From 79dba1beb4edd3a0aa557c22cb06446b7021499d Mon Sep 17 00:00:00 2001
From: wi11-holdsworth <83637728+wi11-holdsworth@users.noreply.github.com>
Date: Tue, 24 Feb 2026 22:09:18 +1100
Subject: [PATCH 1/5] feat(forgejo): install
---
 modules/nixos/bundles/server.nix | 1 +
 modules/nixos/features/forgejo.nix | 48 ++++++++++++++++++++++++++++++
 secrets/secrets.nix | 1 +
 3 files changed, 50 insertions(+)
 create mode 100644 modules/nixos/features/forgejo.nix
diff --git a/modules/nixos/bundles/server.nix b/modules/nixos/bundles/server.nix
index 7a9f017..66e50bb 100644
--- a/modules/nixos/bundles/server.nix
+++ b/modules/nixos/bundles/server.nix
@@ -12,6 +12,7 @@
 "cryptpad"
 "fi33.buzz"
 "gatus"
+ "forgejo"
 "homepage-dashboard"
 "immich"
 "jellyfin"
diff --git a/modules/nixos/features/forgejo.nix b/modules/nixos/features/forgejo.nix
new file mode 100644
index 0000000..67e2d6b
--- /dev/null
+++ b/modules/nixos/features/forgejo.nix
@@ -0,0 +1,48 @@
+{
+ config,
+ lib,
+ ...
+}:
+let
+ port = 5027;
+ certloc = "/var/lib/acme/fi33.buzz";
+ hostname = "git.fi33.buzz";
+ url = "https://git.fi33.buzz";
+in
+{
+ services = {
+ forgejo = {
+ enable = true;
+ dump = {
+ enable = true;
+ interval = "00:00";
+ };
+ lfs.enable = true;
+ settings = {
+ server = {
+ # keep-sorted start
+ DOMAIN = hostname;
+ HTTP_PORT = port;
+ ROOT_URL = url;
+ SSH_PORT = lib.head config.services.openssh.ports;
+ # keep-sorted end
+ };
+ service.DISABLE_REGISTRATION = true;
+ };
+ };
+
+ openssh.settings.AllowUsers = [ "forgejo" ];
+
+ borgbackup.jobs = {
+ onsite.paths = [ "/var/lib/forgejo" ];
+ offsite.paths = [ "/var/lib/forgejo" ];
+ };
+
+ caddy.virtualHosts.${hostname}.extraConfig = ''
+ reverse_proxy localhost:${toString port}
+ tls ${certloc}/cert.pem ${certloc}/key.pem {
+ protocols tls1.3
+ }
+ '';
+ };
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 2bd9a15..795eecb 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
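Review bot: Nothing in the new `server` block sets Forgejo's listen address, so if the module keeps Forgejo's default of binding HTTP on every interface, port 5027 is reachable directly (wherever the firewall allows) in plaintext, bypassing the TLS 1.3-only Caddy front door that `reverse_proxy localhost:${toString port}` assumes is the only way in; add `HTTP_ADDR = "127.0.0.1";` between `DOMAIN` and `HTTP_PORT` inside the keep-sorted block. `SSH_PORT = lib.head config.services.openssh.ports` only advertises the port in clone URLs — git-over-SSH still goes through the system sshd, which is why `openssh.settings.AllowUsers = [ "forgejo" ]` is needed — so a comment such as `# Forgejo uses the system sshd; this AllowUsers entry merges with the host's own list` would save the next reader that deduction. The `tls` lines read the key out of `/var/lib/acme/fi33.buzz`, which presumably requires the caddy user to be in that certificate's group; that wiring is outside this patch, so confirm it. `dump.enable` writes a dump every midnight under the state directory that `borgbackup` then also backs up, and as far as I recall the dump service never prunes old dumps, so either document the retention or drop one of the two.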
@@ -18,6 +18,7 @@ in
 "borgbackup-offsite.age".publicKeys = users;
 "borgbackup-onsite.age".publicKeys = users;
 "copyparty.age".publicKeys = users;
+ "forgejo-read-token.age".publicKeys = users;
 "gatus.age".publicKeys = users;
 "git_signing_key.age".publicKeys = users;
 "git_signing_key.pub.age".publicKeys = users;
From c6135ee3018d698cb15d3cb060c96f0a36845aef Mon Sep 17 00:00:00 2001
From: wi11-holdsworth <83637728+wi11-holdsworth@users.noreply.github.com>
Date: Tue, 24 Feb 2026 22:16:03 +1100
Subject: [PATCH 2/5] feat(homepage-dashboard): add forgejo
---
 modules/nixos/features/homepage-dashboard.nix | 13 +++++++++++++
 secrets/forgejo-read-token.age | Bin 0 -> 473 bytes
 2 files changed, 13 insertions(+)
 create mode 100644 secrets/forgejo-read-token.age
diff --git a/modules/nixos/features/homepage-dashboard.nix b/modules/nixos/features/homepage-dashboard.nix
index 3516600..d7ac6ef 100644
--- a/modules/nixos/features/homepage-dashboard.nix
+++ b/modules/nixos/features/homepage-dashboard.nix
@@ -23,6 +23,7 @@ let
 secrets = [
 # keep-sorted start
+ "forgejo-read-token"
 "immich"
 "jellyfin"
 "kavita-api"
@@ -79,6 +80,18 @@ in
 }
 {
 "Media Management" = [
+ {
+ Forgejo = {
+ description = "Software forge";
+ icon = "forgejo.svg";
+ href = "https://git.fi33.buzz/";
+ widget = {
+ type = "gitea";
+ url = "https://git.fi33.buzz/";
+ key = "@forgejo-read-token@";
+ };
+ };
+ }
 {
 Radarr = {
 description = "Movie organizer/manager";
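Review bot: The Forgejo card sits in the `"Media Management"` group next to Radarr, which misdescribes a software forge and, as far as the hunk shows, is a stray placement rather than a deliberate one; move it to a group that fits, or add a comment saying why it lives here. The widget's `key = "@forgejo-read-token@"` is substituted from the `forgejo-read-token` secret added in the first hunk, but nothing records what that token is allowed to do and its name is the only hint that it is read-only; a comment beside the secret entry such as `# Forgejo API token for the dashboard widget; read-only scopes suffice — regenerate with the same scopes when rotating` lets the next person re-mint it with least privilege instead of guessing. `href` and `widget.url` both repeat the literal `https://git.fi33.buzz/` that forgejo.nix also hard-codes, so a hostname change has to be made in several places; one shared binding would remove that drift.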
diff --git a/secrets/forgejo-read-token.age b/secrets/forgejo-read-token.age
new file mode 100644
index 0000000000000000000000000000000000000000..dceb6b9a5956b2ca8d840b1d6778e62f8d49ccf6
GIT binary patch
literal 473
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSH^a;^+2~-HF@XvF~ zHq9#ccQcL53CTD2@h$W!GcQUHt}M?=%d#*D);F;zaxO4;3*|B`@GuWfP0xtPcg+kB zaw@XOb*(ZCG|o$MtjN#t&JGLpH*q$1bN1FROh&iOT)QHuGEgC}GSt*3Dk3s6$E(0H zts>dA+}zdKE7QfGJTM~DCCDtxqOvL?(A=Uh!<8%5$;nhdxyUywDknTNvB0v_C^yg~ zv)nr{Ftao>-@GczDJV_bE77S;+ZEk5pAv7&%0Puo%fgT#{eZ|YzeKk%!}O{oUxN%& zzuY4Ks^HXoR|^+ylWc=5eb4M1r*f{yv|@87{otHTb7$wu^0ESBr>Go#4_7B`KjUE6 zl(0Z2C+&!Ivy%LL$3QM!U0sFZBHv1%@S=*GeE%wce-k5r{~%}oti
Date: Mon, 9 Mar 2026 17:41:04 +1100
Subject: [PATCH 3/5] feat(openssh): reconfigure hardening based on nixos wiki reccomendations
---
 hosts/server/configuration.nix | 28 ++++++++++++++++------------
 1 file changed, 16 insertions(+), 12 deletions(-)
diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index 9593963..6df325b 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -42,18 +42,22 @@
 };
 # hardened openssh
- services.openssh = {
- allowSFTP = false;
- extraConfig = ''
- AllowTcpForwarding yes
- X11Forwarding no
- AllowAgentForwarding no
- AllowStreamLocalForwarding no
- AuthenticationMethods publickey
- '';
- settings = {
- KbdInteractiveAuthentication = false;
- PasswordAuthentication = false;
+ services = {
+ fail2ban.enable = true;
+ endlessh = {
+ enable = true;
+ port = 22;
+ openFirewall = true;
+ };
+ openssh = {
+ enable = true;
+ ports = [ 5011 ];
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = "no";
+ AllowUsers = [ "srv" ];
+ };
 };
 };
From af06b6d5efe86624c964375035f7ccac0e861e89 Mon Sep 17 00:00:00 2001
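Review bot: The rewrite drops `AllowAgentForwarding no`, `AllowStreamLocalForwarding no`, `AuthenticationMethods publickey` and `allowSFTP = false`, and the new `openssh` block puts nothing in their place, so unless another module sets them the host reverts to sshd's permissive defaults for agent and stream-local forwarding and re-enables SFTP — at the same moment a second account (the forgejo/git user merged into `AllowUsers` by the earlier patch) is being allowed to log in (`X11Forwarding` is already off by NixOS default and `AllowTcpForwarding yes` was a no-op, so those two can go). Keep the remaining restrictions, e.g. put the three `extraConfig` lines and `allowSFTP = false` back alongside the new `settings`, and add a comment naming the wiki page each setting comes from so the next revision does not silently shed them again. `endlessh` on 22 with `openFirewall = true` is only a tarpit; the real service on 5011 is still opened by openssh's own `openFirewall` default, which deserves a comment so nobody assumes 5011 is firewalled. Also confirm that the `fail2ban` sshd jail watches port 5011 rather than the stock ssh port, and fix `reccomendations` in the subject. The enclosing attribute set starts and ends outside the hunk.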
From: Will Holdsworth
Date: Mon, 9 Mar 2026 20:59:29 +1100
Subject: [PATCH 4/5] feat(forgejo): rename forgejo user to git
---
 modules/nixos/features/forgejo.nix | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/modules/nixos/features/forgejo.nix b/modules/nixos/features/forgejo.nix
index 67e2d6b..f6766d9 100644
--- a/modules/nixos/features/forgejo.nix
+++ b/modules/nixos/features/forgejo.nix
@@ -29,9 +29,11 @@ in
 };
 service.DISABLE_REGISTRATION = true;
 };
+ user = "git";
+ group = "git";
 };
- openssh.settings.AllowUsers = [ "forgejo" ];
+ openssh.settings.AllowUsers = [ "git" ];
 borgbackup.jobs = {
 onsite.paths = [ "/var/lib/forgejo" ];
@@ -45,4 +47,14 @@ in
 }
 '';
 };
+
+ users = {
+ users.git = {
+ home = "/var/lib/forgejo";
+ useDefaultShell = true;
+ group = "git";
+ isSystemUser = true;
+ };
+ groups.git = { };
+ };
 }
From 996f826781d34c791992718716e042e4f19ccb4d Mon Sep 17 00:00:00 2001
From: Will Holdsworth
Date: Thu, 12 Mar 2026 18:52:03 +1100
Subject: [PATCH 5/5] feat(forgejo): add gatus monitoring for ssh connection
---
 modules/nixos/features/forgejo.nix | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/modules/nixos/features/forgejo.nix b/modules/nixos/features/forgejo.nix
index f6766d9..ac2d647 100644
--- a/modules/nixos/features/forgejo.nix
+++ b/modules/nixos/features/forgejo.nix
@@ -8,6 +8,7 @@ let
 certloc = "/var/lib/acme/fi33.buzz";
 hostname = "git.fi33.buzz";
 url = "https://git.fi33.buzz";
+ sshPort = lib.head config.services.openssh.ports;
 in
 {
 services = {
@@ -24,7 +25,7 @@ in
 DOMAIN = hostname;
 HTTP_PORT = port;
 ROOT_URL = url;
- SSH_PORT = lib.head config.services.openssh.ports;
+ SSH_PORT = sshPort;
 # keep-sorted end
 };
 service.DISABLE_REGISTRATION = true;
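Review bot: The hand-written `users.users.git` account gets a login shell (`useDefaultShell = true`) and an sshd `AllowUsers` entry, yet nothing says why it is defined here or what it is trusted with, so the next reader cannot tell that — as far as I recall — the Forgejo module only provisions its own user when `user` is left at the default, and that the shell exists solely so the Forgejo-managed `authorized_keys` can run its serve command; add above `users.git`: `# Forgejo's SSH user. Defined by hand because the module does not create non-default users; logins happen only via Forgejo-managed authorized_keys (see AllowUsers above).` and confirm the module detail before trusting the comment. `home = "/var/lib/forgejo"` and both `borgbackup` paths hard-code the state directory; reading `config.services.forgejo.stateDir` (or one `let` binding, as the next patch does for `sshPort`) keeps the rename from diverging from the directory the module actually uses. `group = "git"` has to agree on both `services.forgejo.group` and the account; a one-line `# must match services.forgejo.group` on the account stops someone changing one without the other.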
@@ -35,6 +36,32 @@ in
 openssh.settings.AllowUsers = [ "git" ];
+ gatus.settings.endpoints = [
+ {
+ name = "Forgejo";
+ group = "Private Services";
+ inherit url;
+ interval = "5m";
+ conditions = [
+ "[STATUS] == 200"
+ "[CONNECTED] == true"
+ "[RESPONSE_TIME] < 500"
+ ];
+ alerts = [ { type = "ntfy"; } ];
+ }
+ {
+ name = "Forgejo SSH";
+ group = "Private Services";
+ url = "ssh://${hostname}:${toString sshPort}";
+ interval = "5m";
+ conditions = [
+ "[CONNECTED] == true"
+ "[RESPONSE_TIME] < 500"
+ ];
+ alerts = [ { type = "ntfy"; } ];
+ }
+ ];
+
 borgbackup.jobs = {
 onsite.paths = [ "/var/lib/forgejo" ];
 offsite.paths = [ "/var/lib/forgejo" ];