diff --git a/nix-system-configs/modules/system/forgejo.nix b/nix-system-configs/modules/system/forgejo.nix
index be1991c..f6ed7a0 100644
--- a/nix-system-configs/modules/system/forgejo.nix
+++ b/nix-system-configs/modules/system/forgejo.nix
@@ -8,79 +8,104 @@ cfg = config.services.forgejo; srv = cfg.settings.server; in { + options.local = { + hostname = lib.mkOption { + type = lib.types.str; + default = "nixos-default"; + description = "System hostname"; + }; + username = lib.mkOption { + type = lib.types.str; + default = "user"; + description = "Primary user username"; + }; + userDescription = lib.mkOption { + type = lib.types.str; + default = "NixOS User"; + description = "Primary user description"; + }; + address = lib.mkOption { + type = lib.types.str; + default = "10.1.1.100"; + description = "Static IP address"; + }; + }; + + config = { local.hostname = "forgejoprg"; local.username = "forgejoprg"; local.userDescription = "Forgejo Admin"; local.address = "10.1.1.4"; - # Enable Fedgejo service - services.nginx = { - enable = true; - virtualHosts."git.prg.local" = { - # Remove forceSSL and enableACME for local network - # forceSSL = true; - # enableACME = true; - extraConfig = '' - client_max_body_size 512M; - ''; - locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}"; - }; - }; - - # Enable PostgreSQL for Forgejo - services.postgresql.enable = true; - - # Forgejo configuration - services.forgejo = { - enable = true; - database = { - type = "postgres"; - host = "10.1.1.251"; # IP of your database server - name = "forgejo"; - user = "forgejo"; - passwordFile = "/home/forgejoprg/password.txt"; # Store password in a separate file for security - }; - lfs.enable = true; - - settings = { - server = { - DOMAIN = "git.prg-radio.org"; - ROOT_URL = "https://git.prg-radio.org/"; - HTTP_PORT = 3000; - # SSH integration - SSH_PORT = lib.head config.services.openssh.ports; + # Enable Fedgejo service + services.nginx = { + enable = true; + virtualHosts."git.prg.local" = { + # Remove forceSSL and enableACME for local network + # forceSSL = true; + # enableACME = true; + extraConfig = '' + client_max_body_size 512M; + ''; + locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}"; }; 
- - # Temporarily allow registration to create admin user - service.DISABLE_REGISTRATION = false; - - # Enable Actions support - actions = { - ENABLED = true; - DEFAULT_ACTIONS_URL = "github"; - }; - - # Optional: Email configuration - # mailer = { - # ENABLED = false; - # }; }; + + # Enable PostgreSQL for Forgejo + services.postgresql.enable = true; + + # Forgejo configuration + services.forgejo = { + enable = true; + database = { + type = "postgres"; + host = "10.1.1.251"; # IP of your database server + name = "forgejo"; + user = "forgejo"; + passwordFile = "/home/forgejoprg/password.txt"; # Store password in a separate file for security + }; + lfs.enable = true; + + settings = { + server = { + DOMAIN = "git.prg-radio.org"; + ROOT_URL = "https://git.prg-radio.org/"; + HTTP_PORT = 3000; + # SSH integration + SSH_PORT = lib.head config.services.openssh.ports; + }; + + # Temporarily allow registration to create admin user + service.DISABLE_REGISTRATION = false; + + # Enable Actions support + actions = { + ENABLED = true; + DEFAULT_ACTIONS_URL = "github"; + }; + + # Optional: Email configuration + # mailer = { + # ENABLED = false; + # }; + }; + }; + + # Open ports in the firewall. + networking.firewall.allowedTCPPorts = [3000]; + + imports = [ + # ./secrets/secrets.nix # Add this locally after running add-secrets.zsh + # Optionally import local secrets if present (won't fail if missing) + (lib.optional (builtins.pathExists ./secrets/secrets.nix) ./secrets/secrets.nix) + ./modules/desktop-manager/sway_greetd_homemanager.nix + ./modules/local/hostname_username.nix + ./modules/local/networking_local.nix + ./modules/toolsets/remote_building.nix + ./modules/bootloader/seabios.nix + ./modules/lix-default.nix + ]; + + system.stateVersion = "25.11"; }; - - # Open ports in the firewall. 
- networking.firewall.allowedTCPPorts = [3000];
-
- imports = [
- # ./secrets/secrets.nix # Add this locally after running add-secrets.zsh
- # Optionally import local secrets if present (won't fail if missing)
- (lib.optional (builtins.pathExists ./secrets/secrets.nix) ./secrets/secrets.nix)
- ./modules/desktop-manager/sway_greetd_homemanager.nix
- ./modules/local/hostname_username.nix
- ./modules/local/networking_local.nix
- ./modules/toolsets/remote_building.nix
- ./modules/bootloader/seabios.nix
- ./modules/lix-default.nix
- ];
-
- system.stateVersion = "25.11";
 }
diff --git a/nix-system-configs/modules/system/traefik.nix b/nix-system-configs/modules/system/traefik.nix
index a249a55..e13ba29 100644
--- a/nix-system-configs/modules/system/traefik.nix
+++ b/nix-system-configs/modules/system/traefik.nix
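Review bot: `imports = [ … ];` now sits inside the `config = { … };` attribute set on the new side (just before `system.stateVersion`), but `imports` is a module-level key rather than an option, so placed there it defines a nonexistent option `imports` and module evaluation fails. Move the list up one level so the module reads `{ imports = [ … ]; options.local = { … }; config = { … }; }`; traefik.nix in this same commit has the identical placement. The new `options.local` block declares `local.hostname`, `local.username`, `local.userDescription` and `local.address` while the import list still pulls in `./modules/local/hostname_username.nix`; if that module declares the same options, the module system rejects the duplicate declaration, so only one of the two should own them. Relative paths such as `./modules/desktop-manager/…` resolve from `modules/system/`, which looks unlikely to be where those files live and is worth confirming. Separately, the moved `service.DISABLE_REGISTRATION = false` and `networking.firewall.allowedTCPPorts = [3000]` still leave self-registration and the unproxied HTTP port open on a host published at `git.prg-radio.org`; the comment calls this temporary, so it deserves a tracked follow-up before the config is considered done.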
@@ -4,99 +4,123 @@ lib, ... }: { + options.local = { + hostname = lib.mkOption { + type = lib.types.str; + default = "nixos-default"; + description = "System hostname"; + }; + username = lib.mkOption { + type = lib.types.str; + default = "user"; + description = "Primary user username"; + }; + userDescription = lib.mkOption { + type = lib.types.str; + default = "NixOS User"; + description = "Primary user description"; + }; + address = lib.mkOption { + type = lib.types.str; + default = "10.1.1.100"; + description = "Static IP address"; + }; + }; + + config = { local.hostname = "nixos-traefik"; local.username = "traefikprg"; local.userDescription = "NixOS PRG Traefik Service"; local.address = "10.1.1.250"; - - services.traefik = { - enable = true; - group = "acme"; - staticConfigOptions = { - entryPoints = { - web = { - address = ":80"; - asDefault = true; - http.redirections.entrypoint = { - to = "websecure"; - scheme = "https"; + services.traefik = { + enable = true; + group = "acme"; + staticConfigOptions = { + entryPoints = { + web = { + address = ":80"; + asDefault = true; + http.redirections.entrypoint = { + to = "websecure"; + scheme = "https"; + }; + }; + websecure = { + address = ":443"; + asDefault = true; + http.tls = { + domains = [ + { + main = "prg-radio.org"; + sans = ["*.prg-radio.org"]; + } + ]; + }; }; }; - websecure = { - address = ":443"; - asDefault = true; - http.tls = { - domains = [ - { - main = "prg-radio.org"; - sans = ["*.prg-radio.org"]; - } + log = { + level = "INFO"; + filePath = "${config.services.traefik.dataDir}/traefik.log"; + format = "json"; + }; + api.dashboard = true; + api.insecure = true; + }; + dynamicConfigOptions = { + tls.certificates = [ + { + certFile = "/var/lib/acme/prg-radio.org/cert.pem"; + keyFile = "/var/lib/acme/prg-radio.org/key.pem"; + } + ]; + http.routers = { + forgejo = { + rule = "Host(`git.prg-radio.org`)"; + service = "forgejo"; + entryPoints = ["websecure"]; + tls = {}; + }; + }; + http.services = { + 
forgejo.loadBalancer = { + servers = [ + {url = "http://10.1.1.4:3000";} ]; }; }; }; - log = { - level = "INFO"; - filePath = "${config.services.traefik.dataDir}/traefik.log"; - format = "json"; - }; - api.dashboard = true; - api.insecure = true; }; - dynamicConfigOptions = { - tls.certificates = [ - { - certFile = "/var/lib/acme/prg-radio.org/cert.pem"; - keyFile = "/var/lib/acme/prg-radio.org/key.pem"; - } - ]; - http.routers = { - forgejo = { - rule = "Host(`git.prg-radio.org`)"; - service = "forgejo"; - entryPoints = ["websecure"]; - tls = {}; - }; - }; - http.services = { - forgejo.loadBalancer = { - servers = [ - {url = "http://10.1.1.4:3000";} - ]; - }; + + security.acme = { + acceptTerms = true; + defaults.email = "dtu.prg@gmail.com"; + certs."prg-radio.org" = { + domain = "*.prg-radio.org"; + group = "acme"; + dnsProvider = "cloudflare"; + environmentFile = "/home/traefikprg/cloudflare/cloudflare.env"; + reloadServices = ["traefik.service"]; }; }; - }; - security.acme = { - acceptTerms = true; - defaults.email = "dtu.prg@gmail.com"; - certs."prg-radio.org" = { - domain = "*.prg-radio.org"; - group = "acme"; - dnsProvider = "cloudflare"; - environmentFile = "/home/traefikprg/cloudflare/cloudflare.env"; - reloadServices = ["traefik.service"]; + systemd.services.traefik = { + after = ["acme-finished-prg-radio.org.target"]; + wants = ["acme-finished-prg-radio.org.target"]; }; + + networking.firewall.allowedTCPPorts = [80 443]; + networking.firewall.allowedUDPPorts = [80 443]; + + imports = [ + ./modules/desktop-manager/sway_greetd_homemanager.nix + ./modules/local/hostname_username.nix + ./modules/local/networking_local.nix + ./modules/bootloader/seabios.nix + ./modules/lix-default.nix + # Optionally: ./modules/toolsets/remote_building.nix + ]; + + system.stateVersion = "25.11"; }; - - systemd.services.traefik = { - after = ["acme-finished-prg-radio.org.target"]; - wants = ["acme-finished-prg-radio.org.target"]; - }; - - networking.firewall.allowedTCPPorts = 
[80 443];
- networking.firewall.allowedUDPPorts = [80 443];
-
- imports = [
- ./modules/desktop-manager/sway_greetd_homemanager.nix
- ./modules/local/hostname_username.nix
- ./modules/local/networking_local.nix
- ./modules/bootloader/seabios.nix
- ./modules/lix-default.nix
- # Optionally: ./modules/toolsets/remote_building.nix
- ];
-
- system.stateVersion = "25.11";
 }
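Review bot: `api.insecure = true` together with `api.dashboard = true` (carried over unchanged on the new side under `staticConfigOptions`) serves the Traefik API and dashboard without any authentication on Traefik's separate insecure entrypoint; the firewall block only opens 80 and 443, so it is presumably unreachable from the network, but that is the only thing protecting it. If the dashboard is needed, drop `api.insecure` and publish it through a router on `websecure` with an auth middleware in front; otherwise set `api.dashboard = false`. `networking.firewall.allowedUDPPorts = [80 443];` opens UDP ports for which no entrypoint in `staticConfigOptions` is configured (no HTTP/3 setting is visible in the hunk), so it can be removed unless QUIC is enabled elsewhere. The Cloudflare API credentials referenced by `environmentFile = "/home/traefikprg/cloudflare/cloudflare.env"` live in a user's home directory; a comment stating the required ownership and mode for that file (readable only by the acme service's user) would document the assumption the config relies on.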