jan-leila/nix-config
1
0
Fork 1
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refactor: moved nixos modules to dendrite pattern

Browse source
This commit is contained in:
Leyla Becker 2026-04-07 15:39:45 -05:00
parent df8dd110ad
commit 0ea11e0236
219 changed files with 4802 additions and 4820 deletions
Download patch file Download diff file Expand all files Collapse all files

34
modules/nixos/programs/forgejo/database.nix Normal file
View file

@ -0,0 +1,34 @@
{...}: {
flake.nixosModules.forgejo-database = {
lib,
config,
...
}: let
usingPostgres = config.services.forgejo.database.type == "postgres";
in {
config = lib.mkIf config.services.forgejo.enable {
assertions = [
{
assertion = !usingPostgres || config.services.postgresql.enable;
message = "PostgreSQL must be enabled when Forgejo database type is postgres";
}
{
assertion = !(usingPostgres && config.services.forgejo.database.createDatabase) || (builtins.any (db: db == "forgejo") config.services.postgresql.ensureDatabases);
message = "Forgejo built-in database creation failed - expected 'forgejo' in ensureDatabases but got: ${builtins.toString config.services.postgresql.ensureDatabases}";
}
{
assertion = !(usingPostgres && config.services.forgejo.database.createDatabase) || (builtins.any (user: user.name == "forgejo") config.services.postgresql.ensureUsers);
message = "Forgejo built-in user creation failed - expected user 'forgejo' in ensureUsers but got: ${builtins.toString (builtins.map (u: u.name) config.services.postgresql.ensureUsers)}";
}
];
services.forgejo.database.createDatabase = lib.mkDefault usingPostgres;
systemd.services.forgejo = lib.mkIf usingPostgres {
requires = [
config.systemd.services.postgresql.name
];
};
};
};
}

13
modules/nixos/programs/forgejo/default.nix Normal file
View file

@ -0,0 +1,13 @@
{config, ...}: let
mod = config.flake.nixosModules;
in {
flake.nixosModules.forgejo = {
imports = [
mod.forgejo-service
mod.forgejo-database
mod.forgejo-proxy
mod.forgejo-fail2ban
mod.forgejo-storage
];
};
}

43
modules/nixos/programs/forgejo/fail2ban.nix Normal file
View file

@ -0,0 +1,43 @@
{...}: {
flake.nixosModules.forgejo-fail2ban = {
lib,
config,
pkgs,
...
}: {
options.services.forgejo = {
fail2ban = {
enable = lib.mkOption {
type = lib.types.bool;
default = config.services.forgejo.enable && config.services.fail2ban.enable;
};
};
};
config = lib.mkIf config.services.forgejo.fail2ban.enable {
environment.etc = {
"fail2ban/filter.d/forgejo.local".text = lib.mkIf config.services.forgejo.enable (
pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[Definition]
failregex = ".*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>"
'')
);
};
services.fail2ban = {
jails = {
forgejo-iptables.settings = lib.mkIf config.services.forgejo.enable {
enabled = true;
filter = "forgejo";
action = ''iptables-multiport[name=HTTP, port="http,https"]'';
logpath = "${config.services.forgejo.settings.log.ROOT_PATH}/*.log";
backend = "auto";
findtime = 600;
bantime = 600;
maxretry = 5;
};
};
};
};
};
}

47
modules/nixos/programs/forgejo/forgejo.nix Normal file
View file

@ -0,0 +1,47 @@
{...}: {
flake.nixosModules.forgejo-service = {
lib,
config,
...
}: let
httpPort = 8081;
sshPort = 22222;
db_user = "forgejo";
in {
config = lib.mkIf config.services.forgejo.enable {
assertions = [
{
assertion = config.services.forgejo.settings.server.BUILTIN_SSH_SERVER_USER == config.users.users.git.name;
message = "Forgejo BUILTIN_SSH_SERVER_USER hardcoded value does not match expected git user name";
}
];
services.forgejo = {
database = {
type = "postgres";
socket = "/run/postgresql";
};
lfs.enable = true;
settings = {
server = {
DOMAIN = config.services.forgejo.reverseProxy.domain;
HTTP_PORT = httpPort;
START_SSH_SERVER = true;
SSH_LISTEN_PORT = sshPort;
SSH_PORT = 22;
BUILTIN_SSH_SERVER_USER = "git";
ROOT_URL = "https://git.jan-leila.com";
};
service = {
DISABLE_REGISTRATION = true;
};
database = {
DB_TYPE = "postgres";
NAME = db_user;
USER = db_user;
};
};
};
};
};
}

44
modules/nixos/programs/forgejo/proxy.nix Normal file
View file

@ -0,0 +1,44 @@
{...}: {
flake.nixosModules.forgejo-proxy = {
lib,
config,
...
}: let
httpPort = 8081;
in {
options.services.forgejo = {
reverseProxy = {
enable = lib.mkOption {
type = lib.types.bool;
default = config.services.forgejo.enable && config.services.reverseProxy.enable;
};
domain = lib.mkOption {
type = lib.types.str;
description = "domain that forgejo will be hosted at";
default = "git.jan-leila.com";
};
extraDomains = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = "extra domains that should be configured for forgejo";
default = [];
};
};
};
config = lib.mkIf config.services.forgejo.reverseProxy.enable {
services.reverseProxy.services.forgejo = {
target = "http://localhost:${toString httpPort}";
domain = config.services.forgejo.reverseProxy.domain;
extraDomains = config.services.forgejo.reverseProxy.extraDomains;
settings = {
forwardHeaders.enable = true;
};
};
networking.firewall.allowedTCPPorts = [
config.services.forgejo.settings.server.SSH_LISTEN_PORT
];
};
};
}

23
modules/nixos/programs/forgejo/storage.nix Normal file
View file

@ -0,0 +1,23 @@
{...}: {
flake.nixosModules.forgejo-storage = {
lib,
config,
...
}: let
stateDir = "/var/lib/forgejo";
in {
options.services.forgejo.impermanence.enable = lib.mkOption {
type = lib.types.bool;
default = config.services.forgejo.enable && config.storage.impermanence.enable;
};
config = lib.mkIf config.services.forgejo.enable {
storage.datasets.replicate."system/root" = {
directories."${stateDir}" = lib.mkIf config.services.forgejo.impermanence.enable {
owner.name = "forgejo";
group.name = "forgejo";
};
};
};
};
}