diff --git a/assets/forgejo/apple-touch-icon.png b/assets/forgejo/apple-touch-icon.png
new file mode 100644
index 0000000..f082d31
Binary files /dev/null and b/assets/forgejo/apple-touch-icon.png differ
diff --git a/assets/forgejo/avatar_default.png b/assets/forgejo/avatar_default.png
new file mode 100644
index 0000000..d6cc008
Binary files /dev/null and b/assets/forgejo/avatar_default.png differ
diff --git a/assets/forgejo/favicon.png b/assets/forgejo/favicon.png
new file mode 100644
index 0000000..a9d8b5e
Binary files /dev/null and b/assets/forgejo/favicon.png differ
diff --git a/assets/forgejo/favicon.svg b/assets/forgejo/favicon.svg
new file mode 100644
index 0000000..a54a92a
--- /dev/null
+++ b/assets/forgejo/favicon.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/assets/forgejo/logo.png b/assets/forgejo/logo.png
new file mode 100644
index 0000000..0ee15c9
Binary files /dev/null and b/assets/forgejo/logo.png differ
diff --git a/assets/forgejo/logo.svg b/assets/forgejo/logo.svg
new file mode 100644
index 0000000..a54a92a
--- /dev/null
+++ b/assets/forgejo/logo.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/flake.nix b/flake.nix
index 217b7cc..b69eec2 100644
--- a/flake.nix
+++ b/flake.nix
@@ -65,6 +65,9 @@
# racket
"*.rkt"
"**/rashrc"
+
+ # custom assets
+ "*.png"
];
settings.on-unmatched = "fatal";
};
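Review bot: The new exclusion covers only `*.png`, but the same commit also adds `assets/forgejo/favicon.svg` and `assets/forgejo/logo.svg`; with `settings.on-unmatched = "fatal"` any file no formatter claims fails the run, so unless an SVG/XML formatter is configured earlier in this file (outside the hunk) `"*.svg"` should join `"*.png"` under the `# custom assets` comment. Narrowing the glob to `"assets/**"` would also keep the exclusion from silently hiding stray PNGs elsewhere in the tree. The list being extended (presumably the treefmt excludes) starts before this hunk.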
diff --git a/hosts/kazuki/default.nix b/hosts/kazuki/default.nix
index df92f1c..8464cb5 100644
--- a/hosts/kazuki/default.nix
+++ b/hosts/kazuki/default.nix
@@ -15,7 +15,6 @@
./storage.nix
./ntfy.nix
./zitadel.nix
- ./forgejo.nix
./prometheus.nix
];
diff --git a/hosts/kazuki/forgejo.nix b/hosts/kazuki/forgejo.nix
deleted file mode 100644
index 9f200e2..0000000
--- a/hosts/kazuki/forgejo.nix
+++ /dev/null
@@ -1,62 +0,0 @@
-{ config, ... }:
-{
- age.secrets.rab-lol-cf = {
- file = ../../secrets/rab-lol-cf.age;
- owner = config.services.nginx.user;
- };
-
- services.forgejo = {
- enable = true;
- settings = {
- server = {
- DOMAIN = "git.rab.lol";
- ROOT_URL = "https://git.rab.lol/";
- };
- oauth2_client = {
- REGISTER_EMAIL_CONFIRM = false;
- ENABLE_AUTO_REGISTRATION = true;
- ACCOUNT_LINKING = "auto";
- UPDATE_AVATAR = true;
- };
- service = {
- DISABLE_REGISTRATION = false;
- ALLOW_ONLY_INTERNAL_REGISTRATION = false;
- ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
- };
- federation.ENABLED = true;
- };
- repositoryRoot = "/storage-box/forgejo/repos";
- lfs = {
- enable = true;
- contentDir = "/storage-box/forgejo/lfs";
- };
- };
-
- services.nginx = {
- enable = true;
- recommendedProxySettings = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedTlsSettings = true;
- virtualHosts."git.rab.lol" = {
- forceSSL = true;
- enableACME = true;
- acmeRoot = null;
- locations."/" = {
- proxyPass = "http://127.0.0.1:3000";
- extraConfig = ''
- proxy_set_header Connection $http_connection;
- proxy_set_header Upgrade $http_upgrade;
- '';
- };
- };
- };
-
- users.users.nginx.extraGroups = [ "acme" ];
- security.acme.acceptTerms = true;
- security.acme.certs."git.rab.lol" = {
- dnsProvider = "cloudflare";
- credentialsFile = config.age.secrets.rab-lol-cf.path;
- email = "nikodem@rabulinski.com";
- };
-}
diff --git a/modules/system/containers.nix b/modules/system/containers.nix
index a0942f9..26e7e7e 100644
--- a/modules/system/containers.nix
+++ b/modules/system/containers.nix
@@ -85,6 +85,12 @@ let
services.openssh.hostKeys = [ ];
system.stateVersion = lib.mkDefault config.system.stateVersion;
+
+ networking.useHostResolvConf = false;
+ networking.nameservers = [
+ "1.1.1.1"
+ "1.0.0.1"
+ ];
};
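Review bot: `networking.nameservers` is set unconditionally while the neighbouring `system.stateVersion` uses `lib.mkDefault`, so a container config that needs different resolvers (an internal one, a local stub) will hit a definition conflict instead of overriding; `networking.nameservers = lib.mkDefault [ "1.1.1.1" "1.0.0.1" ];` gives the same result and stays overridable. A short why-comment would also help, since the reason for bypassing the host's resolv.conf is not visible here — presumably a `privateNetwork` container cannot reach a host-local stub resolver, which is worth confirming and stating: `# private netns: host resolv.conf (local stub) is unreachable, use public resolvers`. Note that these queries leave the box unencrypted via the NAT rule added further down. The enclosing container config attribute set starts before this hunk.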
bindMounts = {
@@ -95,6 +101,11 @@ let
privateNetwork = lib.mkForce true;
}
) config.settei.containers;
+
+ networking.nat = lib.mkIf (config.settei.containers != { }) {
+ enable = true;
+ internalInterfaces = [ "ve-+" ];
+ };
};
darwinConfig = lib.optionalAttrs (!isLinux) {
diff --git a/secrets/kanidm-admin-pass.age b/secrets/kanidm-admin-pass.age
new file mode 100644
index 0000000..2b229b2
--- /dev/null
+++ b/secrets/kanidm-admin-pass.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 84j9mw W4+Z4WjOyUl4mWPqVykNWRhf2/8qfVOSM7QCFPNMZTA
+0ndQjslMwjQqguN25nBQtCchpCLhoD/vrxh1yNVeTNw
+-> ssh-ed25519 GKhvwg H8XcFJDZTA3IzxmK6wbB+PVM2gCZ4ysAPjL5j0LgeE0
+kehTMRIVOZ5ubtO7w8WF+gU3sjYXMQtd5hH+wcv3uSE
+--- 72ntrRbWq8pdkk/GrsVupTttfY9t+w3l+2KQbQyNn/I
+iyd$vVl TK$4G[MI[#tz:r9~ESA6}
\ No newline at end of file
diff --git a/secrets/kanidm-idm-admin-pass.age b/secrets/kanidm-idm-admin-pass.age
new file mode 100644
index 0000000..0eac321
--- /dev/null
+++ b/secrets/kanidm-idm-admin-pass.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 84j9mw 8zYeVXx36dpC8TxMdoM1GdERoNNj902KwTF4h/r4inM
+n3mYra0BeM4gWsZ7Roilu14o/GajX1iWw0fcy0q31yc
+-> ssh-ed25519 GKhvwg cqd7YmVpbxqZxaVluHDZ8Yw0gNfJCKMmoWa4mEoXym8
+Gbcj+PJaqyPRRGX4olr7mmJ5IoEGlQaogYbj7i9E/98
+--- LoQPWI+m8s3NjalUh0+xdW54c8lgddBmhPoIiPbmR8I
+Җ܉Y
+9!42DVP9N]G;?ЉS '
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 57943fa..552e4e3 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -97,4 +97,12 @@ in
keys.system.ude
keys.other.bootstrap
];
+ "kanidm-admin-pass.age".publicKeys = [
+ keys.system.kazuki
+ keys.other.bootstrap
+ ];
+ "kanidm-idm-admin-pass.age".publicKeys = [
+ keys.system.kazuki
+ keys.other.bootstrap
+ ];
}
diff --git a/services/default.nix b/services/default.nix
index 1837462..6da3b28 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -2,5 +2,7 @@
imports = [
./attic.nix
./forgejo-runner.nix
+ ./kanidm.nix
+ ./forgejo.nix
];
}
diff --git a/services/forgejo.nix b/services/forgejo.nix
new file mode 100644
index 0000000..665550d
--- /dev/null
+++ b/services/forgejo.nix
@@ -0,0 +1,86 @@
+{
+ services.forgejo = {
+ host = "kazuki";
+ ports = [ 3000 ];
+ config =
+ { config, pkgs, ... }:
+ {
+ age.secrets.rab-lol-cf = {
+ file = ../secrets/rab-lol-cf.age;
+ owner = config.services.nginx.user;
+ };
+
+ services.forgejo = {
+ enable = true;
+ package = pkgs.forgejo;
+ settings = {
+ server = {
+ DOMAIN = "git.rab.lol";
+ ROOT_URL = "https://git.rab.lol/";
+ };
+ security = {
+ DISABLE_GIT_HOOKS = false;
+ };
+ oauth2_client = {
+ REGISTER_EMAIL_CONFIRM = false;
+ ENABLE_AUTO_REGISTRATION = true;
+ ACCOUNT_LINKING = "auto";
+ UPDATE_AVATAR = true;
+ };
+ service = {
+ DISABLE_REGISTRATION = false;
+ ALLOW_ONLY_INTERNAL_REGISTRATION = false;
+ ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+ };
+ federation.ENABLED = true;
+ };
+ repositoryRoot = "/storage-box/forgejo/repos";
+ lfs = {
+ enable = true;
+ contentDir = "/storage-box/forgejo/lfs";
+ };
+ };
+
+ systemd.tmpfiles.rules =
+ let
+ cfg = config.services.forgejo;
+ imgDir = pkgs.runCommand "forgejo-img-dir" {} ''
+ cp -R ${../assets/forgejo} "$out"
+ '';
+ in
+ [
+ "d '${cfg.customDir}/public' 0750 ${cfg.user} ${cfg.group} - -"
+ "d '${cfg.customDir}/public/assets' 0750 ${cfg.user} ${cfg.group} - -"
+ "L+ '${cfg.customDir}/public/assets/img' - - - - ${imgDir}"
+ ];
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ virtualHosts."git.rab.lol" = {
+ forceSSL = true;
+ enableACME = true;
+ acmeRoot = null;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:3000";
+ extraConfig = ''
+ proxy_set_header Connection $http_connection;
+ proxy_set_header Upgrade $http_upgrade;
+ '';
+ };
+ };
+ };
+
+ users.users.nginx.extraGroups = [ "acme" ];
+ security.acme.acceptTerms = true;
+ security.acme.certs."git.rab.lol" = {
+ dnsProvider = "cloudflare";
+ credentialsFile = config.age.secrets.rab-lol-cf.path;
+ email = "nikodem@rabulinski.com";
+ };
+ };
+ };
+}
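Review bot: `security.DISABLE_GIT_HOOKS = false` is the one substantive change versus the deleted hosts/kazuki/forgejo.nix, and it re-enables custom git hooks, which upstream documents as arbitrary command execution on the host as the forgejo service user — enough to read `app.ini` and the database and to self-grant admin; the option defaults to true for exactly this reason. If hooks are genuinely needed, pin the trust assumption next to the line, e.g. `# git hooks run arbitrary commands as the forgejo user; grant the "git hooks" permission to trusted accounts only`, otherwise drop the override. Separately, `ACCOUNT_LINKING = "auto"` together with `ENABLE_AUTO_REGISTRATION = true` and `REGISTER_EMAIL_CONFIRM = false` links an OAuth login to any existing account sharing its e-mail without confirmation, so this is only safe if the configured provider (not visible in this diff, presumably the kanidm instance added alongside) is the sole source of e-mail claims and verifies them — a comment stating that dependency would keep the two from drifting apart. The rest of the hunk (nginx vhost, ACME, tmpfiles asset symlink) is carried over unchanged.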
diff --git a/services/kanidm.nix b/services/kanidm.nix
new file mode 100644
index 0000000..b288e14
--- /dev/null
+++ b/services/kanidm.nix
@@ -0,0 +1,85 @@
+{
+ services.kanidm =
+ let
+ port = 8443;
+ domain = "auth.rabulinski.com";
+ in
+ {
+ host = "kazuki";
+ ports = [ port ];
+ config =
+ { config, pkgs, ... }:
+ let
+ cert = config.security.acme.certs.${domain};
+ in
+ {
+ age.secrets.rabulinski-com-cf = {
+ file = ../secrets/rabulinski-com-cf.age;
+ owner = config.services.nginx.user;
+ };
+ age.secrets.kanidm-admin-pass = {
+ file = ../secrets/kanidm-admin-pass.age;
+ owner = "kanidm";
+ };
+ age.secrets.kanidm-idm-admin-pass = {
+ file = ../secrets/kanidm-idm-admin-pass.age;
+ owner = "kanidm";
+ };
+
+ services.kanidm = {
+ enableServer = true;
+ package = pkgs.kanidmWithSecretProvisioning;
+ serverSettings = {
+ bindaddress = "127.0.0.1:${toString port}";
+ inherit domain;
+ origin = "https://${domain}";
+ trust_x_forward_for = true;
+ tls_chain = "${cert.directory}/fullchain.pem";
+ tls_key = "${cert.directory}/key.pem";
+ };
+ provision = {
+ enable = true;
+ idmAdminPasswordFile = config.age.secrets.kanidm-idm-admin-pass.path;
+ adminPasswordFile = config.age.secrets.kanidm-admin-pass.path;
+ };
+ };
+
+ systemd.services.kanidm.serviceConfig = {
+ SupplementaryGroups = [ cert.group ];
+ };
+
+ users.users.nginx.extraGroups = [ "acme" ];
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ virtualHosts."auth.rabulinski.com" = {
+ forceSSL = true;
+ enableACME = true;
+ acmeRoot = null;
+ locations."/" = {
+ proxyPass = "https://localhost:${toString port}";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_ssl_verify off;
+ proxy_ssl_name ${domain};
+ '';
+ };
+ };
+ };
+
+ security.acme.certs.${domain} = {
+ dnsProvider = "cloudflare";
+ credentialsFile = config.age.secrets.rabulinski-com-cf.path;
+ reloadServices = [ "kanidm" ];
+ };
+ };
+ };
+}
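Review bot: `proxy_ssl_verify off;` in the nginx location disables certificate verification on the nginx → kanidm hop even though kanidm is serving the real ACME certificate for `auth.rabulinski.com` (`tls_chain`/`tls_key` point into the acme cert directory), so verification can simply be enabled: replace it with `proxy_ssl_verify on;`, add `proxy_ssl_trusted_certificate ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt;` and, if the issuer chain has more than one intermediate, `proxy_ssl_verify_depth 2;` — the existing `proxy_ssl_name ${domain}` then performs the hostname check. The hop is loopback, so the exposure is small, but a verified connection also surfaces a stale or wrong certificate after a renewal instead of silently accepting it. `trust_x_forward_for = true` is only safe because `bindaddress` is `127.0.0.1:8443`; a comment such as `# X-Forwarded-For is trusted only because kanidm is bound to loopback behind nginx` would tie the two settings together for the next editor. The firewall opening for 80/443 lives here but not in the forgejo service file; if the container module does not handle that centrally the two services are inconsistent.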