diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index 6df325b..9593963 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -42,22 +42,18 @@
 };
 # hardened openssh
- services = {
- fail2ban.enable = true;
- endlessh = {
- enable = true;
- port = 22;
- openFirewall = true;
- };
- openssh = {
- enable = true;
- ports = [ 5011 ];
- settings = {
- PasswordAuthentication = false;
- KbdInteractiveAuthentication = false;
- PermitRootLogin = "no";
- AllowUsers = [ "srv" ];
- };
+ services.openssh = {
+ allowSFTP = false;
+ extraConfig = ''
+ AllowTcpForwarding yes
+ X11Forwarding no
+ AllowAgentForwarding no
+ AllowStreamLocalForwarding no
+ AuthenticationMethods publickey
+ '';
+ settings = {
+ KbdInteractiveAuthentication = false;
+ PasswordAuthentication = false;
 };
 };
diff --git a/modules/nixos/bundles/server.nix b/modules/nixos/bundles/server.nix
index 66e50bb..7a9f017 100644
--- a/modules/nixos/bundles/server.nix
+++ b/modules/nixos/bundles/server.nix
@@ -12,7 +12,6 @@
 "cryptpad"
 "fi33.buzz"
 "gatus"
- "forgejo"
 "homepage-dashboard"
 "immich"
 "jellyfin"
diff --git a/modules/nixos/features/forgejo.nix b/modules/nixos/features/forgejo.nix
deleted file mode 100644
index f6766d9..0000000
--- a/modules/nixos/features/forgejo.nix
+++ /dev/null
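Review bot: The rewritten `services.openssh` block no longer sets `PermitRootLogin = "no"` or `AllowUsers`, and also drops `enable`, `ports`, `fail2ban` and `endlessh`; unless another module now carries them (this commit also deletes `forgejo.nix`, which contributed `AllowUsers = [ "git" ]` and read `ports`, so the option was already spread across modules), sshd falls back to NixOS's default `PermitRootLogin = "prohibit-password"` and to accepting any local account that has an authorized key, which is a regression for a block labelled "hardened openssh". I would keep `PermitRootLogin = "no";` and `AllowUsers = [ "srv" ];` under `settings` here, or extend the comment to say where they now live. The sshd keywords placed in `extraConfig` (`X11Forwarding`, `AllowAgentForwarding`, `AuthenticationMethods`, …) belong in `settings` too: sshd honours only the first occurrence of a keyword and NixOS appears to emit `settings` (including its own default `X11Forwarding = false`) ahead of `extraConfig`, so an `extraConfig` line that conflicts with a `settings` value is silently ignored and the two can drift apart. `AllowTcpForwarding yes` also deserves a why-comment and, if only a known set of local services is meant to be reachable, a `PermitOpen` restriction, since otherwise every permitted user can tunnel to the reverse-proxied services on localhost. The enclosing module body starts and ends outside the hunk.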
@@ -1,60 +0,0 @@
-{
- config,
- lib,
- ...
-}:
-let
- port = 5027;
- certloc = "/var/lib/acme/fi33.buzz";
- hostname = "git.fi33.buzz";
- url = "https://git.fi33.buzz";
-in
-{
- services = {
- forgejo = {
- enable = true;
- dump = {
- enable = true;
- interval = "00:00";
- };
- lfs.enable = true;
- settings = {
- server = {
- # keep-sorted start
- DOMAIN = hostname;
- HTTP_PORT = port;
- ROOT_URL = url;
- SSH_PORT = lib.head config.services.openssh.ports;
- # keep-sorted end
- };
- service.DISABLE_REGISTRATION = true;
- };
- user = "git";
- group = "git";
- };
-
- openssh.settings.AllowUsers = [ "git" ];
-
- borgbackup.jobs = {
- onsite.paths = [ "/var/lib/forgejo" ];
- offsite.paths = [ "/var/lib/forgejo" ];
- };
-
- caddy.virtualHosts.${hostname}.extraConfig = ''
- reverse_proxy localhost:${toString port}
- tls ${certloc}/cert.pem ${certloc}/key.pem {
- protocols tls1.3
- }
- '';
- };
-
- users = {
- users.git = {
- home = "/var/lib/forgejo";
- useDefaultShell = true;
- group = "git";
- isSystemUser = true;
- };
- groups.git = { };
- };
-}
diff --git a/modules/nixos/features/homepage-dashboard.nix b/modules/nixos/features/homepage-dashboard.nix
index d7ac6ef..3516600 100644
--- a/modules/nixos/features/homepage-dashboard.nix
+++ b/modules/nixos/features/homepage-dashboard.nix
@@ -23,7 +23,6 @@ let
 secrets = [
 # keep-sorted start
- "forgejo-read-token"
 "immich"
 "jellyfin"
 "kavita-api"
@@ -80,18 +79,6 @@ in
 }
 {
 "Media Management" = [
- {
- Forgejo = {
- description = "Software forge";
- icon = "forgejo.svg";
- href = "https://git.fi33.buzz/";
- widget = {
- type = "gitea";
- url = "https://git.fi33.buzz/";
- key = "@forgejo-read-token@";
- };
- };
- }
 {
 Radarr = {
 description = "Movie organizer/manager";
diff --git a/secrets/forgejo-read-token.age b/secrets/forgejo-read-token.age
deleted file mode 100644
index dceb6b9..0000000
Binary files a/secrets/forgejo-read-token.age and /dev/null differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 795eecb..2bd9a15 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -18,7 +18,6 @@ in
 "borgbackup-offsite.age".publicKeys = users;
 "borgbackup-onsite.age".publicKeys = users;
 "copyparty.age".publicKeys = users;
- "forgejo-read-token.age".publicKeys = users;
 "gatus.age".publicKeys = users;
 "git_signing_key.age".publicKeys = users;
 "git_signing_key.pub.age".publicKeys = users;