kylekrein/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Migrated Gitlab -> Forgejo

Browse source
This commit is contained in:
Aleksandr Lebedev 2025-10-07 00:37:50 +02:00
parent 987e1681c0
commit 858a25b692
9 changed files with 130 additions and 61 deletions
Download patch file Download diff file Expand all files Collapse all files

35
systems/x86_64-linux/kylekrein-server/default.nix
View file

@ -93,9 +93,20 @@ with lib.custom; {
respond /.well-known/element/element.json `{"call":{"widget_url":"https://call.element.io"}}`
reverse_proxy * http://localhost:6167
'';
virtualHosts."gitlab.kylekrein.com".extraConfig = ''
reverse_proxy * unix//run/gitlab/gitlab-workhorse.socket
virtualHosts."uptime.kylekrein.com".extraConfig = ''
reverse_proxy * http://localhost:4621
'';
#virtualHosts."gitlab.kylekrein.com".extraConfig = ''
# reverse_proxy * unix//run/gitlab/gitlab-workhorse.socket
#'';
};
services.uptime-kuma = {
enable = true;
settings = {
PORT = "4621";
HOST = "127.0.0.1";
};
appriseSupport = true;
};
#Chat host
@ -103,17 +114,17 @@ with lib.custom; {
networking.firewall.allowedUDPPorts = [3478 5349];
#sops.secrets."services/conduwuit" = {mode = "0755";};
sops.secrets."services/gitlab/dbPassword" = {owner = "gitlab";};
sops.secrets."services/gitlab/rootPassword" = {owner = "gitlab";};
sops.secrets."services/gitlab/secret" = {owner = "gitlab";};
sops.secrets."services/gitlab/otpsecret" = {owner = "gitlab";};
sops.secrets."services/gitlab/dbsecret" = {owner = "gitlab";};
sops.secrets."services/gitlab/oidcKeyBase" = {owner = "gitlab";};
sops.secrets."services/gitlab/activeRecordSalt" = {owner = "gitlab";};
sops.secrets."services/gitlab/activeRecordPrimaryKey" = {owner = "gitlab";};
sops.secrets."services/gitlab/activeRecordDeterministicKey" = {owner = "gitlab";};
#sops.secrets."services/gitlab/dbPassword" = {owner = "gitlab";};
#sops.secrets."services/gitlab/rootPassword" = {owner = "gitlab";};
#sops.secrets."services/gitlab/secret" = {owner = "gitlab";};
#sops.secrets."services/gitlab/otpsecret" = {owner = "gitlab";};
#sops.secrets."services/gitlab/dbsecret" = {owner = "gitlab";};
#sops.secrets."services/gitlab/oidcKeyBase" = {owner = "gitlab";};
#sops.secrets."services/gitlab/activeRecordSalt" = {owner = "gitlab";};
#sops.secrets."services/gitlab/activeRecordPrimaryKey" = {owner = "gitlab";};
#sops.secrets."services/gitlab/activeRecordDeterministicKey" = {owner = "gitlab";};
services.gitlab = {
enable = true;
enable = false;
host = "gitlab.kylekrein.com";
https = true;
port = 443;

2
systems/x86_64-linux/stargate/duckdns.nix
View file

@ -29,7 +29,7 @@
${pkgs.coreutils}/bin/mkdir -p /etc/fail2ban/jail.d
${pkgs.coreutils}/bin/cat > /etc/fail2ban/jail.d/duckdns-ignore.local <<EOF
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 192.168.178.1/24 $REALV4 $REALV6
ignoreip = 127.0.0.1/8 ::1 192.168.178.1/24 91.99.0.169 $REALV4 $REALV6
EOF
'';
in ''

1
systems/x86_64-linux/stargate/services/fail2ban.nix
View file

@ -23,6 +23,7 @@
ignoreIP = [
# Whitelist some subnets
"192.168.178.0/24"
"91.99.0.169"
"kylekrein.duckdns.org"
];
bantime = "24h"; # Ban IPs for one day on the first ban

59
systems/x86_64-linux/stargate/services/forgejo.nix Normal file
View file

@ -0,0 +1,59 @@
{
lib,
pkgs,
config,
...
}: let
cfg = config.services.forgejo;
srv = cfg.settings.server;
in {
services.nginx = {
virtualHosts.${cfg.settings.server.DOMAIN} = {
forceSSL = true;
enableACME = true;
extraConfig = ''
client_max_body_size 512M;
'';
locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
};
};
services.forgejo = {
enable = true;
database.type = "postgres";
# Enable support for Git Large File Storage
lfs.enable = true;
settings = {
server = {
DOMAIN = "git.kylekrein.com";
# You need to specify this to remove the port from URLs in the web UI.
ROOT_URL = "https://${srv.DOMAIN}/";
HTTP_PORT = 9777;
};
# You can temporarily allow registration to create an admin user.
service.DISABLE_REGISTRATION = true;
# Add support for actions, based on act: https://github.com/nektos/act
actions = {
ENABLED = true;
DEFAULT_ACTIONS_URL = "github";
};
# Sending emails is completely optional
# You can send a test email from the web UI at:
# Profile Picture > Site Administration > Configuration > Mailer Configuration
mailer = {
ENABLED = true;
SMTP_ADDR = "mail.notthebees.org";
FROM = "noreply@${srv.DOMAIN}";
USER = "noreply@${srv.DOMAIN}";
};
};
secrets = {
mailer.PASSWD = config.sops.secrets."services/forgejo/mailer".path;
};
};
sops.secrets."services/forgejo/mailer" = {
mode = "400";
owner = "forgejo";
};
}

37
systems/x86_64-linux/stargate/services/gitlab.nix
View file

@ -1,37 +0,0 @@
{
pkgs,
lib,
config,
...
}: {
sops.secrets."services/gitlab/dbPassword" = {owner = "gitlab";};
sops.secrets."services/gitlab/rootPassword" = {owner = "gitlab";};
sops.secrets."services/gitlab/secret" = {owner = "gitlab";};
sops.secrets."services/gitlab/otpsecret" = {owner = "gitlab";};
sops.secrets."services/gitlab/dbsecret" = {owner = "gitlab";};
sops.secrets."services/gitlab/oidcKeyBase" = {owner = "gitlab";};
sops.secrets."services/gitlab/activeRecordSalt" = {owner = "gitlab";};
sops.secrets."services/gitlab/activeRecordPrimaryKey" = {owner = "gitlab";};
sops.secrets."services/gitlab/activeRecordDeterministicKey" = {owner = "gitlab";};
services.gitlab = {
enable = true;
host = "gitlab.kylekrein.com";
https = true;
port = 443;
statePath = "/var/lib/gitlab/state";
backup.startAt = "3:00";
databasePasswordFile = config.sops.secrets."services/gitlab/dbPassword".path;
initialRootPasswordFile = config.sops.secrets."services/gitlab/rootPassword".path;
secrets = {
secretFile = config.sops.secrets."services/gitlab/secret".path;
otpFile = config.sops.secrets."services/gitlab/otpsecret".path;
dbFile = config.sops.secrets."services/gitlab/dbsecret".path;
jwsFile = config.sops.secrets."services/gitlab/oidcKeyBase".path; #pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";
activeRecordSaltFile = config.sops.secrets."services/gitlab/activeRecordSalt".path;
activeRecordPrimaryKeyFile = config.sops.secrets."services/gitlab/activeRecordPrimaryKey".path;
activeRecordDeterministicKeyFile = config.sops.secrets."services/gitlab/activeRecordDeterministicKey".path;
};
};
systemd.services.gitlab-backup.environment.BACKUP = "dump";
}

34
systems/x86_64-linux/stargate/services/metatube.nix Normal file
View file

@ -0,0 +1,34 @@
{...}: {
virtualisation.oci-containers.containers.metatube = {
image = "jvt038/metatube:latest";
autoStart = true;
ports = [
"0.0.0.0:1488:5000"
];
environment = {
PORT = "5000";
HOST = "0.0.0.0";
};
volumes = [
"/zstorage/media:/media:rw"
"/var/lib/metatube/downloads:/downloads:rw"
"/var/lib/metatube/database:/database:rw"
"/var/lib/metatube/migrations:/config/migrations:rw"
];
extraOptions = [
"--device=/dev/dri"
];
};
systemd.tmpfiles.rules = [
"d /var/lib/metatube 0755 root root -"
"d /var/lib/metatube/downloads 0755 root root -"
"d /var/lib/metatube/database 0755 root root -"
"d /var/lib/metatube/migrations 0755 root root -"
];
networking.firewall.allowedTCPPorts = [1488];
}

14
systems/x86_64-linux/stargate/services/nginx.nix
View file

@ -48,13 +48,13 @@ in {
# locations = matrixLocations;
#};
"gitlab.kylekrein.com" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
};
};
#"git.kylekrein.com" = {
# enableACME = true;
# forceSSL = true;
# locations."/" = {
# proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
# };
#};
"immich.kylekrein.com" = {
enableACME = true;