
fix forgejo

+74 -13
+74 -13
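--- a/hosts/profiles/gitea/default.nix
+++ b/hosts/profiles/gitea/default.nix
@@ -1,4 +1,10 @@
-{ self, config, lib, pkgs, ... }:
+{
+  self,
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 
 {
   age.secrets.gitea-dbpass.file = "${self}/secrets/gitea-dbpass.age";
@@ -55,7 +61,7 @@
     isSystemUser = true;
   };
 
-  users.groups.gitea = {};
+  users.groups.gitea = { };
 
   environment.systemPackages = [ pkgs.pandoc ];
   services.postgresql = {
@@ -69,27 +75,82 @@
     # gitea-users postgres gitea
     # '';
     ensureDatabases = [ "gitea" ];
-    ensureUsers = [{
-      name = "gitea";
-      ensureDBOwnership = true;
-    }];
+    ensureUsers = [
+      {
+        name = "gitea";
+        ensureDBOwnership = true;
+      }
+    ];
     # TODO
-    # initialScript
+    # initialScript
     # set password for gitea user
   };
 
+  # Anubis proof-of-work bot protection in front of Forgejo
+  services.anubis.instances."gitea" = {
+    settings = {
+      TARGET = "http://localhost:3001";
+      BIND = "/run/anubis/anubis-gitea/anubis.sock";
+      METRICS_BIND = "/run/anubis/anubis-gitea/metrics.sock";
+    };
+    botPolicy = {
+      bots = [
+        # Allow git CLI clients through without challenge
+        {
+          name = "git-client";
+          user_agent_regex = "^git/";
+          action = "ALLOW";
+        }
+        # Allow Go module fetches (go get)
+        {
+          name = "go-http-client";
+          user_agent_regex = "^Go-http-client";
+          action = "ALLOW";
+        }
+        # Allow well-known paths and static assets
+        {
+          name = "well-known";
+          path_regex = "^/.well-known/.*$";
+          action = "ALLOW";
+        }
+        {
+          name = "favicon";
+          path_regex = "^/favicon\\.ico$";
+          action = "ALLOW";
+        }
+        {
+          name = "robots-txt";
+          path_regex = "^/robots\\.txt$";
+          action = "ALLOW";
+        }
+        # Challenge browser-like user agents (scrapers, bots pretending to be browsers)
+        {
+          name = "generic-browser";
+          user_agent_regex = "Mozilla";
+          action = "CHALLENGE";
+        }
+      ];
+    };
+  };
+
+  # nginx needs access to the Anubis unix socket
+  users.users.nginx.extraGroups = [ config.users.groups.anubis.name ];
+
   services.nginx = {
-    enable = true; # Enable Nginx
+    enable = true;
     recommendedGzipSettings = true;
     recommendedOptimisation = true;
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
     virtualHosts."git.sealight.xyz" = {
-      # Gitea hostname
-      enableACME = true; # Use ACME certs
-      forceSSL = true; # Force SSL
-      locations."/".proxyPass = "http://localhost:3001/"; # Proxy Gitea
+      enableACME = true;
+      forceSSL = true;
+      locations."/".proxyPass = "http://unix:${config.services.anubis.instances.gitea.settings.BIND}";
     };
   };
-  networking.firewall.allowedTCPPorts = [ 80 443 22 ];
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+    22
+  ];
 }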
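Review bot: The `well-known` allow rule at new line 113 leaves the dot in `.well-known` unescaped, so `^/.well-known/.*$` also matches any single character in that position, unlike the neighbouring `favicon` and `robots-txt` rules which escape theirs; it should read `path_regex = "^/\\.well-known/.*$";`. The two user-agent ALLOW rules (`^git/` and `^Go-http-client`) key on a header the client chooses, so they are a convenience for legitimate tooling rather than a boundary, which the comment on new line 98 should say, e.g. `# Allow git CLI clients through without challenge (User-Agent is client-controlled: convenience, not a security boundary)`. Only user agents containing `Mozilla` are challenged, and a request matching no rule falls through to Anubis's default handling, which I believe is to allow; if that is the intent it deserves a comment on the `bots` list, and if not, an explicit catch-all rule should close the list. All three hunks sit inside the module's single top-level attribute set, whose opening `{` and closing `}` are both visible in this section.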