hosts/kazuki/forgejo: init

hosts/kazuki/default.nix

@@ -18,6 +18,7 @@
         ./attic.nix
         ./ntfy.nix
         ./zitadel.nix
+        ./forgejo.nix
       ];
 
       nixpkgs.hostPlatform = "aarch64-linux";

hosts/kazuki/forgejo.nix

@@ -0,0 +1,62 @@
+{ config, ... }:
+{
+  age.secrets.rab-lol-cf = {
+    file = ../../secrets/rab-lol-cf.age;
+    owner = config.services.nginx.user;
+  };
+
+  services.forgejo = {
+    enable = true;
+    settings = {
+      server = {
+        DOMAIN = "git.rab.lol";
+        ROOT_URL = "https://git.rab.lol/";
+      };
+      oauth2_client = {
+        REGISTER_EMAIL_CONFIRM = false;
+        ENABLE_AUTO_REGISTRATION = true;
+        ACCOUNT_LINKING = "auto";
+        UPDATE_AVATAR = true;
+      };
+      service = {
+        DISABLE_REGISTRATION = false;
+        ALLOW_ONLY_INTERNAL_REGISTRATION = false;
+        ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+      };
+      federation.ENABLED = true;
+    };
+    repositoryRoot = "/storage-box/forgejo/repos";
+    lfs = {
+      enable = true;
+      contentDir = "/storage-box/forgejo/lfs";
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedTlsSettings = true;
+    virtualHosts."git.rab.lol" = {
+      forceSSL = true;
+      enableACME = true;
+      acmeRoot = null;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:3000";
+        extraConfig = ''
+          proxy_set_header Connection $http_connection;
+          proxy_set_header Upgrade $http_upgrade;
+        '';
+      };
+    };
+  };
+
+  users.users.nginx.extraGroups = [ "acme" ];
+  security.acme.acceptTerms = true;
+  security.acme.certs."git.rab.lol" = {
+    dnsProvider = "cloudflare";
+    credentialsFile = config.age.secrets.rab-lol-cf.path;
+    email = "nikodem@rabulinski.com";
+  };
+}

secrets/attic-creds.age

@@ -1,8 +1,8 @@
 age-encryption.org/v1
--> ssh-ed25519 84j9mw 2qksYjzfcPZzHnREXVW29MhWvazYIMiVRWVfPgqNuRg
-9dz5OzreQRec3sRJRtdz43LXHNTtDewu4fWOEZ3GXUE
--> ssh-ed25519 GKhvwg iS687XOI4dbrHhG5l6VPpq9iZaTJH4xF2EpLVXxyvjU
-Tmdotb9hjGsuiH5aLIC8Pot4jZ6hGuy/muECh5BRn/Y
---- 9fZK/ccW2l2pYo8b8SWdMcuXodrRNRg8GHZ563XvCy0
-äi´˜åíì®
7›sU°¼¹’qô'';ípÔ®œsG˜9jEräê‹õsrj¤Ûs«~hÖUiýu™ PÝ¿¥VÜpIÉš<C389>¥¬É¹û­ˆRœ<v16çž)sUÕP¤¶^†•5rt ã×ÞewK¤óy“ú”è”)`‘Œ
-D3ëÀ*aüöýÞ!Ùbw¶¬UÏÿøTâ2N]‡aå
+-> ssh-ed25519 84j9mw 0DJjRtW0WqGWZ8NWVQYGKgGxXeMdddizs/WUWfSx5Uw
+VLFkBGSOjhQB5riMjsQ2U6WqsATZgQQ80TVrE6qOXv8
+-> ssh-ed25519 GKhvwg HGe3GocuRC1rVdQv+zpxf2Yky0ISJsKC8YOuLGdX+i8
+lT4rVeBD2zhTm3KWDmH46NscXHCiN6vKf6t4B6LXUPI
+--- 3G4VY3jPnN3o6jfv1GsQx3v2xW1QYeVwVmEA6VDo1ro
+SÄ•úËÇ2¬·Ó¨n›’j§2BVşđ
+dQôŢü/ŐX><3E>ő[Ęu#Aśë3ÇŇČhvó´7&™YĂgČ{˝)j—Ě;RÝŽm¨Ćt22l5v'¤ců+<2B>Ëp—\6ÔVJ—F <46>ŹŢ?˘™!K	ŘLőĄ
ÓÝ€6ŤkŃDóTj´ëđXł —%1˝h'Ł0riűž[

secrets/github-token.age

@@ -1,13 +1,13 @@
 age-encryption.org/v1
--> ssh-ed25519 IFuY+w KxBuZIqLX9AD6ZbmBBSby4tAcmPI5hYTTEK4R719lwU
-HIBcTY6arP79lGSA/darvIeOtDGxo1qtO4dodYtAVpQ
--> ssh-ed25519 84j9mw koQjhSrpJLoMMrnrqDZtWbbla3DEbkMzrLqT9dWXP04
-Bk/O9e64nPuLit4rTpaMYcaYL0DSN2MdkGl03r8Oor4
--> ssh-ed25519 ioPMHA Onl/uaahcw61i9P0L3iFDbpspirzSA4L+m14WYUzFwY
-A1zhIe3x+J8UpZWoF6VJvlyuuquu0O16r5qMvPJV9x4
--> ssh-ed25519 5A7peQ PJ2ODZjmY8RRrg036L4nvTEWPJgN6WMh6Dg4fvRUynA
-K4Rr55KyjH/hJ+Mb82nMwVRzrgfbZSMO9Imt0zbrmSg
--> ssh-ed25519 GKhvwg aA7+TesIIfUcNUFaLlftkX7Tz68Hm8OgMD0tUqhZUBg
-+fLyX0krrMC5FpzwfzTsywgFTK5uRe4KFMdL5fDZUkI
---- TPzhwBPekXX1mmDbTOkWW9nB6ck7dymeIjkFHaq43V8
-X˜à²Üz-ï8MȨªm`Õp(ýO€ÿâÕ/ˆjø3ì$@8‚"ȳBÖèX½(Þkhljüšã¡8£HéEPì¤ïb
+-> ssh-ed25519 IFuY+w nyBEszEusqQE6jM7y9G4KCyzNHawdyy+hTfm9LsuRCY
+1bbg4kmmv9m2Gwp+3x8zvqFOkmTKt898/sGCUK9rpGE
+-> ssh-ed25519 84j9mw 5s2PNoIOMWf2gBwzmRHmssMOuvu2kv43316E20McKh8
+FyA+VjPgPynvMQfxm3d2+SOEpsJFIKJE8pbXeIkOfGI
+-> ssh-ed25519 ioPMHA 4N9PsYYaeqJDbxpQpyCgvR/JWwLPDCAi65YB6M0uT0U
+mFCqo1htPi2WRKiJz/t8Y7TMD/p7X81HsHGG0KIsROQ
+-> ssh-ed25519 5A7peQ ZjRTqjDou2xS638dR8AWKCv5uKTSmOSJ/4rkfFckhjY
+yUJABvMDLN0C15XBmnZJZ88khXAXLUP+aEqH5DlJcKY
+-> ssh-ed25519 GKhvwg w1OKhVPY89J/pbrrXIHVifV++5e1tLqlSL9yM/2rqX0
+VF0cvmdtCZAlPgIqcNZYp7ANPhvDqlFE7h018lCbWyg
+--- YWa0wXlaYVF+g06+w/u/h+NURlfMY8lauf5ZtrrhrF4
+3¦Í…P׆øæôÃ?4ƒ·)òçméñ f.ùªª±§þå²’`<60><><EFBFBD>Á½aF<61>CjŒ"JÂÑwd鱇œùBÆŒ+{dK´µ•

secrets/leet-nrab-lol-pass.age

@@ -1,7 +1,8 @@
 age-encryption.org/v1
--> ssh-ed25519 84j9mw /4EXihTNwoJjJHmCldhT+67ZMuTLNLmf5oDGQ8ZDxV4
-VDRX6MRCs8Xp01yA3/9AzaN96uM0HI24w8Fpd5TGwJw
--> ssh-ed25519 GKhvwg R0So7TPGmZ6e4syoLb8l1vgW+/FWUIufIsbpmRDnxjk
-UKvX1UMpHicSEMmFMOBkKQ1lo15DgRfIxCo2azTX6Ac
---- L8BkLO3WSy/aKJ9x4uvp5uJDEmXm4hCNutQ8B8Jiio0
-ĉ%rg‘D/߉×gh¢TÆÓ»•%¼¾o
nJý¨“•$W0·i|Ù{òÑñ¿!‚bpT“œŠíe*K™	 ð£éX­íÔu®iXŸ:~O\X#(¼¡Q)R@s
A
+-> ssh-ed25519 84j9mw ZuGILSHnMIMy/GDEjkAriTBKBykkytcIVo63DPd4MhA
+aa/sGLpf+GrLzo8Jf3JWAPI0Uk96SH/CvGhynNJVx6E
+-> ssh-ed25519 GKhvwg STHVqp1zYhQzu73INk2Cmkuf8X8kJPLtGSY8LJze/Tc
+Ny1C5CAnqSCcunIbM8if8oQ2VlerIIW5Dqds/Ztektw
+--- gaHP+odPfw8A4f5NJkYOuvvYRWwo5EzRZVkXp6E7dfI
+NëÑfO÷=¢¨ÿª+T3þT 0w<ˆnXrˆ\—ùä˜XZ´MãX n˜Ò*ªóÞɯòGœ’¼!¡ßG^ ß2ÞúÓÑqê’ô˜/w†ü
+ª½“}FPy‹<79>

secrets/legion-niko-pass.age

@@ -1,7 +1,8 @@
 age-encryption.org/v1
--> ssh-ed25519 ioPMHA wC40k2E26e/5foBXXf43FFKYGSlnoQyFzjJtQRshJw0
-F7LlDuPFfyKjKTT9orFBBUqcmON7DSFrsqHC24x/7jc
--> ssh-ed25519 GKhvwg LvajdH8hQ9LQ09qgzIjxYyQfoyJJr649Ks41rmFNWEA
-8kLSIbryosex94KkLqJILIUWplrf5vtf59QjJdprOTY
---- 0XLL9dP31jyO/WdtwUu+C38NqCVcOjkdHKhB82rPUiQ
-}î§æ5Úày(i~íB+…‰0<11>q¼:!Í-V1Ð΋‰ˆóçŒ"ÎÓ§F>ÀlÍ	“ UäæB¼œÈ7"†eË<>âìo§ˆ»%p<>•+‘CÞ§˜Ú:,,åüWü¶þT¦Ó3
+-> ssh-ed25519 ioPMHA K64Chk5/f0PpwHg5IzsUNYr5lQxpjIIQTe6ls9lnmBo
+J37Cz80gmkT7GX3Yvbwl5Q708wpj9oixjMCmyWb3MDQ
+-> ssh-ed25519 GKhvwg r46Ti9DfXxyEnXRtLonwA4JnNeQVLKDIMcXYCUe7j2U
+VWacAQw/pc2uaLZy7/I078hbwmuD/Hut8XH7XAHW9bQ
+--- bGfqo9trmubXG+4Y3SWmqh8BSyuHpw3+udGllY740S8
+ó¢<EFBFBD>Ådúã_-•z3(	1 ä°<>aõ
+T’þü»@c!Ô<>|à=ªngu¡ðuK	®	Æ·ôÞ²rDrëÍW-fý-—+DÌKžñC`»ÂRý™ÐÆ:Â5mHȲrd³.Ctˆ"J

secrets/miyagi-niko-pass.age

@@ -1,7 +1,8 @@
 age-encryption.org/v1
--> ssh-ed25519 g2vRWw 3mHAcu63Cw+hKbRkAQMlddIg071e+ggdU7lGWF3Lmmw
-K3NBGhpyON3JLa8kb46dJD6mY+4ZHYDO5v78uYUY96s
--> ssh-ed25519 GKhvwg hm8EAsFbWe1OykH/uovSvmPJdVIQd91rcWvgjfIEPwg
-Wn1ywatZ7KCfxOhvoLXUGAA15nAobR6Qs+5xuOb51rM
---- NS6E6N7YAmP+kTht3ZiqVEuyNsJzIumut4sppS7L6dQ
-a9ë¼3ÌØjm¶á;0pýû’lÀ;¨nçŽc CJÐë³HÔúH×ñ ìëʴÄ/ôM¶0¬¾º,kJoZŽ<5A>!¢‹¢´­µ?:^°D72ñÚZ5ao¡'Í4óžÙT09‹
+-> ssh-ed25519 g2vRWw //TMaNWwTNS5wE3Hg/SEwqriIaOiOUE5remdVF449Vk
+8K3isM05ep9HJ58TlNE9bmiIuqJPoq3lI/3AbUrLw8Q
+-> ssh-ed25519 GKhvwg GANoFnELye0945KaMuS7xw6CGPhI5vigD+vScnpbQxI
+CSx0E7fOB8A5MSc1ySywNFj5mkkdi6DDUc+ObaW/kew
+--- +BiFZI/o5loCYZ95bkY4zQYr2y6SYc2bmnRuAMg2MPM
+"D1ŠMh»›`dcó…Þl©U;]PuÍ×Õ¼	/?¸Éì5«\\ì½D»ô¯È1l6øz‘ÍÕNé¼Sì™Æ
+N;<+^BpømÕšÁy»
ñ¦s°Z;ûúVª«¥ÉÝj’

secrets/ntfy-alert-pass.age

@@ -1,17 +1,17 @@
 age-encryption.org/v1
--> ssh-ed25519 H0Rg/A 5qbQNdu7cPFz8Ckk/rkmOUEjGxvQ/xLJjJanW3yW7EY
-wffzBgQfjnV4T9EoSPUXpBBjax0kn9EYvuxJ8MjsQ+A
--> ssh-ed25519 84j9mw hNlKz0lO4IRdU9QbZVUnFbfYyVxi4pNN/rF/iZMj33o
-naM1DVoftYQiqb6aiCKOHW9neR2WvRLACA64C5gMOus
--> ssh-ed25519 5A7peQ D3PbqVToxRnoMB8PLKWXR1i+Wj+lBfAOZWIJbZhXMVM
-dvIRFfytQB3HYT3l/XIYQGgKlTsCLiqGu7a8TntgLwE
--> ssh-ed25519 ioPMHA 8tnQt8aDlpi4EY3KXkSWU9hwiG87QEjbf5WSxtdXqWU
-ZL0RnU9K7rlRvBf62up+PWIA4lyp7uXmghJiIoaSDUQ
--> ssh-ed25519 g2vRWw dq2T5cV7ChXrOjzHV2oNEvBf8X83prauzODhWz4nVz8
-qVmcA4cx/0NQ5DCpRaDt+OzjGWmmKX+Tjt5eayO5+3k
--> ssh-ed25519 IFuY+w +S7iVY0JQsmL2JdZY7AcypCkL8CcHDZZqPPFdsaznCs
-3vMjLGHEtpIrYOEZU4P8doxgYK+SIwnlVlpiWoodjxE
--> ssh-ed25519 GKhvwg 7NXLTP8qYxF3C2QAlmAQ8XeVknJ7z6LBd2r/N0SxMHo
-GAICwB3Q+qYoGN9GYPp0qaTx+QdQxLC50T+lIMiPPfg
---- y/GvxOXuOevIogx9o+ZwmiicfOF8NMmydrKUB5GSjTg
-žaE|:¦ŒÜËHÑø8Æf´é¾!Öj›6Hþ•
Sºì™lažüPôMd‚½_]w>,H%ÙA‚ñÖEšJ¯dQ
+-> ssh-ed25519 H0Rg/A 0fS4hFGApCXEVxeS2vjMjh0AK2yp6I7kj3jNR4PoJGY
++3vGwadl7JfgYAqoNRD2Qi1Y9fMb8JpPKEQdikvsVgI
+-> ssh-ed25519 84j9mw 1aHwFWtpDG2DQHdwVwpEgJK5qGwo0ln0Z3ZJywUXYV4
+sKcMQdZBVp4oeX3tEmlWIqZt5xUIuMVQp0uLYc97QVA
+-> ssh-ed25519 5A7peQ Zt+U88BWZhKgbSyG6dAuYU88NfQF8kw1T+lw/8Al/xg
+LJRq04OR460RfUgKYwDm81a9AcXZWSuWrZkihVvo8MM
+-> ssh-ed25519 ioPMHA IAnt9wu0vk3q0TiebE7Ojf+KI4nrwe+i8zdwgejn52E
+77SJKJIjJ8sr4hdmWAPxRh42JZQo5CImhqclNi2p8Ak
+-> ssh-ed25519 g2vRWw e4vo2n6AnW2fcT6mul0ytIpfGTcR+tqCWwGVllScwhI
+P1LkRmJY98/UZwiJi+SdsIkckqg9dX1aGXQkhSpxJGg
+-> ssh-ed25519 IFuY+w mITC+Jg5WMc9Ufy6Fkba8mao71/kP0meW/RjSPER/3I
+Lly7RvQ4Bb0ZAvfXhWNgLLAmt2ABMrx8hdWx8mWXPzw
+-> ssh-ed25519 GKhvwg /+C8xTcFTG8LmKOzs05wQsCtxyAM7pCbX+FevBJ1bGM
+ZdAtZtQldGtvdmHbysyd0saoiYGoUj1o9F77jbG7YnE
+--- G1O9di6cDML/82E7WkdBSRcTrmEbDWG3u6jP9H5OpBQ
++OÍ0¾×ì.Ÿ÷Ó-ÎáwÚÝ]¥Í˜	bmy«tUË"£@+yø6ÂbØñ‡oF­8Å‘pÅ°Ü9dü

secrets/ntfy-niko-pass.age

@@ -1,7 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 84j9mw NPno3Ox+binqR7DxgPLHoPxfp7aScR4bEyR4Sck6VEo
-jnQrnf7CrWL5nhj/GFEV5mXP8SFQV2EkL9NCV5mhgxU
--> ssh-ed25519 GKhvwg v8SFsdzsloII81FQZ89krfNaWEKtfJAK0VuYXHSzfR0
-j3sOP5IzAINcai+kGjkCX93bkmM7FWSxj8TseWirOrI
---- WsXIVgFQVz5CmYA7d28aanO6iaHb1DP/bcwwmNrdGQw
-#<!«0†<hŠ¿G]IâS—Ï„ʪê“æ´3®†}:zì—®>ÉÖÅðŒÀHÜD×9
+-> ssh-ed25519 84j9mw tR4gg/XeVdS8xCIuHxN25uaRKu6a09DSW26SI3AWDlM
+uC2gJ9UWDE6uVXkUDlaVZlWAH5iLDgagkN+54msvyoY
+-> ssh-ed25519 GKhvwg q27QskTYhI5gjIKKpNHn5V2FRmhIg8QFJ8m0TPZiwSY
+/0RIbiG/nwxKDJ613BLoCNvjej6f65mr1xwCN7/aueI
+--- XU82wFZVE+zTZ/mGhnoxqWrdUOv3n6VOwQizZSHPLfw
+«ÁěĎ"˝ô˛čů1ëKË×Ä˝°˝.Ž J<>'!nlO]>ˇďĹYç
ąEűëÝX‘

secrets/rab-lol-cf.age

@@ -1,7 +1,10 @@
 age-encryption.org/v1
--> ssh-ed25519 ioPMHA OalLSgF0zP+HWMvce3JMzuPzkMfKB6mfObp9DCMBE1M
-YaQXa2PGhrpSPgbHODvN80m6ovnaz+ZezS3OsW1YYcc
--> ssh-ed25519 GKhvwg uUOhm+rQ/BL8uX85R+thBcRWNupUrMj/wYZ/rzhjugU
-XAm8FqJ4G4sUwibp8vC/cyZIrsrk2GNp7rVIfM/phBI
---- bvhcnA92V3feL8yv3Nx5aBKZi64Eg47zT2MS9I1hL0c
-›;á ĄÖ°Á$Q§±^G5@LĐí9|˛k?ľFÁ?BĘ0ésĘĄśĆ^,UŠŹ[9&żčĂáŢúyýh‚„ŰOÍéÄ0.ăŁ"~PŘPń±‚üĘüúŔA†
+-> ssh-ed25519 ioPMHA efHpBvtB+mXXa7RoRdqePHGOmsY5BXVOgGsfOhPm30w
+2GvumVVuuLGEarpdauTCrB61aLtVtrkM3/pPlWIODnk
+-> ssh-ed25519 84j9mw rqj6xvESlvrfcjhVEWCbpd//vvdKjrTjt3ZDPeLHowQ
+dcUD131zvVQGiUYQWt9A51CnIpLGNSGinSZk7HSGHoc
+-> ssh-ed25519 GKhvwg cIji8zRSGWEbC/xxS8C4jyDCpQsFv05j2Yo8UjaHSAk
++c/tIYPigZdPQWKvGYaoA6AYRAB83XlEEdfucihB984
+--- TEQTQ/lm/JqyyWU2sC10qHl4AL/2IP9yCUfhXG4LdP4
+ŮČ®żöˇS¨Fâ-dc‹D€\<5C>?hî Qg@W’âî
+xA|M*Űr—t0Üű~Ń°XaŇ{¸ÎĂy/ŹëWUѸˇ¤Y˛‹ë ¬¨{đ×°}TAxDç

secrets/secrets.nix

@@ -74,6 +74,7 @@ in
   ];
   "rab-lol-cf.age".publicKeys = [
     keys.system.legion
+    keys.system.kazuki
     keys.other.bootstrap
   ];
   "rabulinski-com-cf.age".publicKeys = [

secrets/storage-box-creds.age

@@ -1,7 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 84j9mw Hnei3vVAC9dL9O1H9GIVL0WqR8/rinZ04AM8vwacgwg
-vPzKjQDCPKdwEHvdDibg6i/LeDjFwXBnINkzwlh0hBk
--> ssh-ed25519 GKhvwg PAvDfn/sTrH8lhbHZ/l9hmyjNXIPSdN7MCOYkD1ZC1g
-Bh+PCt3X89RJZMS6XCQRFCC9dW4BWlWPbZgdzVniW9E
---- Ad8wu6O3CZUDHmsxhaFiVcpTLHtMmSVENddCD2Ns4r0
-»•åMgÒÎðÊÜóD_&òý‹¹ët¯ª]Vœ„"Riá<>K)·?e<>©v
™)¦ëƒ	zãÒÖ¤“9DNº<ì*1‰Gl
+-> ssh-ed25519 84j9mw voingQjX/CjAjo63KLaRPFaG74IpxcRb0qv+r2b5wzo
+ccWzQQSJW7cc8RiS9PzN2U5Xj0+Z7804tPsaGrq09KA
+-> ssh-ed25519 GKhvwg 2z8J0YRxQ4WP1G/W7DxRK7z1b6UBjodvN8ECP4fLg1U
+wRG4U9oAJ2KtPUHg5l0yDmmHatmwXOrn2nJlOQJMlpE
+--- qs7kR5AIkwQ8NtDjYnmKZmCl4+1G6MFBNB3Mu3J9Y1M
+<EFBFBD>ø™
+æ8[ÅÎWÑ•®Sàõòݸ’<C2B8>„<EFBFBD>î]&èZaؼuŸÇæžEBÕå!®pŽÖÏ´åÌ4pYݱ"
+QYê<EFBFBD>qSƬ`œ