forgeje: use 2222 port for ssh

server: move caddy to seperate module
2024-11-01 12:45:18 +11:00 · 2024-11-01 12:45:18 +11:00 · 90e096262b
commit 90e096262b
parent 52cb6d10bc
9 changed files with 116 additions and 135 deletions
--- a/modules/nixos/server/services/forgejo/default.nix
+++ b/modules/nixos/server/services/forgejo/default.nix
@ -7,6 +7,8 @@
  inherit (lib) mkIf elem;
 in {
  config = mkIf (elem "forgejo" services) {
+    networking.firewall.allowedTCPPorts = [2222];
+
    ooknet.server = {
      webserver.caddy.enable = true;
      database.postgresql.enable = true;
@ -20,12 +22,43 @@ in {
            DOMAIN = "git.${domain}";
            ROOT_URL = "https://git.${domain}";
            HTTP_PORT = 3000;
+            LANDING_PAGE = "explore";
+
+            START_SSH_SERVER = true;
+            SSH_PORT = 2222;
+            SSH_LISTEN_PORT = 2222;
+          };
+          database = {
+            type = "postgres";
+            createDatabase = true;
+          };
+          service = {
+            DISABLE_REGISTRATION = true;
+          };
+          security = {
+            INSTALL_LOCK = true;
          };
        };
      };
      caddy.virtualHosts = {
        "git.${domain}".extraConfig = ''
-          reverse_proxy 127.0.0.1:3000
+          header {
+            Strict-Transport-Security "max-age=31536000;"
+            X-XSS-Protection "1; mode=block"
+            X-Frame-Options "DENY"
+            X-Content-Type-Options "nosniff"
+            -Server
+            Referrer-Policy "no-referrer"
+          }
+
+          # Handle proxying
+          handle_path /* {
+            reverse_proxy localhost:3000 {
+              header_up X-Real-IP {remote_host}
+              header_up X-Forwarded-For {remote_host}
+              header_up X-Forwarded-Proto {scheme}
+            }
+          }
        '';
      };
    };
--- a/modules/nixos/server/services/website/default.nix
+++ b/modules/nixos/server/services/website/default.nix
@ -9,8 +9,7 @@
  inherit (self'.packages) website;
 in {
  config = mkIf (elem "website" services) {
-    users.groups.www = {};
-
+    ooknet.server.webserver.caddy.enable = true;
    systemd.tmpfiles.rules = [
      "d /var/www 0775 caddy www"
      "d /var/www/ooknet.org 0775 caddy www"
@ -40,34 +39,29 @@ in {
    };

    # using caddy because it makes my life easy
-    services.caddy = {
-      enable = true;
-      group = "www";
+    services.caddy.virtualHosts = {
+      "ooknet.org".extraConfig =
+        # sh
+        ''
+          encode zstd gzip

-      virtualHosts = {
-        "ooknet.org".extraConfig =
-          # sh
-          ''
-            encode zstd gzip
-
-            header {
-              Strict-Transport-Security "max-age=31536000;"
-              X-XSS-Protection "1; mode=block"
-              X-Frame-Options "DENY"
-              X-Content-Type-Options "nosniff"
-              -Server
+          header {
+            Strict-Transport-Security "max-age=31536000;"
+            X-XSS-Protection "1; mode=block"
+            X-Frame-Options "DENY"
+            X-Content-Type-Options "nosniff"
+            -Server


-              Referrer-Policy: no-referrer
-            }
+            Referrer-Policy: no-referrer
+          }

-            root * /var/www/ooknet.org/
-            file_server
-          '';
-        "www.ooknet.org".extraConfig = ''
-          redir https://ooknet.org{uri}
+          root * /var/www/ooknet.org/
+          file_server
        '';
-      };
+      "www.ooknet.org".extraConfig = ''
+        redir https://ooknet.org{uri}
+      '';
    };
  };
 }