From 83bcfbc123c3dca6b7b01a7bfb869cc22ff70c19 Mon Sep 17 00:00:00 2001 From: Forgejo NixOS Machine Date: Fri, 6 Feb 2026 13:36:27 +0100 Subject: [PATCH] Test pushing of packages --- .../forgejo/forgejo-insystem.nix | 436 ++++++++++++++++++ .../forgejo/forgejo-localconfig.nix | 436 ++++++++++++++++++ 2 files changed, 872 insertions(+) create mode 100644 nix-system-configs/forgejo/forgejo-insystem.nix create mode 100644 nix-system-configs/forgejo/forgejo-localconfig.nix diff --git a/nix-system-configs/forgejo/forgejo-insystem.nix b/nix-system-configs/forgejo/forgejo-insystem.nix new file mode 100644 index 0000000..82c1864 --- /dev/null +++ b/nix-system-configs/forgejo/forgejo-insystem.nix 
@@ -0,0 +1,436 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration-knot.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). +{ + config, + pkgs, + lib, + ... +}: let + home-manager = builtins.fetchTarball "https://github.com/nix-community/home-manager/archive/release-25.11.tar.gz"; + cfg = config.services.forgejo; + srv = cfg.settings.server; +in { + # Home Manager Configuration + imports = [ + # Include the results of the hardware scan. + (import "${home-manager}/nixos") + ]; + + networking.hostName = "forgejoprg"; # Define your hostname. + # BE SURE TO FIND AND REPLACE ALL INSTANCES OF THIS HOSTNAME IN THE CONFIGURATION FILES + # Define a user account. Don't forget to set a password with ‘passwd’. + + users.users.forgejoprg = { + isNormalUser = true; + description = "NixOS Playground"; + extraGroups = ["networkmanager" "wheel" "seat"]; + packages = with pkgs; []; + initialPassword = "nixos"; # Simple, change on first login + }; + + home-manager.users.forgejoprg = {pkgs, ...}: { + home.packages = [ + pkgs.atool + pkgs.httpie + pkgs.alacritty # Terminal emulator + pkgs.hyfetch # Add fetching packages + pkgs.macchina + pkgs.wayland # Wayland display server + pkgs.wlroots # Wayland compositor library + pkgs.maple-mono.NF # Font for better terminal appearance + pkgs.wl-clipboard # Clipboard utilities for Wayland + pkgs.mako # Wayland Sway Notification Daemon + pkgs.btop # Resource monitor + ]; + + # Set Alacritty as the default terminal emulator + home.sessionVariables = { + TERMINAL = "alacritty"; + }; + + # Use Zsh as the default shell + programs.zsh.enable = true; + + # Configure Alacritty as the default terminal emulator + programs.alacritty = { + enable = true; + settings = { + # Window configuration + window = { + opacity = 1.0; + padding = { + x = 10; + y = 10; + }; + }; + + # Font configuration - fixes spacing issues + font = { + normal = { + family = 
"Maple Mono NF"; + style = "Regular"; + }; + bold = { + family = "Maple Mono NF"; + style = "Bold"; + }; + italic = { + family = "Maple Mono NF"; + style = "Italic"; + }; + bold_italic = { + family = "Maple Mono NF"; + style = "Bold Italic"; + }; + size = 14.0; + }; + + # Colors (optional - using default Alacritty colors) + colors = { + primary = { + background = "#1e1e2e"; + foreground = "#cdd6f4"; + }; + }; + }; + }; + + # Configure Hyfetch system info fetcher + programs.hyfetch = { + enable = true; + settings = { + preset = "lesbian"; # Use lesbian flag preset + mode = "rgb"; # Use RGB color mode + lightness = 0.55; # Set to 55% brightness + backend = "macchina"; # Use macchina as the backend + logo_size = "small"; # Make small logo + pride_month_disable = false; # Enable pride month mode (or true to disable) + pride_month_shown = []; # List of shown pride month flags + color_align = { + mode = "horizontal"; + }; + }; + }; + + # The state version is required and should stay at the version you + # originally installed. 
+ home.stateVersion = "25.11"; + }; + + # Use Lix instead of Nix + nixpkgs.overlays = [ + (final: prev: { + inherit + (prev.lixPackageSets.stable) + nixpkgs-review + nix-eval-jobs + nix-fast-build + colmena + ; + }) + ]; + nix.package = pkgs.lixPackageSets.stable.lix; + + # Enable Fedgejo service + services.nginx = { + enable = true; + virtualHosts."git.prg.local" = { + # Remove forceSSL and enableACME for local network + # forceSSL = true; + # enableACME = true; + extraConfig = '' + client_max_body_size 512M; + ''; + locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}"; + }; + }; + + # Enable PostgreSQL for Forgejo + services.postgresql.enable = true; + + # Forgejo configuration + services.forgejo = { + enable = true; + database = { + type = "postgres"; + host = "10.1.1.251"; # IP of your database server + name = "forgejo"; + user = "forgejo"; + passwordFile = "/home/forgejoprg/password.txt"; # Store password in a separate file for security + }; + lfs.enable = true; + + settings = { + server = { + DOMAIN = "git.prg.local"; + ROOT_URL = "http://${srv.DOMAIN}/"; + HTTP_PORT = 3000; + # SSH integration + SSH_PORT = lib.head config.services.openssh.ports; + }; + + # Temporarily allow registration to create admin user + service.DISABLE_REGISTRATION = false; + + # Enable Actions support + actions = { + ENABLED = true; + DEFAULT_ACTIONS_URL = "github"; + }; + + # Optional: Email configuration + # mailer = { + # ENABLED = false; + # }; + }; + }; + + # Bootloader - GRUB for Legacy BIOS + boot.loader.systemd-boot.enable = lib.mkForce false; + boot.loader.grub = { + enable = true; + device = "/dev/vda"; # Install GRUB to the disk + efiSupport = false; # Disable UEFI + }; + boot.initrd.availableKernelModules = ["virtio_pci" "virtio_scsi" "ahci" "sd_mod" "virtio_blk"]; + +fileSystems."/" = { + device = "/dev/vda1"; + fsType = "ext4"; # Use "btrfs" or "xfs" if you formatted it differently +}; + + + + # Enable Rsymc + services.rsync.enable = true; + + # 
Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Enable SSH + services.openssh = { + enable = true; + ports = [22]; + settings = { + PasswordAuthentication = false; + AllowUsers = null; + PermitRootLogin = "no"; + }; + }; + + # Set your time zone. + time.timeZone = "Europe/Copenhagen"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_AU.UTF-8"; + + i18n.extraLocaleSettings = { + LC_ADDRESS = "et_EE.UTF-8"; + LC_IDENTIFICATION = "et_EE.UTF-8"; + LC_MEASUREMENT = "et_EE.UTF-8"; + LC_MONETARY = "et_EE.UTF-8"; + LC_NAME = "et_EE.UTF-8"; + LC_NUMERIC = "et_EE.UTF-8"; + LC_PAPER = "et_EE.UTF-8"; + LC_TELEPHONE = "et_EE.UTF-8"; + LC_TIME = "et_EE.UTF-8"; + }; + + # Configure keymap in X11 + services.xserver.xkb = { + layout = "us"; + variant = ""; + }; + + # Enable Seatd for Wayland sessions + # IMPORTANT: Enable seatd service for River WM + services.seatd = { + enable = true; + logLevel = "info"; + }; + + # Enable the gnome-keyring secrets vault. + # Will be exposed through DBus to programs willing to store secrets. 
+ services.gnome.gnome-keyring.enable = true; + + # Enable Sway window manager + programs.sway = { + enable = true; + wrapperFeatures.gtk = true; + }; + + services.greetd = { + enable = true; + settings = { + default_session = { + command = "${pkgs.tuigreet}/bin/tuigreet --time --cmd sway"; + user = "greeter"; + }; + }; + }; + + # Configure security to allow seatd access + security.polkit.enable = true; + + # Allow unfree packages + nixpkgs.config.allowUnfree = true; + + # Passwordless sudo for wheel group + security.sudo.wheelNeedsPassword = false; + + # Hardware U2F support - Passwordless sudo with hardware key + security.pam.u2f = { + enable = true; + settings = { + authfile = "/etc/u2f_keys"; + cue = true; + pinverification = 0; # No PIN verification + userpresence = 1; # Require user presence (touch) + }; + }; + + # SSH Agent authentication + security.pam.sshAgentAuth.enable = true; + + # Automatic upgrades + system.autoUpgrade = { + enable = true; # Set to true for automatic updates + dates = "daily"; + allowReboot = false; + }; + + # System packages + environment.systemPackages = with pkgs; [ + # Network tools + wget + curl + dig + tcpdump + ethtool + iptables + nftables + iproute2 + bridge-utils + netcat-gnu + traceroute + mtr + arp-scan + + # Monitoring + btop + htop + iotop + + # Editors + micro + vim + helix + + # System info + fastfetch + lshw + pciutils + usbutils + + # Build tools + git + ]; + + # Enable zram swap + zramSwap = { + enable = true; + memoryPercent = 50; + }; + + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. + # programs.mtr.enable = true; + # programs.gnupg.agent = { + # enable = true; + # enableSSHSupport = true; + # }; + + # List services that you want to enable: + + # Open ports in the firewall. + networking.firewall.allowedTCPPorts = [3000]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. 
+ # networking.firewall.enable = false; + + services.resolved.enable = false; + + # Use this clean static network configuration instead: + networking.useDHCP = false; + networking.networkmanager.enable = false; # Disable NetworkManager + + networking.interfaces.ens18 = { + ipv4.addresses = [ + { + address = "10.1.1.4"; + prefixLength = 24; + } + ]; + }; + + networking.defaultGateway = { + address = "10.1.1.1"; + interface = "ens18"; + }; + + # Explicitly set DNS + networking.nameservers = ["10.1.1.2"]; + + # THE FOLLOWING CODE BLOCK IS FOR COPYING TO OTHER CONFIGURATIONS, NOT FOR THIS FILE + nix.distributedBuilds = true; + nix.buildMachines = [ + { + hostName = "nixos-build-machine"; + system = "x86_64-linux"; + sshUser = "nixremote"; + sshKey = "/root/.ssh/nixremote"; + maxJobs = 4; + speedFactor = 2; + supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"]; + } + ]; + + # Generate SSH key for remote building + systemd.services.generate-nixremote-key = { + description = "Generate SSH key for remote Nix builds"; + wantedBy = ["multi-user.target"]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + if [ ! -f /root/.ssh/nixremote ]; then + ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /root/.ssh/nixremote -N "" -C "nix-remote-builder" + fi + ''; + }; + + programs.ssh.extraConfig = '' + Host nixos-build-machine + HostName 10.1.1.3 + IdentitiesOnly yes + IdentityFile /root/.ssh/nixremote + User nixremoteStrictHostKeyChecking accept-new + ''; + + # Manual step required: After rebuilding the client, copy /root/.ssh/nixremote.pub + # from the client to the build machine's users.users.nixremote.openssh.authorizedKeys.keys list, + # then rebuild the build machine. 
+ # i.e on the client: run "cat /root.ssh/nixremote.pub" + # and copy the output to the build machine's configuration.nix + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration-knot.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "25.11"; # Did you read the comment? +} diff --git a/nix-system-configs/forgejo/forgejo-localconfig.nix b/nix-system-configs/forgejo/forgejo-localconfig.nix new file mode 100644 index 0000000..82c1864 --- /dev/null +++ b/nix-system-configs/forgejo/forgejo-localconfig.nix 
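Review bot: The `programs.ssh.extraConfig` block near the end of the hunk runs two options together on one line, `User nixremoteStrictHostKeyChecking accept-new`, so ssh will take `nixremoteStrictHostKeyChecking` as the login name and the host-key policy for the build machine is never applied; split it into `User nixremote` and `StrictHostKeyChecking accept-new` on separate lines. The same text is duplicated verbatim in nix-system-configs/forgejo/forgejo-localconfig.nix (the second hunk), which needs the identical fix. A second point: `networking.firewall.allowedTCPPorts = [3000]` exposes the Forgejo backend directly, while the nginx virtual host that `ROOT_URL = "http://${srv.DOMAIN}/"` points at listens on port 80 by default and that port is not opened, so the proxy and its `client_max_body_size` limit are bypassed rather than used; opening 80 and leaving 3000 closed matches the intended layout. Finally, `security.sudo.wheelNeedsPassword = false` makes the `security.pam.u2f` block commented as "Passwordless sudo with hardware key" moot, because sudo never reaches PAM for wheel members when no password is required, so drop the `wheelNeedsPassword` line if the U2F touch is meant to gate sudo. The `nix.buildMachines` section is annotated as "NOT FOR THIS FILE" yet is present and active, so either remove it or reword the comment to say it is in use here.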
@@ -0,0 +1,436 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration-knot.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). +{ + config, + pkgs, + lib, + ... +}: let + home-manager = builtins.fetchTarball "https://github.com/nix-community/home-manager/archive/release-25.11.tar.gz"; + cfg = config.services.forgejo; + srv = cfg.settings.server; +in { + # Home Manager Configuration + imports = [ + # Include the results of the hardware scan. + (import "${home-manager}/nixos") + ]; + + networking.hostName = "forgejoprg"; # Define your hostname. + # BE SURE TO FIND AND REPLACE ALL INSTANCES OF THIS HOSTNAME IN THE CONFIGURATION FILES + # Define a user account. Don't forget to set a password with ‘passwd’. + + users.users.forgejoprg = { + isNormalUser = true; + description = "NixOS Playground"; + extraGroups = ["networkmanager" "wheel" "seat"]; + packages = with pkgs; []; + initialPassword = "nixos"; # Simple, change on first login + }; + + home-manager.users.forgejoprg = {pkgs, ...}: { + home.packages = [ + pkgs.atool + pkgs.httpie + pkgs.alacritty # Terminal emulator + pkgs.hyfetch # Add fetching packages + pkgs.macchina + pkgs.wayland # Wayland display server + pkgs.wlroots # Wayland compositor library + pkgs.maple-mono.NF # Font for better terminal appearance + pkgs.wl-clipboard # Clipboard utilities for Wayland + pkgs.mako # Wayland Sway Notification Daemon + pkgs.btop # Resource monitor + ]; + + # Set Alacritty as the default terminal emulator + home.sessionVariables = { + TERMINAL = "alacritty"; + }; + + # Use Zsh as the default shell + programs.zsh.enable = true; + + # Configure Alacritty as the default terminal emulator + programs.alacritty = { + enable = true; + settings = { + # Window configuration + window = { + opacity = 1.0; + padding = { + x = 10; + y = 10; + }; + }; + + # Font configuration - fixes spacing issues + font = { + normal = { + family = 
"Maple Mono NF"; + style = "Regular"; + }; + bold = { + family = "Maple Mono NF"; + style = "Bold"; + }; + italic = { + family = "Maple Mono NF"; + style = "Italic"; + }; + bold_italic = { + family = "Maple Mono NF"; + style = "Bold Italic"; + }; + size = 14.0; + }; + + # Colors (optional - using default Alacritty colors) + colors = { + primary = { + background = "#1e1e2e"; + foreground = "#cdd6f4"; + }; + }; + }; + }; + + # Configure Hyfetch system info fetcher + programs.hyfetch = { + enable = true; + settings = { + preset = "lesbian"; # Use lesbian flag preset + mode = "rgb"; # Use RGB color mode + lightness = 0.55; # Set to 55% brightness + backend = "macchina"; # Use macchina as the backend + logo_size = "small"; # Make small logo + pride_month_disable = false; # Enable pride month mode (or true to disable) + pride_month_shown = []; # List of shown pride month flags + color_align = { + mode = "horizontal"; + }; + }; + }; + + # The state version is required and should stay at the version you + # originally installed. 
+ home.stateVersion = "25.11"; + }; + + # Use Lix instead of Nix + nixpkgs.overlays = [ + (final: prev: { + inherit + (prev.lixPackageSets.stable) + nixpkgs-review + nix-eval-jobs + nix-fast-build + colmena + ; + }) + ]; + nix.package = pkgs.lixPackageSets.stable.lix; + + # Enable Fedgejo service + services.nginx = { + enable = true; + virtualHosts."git.prg.local" = { + # Remove forceSSL and enableACME for local network + # forceSSL = true; + # enableACME = true; + extraConfig = '' + client_max_body_size 512M; + ''; + locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}"; + }; + }; + + # Enable PostgreSQL for Forgejo + services.postgresql.enable = true; + + # Forgejo configuration + services.forgejo = { + enable = true; + database = { + type = "postgres"; + host = "10.1.1.251"; # IP of your database server + name = "forgejo"; + user = "forgejo"; + passwordFile = "/home/forgejoprg/password.txt"; # Store password in a separate file for security + }; + lfs.enable = true; + + settings = { + server = { + DOMAIN = "git.prg.local"; + ROOT_URL = "http://${srv.DOMAIN}/"; + HTTP_PORT = 3000; + # SSH integration + SSH_PORT = lib.head config.services.openssh.ports; + }; + + # Temporarily allow registration to create admin user + service.DISABLE_REGISTRATION = false; + + # Enable Actions support + actions = { + ENABLED = true; + DEFAULT_ACTIONS_URL = "github"; + }; + + # Optional: Email configuration + # mailer = { + # ENABLED = false; + # }; + }; + }; + + # Bootloader - GRUB for Legacy BIOS + boot.loader.systemd-boot.enable = lib.mkForce false; + boot.loader.grub = { + enable = true; + device = "/dev/vda"; # Install GRUB to the disk + efiSupport = false; # Disable UEFI + }; + boot.initrd.availableKernelModules = ["virtio_pci" "virtio_scsi" "ahci" "sd_mod" "virtio_blk"]; + +fileSystems."/" = { + device = "/dev/vda1"; + fsType = "ext4"; # Use "btrfs" or "xfs" if you formatted it differently +}; + + + + # Enable Rsymc + services.rsync.enable = true; + + # 
Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Enable SSH + services.openssh = { + enable = true; + ports = [22]; + settings = { + PasswordAuthentication = false; + AllowUsers = null; + PermitRootLogin = "no"; + }; + }; + + # Set your time zone. + time.timeZone = "Europe/Copenhagen"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_AU.UTF-8"; + + i18n.extraLocaleSettings = { + LC_ADDRESS = "et_EE.UTF-8"; + LC_IDENTIFICATION = "et_EE.UTF-8"; + LC_MEASUREMENT = "et_EE.UTF-8"; + LC_MONETARY = "et_EE.UTF-8"; + LC_NAME = "et_EE.UTF-8"; + LC_NUMERIC = "et_EE.UTF-8"; + LC_PAPER = "et_EE.UTF-8"; + LC_TELEPHONE = "et_EE.UTF-8"; + LC_TIME = "et_EE.UTF-8"; + }; + + # Configure keymap in X11 + services.xserver.xkb = { + layout = "us"; + variant = ""; + }; + + # Enable Seatd for Wayland sessions + # IMPORTANT: Enable seatd service for River WM + services.seatd = { + enable = true; + logLevel = "info"; + }; + + # Enable the gnome-keyring secrets vault. + # Will be exposed through DBus to programs willing to store secrets. 
+ services.gnome.gnome-keyring.enable = true; + + # Enable Sway window manager + programs.sway = { + enable = true; + wrapperFeatures.gtk = true; + }; + + services.greetd = { + enable = true; + settings = { + default_session = { + command = "${pkgs.tuigreet}/bin/tuigreet --time --cmd sway"; + user = "greeter"; + }; + }; + }; + + # Configure security to allow seatd access + security.polkit.enable = true; + + # Allow unfree packages + nixpkgs.config.allowUnfree = true; + + # Passwordless sudo for wheel group + security.sudo.wheelNeedsPassword = false; + + # Hardware U2F support - Passwordless sudo with hardware key + security.pam.u2f = { + enable = true; + settings = { + authfile = "/etc/u2f_keys"; + cue = true; + pinverification = 0; # No PIN verification + userpresence = 1; # Require user presence (touch) + }; + }; + + # SSH Agent authentication + security.pam.sshAgentAuth.enable = true; + + # Automatic upgrades + system.autoUpgrade = { + enable = true; # Set to true for automatic updates + dates = "daily"; + allowReboot = false; + }; + + # System packages + environment.systemPackages = with pkgs; [ + # Network tools + wget + curl + dig + tcpdump + ethtool + iptables + nftables + iproute2 + bridge-utils + netcat-gnu + traceroute + mtr + arp-scan + + # Monitoring + btop + htop + iotop + + # Editors + micro + vim + helix + + # System info + fastfetch + lshw + pciutils + usbutils + + # Build tools + git + ]; + + # Enable zram swap + zramSwap = { + enable = true; + memoryPercent = 50; + }; + + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. + # programs.mtr.enable = true; + # programs.gnupg.agent = { + # enable = true; + # enableSSHSupport = true; + # }; + + # List services that you want to enable: + + # Open ports in the firewall. + networking.firewall.allowedTCPPorts = [3000]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. 
+ # networking.firewall.enable = false; + + services.resolved.enable = false; + + # Use this clean static network configuration instead: + networking.useDHCP = false; + networking.networkmanager.enable = false; # Disable NetworkManager + + networking.interfaces.ens18 = { + ipv4.addresses = [ + { + address = "10.1.1.4"; + prefixLength = 24; + } + ]; + }; + + networking.defaultGateway = { + address = "10.1.1.1"; + interface = "ens18"; + }; + + # Explicitly set DNS + networking.nameservers = ["10.1.1.2"]; + + # THE FOLLOWING CODE BLOCK IS FOR COPYING TO OTHER CONFIGURATIONS, NOT FOR THIS FILE + nix.distributedBuilds = true; + nix.buildMachines = [ + { + hostName = "nixos-build-machine"; + system = "x86_64-linux"; + sshUser = "nixremote"; + sshKey = "/root/.ssh/nixremote"; + maxJobs = 4; + speedFactor = 2; + supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"]; + } + ]; + + # Generate SSH key for remote building + systemd.services.generate-nixremote-key = { + description = "Generate SSH key for remote Nix builds"; + wantedBy = ["multi-user.target"]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + if [ ! -f /root/.ssh/nixremote ]; then + ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /root/.ssh/nixremote -N "" -C "nix-remote-builder" + fi + ''; + }; + + programs.ssh.extraConfig = '' + Host nixos-build-machine + HostName 10.1.1.3 + IdentitiesOnly yes + IdentityFile /root/.ssh/nixremote + User nixremoteStrictHostKeyChecking accept-new + ''; + + # Manual step required: After rebuilding the client, copy /root/.ssh/nixremote.pub + # from the client to the build machine's users.users.nixremote.openssh.authorizedKeys.keys list, + # then rebuild the build machine. 
+ # i.e on the client: run "cat /root.ssh/nixremote.pub" + # and copy the output to the build machine's configuration.nix + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration-knot.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "25.11"; # Did you read the comment? +}