From 79dba1beb4edd3a0aa557c22cb06446b7021499d Mon Sep 17 00:00:00 2001
From: wi11-holdsworth <83637728+wi11-holdsworth@users.noreply.github.com>
Date: Tue, 24 Feb 2026 22:09:18 +1100
Subject: [PATCH 1/4] feat(forgejo): install

---
 modules/nixos/bundles/server.nix   |  1 +
 modules/nixos/features/forgejo.nix | 48 ++++++++++++++++++++++++++++++
 secrets/secrets.nix                |  1 +
 3 files changed, 50 insertions(+)
 create mode 100644 modules/nixos/features/forgejo.nix

diff --git a/modules/nixos/bundles/server.nix b/modules/nixos/bundles/server.nix
index 7a9f017..66e50bb 100644
--- a/modules/nixos/bundles/server.nix
+++ b/modules/nixos/bundles/server.nix
@@ -12,6 +12,7 @@
     "cryptpad"
     "fi33.buzz"
     "gatus"
+    "forgejo"
     "homepage-dashboard"
     "immich"
     "jellyfin"
diff --git a/modules/nixos/features/forgejo.nix b/modules/nixos/features/forgejo.nix
new file mode 100644
index 0000000..67e2d6b
--- /dev/null
+++ b/modules/nixos/features/forgejo.nix
@@ -0,0 +1,48 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  port = 5027;
+  certloc = "/var/lib/acme/fi33.buzz";
+  hostname = "git.fi33.buzz";
+  url = "https://git.fi33.buzz";
+in
+{
+  services = {
+    forgejo = {
+      enable = true;
+      dump = {
+        enable = true;
+        interval = "00:00";
+      };
+      lfs.enable = true;
+      settings = {
+        server = {
+          # keep-sorted start
+          DOMAIN = hostname;
+          HTTP_PORT = port;
+          ROOT_URL = url;
+          SSH_PORT = lib.head config.services.openssh.ports;
+          # keep-sorted end
+        };
+        service.DISABLE_REGISTRATION = true;
+      };
+    };
+
+    openssh.settings.AllowUsers = [ "forgejo" ];
+
+    borgbackup.jobs = {
+      onsite.paths = [ "/var/lib/forgejo" ];
+      offsite.paths = [ "/var/lib/forgejo" ];
+    };
+
+    caddy.virtualHosts.${hostname}.extraConfig = ''
+      reverse_proxy localhost:${toString port}
+      tls ${certloc}/cert.pem ${certloc}/key.pem {
+        protocols tls1.3
+      }
+    '';
+  };
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 2bd9a15..795eecb 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
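Review bot: The `server` block never pins `HTTP_ADDR`, so whether Forgejo's port 5027 also listens on every interface is left to the NixOS module default (0.0.0.0 in the releases I know of), and the host firewall is then the only thing keeping the plain-HTTP listener off the network while Caddy is meant to be the sole entry point. Adding `HTTP_ADDR = "127.0.0.1";` next to `HTTP_PORT = port;` makes the `reverse_proxy localhost:${toString port}` line the only path in and costs nothing, since Caddy already dials loopback. On the same theme, `SSH_PORT = lib.head config.services.openssh.ports` silently takes the first of possibly several sshd ports; a comment such as `# clone URLs advertise the first sshd port; keep in sync with the host's openssh.ports` would spare the next reader a lookup.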
@@ -18,6 +18,7 @@ in
   "borgbackup-offsite.age".publicKeys = users;
   "borgbackup-onsite.age".publicKeys = users;
   "copyparty.age".publicKeys = users;
+  "forgejo-read-token.age".publicKeys = users;
   "gatus.age".publicKeys = users;
   "git_signing_key.age".publicKeys = users;
   "git_signing_key.pub.age".publicKeys = users;

From c6135ee3018d698cb15d3cb060c96f0a36845aef Mon Sep 17 00:00:00 2001
From: wi11-holdsworth <83637728+wi11-holdsworth@users.noreply.github.com>
Date: Tue, 24 Feb 2026 22:16:03 +1100
Subject: [PATCH 2/4] feat(homepage-dashboard): add forgejo

---
 modules/nixos/features/homepage-dashboard.nix | 13 +++++++++++++
 secrets/forgejo-read-token.age                | Bin 0 -> 473 bytes
 2 files changed, 13 insertions(+)
 create mode 100644 secrets/forgejo-read-token.age

diff --git a/modules/nixos/features/homepage-dashboard.nix b/modules/nixos/features/homepage-dashboard.nix
index 3516600..d7ac6ef 100644
--- a/modules/nixos/features/homepage-dashboard.nix
+++ b/modules/nixos/features/homepage-dashboard.nix
@@ -23,6 +23,7 @@ let
   secrets = [
     # keep-sorted start
+    "forgejo-read-token"
     "immich"
     "jellyfin"
     "kavita-api"
@@ -79,6 +80,18 @@ in
       }
       {
         "Media Management" = [
+          {
+            Forgejo = {
+              description = "Software forge";
+              icon = "forgejo.svg";
+              href = "https://git.fi33.buzz/";
+              widget = {
+                type = "gitea";
+                url = "https://git.fi33.buzz/";
+                key = "@forgejo-read-token@";
+              };
+            };
+          }
           {
             Radarr = {
               description = "Movie organizer/manager";
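Review bot: The widget hands a Forgejo access token to the dashboard via `key = "@forgejo-read-token@"`, and nothing in the series shows which scopes that token was minted with; homepage holds it in cleartext in its rendered config, so it is worth confirming the token carries only the read scopes the gitea widget needs (no `write:*`) and recording that intent above the entry, e.g. `# token must be a read-only Forgejo access token; the widget needs no write scopes`. The entry is also filed under the `"Media Management"` group beside Radarr, which reads as a placement slip rather than a design choice; a forge belongs in its own group or with the other infrastructure services. The enclosing services list starts and ends outside this hunk.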
diff --git a/secrets/forgejo-read-token.age b/secrets/forgejo-read-token.age
new file mode 100644
index 0000000000000000000000000000000000000000..dceb6b9a5956b2ca8d840b1d6778e62f8d49ccf6
GIT binary patch
literal 473
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSH^a;^+2~-HF@XvF~
zHq9#ccQcL53CTD2@h$W!GcQUHt}M?=%d#*D);F;zaxO4;3*|B`@GuWfP0xtPcg+kB
zaw@XOb*(ZCG|o$MtjN#t&JGLpH*q$1bN1FROh&iOT)QHuGEgC}GSt*3Dk3s6$E(0H
zts>dA+}zdKE7QfGJTM~DCCDtxqOvL?(A=Uh!<8%5$;nhdxyUywDknTNvB0v_C^yg~
zv)nr{Ftao>-@GczDJV_bE77S;+ZEk5pAv7&%0Puo%fgT#{eZ|YzeKk%!}O{oUxN%&
zzuY4Ks^HXoR|^+ylWc=5eb4M1r*f{yv|@87{otHTb7$wu^0ESBr>Go#4_7B`KjUE6
zl(0Z2C+&!Ivy%LL$3QM!U0sFZBHv1%@S=*GeE%wce-k5r{~%}oti
Date: Mon, 9 Mar 2026 17:41:04 +1100
Subject: [PATCH 3/4] feat(openssh): reconfigure hardening based on nixos wiki reccomendations

---
 hosts/server/configuration.nix | 28 ++++++++++++++++------------
 1 file changed, 16 insertions(+), 12 deletions(-)

diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index 9593963..6df325b 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -42,18 +42,22 @@
   };
 
   # hardened openssh
-  services.openssh = {
-    allowSFTP = false;
-    extraConfig = ''
-      AllowTcpForwarding yes
-      X11Forwarding no
-      AllowAgentForwarding no
-      AllowStreamLocalForwarding no
-      AuthenticationMethods publickey
-    '';
-    settings = {
-      KbdInteractiveAuthentication = false;
-      PasswordAuthentication = false;
+  services = {
+    fail2ban.enable = true;
+    endlessh = {
+      enable = true;
+      port = 22;
+      openFirewall = true;
+    };
+    openssh = {
+      enable = true;
+      ports = [ 5011 ];
+      settings = {
+        PasswordAuthentication = false;
+        KbdInteractiveAuthentication = false;
+        PermitRootLogin = "no";
+        AllowUsers = [ "srv" ];
+      };
     };
   };
 
From af06b6d5efe86624c964375035f7ccac0e861e89 Mon Sep 17 00:00:00 2001
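Review bot: The new `services.openssh` block drops `AllowAgentForwarding no`, `AllowStreamLocalForwarding no`, `X11Forwarding no`, `AuthenticationMethods publickey` and `allowSFTP = false` from the old configuration and replaces them only with password/keyboard-interactive/root-login/AllowUsers settings, so agent forwarding, Unix-socket forwarding and SFTP fall back to the sshd and NixOS defaults on a host that, per the forgejo module earlier in this series, now also admits a second SSH account. Disabling password auth is not a substitute for those; carry them into the new `settings` set as `X11Forwarding = false;`, `AllowAgentForwarding = "no";`, `AllowStreamLocalForwarding = "no";` and keep `allowSFTP = false` unless something actually needs SFTP. `fail2ban.enable = true` is worth a one-line check that its sshd jail follows the listener to port 5011 rather than watching the default `ssh` port, and the `endlessh` tarpit on 22 deserves a comment saying so, e.g. `# 22 is an endlessh tarpit; the real sshd listens on 5011`. The enclosing top-level attribute set starts and ends outside this hunk.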
From: Will Holdsworth
Date: Mon, 9 Mar 2026 20:59:29 +1100
Subject: [PATCH 4/4] feat(forgejo): rename forgejo user to git

---
 modules/nixos/features/forgejo.nix | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/modules/nixos/features/forgejo.nix b/modules/nixos/features/forgejo.nix
index 67e2d6b..f6766d9 100644
--- a/modules/nixos/features/forgejo.nix
+++ b/modules/nixos/features/forgejo.nix
@@ -29,9 +29,11 @@ in
         };
         service.DISABLE_REGISTRATION = true;
       };
+      user = "git";
+      group = "git";
     };
 
-    openssh.settings.AllowUsers = [ "forgejo" ];
+    openssh.settings.AllowUsers = [ "git" ];
 
     borgbackup.jobs = {
       onsite.paths = [ "/var/lib/forgejo" ];
@@ -45,4 +47,14 @@ in
       }
     '';
   };
+
+  users = {
+    users.git = {
+      home = "/var/lib/forgejo";
+      useDefaultShell = true;
+      group = "git";
+      isSystemUser = true;
+    };
+    groups.git = { };
+  };
 }
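Review bot: Renaming the service account does not migrate ownership of existing state: `users.users.git` is a fresh `isSystemUser` with a dynamically allocated uid, while anything already under `/var/lib/forgejo` on a host that ran the earlier patch in this series was presumably created by the `forgejo` user, so the service would come up unable to read or write its own repositories unless that tree is re-owned first; at minimum the hunk should carry `# existing state must be chown -R git:git /var/lib/forgejo before switching` next to `home = "/var/lib/forgejo";`. `useDefaultShell = true` also gives `git` a real login shell, and that account is now the one listed in sshd's `AllowUsers`, so every key in its authorized_keys must carry Forgejo's `command=` restriction; that reliance is worth stating, e.g. `# login shell is needed for forgejo serv; SSH access is gated only by the command= in authorized_keys`. The enclosing module attribute set begins outside this hunk.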