diff --git a/common/_containers/affine.nix b/common/_containers/affine.nix
deleted file mode 100644
index fbaf424..0000000
--- a/common/_containers/affine.nix
+++ /dev/null
@@ -1,135 +0,0 @@ -{ - config, - pkgs, - ... -}: -let - cfg = config.services.affine; -in -{ - options.services.affine = - let - lib = pkgs.lib; - in - { - port = lib.mkOption { - type = lib.types.port; - default = 3010; - description = "Port number for the AFFiNE service"; - }; - dataDir = lib.mkOption { - type = lib.types.path; - default = "/var/lib/affine"; - description = "Directory to store AFFiNE data"; - }; - }; - - config = { - systemd.services.create-affine-network = { - description = "Create Docker network for LibreChat"; - serviceConfig.Type = "oneshot"; - wantedBy = [ "multi-user.target" ]; - script = '' - if ! ${pkgs.docker}/bin/docker network inspect affine-network >/dev/null 2>&1; then - ${pkgs.docker}/bin/docker network create affine-network - fi - ''; - }; - - virtualisation.oci-containers.containers = { - ############# - # AFFiNE # - ############# - # NOTE settings live in `/var/lib/affine` manually right now - # Note to remove limits from user need to mark user as subscriber in the database manually - # docker exec it affine_postgres psql -U affine - # select id, feature, configs from features; - # select * from users; - # select * from user_features; - # feature_id = YOUR FEATURE ID YOU WANT TO ASSIGN (get it from 'List possible feature id's') - # user_id = YOUR USER ID YOU WANT TO CHANGE (get it from 'List users with id's') - # update user_features set feature_id = 35 where user_id = 'xxxxxx-xxxx-xxxxxxx-xxxx-xxxxxxxxxxxx'; - affine = { - user = "root"; - image = "ghcr.io/toeverything/affine-graphql:stable"; - ports = [ - "${toString cfg.port}:${toString cfg.port}" - ]; - dependsOn = [ - "affine_redis" - "affine_postgres" - "affine_migration" - ]; - environment = { - REDIS_SERVER_HOST = "affine_redis"; - DATABASE_URL = "postgresql://affine:password@affine_postgres:5432/affine"; - }; - volumes = [ - "${cfg.dataDir}/storage:/root/.affine/storage" - "${cfg.dataDir}/config:/root/.affine/config" - ]; - extraOptions = [ - "--network=affine-network" - 
]; - }; - - affine_migration = { - user = "root"; - image = "ghcr.io/toeverything/affine-graphql:stable"; - dependsOn = [ - "affine_redis" - "affine_postgres" - ]; - volumes = [ - "${cfg.dataDir}/storage:/root/.affine/storage" - "${cfg.dataDir}/config:/root/.affine/config" - ]; - environment = { - REDIS_SERVER_HOST = "affine_redis"; - DATABASE_URL = "postgresql://affine:password@affine_postgres:5432/affine"; - }; - cmd = [ - "sh" - "-c" - "node ./scripts/self-host-predeploy.js" - ]; - extraOptions = [ "--network=affine-network" ]; - }; - - affine_redis = { - user = "root"; - image = "redis"; - extraOptions = [ - "--network=affine-network" - "--health-cmd=\"CMD-SHELL redis-cli ping\"" - "--health-interval=30s" - "--health-timeout=10s" - "--health-retries=3" - "--health-start-period=30s" - ]; - }; - - affine_postgres = { - user = "root"; - image = "postgres:16"; - environment = { - POSTGRES_USER = "affine"; - POSTGRES_PASSWORD = "password"; - POSTGRES_DB = "affine"; - POSTGRES_INITDB_ARGS = "--data-checksums"; - }; - volumes = [ - "${cfg.dataDir}/postgres:/var/lib/postgresql/data" - ]; - extraOptions = [ - "--network=affine-network" - "--health-cmd=\"CMD-SHELL pg_isready -U affine\"" - "--health-interval=10s" - "--health-timeout=5s" - "--health-retries=5" - "--health-start-period=30s" - ]; - }; - }; - }; -} diff --git a/common/_containers/forgejo.nix b/common/_containers/forgejo.nix new file mode 100644 index 0000000..21c0df3 --- /dev/null +++ b/common/_containers/forgejo.nix 
@@ -0,0 +1,182 @@ +{ + config, + lib, + ... +}: +let + name = "forgejo"; + + hostDataDir = "/var/lib/${name}"; + hostAddress6 = "fc00::1"; + containerAddress6 = "fc00::2"; + + binds = [ + # Postgres data, must use postgres user in container and host + { + host = "${hostDataDir}/postgres"; + # Adjust based on container postgres data dir + container = "/var/lib/postgresql/17"; + user = "postgres"; + uid = config.ids.uids.postgres; + gid = config.ids.gids.postgres; + } + # Postgres backups + { + host = "${hostDataDir}/backups/postgres"; + container = "/var/backup/postgresql"; + user = "postgres"; + uid = config.ids.uids.postgres; + gid = config.ids.gids.postgres; + } + # App data, uses custom user uid + { + host = "${hostDataDir}/data"; + container = "/var/lib/forgejo"; + user = "forgejo"; + uid = 115; + gid = 115; + } + ]; + uniqueUsers = lib.foldl' ( + acc: bind: if lib.lists.any (item: item.user == bind.user) acc then acc else acc ++ [ bind ] + ) [ ] binds; + users = { + users = lib.listToAttrs ( + lib.map (u: { + name = u.user; + value = { + isSystemUser = true; + name = u.user; + uid = u.uid; + group = u.user; + }; + }) uniqueUsers + ); + + groups = lib.listToAttrs ( + lib.map (g: { + name = g.user; + value.gid = g.gid; + }) uniqueUsers + ); + }; +in +{ + # Ensure users exists on host machine with same IDs as container + inherit users; + + # Ensure directories exist on host machine + system.activationScripts.createMediaServerDirs = '' + ${lib.concatStringsSep "\n" ( + lib.map (bind: '' + mkdir -p ${bind.host} + chown -R ${toString bind.user}:${toString bind.gid} ${bind.host} + chmod -R 750 ${bind.host} + '') binds + )} + ''; + + containers.${name} = { + ephemeral = true; + autoStart = true; + privateNetwork = true; + hostAddress6 = hostAddress6; + localAddress6 = containerAddress6; + bindMounts = lib.foldl ( + acc: bind: + { + "${bind.container}" = { + hostPath = bind.host; + isReadOnly = false; + }; + } + // acc + ) { } binds; + config = + { config, pkgs, ... 
}: + { + system.stateVersion = "24.11"; + + networking = { + firewall = { + enable = true; + allowedTCPPorts = [ 3000 3032 ]; + }; + # Use systemd-resolved inside the container + # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 + useHostResolvConf = lib.mkForce false; + }; + + services.resolved.enable = true; + + # Ensure users exist on container + inherit users; + + services.postgresql = { + enable = true; + package = pkgs.postgresql_17.withJIT; + enableJIT = true; + authentication = '' + local all all trust + host all all 127.0.0.1/8 trust + host all all ::1/128 trust + host all all fc00::1/128 trust + ''; + }; + + # Backup database + services.postgresqlBackup = { + enable = true; + }; + + services.forgejo = { + enable = true; + dump = { + enable = true; + type = "tar.gz"; + }; + database = { + type = "postgres"; + }; + settings = { + DEFAULT = { + APP_NAME = "Josh's Git"; + }; + server = { + PROTOCOL = "http"; + # DOMAIN = "git.joshuabell.xyz"; + HTTP_ADDR = "0.0.0.0"; + HTTP_PORT = 3000; + + START_SSH_SERVER = true; + # SSH_DOMAIN = "git.joshuabell.xyz"; + SSH_LISTEN_HOST = "0.0.0.0"; + SSH_LISTEN_PORT = 3032; # actual listen port + SSH_PORT = 3032; # used in UI + + LANDING_PAGE = "explore"; + }; + service = { + DISABLE_REGISTRATION = true; + ENABLE_BASIC_AUTHENTICATION = false; + DISABLE_USERS_PAGE = true; + DISABLE_ORGANIZATIONS_PAGE = true; + }; + repository = { + DISABLE_STARS = true; + DEFAULT_PRIVATE = "private"; + }; + admin = { + DISABLE_REGULAR_ORG_CREATION = true; + USER_DISABLED_FEATURES = "deletion"; + }; + other = { + SHOW_FOOTER_POWERED_BY = false; + SHOW_FOOTER_VERSION = false; + SHOW_FOOTER_TEMPLATE_LOAD_TIME = false; + }; + }; + }; + }; + }; +} diff --git a/common/_containers/mathesar.nix b/common/_containers/mathesar.nix deleted file mode 100644 index ae1bec4..0000000 --- a/common/_containers/mathesar.nix +++ /dev/null 
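Review bot: The `services.postgresql.authentication` block in the new forgejo.nix grants `trust` to every role for `local`, `127.0.0.1/8`, `::1/128` and `fc00::1/128`, so anything that can reach the server socket logs in as any database role, including the superuser, with no credential. If Forgejo connects over the unix socket as its own system user (which as far as I can tell is the module's default for `database.type = "postgres"`), the postgresql module's built-in `local all all peer` rule already covers it and these four lines can simply be dropped; the `fc00::1/128` line is inert only for as long as `enableTCPIP` stays unset. The same `trust` block appears in template_postgres_app.nix, where `enableTCPIP = true` makes it live. Separately, `system.activationScripts.createMediaServerDirs` uses the same attribute name as the template file, so importing both modules on one host would give two differing definitions of one string option, which the module system rejects; a per-service name such as `system.activationScripts."create-${name}-dirs"` avoids that.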
@@ -1,159 +0,0 @@ -{ - config, - pkgs, - ... -}: -let - cfg = config.services.mathesar; -in -{ - options.services.mathesar = - let - lib = pkgs.lib; - in - { - port = lib.mkOption { - type = lib.types.port; - default = 3081; - description = "Port number for the Mathesar"; - }; - dataDir = lib.mkOption { - type = lib.types.path; - default = "/var/lib/mathesar"; - description = "Directory to store Mathesar data"; - }; - secretKey = lib.mkOption { - type = lib.types.str; - # echo $(cat /dev/urandom | LC_CTYPE=C tr -dc 'a-zA-Z0-9' | head -c 50) - # https://docs.djangoproject.com/en/4.2/ref/settings/#secret-key - description = "Secret key for Django security features"; - }; - domainName = lib.mkOption { - type = lib.types.str; - default = "http://10.20.40.104"; - description = "Custom domain(s) for accessing Mathesar"; - }; - postgresDb = lib.mkOption { - type = lib.types.str; - default = "mathesar_django"; - description = "Database name for Mathesar"; - }; - postgresUser = lib.mkOption { - type = lib.types.str; - default = "mathesar"; - description = "Database user for Mathesar"; - }; - postgresPassword = lib.mkOption { - type = lib.types.str; - default = "mathesar"; - description = "Database password for Mathesar"; - }; - postgresHost = lib.mkOption { - type = lib.types.str; - default = "mathesar_db"; - description = "Host running the PostgreSQL database"; - }; - postgresPort = lib.mkOption { - type = lib.types.port; - default = 3082; - description = "Port on which PostgreSQL is running"; - }; - allowedHosts = lib.mkOption { - type = lib.types.str; - default = "*"; - description = "Allowed hosts for Mathesar web service. "; - }; - }; - - config = { - systemd.services.create-mathesar-network = { - description = "Create Docker network for Mathesar"; - serviceConfig.Type = "oneshot"; - wantedBy = [ "multi-user.target" ]; - script = '' - if ! 
${pkgs.docker}/bin/docker network inspect mathesar_network >/dev/null 2>&1; then - ${pkgs.docker}/bin/docker network create mathesar_network - fi - ''; - }; - - virtualisation.oci-containers.containers = { - ################ - # mathesar_service - ################ - mathesar_service = { - user = "root"; - image = "mathesar/mathesar:latest"; - dependsOn = [ "mathesar_db" ]; - environment = { - SECRET_KEY = cfg.secretKey; - DOMAIN_NAME = cfg.domainName; - POSTGRES_DB = cfg.postgresDb; - POSTGRES_USER = cfg.postgresUser; - POSTGRES_PASSWORD = cfg.postgresPassword; - POSTGRES_HOST = cfg.postgresHost; - POSTGRES_PORT = (toString cfg.postgresPort); - DJANGO_SETTINGS_MODULE = "config.settings.production"; - # Allowed hosts is * to allow all traffic on service. - # The caddy proxy handles the rest. - ALLOWED_HOSTS = "*"; - }; - volumes = [ - "${cfg.dataDir}/static:/code/static" - "${cfg.dataDir}/media:/code/media" - ]; - extraOptions = [ - "--network=mathesar_network" - "--expose=8000" - ]; - }; - - ################ - # mathesar_db (PostgreSQL Database) - ################ - mathesar_db = { - user = "root"; - image = "postgres:13"; - environment = { - POSTGRES_DB = cfg.postgresDb; - POSTGRES_USER = cfg.postgresUser; - POSTGRES_PASSWORD = cfg.postgresPassword; - PGPORT = toString cfg.postgresPort; - }; - volumes = [ - "${cfg.dataDir}/pgdata:/var/lib/postgresql/data" - ]; - extraOptions = [ - "--network=mathesar_network" - "--expose=${toString cfg.postgresPort}" - ]; - }; - - ############## - # caddy-reverse-proxy - ############## - caddy_reverse_proxy = { - user = "root"; - image = "mathesar/mathesar-caddy:latest"; - ports = [ - "10.20.40.104:${toString cfg.port}:80" - ]; - environment = { - SECRET_KEY = cfg.secretKey; - DOMAIN_NAME = cfg.domainName; - POSTGRES_DB = cfg.postgresDb; - POSTGRES_USER = cfg.postgresUser; - POSTGRES_PASSWORD = cfg.postgresPassword; - POSTGRES_HOST = cfg.postgresHost; - POSTGRES_PORT = toString cfg.postgresPort; - }; - volumes = [ - 
"${cfg.dataDir}/media:/code/media" - "${cfg.dataDir}/static:/code/static" - "${cfg.dataDir}/caddy:/data" - ]; - extraOptions = [ "--network=mathesar_network" ]; - }; - }; - }; -} diff --git a/common/_containers/pgadmin.nix b/common/_containers/pgadmin.nix deleted file mode 100644 index 064bc9e..0000000 --- a/common/_containers/pgadmin.nix +++ /dev/null @@ -1,53 +0,0 @@ -{ - config, - pkgs, - ... -}: -let - cfg = config.customServices.pgadmin; -in -{ - options.customServices.pgadmin = - let - lib = pkgs.lib; - in - { - port = lib.mkOption { - type = lib.types.port; - default = 3085; - description = "Port number for the PGAdmin interface"; - }; - dataDir = lib.mkOption { - type = lib.types.path; - default = "/var/lib/pgadmin"; - description = "Directory to store PGAdmin data"; - }; - }; - - config = { - virtualisation.oci-containers.containers = { - ############# - # pgadmin # - ############# - # NOTE settings live in `/var/lib/librechat` manually right now - pgadmin = { - user = "root"; - image = "dpage/pgadmin4:latest"; - ports = [ - "${toString cfg.port}:${toString cfg.port}" - ]; - environment = { - PGADMIN_LISTEN_PORT = toString cfg.port; - PGADMIN_DEFAULT_EMAIL = "admin@db.joshuabell.xyz"; - PGADMIN_DEFAULT_PASSWORD = "password"; - }; - volumes = [ - "${cfg.dataDir}:/var/lib/pgadmin" - ]; - extraOptions = [ - "--network=host" - ]; - }; - }; - }; -} diff --git a/common/_containers/template_postgres_app.nix b/common/_containers/template_postgres_app.nix new file mode 100644 index 0000000..c26cc5a --- /dev/null +++ b/common/_containers/template_postgres_app.nix 
@@ -0,0 +1,154 @@ +{ name }: +{ + config, + lib, + ... +}: +let + # name = "UNIQUE_NAME_ON_HOST"; + + hostDataDir = "/var/lib/${name}"; + hostAddress = "192.168.100.2"; + containerAddress = "192.168.100.10"; + + binds = [ + # Postgres data, must use postgres user in container and host + { + host = "${hostDataDir}/postgres"; + # Adjust based on container postgres data dir + container = "/var/lib/postgresql/17"; + user = "postgres"; + uid = config.ids.uids.postgres; + gid = config.ids.gids.postgres; + } + # Postgres backups + { + host = "${hostDataDir}/backups/postgres"; + container = "/var/backup/postgresql"; + user = "postgres"; + uid = config.ids.uids.postgres; + gid = config.ids.gids.postgres; + } + # App data, uses custom user + # { + # host = "${hostDataDir}/data"; + # container = "/var/lib/forgejo"; + # user = "forgejo"; + # uid = 115; + # gid = 115; + # } + ]; + uniqueUsers = lib.foldl' ( + acc: bind: if lib.lists.any (item: item.user == bind.user) acc then acc else acc ++ [ bind ] + ) [ ] binds; + users = { + users = lib.listToAttrs ( + lib.map (u: { + name = u.user; + value = { + isSystemUser = true; + name = u.user; + uid = u.uid; + group = u.user; + }; + }) uniqueUsers + ); + + groups = lib.listToAttrs ( + lib.map (g: { + name = g.user; + value.gid = g.gid; + }) uniqueUsers + ); + }; +in +{ + # Ensure users exists on host machine with same IDs as container + inherit users; + + # Ensure directories exist on host machine + system.activationScripts.createMediaServerDirs = '' + ${lib.concatStringsSep "\n" ( + lib.map (bind: '' + mkdir -p ${bind.host} + chown -R ${toString bind.user}:${toString bind.gid} ${bind.host} + chmod -R 750 ${bind.host} + '') binds + )} + ''; + + containers.${name} = { + ephemeral = true; + autoStart = true; + privateNetwork = true; + hostAddress = hostAddress; + localAddress = containerAddress; + bindMounts = lib.foldl ( + acc: bind: + { + "${bind.container}" = { + hostPath = bind.host; + isReadOnly = false; + }; + } + // acc + ) { } 
binds; + config = + { config, pkgs, ... }: + { + system.stateVersion = "24.11"; + + # Ensure users exist on container + inherit users; + + services.postgresql = { + enable = true; + package = pkgs.postgresql_17.withJIT; + enableJIT = true; + extensions = with pkgs.postgresql17Packages; [ + # NOTE add extensions here + pgvector + postgis + ]; + enableTCPIP = true; + authentication = '' + local all all trust + host all all 127.0.0.1/8 trust + host all all ::1/128 trust + host all all 192.168.100.0/24 trust + ''; + # identMap = '' + # # ArbitraryMapName systemUser dbUser + # superuser_map root ${name} + # + # # Let other names login as themselves + # superuser_map /^(.*)$ \1 + # ''; + # ensureDatabases = [ name ]; + # ensureUsers = [ + # { + # name = name; + # ensureDBOwnership = true; + # ensureClauses = { + # login = true; + # superuser = true; + # }; + # } + # ]; + }; + + # Backup database + services.postgresqlBackup = { + enable = true; + }; + + # APP TODO REPLACE THIS WITH SOMETHING + services.pgadmin = { + enable = true; + openFirewall = true; + initialEmail = "admin@test.com"; + initialPasswordFile = (builtins.toFile "password" "password"); + }; + }; + }; +} diff --git a/common/_home_manager/mods/ssh.nix b/common/_home_manager/mods/ssh.nix index 7f2c4ef..a434df6 100644 --- a/common/_home_manager/mods/ssh.nix +++ b/common/_home_manager/mods/ssh.nix @@ -22,6 +22,10 @@ in identityFile = age.secrets.nix2gitjosh.path; user = "git"; }; + "[fc00::2]:3032" = { + identityFile = age.secrets.nix2gitforgejo.path; + user = "forgejo"; + }; # PERSONAL DEVICES "lio" = { identityFile = age.secrets.nix2lio.path; diff --git a/common/flake.nix b/common/flake.nix index e563aff..49a182c 100644 --- a/common/flake.nix +++ b/common/flake.nix @@ -42,6 +42,7 @@ }; containers = { librechat = import ./_containers/librechat.nix; + forgejo = import ./_containers/forgejo.nix; }; }; homeManagerModules = { 
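Review bot: `initialPasswordFile = (builtins.toFile "password" "password")` in the template's `services.pgadmin` block writes the literal admin password into the world-readable Nix store, and `openFirewall = true` then exposes that login to anything on the container network. Combined with `enableTCPIP = true` and `host all all 192.168.100.0/24 trust`, every container on 192.168.100.0/24 — for example the wasabi container at 192.168.100.11 in hosts/lio/containers.nix — can also connect directly as the postgres superuser without a password. Since this is a template, the `APP TODO REPLACE` marker is the place to fix it: point `initialPasswordFile` at an agenix-managed secret using the `age.secrets.<name>.path` pattern already used in ssh.nix, and restrict the TCP rule to the host address, e.g. `host all all 192.168.100.2/32 scram-sha-256` (or drop the line until a client actually needs TCP).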
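Review bot: The new match block in ssh.nix is keyed `"[fc00::2]:3032"`, which is the `known_hosts` host-and-port form rather than an ssh_config `Host` pattern; `Host` patterns are compared against the bare name given on the command line (`fc00::2`), so as far as I can tell this block never matches and the `forgejo` user and `nix2gitforgejo` key are not applied. Keying the block by the address and moving the port inside should do it: `"fc00::2" = { port = 3032; identityFile = age.secrets.nix2gitforgejo.path; user = "forgejo"; };`. The enclosing `matchBlocks` attribute set starts and ends outside the hunk.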
diff --git a/common/secrets/default.nix b/common/secrets/default.nix index 6efe7d3..dad0858 100644 --- a/common/secrets/default.nix +++ b/common/secrets/default.nix @@ -50,6 +50,10 @@ in file = ./secrets/nix2gitjosh.age; owner = users_cfg.primary; }; + nix2gitforgejo = { + file = ./secrets/nix2gitforgejo.age; + owner = users_cfg.primary; + }; nix2h001 = { file = ./secrets/nix2h001.age; owner = users_cfg.primary; diff --git a/common/secrets/secrets/nix2gitforgejo.age b/common/secrets/secrets/nix2gitforgejo.age new file mode 100644 index 0000000..f19f974 --- /dev/null +++ b/common/secrets/secrets/nix2gitforgejo.age 
@@ -0,0 +1,40 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USA0amp0 +ZzQ4QzNpcWhYdEYvWEh3N3JrNSt1dHZtVytON3JmdUo3d0pVNGhnCmdIVW4rUUNz +aFVRcjVoTzdrVHNMbFRCV1JGRWxnWndvb0pKUENDTXBiS0EKLT4gc3NoLWVkMjU1 +MTkgSmh2TCtRIGtLWmhRL1pIYnZhTUtoVG95S0tSMUNvTkVEZUVQaFlOVklPVy9D +dG1aVmcKK0RmNnU0UUtra2NDYTFDd0xtMHhPY1JZTGM4aEJxTmFhMFIyUE92VExw +SQotPiBzc2gtZWQyNTUxOSBTcENqQlEgQUQ2Z1VQRDNiNkFVaE9hVXlVYXl0bGt6 +bzBUaE8xQ2R0bEhLdGxyTVlpUQp2WHgrakhycGJNL3pXMjZoSFZiZlZBRkRKR1Bq +SkJNNVM3M1JpRmRTME5zCi0+IHNzaC1lZDI1NTE5IEJZS0crdyBOY1dwMGdYT1lS +N3BJYXFhTFJJdUMvQWRoN0xrZlF6Sm53Zlh3K1gxNHhnCmIzQy8zLzhsblRhRkRM +MC9udWw2WEZqaDVxcklUaS9lVm12SjdNMkVmcWMKLT4gc3NoLWVkMjU1MTkgWHpm +bWFRIFhRSG95TG5YazB1NnFiT1VUcWRQT0lzSkNmbllBclJ1VTVDa3RWZm5WRXMK +VXJyNmZtSDdTSVdvYlorajRsRkJSQ25UTndyK2xIajZaWlNSK0ZlaHAxQQotPiBz +c2gtZWQyNTUxOSBSNSt4ZncgeUhIZlpDdU9ldExiZ0gxaXdVaThCdVJ2bzZ5a3Jz +cUZhN0dIQlkxeUp4ZwpyTkYrSEVTWFNxSTJCSmIxUkw2ek1jRGVnelZ4M1ZLM0tF +UUYxWFZCUktnCi0+IHNzaC1lZDI1NTE5IFJvWDVQUSBUZ3Mya1hGY25hWW1xSzlL +L252a1llaHYwK01zazV2eW5PVXRDaWhlbm1BCkw4WldnY3l2WjZ3MEIxbHVXN01D +aGZKR3QwS3lkQkRxbE51TUhKbWJiREEKLT4gc3NoLWVkMjU1MTkgRjRiYjhnIEVw +WnFZc0FxKzF6b0gzZVZBMy9SWVk5SkFmZlhZdU9lZk9nelFUQVhiVzgKY1dEYUlh +QVZkQXE5ZCs1R0xMNzVyMGJad2JHcmNKdS9EU3NMZ1dqQWFlNAotPiBzc2gtZWQy +NTUxOSB3ZHJaSkEgSURJUWlrMXhCVk5Za2FrMHppMDlUS2pwOG8xN3J3UnR2c3lv +VmFTSmYwNApNdjJKM1llVEFSTGVlYnBPMDVuNjN1WDhJSXRQSlRsekF6K2trRDRH +dW9BCi0+IHNzaC1lZDI1NTE5IDVhZHFNZyA3c00wVWZ2VzJucUtMTU13Wk5YNkdj +d0FqK0lrT054NTBEUnlDRzk3MUFjClhUUldvTDRPMkQzbHpodUl2RHpBVk5uVWhV +OWFwL1dJbWV4dnZHUE5BN0UKLT4gc3NoLWVkMjU1MTkgWmUxTXdRIDhkb01NbzJK +RUhsQ3lJTHRsaDB2eUxNMHNqSk10WVNIbGRwanVDOVJMM0kKeWZEOWt2aU8rcjRG +am9yN1h3RDg5QjVvTEQzamFpcWcvem1tYWFyVGx5WQotPiA1JVRtOHZoLWdyZWFz +ZSAuTTBrdyBJIFZ3RVcgUXxddVcKQkdENjlleGdzWDFwSzY5aStlYkdhbnZKYlFE +VXk3dkRnbkIyMDNmTlE3Y3hSdwotLS0gRDVnM29tMUhBaE9NVjBodHpTZmw3MEVp +Y0EzTFhMUVc2aTRTN1pTbDlPYwpo9GQgoreaSkAZBUoWT/rH46och5cudiPlK1fX 
+zSL2R5w/qQk9sBfBU4kZfJDsB7eoJlAb9D8qxj+jH558lzj4Kwon8LGopimSKlou +Ow20GpjFOHJCwvBvfReqWxQcqYLuCxUKTQbAn7zW2/aIezptiPsQX1CzrJxG/vc4 +riXQyq17SMMUjeQCnH4vW0QztLKFNAEa1ANsTVMqzgvNoZWMlXMw+j83ciGKFaZv +yaCtiDA2iQFtZhsqzFTI/kbhOPe8KerdoqB9XyX3RJD6j6oyjgfpPxDZl+ODfeTS +9luY7F0dw4n480bs9RJuqocw3QoKm7/OL4IerDdG/6Oce1+hZ/yeqxBvwWEGUoT2 +U7UAEw2KSLqwO8IIqRe+bxF5mNHrKqwiSMNa67K5vN+rcnuLoSzTtoUNs9gXAVo2 +9YZlX0YDt2BB8osRGtWkIeNM95uPmAdRABs+4UtJYq16GN+I4usOEVZaNheZqLv9 +wRaSd6yXrX5IfyUhgsb52PhlUk6E79L8yfWz28qh7pvIpzY0aiMTA7MZGoDp3B/d +1ciIcIXnFJ2OxKasDc0k8EMVFBSSRox84+tG/kJYlg== +-----END AGE ENCRYPTED FILE----- diff --git a/common/secrets/secrets/secrets.nix b/common/secrets/secrets/secrets.nix index fcbfa5a..97c831d 100644 --- a/common/secrets/secrets/secrets.nix +++ b/common/secrets/secrets/secrets.nix @@ -36,6 +36,9 @@ in "nix2bitbucket.age" = { inherit publicKeys; }; + "nix2gitforgejo.age" = { + inherit publicKeys; + }; "nix2gitjosh.age" = { inherit publicKeys; }; diff --git a/hosts/lio/containers.nix b/hosts/lio/containers.nix index a58e16d..715493f 100644 --- a/hosts/lio/containers.nix +++ b/hosts/lio/containers.nix 
@@ -11,17 +11,38 @@ imports = [ common.nixosModules.containers.librechat + common.nixosModules.containers.forgejo ]; config = { ## Give internet access - # networking.nat.enable = true; - # networking.nat.internalInterfaces = [ "ve-*" ]; - # networking.nat.externalInterface = "eth0"; + networking.nat.enable = true; + networking.nat.internalInterfaces = [ "ve-*" ]; + networking.nat.externalInterface = "ens3"; + networking.nat.enableIPv6 = true; # mathesar # services.mathesar.secretKey = "mImvhwyu0cFmtUNOAyOjm6qozWjEmHyrGIpOTZXWW7lnkj5RP3"; + containers.wasabi = { + ephemeral = true; + autoStart = true; + privateNetwork = true; + hostAddress = "192.168.100.2"; + localAddress = "192.168.100.11"; + config = + { config, pkgs, ... }: + { + system.stateVersion = "24.11"; + services.httpd.enable = true; + services.httpd.adminAddr = "foo@example.org"; + networking.firewall = { + enable = true; + allowedTCPPorts = [ 80 ]; + }; + }; + }; + virtualisation.oci-containers.backend = "docker"; security.acme.acceptTerms = true; diff --git a/hosts/lio/flake.lock b/hosts/lio/flake.lock index 3fc294c..90500fc 100644 --- a/hosts/lio/flake.lock +++ b/hosts/lio/flake.lock @@ -28,21 +28,17 @@ "common": { "inputs": { "home-manager": "home-manager", - "nixpkgs": "nixpkgs_2", "ragenix": "ragenix" }, "locked": { - "lastModified": 1745444238, - "narHash": "sha256-zT1T9zC7dr+HApuC390eQHPpCJq4vYvOwYSq507DtFA=", - "ref": "refs/heads/master", - "rev": "214e6f289da1e888ff547aff173aaffc8517092b", - "revCount": 399, - "type": "git", - "url": "https://git.joshuabell.xyz/dotfiles" + "lastModified": 1, + "narHash": "sha256-fpl7kTl/r442RV8N8ut08UclEQR1wUs2G+gk4/S71pA=", + "path": "../../common", + "type": "path" }, "original": { - "type": "git", - "url": "https://git.joshuabell.xyz/dotfiles" + "path": "../../common", + "type": "path" } }, "crane": { 
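Review bot: The new `containers.wasabi` block in hosts/lio/containers.nix reads like a scratch fixture rather than part of the forgejo change: it runs `httpd` with the placeholder `adminAddr = "foo@example.org"`, opens port 80, has no bind mounts, and nothing else in the commit references it. If it is meant to stay, a one-line comment stating its purpose (e.g. `# Throwaway container used to verify the NAT/veth setup`) would help the next reader; otherwise drop it before merging, since with `networking.nat.enable = true` it now has outbound connectivity. Also, the context line `# services.mathesar.secretKey = ...` is dead now that mathesar.nix is deleted in this same commit; it carries a plaintext Django secret key, so remove the line and rotate that key if it was ever deployed.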
@@ -107,11 +103,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1744743431, - "narHash": "sha256-iyn/WBYDc7OtjSawbegINDe/gIkok888kQxk3aVnkgg=", + "lastModified": 1745557122, + "narHash": "sha256-eqSo9ugzsqhFgaDFYUZj943nurlX4L6f+AW0skJ4W+M=", "owner": "rycee", "repo": "home-manager", - "rev": "c61bfe3ae692f42ce688b5865fac9e0de58e1387", + "rev": "dd26f75fb4ec1c731d4b1396eaf4439ce40a91c1", "type": "github" }, "original": { @@ -161,22 +157,6 @@ } }, "nixpkgs_2": { - "locked": { - "lastModified": 1744463964, - "narHash": "sha256-LWqduOgLHCFxiTNYi3Uj5Lgz0SR+Xhw3kr/3Xd0GPTM=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "2631b0b7abcea6e640ce31cd78ea58910d31e650", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { "locked": { "lastModified": 1741379970, "narHash": "sha256-Wh7esNh7G24qYleLvgOSY/7HlDUzWaL/n4qzlBePpiw=", @@ -192,7 +172,7 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_3": { "locked": { "lastModified": 1744168086, "narHash": "sha256-S9M4HddBCxbbX1CKSyDYgZ8NCVyHcbKnBfoUXeRu2jQ=", @@ -208,7 +188,7 @@ "type": "github" } }, - "nixpkgs_5": { + "nixpkgs_4": { "locked": { "lastModified": 1745250177, "narHash": "sha256-NPkMDgRHLVuNHs7y/MK3qYbE/5uo42mskUIygSHEOLM=", @@ -1124,15 +1104,15 @@ "agenix": "agenix", "crane": "crane", "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_2", "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1741508717, - "narHash": "sha256-iQf1WdNxaApOFHIx4RLMRZ4f8g+8Xp0Z1/E/Mz2rLxY=", + "lastModified": 1744897914, + "narHash": "sha256-GIVU92o2TZBnKQXTb76zpQbWR4zjU2rFqWKNIIpXnqA=", "owner": "yaxitech", "repo": "ragenix", - "rev": "2a2bea99d74927e54adf53cbf113219def67d5c9", + "rev": "40f2e17ecaeab4d78ec323e96a04548c0aaa5223", "type": "github" }, "original": { 
@@ -1144,13 +1124,13 @@ "root": { "inputs": { "common": "common", - "nixpkgs": "nixpkgs_4", + "nixpkgs": "nixpkgs_3", "ros_neovim": "ros_neovim" } }, "ros_neovim": { "inputs": { - "nixpkgs": "nixpkgs_5", + "nixpkgs": "nixpkgs_4", "nvim_plugin-Almo7aya/openingh.nvim": "nvim_plugin-Almo7aya/openingh.nvim", "nvim_plugin-CopilotC-Nvim/CopilotChat.nvim": "nvim_plugin-CopilotC-Nvim/CopilotChat.nvim", "nvim_plugin-JoosepAlviste/nvim-ts-context-commentstring": "nvim_plugin-JoosepAlviste/nvim-ts-context-commentstring", diff --git a/hosts/lio/flake.nix b/hosts/lio/flake.nix index 0e6b9f3..564197c 100644 --- a/hosts/lio/flake.nix +++ b/hosts/lio/flake.nix @@ -4,8 +4,8 @@ # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; # Use relative to get current version for testing - # common.url = "path:../../common"; - common.url = "git+https://git.joshuabell.xyz/dotfiles"; + common.url = "path:../../common"; + # common.url = "git+https://git.joshuabell.xyz/dotfiles"; ros_neovim.url = "git+https://git.joshuabell.xyz/nvim"; }; @@ -31,7 +31,6 @@ ./configuration.nix ./hardware-configuration.nix (import ./containers.nix { inherit common; }) - ./forgejo.nix ( { config, pkgs, ... }: { diff --git a/hosts/lio/forgejo.nix b/hosts/lio/forgejo.nix deleted file mode 100644 index 089fe4c..0000000 --- a/hosts/lio/forgejo.nix +++ /dev/null 
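Review bot: `common.url = "path:../../common"` is now the committed input for `common` in hosts/lio/flake.nix, although the comment above it describes the path form as a testing toggle, and the matching flake.lock hunk replaces the pinned git `rev` with a `path` entry whose `lastModified` is `1`, so the lio host no longer builds from a fixed, reviewable commit. Unless the switch is intentional, restore `common.url = "git+https://git.joshuabell.xyz/dotfiles";` before merging and test locally with `nix build --override-input common path:../../common`, which applies the override for that invocation without rewriting the lock file. A short comment next to the input saying that the path form must not be committed would prevent the same flip-flop in the next commit.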
@@ -1,49 +0,0 @@ -{ - config, - pkgs, - ... -}: -let - -in -{ - options.services.forgejo = { - - }; - - config = { - services.forgejo = { - enable = true; - settings = { - DEFAULT = { - APP_NAME = "appname"; - APP_SLOGAN = "slogan"; - }; - server = { - PROTOCOL = "http"; - # DOMAIN = "git.joshuabell.xyz"; - HTTP_ADDR = "0.0.0.0"; - HTTP_PORT = 3032; - - LANDING_PAGE = "explore"; - }; - service = { - DISABLE_REGISTRATION = "true"; - ENABLE_BASIC_AUTHENTICATION = "false"; - # explore = { - # DISABLE_USERS_PAGE = "true"; - # }; - }; - repository = { - DISABLE_STARS = "true"; - DEFAULT_PRIVATE = "private"; - }; - admin = { - - DISABLE_REGULAR_ORG_CREATION = "true"; - USER_DISABLED_FEATURES = "deletion"; - }; - }; - }; - }; -}