the_prg_server_configuratio.../nix-system-configs/forgejo/forgejo-insystem.nix
2026-02-06 13:36:27 +01:00
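# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{
  config,
  pkgs,
  lib,
  ...
}: let
  # Home Manager release line matching the stateVersion values used below.
  # NOTE(review): no sha256 is given, so the tarball is fetched unpinned at
  # evaluation time; the attrset form of builtins.fetchTarball with a
  # `sha256 = "<hash placeholder>"` pins the exact content.
  home-manager = builtins.fetchTarball "https://github.com/nix-community/home-manager/archive/release-25.11.tar.gz";
  cfg = config.services.forgejo;
  srv = cfg.settings.server;
in {
  # Home Manager NixOS module from the tarball fetched above.
  # Note: no hardware-configuration.nix is imported; boot loader, initrd
  # modules and fileSystems are declared by hand further down.
  imports = [
    (import "${home-manager}/nixos")
  ];

  networking.hostName = "forgejoprg"; # Define your hostname.
  # BE SURE TO FIND AND REPLACE ALL INSTANCES OF THIS HOSTNAME IN THE CONFIGURATION FILES

  # Define a user account. Don't forget to set a password with passwd.
  users.users.forgejoprg = {
    isNormalUser = true;
    description = "NixOS Playground";
    extraGroups = ["networkmanager" "wheel" "seat"];
    packages = with pkgs; [];
    initialPassword = "nixos"; # Simple, change on first login
  };

  # Per-user Home Manager configuration for the account above.
  home-manager.users.forgejoprg = {pkgs, ...}: {
    home.packages = [
      pkgs.atool
      pkgs.httpie
      pkgs.alacritty # Terminal emulator
      pkgs.hyfetch # Add fetching packages
      pkgs.macchina
      pkgs.wayland # Wayland display server
      pkgs.wlroots # Wayland compositor library
      pkgs.maple-mono.NF # Font for better terminal appearance
      pkgs.wl-clipboard # Clipboard utilities for Wayland
      pkgs.mako # Wayland Sway Notification Daemon
      pkgs.btop # Resource monitor
    ];

    # Set Alacritty as the default terminal emulator
    home.sessionVariables = {
      TERMINAL = "alacritty";
    };

    # Use Zsh as the default shell
    programs.zsh.enable = true;

    # Configure Alacritty as the default terminal emulator
    programs.alacritty = {
      enable = true;
      settings = {
        # Window configuration
        window = {
          opacity = 1.0;
          padding = {
            x = 10;
            y = 10;
          };
        };

        # Font configuration - fixes spacing issues
        font = {
          normal = {
            family = "Maple Mono NF";
            style = "Regular";
          };
          bold = {
            family = "Maple Mono NF";
            style = "Bold";
          };
          italic = {
            family = "Maple Mono NF";
            style = "Italic";
          };
          bold_italic = {
            family = "Maple Mono NF";
            style = "Bold Italic";
          };
          size = 14.0;
        };

        # Colors (optional - using default Alacritty colors)
        colors = {
          primary = {
            background = "#1e1e2e";
            foreground = "#cdd6f4";
          };
        };
      };
    };

    # Configure Hyfetch system info fetcher
    programs.hyfetch = {
      enable = true;
      settings = {
        preset = "lesbian"; # Use lesbian flag preset
        mode = "rgb"; # Use RGB color mode
        lightness = 0.55; # Set to 55% brightness
        backend = "macchina"; # Use macchina as the backend
        logo_size = "small"; # Make small logo
        pride_month_disable = false; # Enable pride month mode (or true to disable)
        pride_month_shown = []; # List of shown pride month flags
        color_align = {
          mode = "horizontal";
        };
      };
    };

    # The state version is required and should stay at the version you
    # originally installed.
    home.stateVersion = "25.11";
  };

  # Use Lix instead of Nix
  nixpkgs.overlays = [
    (final: prev: {
      inherit
        (prev.lixPackageSets.stable)
        nixpkgs-review
        nix-eval-jobs
        nix-fast-build
        colmena
        ;
    })
  ];
  nix.package = pkgs.lixPackageSets.stable.lix;

  # nginx reverse proxy in front of Forgejo
  services.nginx = {
    enable = true;
    virtualHosts."git.prg.local" = {
      # Remove forceSSL and enableACME for local network
      # forceSSL = true;
      # enableACME = true;
      extraConfig = ''
        client_max_body_size 512M;
      '';
      # Proxy to Forgejo's own HTTP listener (port taken from the Forgejo settings below).
      locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
    };
  };

  # Enable PostgreSQL for Forgejo
  # NOTE(review): a local PostgreSQL server is enabled here while the Forgejo
  # database host below is 10.1.1.251; one of the two is presumably unused.
  services.postgresql.enable = true;

  # Forgejo configuration
  services.forgejo = {
    enable = true;
    database = {
      type = "postgres";
      host = "10.1.1.251"; # IP of your database server
      name = "forgejo";
      user = "forgejo";
      # Store password in a separate file so it does not end up in the Nix store.
      # NOTE(review): this file lives in a user's home directory; the forgejo
      # service must be able to read it and it should not be world-readable —
      # confirm ownership and mode.
      passwordFile = "/home/forgejoprg/password.txt";
    };
    lfs.enable = true;
    settings = {
      server = {
        DOMAIN = "git.prg.local";
        ROOT_URL = "http://${srv.DOMAIN}/";
        HTTP_PORT = 3000;
        # SSH integration: advertise the first sshd port configured below.
        SSH_PORT = lib.head config.services.openssh.ports;
      };
      # Temporarily allow registration to create admin user
      service.DISABLE_REGISTRATION = false;
      # Enable Actions support
      actions = {
        ENABLED = true;
        DEFAULT_ACTIONS_URL = "github";
      };
      # Optional: Email configuration
      # mailer = {
      #   ENABLED = false;
      # };
    };
  };

  # Bootloader - GRUB for Legacy BIOS
  boot.loader.systemd-boot.enable = lib.mkForce false;
  boot.loader.grub = {
    enable = true;
    device = "/dev/vda"; # Install GRUB to the disk
    efiSupport = false; # Disable UEFI
  };
  boot.initrd.availableKernelModules = ["virtio_pci" "virtio_scsi" "ahci" "sd_mod" "virtio_blk"];
  fileSystems."/" = {
    device = "/dev/vda1";
    fsType = "ext4"; # Use "btrfs" or "xfs" if you formatted it differently
  };

  # Enable Rsync
  services.rsync.enable = true;

  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";

  # Enable SSH (key-only, no root login)
  services.openssh = {
    enable = true;
    ports = [22];
    settings = {
      PasswordAuthentication = false;
      AllowUsers = null;
      PermitRootLogin = "no";
    };
  };

  # Set your time zone.
  time.timeZone = "Europe/Copenhagen";

  # Select internationalisation properties.
  i18n.defaultLocale = "en_AU.UTF-8";
  i18n.extraLocaleSettings = {
    LC_ADDRESS = "et_EE.UTF-8";
    LC_IDENTIFICATION = "et_EE.UTF-8";
    LC_MEASUREMENT = "et_EE.UTF-8";
    LC_MONETARY = "et_EE.UTF-8";
    LC_NAME = "et_EE.UTF-8";
    LC_NUMERIC = "et_EE.UTF-8";
    LC_PAPER = "et_EE.UTF-8";
    LC_TELEPHONE = "et_EE.UTF-8";
    LC_TIME = "et_EE.UTF-8";
  };

  # Configure keymap in X11
  services.xserver.xkb = {
    layout = "us";
    variant = "";
  };

  # Enable Seatd for Wayland sessions
  # IMPORTANT: Enable seatd service for River WM
  services.seatd = {
    enable = true;
    logLevel = "info";
  };

  # Enable the gnome-keyring secrets vault.
  # Will be exposed through DBus to programs willing to store secrets.
  services.gnome.gnome-keyring.enable = true;

  # Enable Sway window manager
  programs.sway = {
    enable = true;
    wrapperFeatures.gtk = true;
  };

  # Login manager: tuigreet starting Sway
  services.greetd = {
    enable = true;
    settings = {
      default_session = {
        command = "${pkgs.tuigreet}/bin/tuigreet --time --cmd sway";
        user = "greeter";
      };
    };
  };

  # Configure security to allow seatd access
  security.polkit.enable = true;

  # Allow unfree packages
  nixpkgs.config.allowUnfree = true;

  # Passwordless sudo for wheel group
  # NOTE(review): with wheelNeedsPassword = false, sudo for wheel members does
  # not prompt at all, so the U2F PAM settings below do not gate sudo; only
  # one of the two should be relied on.
  security.sudo.wheelNeedsPassword = false;

  # Hardware U2F support - PAM authentication with a hardware key
  security.pam.u2f = {
    enable = true;
    settings = {
      authfile = "/etc/u2f_keys";
      cue = true;
      pinverification = 0; # No PIN verification
      userpresence = 1; # Require user presence (touch)
    };
  };

  # SSH Agent authentication
  security.pam.sshAgentAuth.enable = true;

  # Automatic upgrades
  system.autoUpgrade = {
    enable = true; # Set to true for automatic updates
    dates = "daily";
    allowReboot = false;
  };

  # System packages
  environment.systemPackages = with pkgs; [
    # Network tools
    wget
    curl
    dig
    tcpdump
    ethtool
    iptables
    nftables
    iproute2
    bridge-utils
    netcat-gnu
    traceroute
    mtr
    arp-scan
    # Monitoring
    btop
    htop
    iotop
    # Editors
    micro
    vim
    helix
    # System info
    fastfetch
    lshw
    pciutils
    usbutils
    # Build tools
    git
  ];

  # Enable zram swap
  zramSwap = {
    enable = true;
    memoryPercent = 50;
  };

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = {
  #   enable = true;
  #   enableSSHSupport = true;
  # };

  # List services that you want to enable:

  # Open ports in the firewall.
  # NOTE(review): 3000 exposes Forgejo's own HTTP listener directly; the nginx
  # vhost above (presumably on the default port 80) is not opened here, so the
  # proxy is only reachable locally — confirm which entry point is intended.
  networking.firewall.allowedTCPPorts = [3000];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;

  services.resolved.enable = false;

  # Use this clean static network configuration instead:
  networking.useDHCP = false;
  networking.networkmanager.enable = false; # Disable NetworkManager
  networking.interfaces.ens18 = {
    ipv4.addresses = [
      {
        address = "10.1.1.4";
        prefixLength = 24;
      }
    ];
  };
  networking.defaultGateway = {
    address = "10.1.1.1";
    interface = "ens18";
  };
  # Explicitly set DNS
  networking.nameservers = ["10.1.1.2"];

  # THE FOLLOWING CODE BLOCK IS FOR COPYING TO OTHER CONFIGURATIONS, NOT FOR THIS FILE
  # (it is nevertheless active in this file as written)
  nix.distributedBuilds = true;
  nix.buildMachines = [
    {
      hostName = "nixos-build-machine";
      system = "x86_64-linux";
      sshUser = "nixremote";
      sshKey = "/root/.ssh/nixremote";
      maxJobs = 4;
      speedFactor = 2;
      supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"];
    }
  ];

  # Generate SSH key for remote building
  systemd.services.generate-nixremote-key = {
    description = "Generate SSH key for remote Nix builds";
    wantedBy = ["multi-user.target"];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    # ssh-keygen fails if the target directory is missing, so create it
    # first with root-only permissions; the key itself has no passphrase
    # because the Nix daemon uses it non-interactively.
    script = ''
      mkdir -p /root/.ssh
      chmod 700 /root/.ssh
      if [ ! -f /root/.ssh/nixremote ]; then
        ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /root/.ssh/nixremote -N "" -C "nix-remote-builder"
      fi
    '';
  };

  # Client-side ssh config for the build machine alias used in nix.buildMachines.
  programs.ssh.extraConfig = ''
    Host nixos-build-machine
      HostName 10.1.1.3
      IdentitiesOnly yes
      IdentityFile /root/.ssh/nixremote
      User nixremote
      StrictHostKeyChecking accept-new
  '';

  # Manual step required: After rebuilding the client, copy /root/.ssh/nixremote.pub
  # from the client to the build machine's users.users.nixremote.openssh.authorizedKeys.keys list,
  # then rebuild the build machine.
  # i.e on the client: run "cat /root/.ssh/nixremote.pub"
  # and copy the output to the build machine's configuration.nix

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. Its perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "25.11"; # Did you read the comment?
}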