From 933d7b6994f6e9cfa875abea592125da695993ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felix=20Schr=C3=B6ter?= Date: Fri, 17 Jan 2025 13:58:03 +0100 Subject: [PATCH] feat(home-server): add forgejo admin user --- secrets/forgejo/admin-password.age | 7 +++++++ secrets/secrets.nix | 4 ++++ services/forgejo/default.nix | 26 +++++++++++++++++++++++++- system/server.nix | 8 ++++---- 4 files changed, 40 insertions(+), 5 deletions(-) create mode 100644 secrets/forgejo/admin-password.age diff --git a/secrets/forgejo/admin-password.age b/secrets/forgejo/admin-password.age new file mode 100644 index 0000000..f669e5c --- /dev/null +++ b/secrets/forgejo/admin-password.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 OAZQhA Qs+kBM/8cOSTJ9TsZ4WhcYGyj07RRP//jEXA/LrSeQA +lJ328T6kcUea2pkS/M/GFV7/x7dym7870/7ZlsRHMKU +-> ssh-ed25519 72ij7w fHAFoSMZxmLTyUHlXF3/7uQgx844CBK8WeNtLrq4vBo +P05jEPm+s6nzmoGjZatrL0WT3iY6iQEXqp0kh9mNRfs +--- r5uZPQFW02c8VbgrHSuESjgHm1hHRAT2mtzzbrd2Srs +"{B=.d1eJVzojRJ  ,֜9^"ƓچFgdǛ2eEi@ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index b5254ac..12acea1 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -124,6 +124,10 @@ in felschr home-server ]; + "forgejo/admin-password.age".publicKeys = [ + felschr + home-server + ]; "hass/secrets.age".publicKeys = [ felschr home-server diff --git a/services/forgejo/default.nix b/services/forgejo/default.nix index 45ffc61..eb9cbbf 100644 --- a/services/forgejo/default.nix +++ b/services/forgejo/default.nix @@ -1,10 +1,22 @@ -{ config, pkgs, ... }: +{ + config, + pkgs, + lib, + ... +}: let domain = "git.felschr.com"; sshPort = 2222; + cfg = config.services.forgejo; in { + age.secrets.forgejo-admin-password = { + file = ../../secrets/forgejo/admin-password.age; + owner = cfg.user; + inherit (cfg) group; + }; + services.forgejo = { enable = true; database.type = "postgres"; 
@@ -42,4 +54,16 @@ in ''; locations."/".proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}"; }; + + systemd.services.forgejo.preStart = + let + adminCmd = "${lib.getExe cfg.package} admin user"; + passwordFile = config.age.secrets.forgejo-admin-password.path; + user = "felschr"; + in + '' + ${adminCmd} create --admin --email "root@localhost" --username ${user} --password "$(tr -d '\n' < ${passwordFile})" || true + ## uncomment this line to change an admin user which was already created + # ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${passwordFile})" || true + ''; } diff --git a/system/server.nix b/system/server.nix index c13c713..2d466a8 100644 --- a/system/server.nix +++ b/system/server.nix @@ -15,14 +15,14 @@ table inet allow-incoming-traffic { chain allow-incoming { type filter hook input priority -100; policy accept; - tcp dport {80, 443} meta mark set 0x80000; - udp dport {80, 443} meta mark set 0x80000; + tcp dport {80, 443, 2222} meta mark set 0x80000; + udp dport {80, 443, 2222} meta mark set 0x80000; } chain allow-outgoing { type route hook output priority -100; policy accept; - tcp sport {80, 443} meta mark set 0x80000; - udp sport {80, 443} meta mark set 0x80000; + tcp sport {80, 443, 2222} meta mark set 0x80000; + udp sport {80, 443, 2222} meta mark set 0x80000; } } '';
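Review bot: The `--password "$(tr -d '\n' < ${passwordFile})"` argument on the `create` line (and on the commented `change-password` line) places the decrypted admin password in the argv of the forgejo process, so while that command runs it is readable by any local user through /proc/&lt;pid&gt;/cmdline, which undoes the on-disk protection the age secret gives it. If the Forgejo CLI in use can take the password from a file or stdin, prefer that (check `forgejo admin user create --help` for the installed version); otherwise add a comment acknowledging the exposure, e.g. `# NOTE: the password is briefly visible in the CLI's argv during preStart`. The trailing `|| true` also hides every failure of the create command, not only "user already exists", so an unreadable secret or a database error on first boot leaves no admin user and no log hint; a minimal improvement is `|| echo "forgejo: admin user create skipped or failed (already exists?)" >&2`. Depending on the Forgejo version, `admin user create` may default to forcing a password change at first login (`--must-change-password`), which would turn the password managed here into a one-time value — confirm and pass the flag explicitly. The attribute set this `preStart` belongs to opens outside the hunk.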
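Review bot: The `udp dport {80, 443, 2222}` and `udp sport {80, 443, 2222}` lines add a UDP entry for port 2222, but that port is Forgejo's built-in SSH (`sshPort = 2222` in services/forgejo/default.nix), which is TCP-only, so the udp entries mark traffic no service sends or receives and should stay at `{80, 443}`. What the 0x80000 mark grants to marked flows is defined outside this hunk, so widening the set deserves an inline note in the ruleset, e.g. `# 2222: forgejo built-in ssh (tcp only)`. The nftables string and the Nix attribute that holds it both begin before the hunk.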