COMMENTS = true;
ENABLE_MATH = true;
};
admin = {
DEFAULT_EMAIL_NOTIFICATIONS = "enabled";
SEND_NOTIFICATION_EMAIL_ON_NEW_USER = true;
};
security = {
# Controls access to the installation page.
# When set to “true”, the installation page is not accessible.
#INSTALL_LOCK = false;
PASSWORD_HASH_ALGO = "argon2"; # ARGON2 BEST ALGO FR!!
MIN_PASSWORD_LENGTH = 12;
PASSWORD_COMPLEXITY = "lower,upper,digit,spec";
PASSWORD_CHECK_PWN = true;
};
service = {
# toggle to create an admin user
DISABLE_REGISTRATION = true;
#DEFAULT_USER_IS_RESTRICTED = true;
# Forbid login with third-party services (ie github)
ALLOW_ONLY_INTERNAL_REGISTRATION = true;
ENABLE_CAPTCHA = true;
REQUIRE_CAPTCHA_FOR_LOGIN = true;
REQUIRE_EXTERNAL_REGISTRATION_CAPTCHA = true;
LOGIN_REMEMBER_DAYS = 365;
ENABLE_NOTIFY_MAIL = true;
};
"service.explore" = {
REQUIRE_SIGNIN_VIEW = false;
DISABLE_USERS_PAGE = false;
DISABLE_ORGANIZATIONS_PAGE = false;
DISABLE_CODE_PAGE = false;
};
cache = {
ADAPTER = "twoqueue";
HOST = "{\"size\":100, \"recent_ratio\":0.25, \"ghost_ratio\":0.5}";
ITEM_TTL = "16h";
};
# TODO: fill this in once my mail server is configured
# email.incoming = { ... };
# optional
# TODO: fill this in once my mail server is configured
mailer = {
ENABLED = false;
SMTP_ADDR = "mail.imbored.dev";
FROM = "noreply@imbored.dev";
USER = "noreply@imbored.dev";
};
log = {
MODE = "file";
LEVEL = "Info"; # "Trace", "Debug", "Info", "Warn", "Error", "Critical"
ENABLE_SSH_LOG = true;
};
cron = {
ENABLED = true;
RUN_AT_START = false;
};
other = {
SHOW_FOOTER_VERSION = true;
SHOW_FOOTER_TEMPLATE_LOAD_TIME = true;
SHOW_FOOTER_POWERED_BY = true;
ENABLE_SITEMAP = true;
ENABLE_FEED = true;
};
};
};
}; };
# accept Lets Encrypt's security policy (for nginx) # accept Lets Encrypt's security policy (for nginx)
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
# TODO: change this to me@imbored.dev
defaults.email = "eclarkboman@gmail.com"; defaults.email = "eclarkboman@gmail.com";
}; };

7
hosts/myputer/default.nix
View file

@ -135,7 +135,8 @@ in {
colmena-new colmena-new
gitkraken gitkraken
keyguard # bitwarden client app # NOTE: downloadthing this causes my PC to freak!! ("too many open files" error)
#keyguard # bitwarden client app
]; ];
}; };
@ -210,6 +211,10 @@ in {
wget wget
tree tree
unzip unzip
# Cryptography
openssl
libargon2
]; ];
# DEBUG: configuring xdg portal here instead? # DEBUG: configuring xdg portal here instead?