Merge pull request 'feat(forgejo): add gatus monitoring for ssh connection' (#136 ) from 127 into 100

Reviewed-on: #136
feat(forgejo): add gatus monitoring for ssh connection
2026-03-12 18:53:39 +11:00 · 2026-03-12 18:52:03 +11:00 · 2026-03-09 20:59:29 +11:00 · 2026-03-09 19:34:20 +11:00 · 2026-03-09 19:34:20 +11:00 · 2026-03-09 19:33:56 +11:00
6 changed files with 118 additions and 12 deletions
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@ -42,18 +42,22 @@
  };
  # hardened openssh
-  services.openssh = {
+  services = {
-    allowSFTP = false;
+    fail2ban.enable = true;
-    extraConfig = ''
+    endlessh = {
-      AllowTcpForwarding yes
+      enable = true;
-      X11Forwarding no
+      port = 22;
-      AllowAgentForwarding no
+      openFirewall = true;
-      AllowStreamLocalForwarding no
+    };
-      AuthenticationMethods publickey
+    openssh = {
-    '';
+      enable = true;
-    settings = {
+      ports = [ 5011 ];
-      KbdInteractiveAuthentication = false;
+      settings = {
-      PasswordAuthentication = false;
+        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        PermitRootLogin = "no";
        AllowUsers = [ "srv" ];
      };
    };
  };
--- a/modules/nixos/bundles/server.nix
+++ b/modules/nixos/bundles/server.nix
@ -12,6 +12,7 @@
    "cryptpad"
    "fi33.buzz"
    "gatus"
    "forgejo"
    "homepage-dashboard"
    "immich"
    "jellyfin"
--- a/modules/nixos/features/forgejo.nix
+++ b/modules/nixos/features/forgejo.nix
@ -0,0 +1,87 @@
 {
  config,
  lib,
  ...
 }:
 let
  port = 5027;
  certloc = "/var/lib/acme/fi33.buzz";
  hostname = "git.fi33.buzz";
  url = "https://git.fi33.buzz";
  sshPort = lib.head config.services.openssh.ports;
 in
 {
  services = {
    forgejo = {
      enable = true;
      dump = {
        enable = true;
        interval = "00:00";
      };
      lfs.enable = true;
      settings = {
        server = {
          # keep-sorted start
          DOMAIN = hostname;
          HTTP_PORT = port;
          ROOT_URL = url;
          SSH_PORT = sshPort;
          # keep-sorted end
        };
        service.DISABLE_REGISTRATION = true;
      };
      user = "git";
      group = "git";
    };
    openssh.settings.AllowUsers = [ "git" ];
    gatus.settings.endpoints = [
      {
        name = "Forgejo";
        group = "Private Services";
        inherit url;
        interval = "5m";
        conditions = [
          "[STATUS] == 200"
          "[CONNECTED] == true"
          "[RESPONSE_TIME] < 500"
        ];
        alerts = [ { type = "ntfy"; } ];
      }
      {
        name = "Forgejo SSH";
        group = "Private Services";
        url = "ssh://${hostname}:${toString sshPort}";
        interval = "5m";
        conditions = [
          "[CONNECTED] == true"
          "[RESPONSE_TIME] < 500"
        ];
        alerts = [ { type = "ntfy"; } ];
      }
    ];
    borgbackup.jobs = {
      onsite.paths = [ "/var/lib/forgejo" ];
      offsite.paths = [ "/var/lib/forgejo" ];
    };
    caddy.virtualHosts.${hostname}.extraConfig = ''
      reverse_proxy localhost:${toString port}
      tls ${certloc}/cert.pem ${certloc}/key.pem {
        protocols tls1.3
      }
    '';
  };
  users = {
    users.git = {
      home = "/var/lib/forgejo";
      useDefaultShell = true;
      group = "git";
      isSystemUser = true;
    };
    groups.git = { };
  };
 }
--- a/modules/nixos/features/homepage-dashboard.nix
+++ b/modules/nixos/features/homepage-dashboard.nix
@ -23,6 +23,7 @@ let
  secrets = [
    # keep-sorted start
    "forgejo-read-token"
    "immich"
    "jellyfin"
    "kavita-api"
@ -79,6 +80,18 @@ in
        }
        {
          "Media Management" = [
            {
              Forgejo = {
                description = "Software forge";
                icon = "forgejo.svg";
                href = "https://git.fi33.buzz/";
                widget = {
                  type = "gitea";
                  url = "https://git.fi33.buzz/";
                  key = "@forgejo-read-token@";
                };
              };
            }
            {
              Radarr = {
                description = "Movie organizer/manager";
--- a/secrets/forgejo-read-token.age
+++ b/secrets/forgejo-read-token.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -18,6 +18,7 @@ in
  "borgbackup-offsite.age".publicKeys = users;
  "borgbackup-onsite.age".publicKeys = users;
  "copyparty.age".publicKeys = users;
  "forgejo-read-token.age".publicKeys = users;
  "gatus.age".publicKeys = users;
  "git_signing_key.age".publicKeys = users;
  "git_signing_key.pub.age".publicKeys = users;
Author	SHA1	Message	Date
Will Holdsworth	6bac995f02	Merge pull request 'feat(forgejo): add gatus monitoring for ssh connection' (#136 ) from 127 into 100 Reviewed-on: #136	2026-03-12 18:53:39 +11:00
Will Holdsworth	996f826781	feat(forgejo): add gatus monitoring for ssh connection	2026-03-12 18:52:03 +11:00
Will Holdsworth	af06b6d5ef	feat(forgejo): rename forgejo user to git	2026-03-09 20:59:29 +11:00
Will Holdsworth	383989516c	feat(openssh): reconfigure hardening based on nixos wiki reccomendations	2026-03-09 19:34:20 +11:00
wi11-holdsworth	c6135ee301	feat(homepage-dashboard): add forgejo	2026-03-09 19:34:20 +11:00
wi11-holdsworth	79dba1beb4	feat(forgejo): install	2026-03-09 19:33:56 +11:00