Local config hell.

Root User 2026-02-06 22:02:53 +01:00
parent 9e349b7164
commit 6e399b829a
Signed by: root
GPG key ID: 087F0A95E5766D72
2 changed files with 194 additions and 145 deletions


@ -8,79 +8,104 @@
cfg = config.services.forgejo; cfg = config.services.forgejo;
srv = cfg.settings.server; srv = cfg.settings.server;
in { in {
options.local = {
hostname = lib.mkOption {
type = lib.types.str;
default = "nixos-default";
description = "System hostname";
};
username = lib.mkOption {
type = lib.types.str;
default = "user";
description = "Primary user username";
};
userDescription = lib.mkOption {
type = lib.types.str;
default = "NixOS User";
description = "Primary user description";
};
address = lib.mkOption {
type = lib.types.str;
default = "10.1.1.100";
description = "Static IP address";
};
};
config = {
local.hostname = "forgejoprg"; local.hostname = "forgejoprg";
local.username = "forgejoprg"; local.username = "forgejoprg";
local.userDescription = "Forgejo Admin"; local.userDescription = "Forgejo Admin";
local.address = "10.1.1.4"; local.address = "10.1.1.4";
# Enable Fedgejo service # Enable Fedgejo service
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts."git.prg.local" = { virtualHosts."git.prg.local" = {
# Remove forceSSL and enableACME for local network # Remove forceSSL and enableACME for local network
# forceSSL = true; # forceSSL = true;
# enableACME = true; # enableACME = true;
extraConfig = '' extraConfig = ''
client_max_body_size 512M; client_max_body_size 512M;
''; '';
locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}"; locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
};
};
# Enable PostgreSQL for Forgejo
services.postgresql.enable = true;
# Forgejo configuration
services.forgejo = {
enable = true;
database = {
type = "postgres";
host = "10.1.1.251"; # IP of your database server
name = "forgejo";
user = "forgejo";
passwordFile = "/home/forgejoprg/password.txt"; # Store password in a separate file for security
};
lfs.enable = true;
settings = {
server = {
DOMAIN = "git.prg-radio.org";
ROOT_URL = "https://git.prg-radio.org/";
HTTP_PORT = 3000;
# SSH integration
SSH_PORT = lib.head config.services.openssh.ports;
}; };
# Temporarily allow registration to create admin user
service.DISABLE_REGISTRATION = false;
# Enable Actions support
actions = {
ENABLED = true;
DEFAULT_ACTIONS_URL = "github";
};
# Optional: Email configuration
# mailer = {
# ENABLED = false;
# };
}; };
# Enable PostgreSQL for Forgejo
services.postgresql.enable = true;
# Forgejo configuration
services.forgejo = {
enable = true;
database = {
type = "postgres";
host = "10.1.1.251"; # IP of your database server
name = "forgejo";
user = "forgejo";
passwordFile = "/home/forgejoprg/password.txt"; # Store password in a separate file for security
};
lfs.enable = true;
settings = {
server = {
DOMAIN = "git.prg-radio.org";
ROOT_URL = "https://git.prg-radio.org/";
HTTP_PORT = 3000;
# SSH integration
SSH_PORT = lib.head config.services.openssh.ports;
};
# Temporarily allow registration to create admin user
service.DISABLE_REGISTRATION = false;
# Enable Actions support
actions = {
ENABLED = true;
DEFAULT_ACTIONS_URL = "github";
};
# Optional: Email configuration
# mailer = {
# ENABLED = false;
# };
};
};
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [3000];
imports = [
# ./secrets/secrets.nix # Add this locally after running add-secrets.zsh
# Optionally import local secrets if present (won't fail if missing)
(lib.optional (builtins.pathExists ./secrets/secrets.nix) ./secrets/secrets.nix)
./modules/desktop-manager/sway_greetd_homemanager.nix
./modules/local/hostname_username.nix
./modules/local/networking_local.nix
./modules/toolsets/remote_building.nix
./modules/bootloader/seabios.nix
./modules/lix-default.nix
];
system.stateVersion = "25.11";
}; };
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [3000];
imports = [
# ./secrets/secrets.nix # Add this locally after running add-secrets.zsh
# Optionally import local secrets if present (won't fail if missing)
(lib.optional (builtins.pathExists ./secrets/secrets.nix) ./secrets/secrets.nix)
./modules/desktop-manager/sway_greetd_homemanager.nix
./modules/local/hostname_username.nix
./modules/local/networking_local.nix
./modules/toolsets/remote_building.nix
./modules/bootloader/seabios.nix
./modules/lix-default.nix
];
system.stateVersion = "25.11";
} }
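Review bot: The new inline `options.local = { hostname … address }` declaration on this host collides with `./modules/local/hostname_username.nix`, which the `imports` list still pulls in; if that module declares the same `local.*` options (its name suggests it does), evaluation stops with an "already declared" error, so the declaration should exist in exactly one place — keep it in the shared module and delete the inline copy here, or drop the import. The side-by-side rendering does not make the nesting certain, but if `imports = [ … ];` and `system.stateVersion` landed inside `config = { … };` rather than beside `options` and `config`, the module system will reject `imports` as an unknown option; both belong at the module's top level. The traefik host section in this commit has the same two issues. The restructure also carries `service.DISABLE_REGISTRATION = false` over with its `# Temporarily allow registration` comment intact; if the admin account has already been created, flip it to `true` in the same change so the instance published as `git.prg-radio.org` is not left open to self-registration.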


@ -4,99 +4,123 @@
lib, lib,
... ...
}: { }: {
options.local = {
hostname = lib.mkOption {
type = lib.types.str;
default = "nixos-default";
description = "System hostname";
};
username = lib.mkOption {
type = lib.types.str;
default = "user";
description = "Primary user username";
};
userDescription = lib.mkOption {
type = lib.types.str;
default = "NixOS User";
description = "Primary user description";
};
address = lib.mkOption {
type = lib.types.str;
default = "10.1.1.100";
description = "Static IP address";
};
};
config = {
local.hostname = "nixos-traefik"; local.hostname = "nixos-traefik";
local.username = "traefikprg"; local.username = "traefikprg";
local.userDescription = "NixOS PRG Traefik Service"; local.userDescription = "NixOS PRG Traefik Service";
local.address = "10.1.1.250"; local.address = "10.1.1.250";
services.traefik = {
services.traefik = { enable = true;
enable = true; group = "acme";
group = "acme"; staticConfigOptions = {
staticConfigOptions = { entryPoints = {
entryPoints = { web = {
web = { address = ":80";
address = ":80"; asDefault = true;
asDefault = true; http.redirections.entrypoint = {
http.redirections.entrypoint = { to = "websecure";
to = "websecure"; scheme = "https";
scheme = "https"; };
};
websecure = {
address = ":443";
asDefault = true;
http.tls = {
domains = [
{
main = "prg-radio.org";
sans = ["*.prg-radio.org"];
}
];
};
}; };
}; };
websecure = { log = {
address = ":443"; level = "INFO";
asDefault = true; filePath = "${config.services.traefik.dataDir}/traefik.log";
http.tls = { format = "json";
domains = [ };
{ api.dashboard = true;
main = "prg-radio.org"; api.insecure = true;
sans = ["*.prg-radio.org"]; };
} dynamicConfigOptions = {
tls.certificates = [
{
certFile = "/var/lib/acme/prg-radio.org/cert.pem";
keyFile = "/var/lib/acme/prg-radio.org/key.pem";
}
];
http.routers = {
forgejo = {
rule = "Host(`git.prg-radio.org`)";
service = "forgejo";
entryPoints = ["websecure"];
tls = {};
};
};
http.services = {
forgejo.loadBalancer = {
servers = [
{url = "http://10.1.1.4:3000";}
]; ];
}; };
}; };
}; };
log = {
level = "INFO";
filePath = "${config.services.traefik.dataDir}/traefik.log";
format = "json";
};
api.dashboard = true;
api.insecure = true;
}; };
dynamicConfigOptions = {
tls.certificates = [ security.acme = {
{ acceptTerms = true;
certFile = "/var/lib/acme/prg-radio.org/cert.pem"; defaults.email = "dtu.prg@gmail.com";
keyFile = "/var/lib/acme/prg-radio.org/key.pem"; certs."prg-radio.org" = {
} domain = "*.prg-radio.org";
]; group = "acme";
http.routers = { dnsProvider = "cloudflare";
forgejo = { environmentFile = "/home/traefikprg/cloudflare/cloudflare.env";
rule = "Host(`git.prg-radio.org`)"; reloadServices = ["traefik.service"];
service = "forgejo";
entryPoints = ["websecure"];
tls = {};
};
};
http.services = {
forgejo.loadBalancer = {
servers = [
{url = "http://10.1.1.4:3000";}
];
};
}; };
}; };
};
security.acme = { systemd.services.traefik = {
acceptTerms = true; after = ["acme-finished-prg-radio.org.target"];
defaults.email = "dtu.prg@gmail.com"; wants = ["acme-finished-prg-radio.org.target"];
certs."prg-radio.org" = {
domain = "*.prg-radio.org";
group = "acme";
dnsProvider = "cloudflare";
environmentFile = "/home/traefikprg/cloudflare/cloudflare.env";
reloadServices = ["traefik.service"];
}; };
networking.firewall.allowedTCPPorts = [80 443];
networking.firewall.allowedUDPPorts = [80 443];
imports = [
./modules/desktop-manager/sway_greetd_homemanager.nix
./modules/local/hostname_username.nix
./modules/local/networking_local.nix
./modules/bootloader/seabios.nix
./modules/lix-default.nix
# Optionally: ./modules/toolsets/remote_building.nix
];
system.stateVersion = "25.11";
}; };
systemd.services.traefik = {
after = ["acme-finished-prg-radio.org.target"];
wants = ["acme-finished-prg-radio.org.target"];
};
networking.firewall.allowedTCPPorts = [80 443];
networking.firewall.allowedUDPPorts = [80 443];
imports = [
./modules/desktop-manager/sway_greetd_homemanager.nix
./modules/local/hostname_username.nix
./modules/local/networking_local.nix
./modules/bootloader/seabios.nix
./modules/lix-default.nix
# Optionally: ./modules/toolsets/remote_building.nix
];
system.stateVersion = "25.11";
} }