ringofstorms/dotfiles
ringofstorms/dotfiles
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

use forgejo in local system config

Browse source
This commit is contained in:
RingOfStorms (Joshua Bell) 2025-10-09 18:36:46 -05:00
parent 58348b3c83
commit af6af71f5c
15 changed files with 65 additions and 317 deletions
Download patch file Download diff file Expand all files Collapse all files

196
common/_containers/forgejo.nix
View file

@ -1,196 +0,0 @@
{
config,
lib,
...
}:
let
name = "forgejo";
hostDataDir = "/var/lib/${name}";
hostAddress = "10.0.0.1";
containerAddress = "10.0.0.2";
hostAddress6 = "fc00::1";
containerAddress6 = "fc00::2";
binds = [
# Postgres data, must use postgres user in container and host
{
host = "${hostDataDir}/postgres";
# Adjust based on container postgres data dir
container = "/var/lib/postgresql/17";
user = "postgres";
uid = config.ids.uids.postgres;
gid = config.ids.gids.postgres;
}
# Postgres backups
{
host = "${hostDataDir}/backups/postgres";
container = "/var/backup/postgresql";
user = "postgres";
uid = config.ids.uids.postgres;
gid = config.ids.gids.postgres;
}
# App data, uses custom user uid
{
host = "${hostDataDir}/data";
container = "/var/lib/forgejo";
user = "forgejo";
uid = 115;
gid = 115;
}
];
uniqueUsers = lib.foldl' (
acc: bind: if lib.lists.any (item: item.user == bind.user) acc then acc else acc ++ [ bind ]
) [ ] binds;
users = {
users = lib.listToAttrs (
lib.map (u: {
name = u.user;
value = {
isSystemUser = true;
name = u.user;
uid = u.uid;
group = u.user;
};
}) uniqueUsers
);
groups = lib.listToAttrs (
lib.map (g: {
name = g.user;
value.gid = g.gid;
}) uniqueUsers
);
};
in
{
# Ensure users exists on host machine with same IDs as container
inherit users;
# Ensure directories exist on host machine
system.activationScripts.createMediaServerDirs = ''
${lib.concatStringsSep "\n" (
lib.map (bind: ''
mkdir -p ${bind.host}
chown -R ${toString bind.user}:${toString bind.gid} ${bind.host}
chmod -R 750 ${bind.host}
'') binds
)}
'';
containers.${name} = {
ephemeral = true;
autoStart = true;
privateNetwork = true;
hostAddress = hostAddress;
localAddress = containerAddress;
hostAddress6 = hostAddress6;
localAddress6 = containerAddress6;
bindMounts = lib.foldl (
acc: bind:
{
"${bind.container}" = {
hostPath = bind.host;
isReadOnly = false;
};
}
// acc
) { } binds;
config =
{ config, pkgs, ... }:
{
system.stateVersion = "24.11";
networking = {
firewall = {
enable = true;
allowedTCPPorts = [
3000
3032
];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
# Ensure users exist on container
inherit users;
services.postgresql = {
enable = true;
package = pkgs.postgresql_17.withJIT;
enableJIT = true;
authentication = ''
local all all trust
host all all 127.0.0.1/8 trust
host all all ::1/128 trust
host all all fc00::1/128 trust
'';
};
# Backup database
services.postgresqlBackup = {
enable = true;
};
services.forgejo = {
enable = true;
dump = {
enable = false;
type = "tar.gz";
};
database = {
type = "postgres";
};
settings = {
DEFAULT = {
APP_NAME = "Josh's Git";
};
server = {
PROTOCOL = "http";
DOMAIN = "git.joshuabell.xyz";
HTTP_ADDR = "0.0.0.0";
HTTP_PORT = 3000;
START_SSH_SERVER = true;
SSH_DOMAIN = "git.joshuabell.xyz";
SSH_LISTEN_HOST = "0.0.0.0";
SSH_LISTEN_PORT = 3032; # actual listen port
SSH_PORT = 3032; # used in UI
BUILTIN_SSH_SERVER_USER = "git";
LANDING_PAGE = "explore";
};
service = {
DISABLE_REGISTRATION = true;
ENABLE_BASIC_AUTHENTICATION = false;
DISABLE_USERS_PAGE = true;
DISABLE_ORGANIZATIONS_PAGE = true;
};
repository = {
# ENABLE_PUSH_CREATE_USER = true;
# ENABLE_PUSH_CREATE_ORG = true;
DISABLE_STARS = true;
DEFAULT_PRIVATE = "private";
};
admin = {
DISABLE_REGULAR_ORG_CREATION = true;
USER_DISABLED_FEATURES = "deletion";
};
other = {
SHOW_FOOTER_POWERED_BY = false;
SHOW_FOOTER_VERSION = false;
SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
};
migrations = {
ALLOWED_DOMAINS = "*.github.com,github.com";
ALLOW_LOCALNETWORKS = true;
};
};
};
};
};
}

7
common/_containers/obsidian_sync.md
View file

@ -1,7 +0,0 @@
docker run \
-e hostname=https://obsidiansync.joshuabell.xyz \
-e database=obsidian_sync \
-e username=obsidian_admin \
-e password=$REPLACE \
docker.io/oleduc/docker-obsidian-livesync-couchdb:master \
deno -A /scripts/generate_setupuri.ts

61
common/_containers/obsidian_sync.nix
View file

@ -1,61 +0,0 @@
{
config,
pkgs,
...
}:
let
cfg = config.services.obsidian_sync;
in
{
options.services.obsidian_sync =
let
lib = pkgs.lib;
in
{
port = lib.mkOption {
type = lib.types.port;
default = 5984;
description = "Port number for Obsidian Sync CouchDB server";
};
dataDir = lib.mkOption {
type = lib.types.path;
default = "/var/lib/obsidian_sync";
description = "Directory to store Obsidian Sync data";
};
serverUrl = lib.mkOption {
type = lib.types.str;
description = "URL of the Obsidian Sync server";
};
dockerEnvFiles = lib.mkOption {
type = lib.types.listOf lib.types.path;
default = [ ];
description = "List of environment files to be used by the Obsidian Sync container. When provided you must supply chouchdb user/password env files they will not be supplied by default.";
};
};
config = {
virtualisation.oci-containers.containers = {
#############
# obsidian_sync #
#############
obsidian_sync = {
user = "root";
image = "docker.io/oleduc/docker-obsidian-livesync-couchdb:master";
ports = [
"${toString cfg.port}:${toString cfg.port}"
];
environment = {
SERVER_URL = cfg.serverUrl;
COUCHDB_DATABASE = "obsidian_sync";
COUCHDB_USER = pkgs.lib.mkIf (cfg.dockerEnvFiles == [ ]) "adminu";
COUCHDB_PASSWORD = pkgs.lib.mkIf (cfg.dockerEnvFiles == [ ]) "Password123";
};
environmentFiles = cfg.dockerEnvFiles;
volumes = [
"${cfg.dataDir}/data:/opt/couchdb/data"
"${cfg.dataDir}/config:/opt/couchdb/etc/local.d"
];
};
};
};
}

3
common/flake.nix
View file

@ -56,9 +56,6 @@
}; };
}; };
}; };
containers = {
forgejo = import ./_containers/forgejo.nix;
};
}; };
homeManagerModules = { homeManagerModules = {
zsh = import ./_home_manager/mods/zsh.nix; zsh = import ./_home_manager/mods/zsh.nix;

30
hosts/h001/containers/default.nix
View file

@ -1,13 +1,9 @@
{ inputs }:
let
common = inputs.common;
in
{ {
... ...
}: }:
{ {
imports = [ imports = [
common.nixosModules.containers.forgejo ./forgejo.nix
./opengist.nix ./opengist.nix
./homarr.nix ./homarr.nix
./zitadel.nix ./zitadel.nix
@ -55,14 +51,7 @@ in
virtualisation.oci-containers.backend = "podman"; virtualisation.oci-containers.backend = "podman";
security.acme.acceptTerms = true;
security.acme.defaults.email = "admin@joshuabell.xyz";
services.nginx = { services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = { virtualHosts = {
"localhost" = { "localhost" = {
locations."/" = { locations."/" = {
@ -70,13 +59,6 @@ in
}; };
}; };
# forgejo http traffic
"git.joshuabell.xyz" = {
locations."/" = {
proxyPass = "http://10.0.0.2:3000";
};
};
"_" = { "_" = {
default = true; default = true;
locations."/" = { locations."/" = {
@ -84,16 +66,6 @@ in
}; };
}; };
}; };
# STREAMS
# Forgejo ssh
streamConfig = ''
server {
listen 3032;
proxy_pass 10.0.0.2:3032;
}
'';
}; };
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [

19
hosts/h001/containers/forgejo.nix
View file

@ -65,6 +65,25 @@ let
}; };
in in
{ {
services.nginx = {
virtualHosts = {
# forgejo http traffic
"git.joshuabell.xyz" = {
locations."/" = {
proxyPass = "http://10.0.0.2:3000";
};
};
};
# STREAMS
# Forgejo ssh
streamConfig = ''
server {
listen 3032;
proxy_pass 10.0.0.2:3032;
}
'';
};
# Ensure users exists on host machine with same IDs as container # Ensure users exists on host machine with same IDs as container
inherit users; inherit users;

2
hosts/h001/containers/opengist.nix
View file

@ -29,6 +29,8 @@ in
''; '';
services.nginx.virtualHosts."gist.joshuabell.xyz" = { services.nginx.virtualHosts."gist.joshuabell.xyz" = {
# enableACME = true;
# forceSSL = true;
locations = { locations = {
"/" = { "/" = {
proxyWebsockets = true; proxyWebsockets = true;

2
hosts/h001/containers/zitadel.nix
View file

@ -68,6 +68,8 @@ in
options = { }; options = { };
config = { config = {
services.nginx.virtualHosts."sso.joshuabell.xyz" = { services.nginx.virtualHosts."sso.joshuabell.xyz" = {
# enableACME = true;
# forceSSL = true;
locations = { locations = {
"/" = { "/" = {
proxyWebsockets = true; proxyWebsockets = true;

2
hosts/h001/flake.nix
View file

@ -43,7 +43,7 @@
./hardware-configuration.nix ./hardware-configuration.nix
./mods ./mods
./nginx.nix ./nginx.nix
(import ./containers { inherit inputs; }) ./containers
( (
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {

2
hosts/h001/mods/n8n.nix
View file

@ -6,6 +6,8 @@
config = { config = {
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"n8n.joshuabell.xyz" = { "n8n.joshuabell.xyz" = {
# enableACME = true;
# forceSSL = true;
locations = { locations = {
"/" = { "/" = {
proxyWebsockets = true; proxyWebsockets = true;

40
hosts/h001/mods/nixarr.nix
View file

@ -47,35 +47,39 @@
services.nginx = { services.nginx = {
virtualHosts = { virtualHosts = {
"jellyfin.joshuabell.xyz" = { "jellyfin.joshuabell.xyz" = {
enableACME = true;
# forceSSL = true;
locations."/" = { locations."/" = {
proxyWebsockets = true; proxyWebsockets = true;
proxyPass = "http://localhost:8096"; proxyPass = "http://localhost:8096";
}; };
}; };
"media.joshuabell.xyz" = { "media.joshuabell.xyz" = {
enableACME = true;
# forceSSL = true;
locations."/" = { locations."/" = {
proxyWebsockets = true; proxyWebsockets = true;
proxyPass = "http://localhost:5055"; proxyPass = "http://localhost:5055";
}; };
}; };
"10.12.14.10" = { # "10.12.14.10" = {
locations."/" = { # locations."/" = {
proxyWebsockets = true; # proxyWebsockets = true;
proxyPass = "http://localhost:8096"; # proxyPass = "http://localhost:8096";
}; # };
}; # };
"jellyfin.h001.local.joshuabell.xyz" = { # "jellyfin.h001.local.joshuabell.xyz" = {
locations."/" = { # locations."/" = {
proxyWebsockets = true; # proxyWebsockets = true;
proxyPass = "http://localhost:8096"; # proxyPass = "http://localhost:8096";
}; # };
}; # };
"media.h001.local.joshuabell.xyz" = { # "media.h001.local.joshuabell.xyz" = {
locations."/" = { # locations."/" = {
proxyWebsockets = true; # proxyWebsockets = true;
proxyPass = "http://localhost:5055"; # proxyPass = "http://localhost:5055";
}; # };
}; # };
}; };
}; };
}; };

6
hosts/h001/mods/oauth2-proxy.nix
View file

@ -45,11 +45,15 @@ in
}; };
services.nginx.virtualHosts."sso-proxy.joshuabell.xyz" = { services.nginx.virtualHosts."sso-proxy.joshuabell.xyz" = {
# enableACME = true;
# forceSSL = true;
locations = { locations = {
"/" = { "/" = {
proxyWebsockets = true; proxyWebsockets = true;
recommendedProxySettings = true;
proxyPass = "http://127.0.0.1:4180"; proxyPass = "http://127.0.0.1:4180";
extraConfig = ''
proxy_set_header X-Forwarded-Proto https;
'';
}; };
}; };
}; };

2
hosts/h001/mods/openwebui.nix
View file

@ -17,6 +17,8 @@ in
options = { }; options = { };
config = { config = {
services.nginx.virtualHosts."chat.joshuabell.xyz" = { services.nginx.virtualHosts."chat.joshuabell.xyz" = {
# enableACME = true;
# forceSSL = true;
locations = { locations = {
"/" = { "/" = {
proxyWebsockets = true; proxyWebsockets = true;

3
hosts/h001/mods/trilium.nix
View file

@ -1,6 +1,5 @@
{ {
inputs, inputs,
lib,
... ...
}: }:
let let
@ -45,6 +44,8 @@ in
}; };
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"notes.joshuabell.xyz" = { "notes.joshuabell.xyz" = {
# enableACME = true;
# forceSSL = true;
locations = { locations = {
"/" = { "/" = {
proxyWebsockets = true; proxyWebsockets = true;

7
hosts/h001/nginx.nix
View file

@ -8,7 +8,14 @@ let
}; };
in in
{ {
security.acme.acceptTerms = true;
security.acme.defaults.email = "admin@joshuabell.xyz";
services.nginx = { services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
clientMaxBodySize = "500m"; clientMaxBodySize = "500m";
virtualHosts = { virtualHosts = {
"10.12.14.10" = { "10.12.14.10" = {