feat(home-server): add forgejo admin user

This commit is contained in:
Felix Schröter 2025-01-17 13:58:03 +01:00
parent e45c34c465
commit 933d7b6994
Signed by: felschr
GPG key ID: 671E39E6744C807D
4 changed files with 40 additions and 5 deletions


@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 OAZQhA Qs+kBM/8cOSTJ9TsZ4WhcYGyj07RRP//jEXA/LrSeQA
lJ328T6kcUea2pkS/M/GFV7/x7dym7870/7ZlsRHMKU
-> ssh-ed25519 72ij7w fHAFoSMZxmLTyUHlXF3/7uQgx844CBK8WeNtLrq4vBo
P05jEPm+s6nzmoGjZatrL0WT3iY6iQEXqp0kh9mNRfs
--- r5uZPQFW02c8VbgrHSuESjgHm1hHRAT2mtzzbrd2Srs
¼{B=.d¯ì1e€ëJVzo<7A>»j‡RJô¾ «ß  ,Öœí9^"Æ“þÐþÚ†ñÔFgdÇ”2eEi@


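--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -124,6 +124,10 @@ in
 felschr
 home-server
 ];
+"forgejo/admin-password.age".publicKeys = [
+felschr
+home-server
+];
 "hass/secrets.age".publicKeys = [
 felschr
 home-server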


@ -1,10 +1,22 @@
{ config, pkgs, ... }: {
config,
pkgs,
lib,
...
}:
let let
domain = "git.felschr.com"; domain = "git.felschr.com";
sshPort = 2222; sshPort = 2222;
cfg = config.services.forgejo;
in in
{ {
age.secrets.forgejo-admin-password = {
file = ../../secrets/forgejo/admin-password.age;
owner = cfg.user;
inherit (cfg) group;
};
services.forgejo = { services.forgejo = {
enable = true; enable = true;
database.type = "postgres"; database.type = "postgres";
@ -42,4 +54,16 @@ in
''; '';
locations."/".proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}"; locations."/".proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
}; };
systemd.services.forgejo.preStart =
let
adminCmd = "${lib.getExe cfg.package} admin user";
passwordFile = config.age.secrets.forgejo-admin-password.path;
user = "felschr";
in
''
${adminCmd} create --admin --email "root@localhost" --username ${user} --password "$(tr -d '\n' < ${passwordFile})" || true
## uncomment this line to change an admin user which was already created
# ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${passwordFile})" || true
'';
} }
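Review bot: The preStart script at the end of the second hunk passes the admin password as a command-line argument (`--password "$(tr -d '\n' < ${passwordFile})"`), so it is visible to every local process via the process list for as long as the create command runs, and because preStart runs on every service start that exposure repeats on each restart rather than once. The trailing `|| true` also hides genuine failures (an unreadable `passwordFile`, a crashing binary) together with the expected "user already exists" case, so a broken setup would go unnoticed in the journal. The Forgejo CLI does not appear to offer a file or stdin alternative for `--password` (to be confirmed against the packaged version), so the practical mitigation is to run the create command only on first start, guarded by a marker in `cfg.stateDir` (assuming preStart runs with write access there, as the module's service user), and let a real failure surface. The same point applies to the commented-out `change-password` line.
```nix
systemd.services.forgejo.preStart =
  let
    adminCmd = "${lib.getExe cfg.package} admin user";
    passwordFile = config.age.secrets.forgejo-admin-password.path;
    user = "felschr";
    # one-shot marker so the password is not re-exposed on every start
    marker = "${cfg.stateDir}/.admin-user-${user}-created";
  in
  ''
    if [ ! -e ${marker} ]; then
      ${adminCmd} create --admin --email "root@localhost" --username ${user} \
        --password "$(tr -d '\n' < ${passwordFile})" \
        && touch ${marker}
    fi
  '';
```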


@ -15,14 +15,14 @@
table inet allow-incoming-traffic { table inet allow-incoming-traffic {
chain allow-incoming { chain allow-incoming {
type filter hook input priority -100; policy accept; type filter hook input priority -100; policy accept;
tcp dport {80, 443} meta mark set 0x80000; tcp dport {80, 443, 2222} meta mark set 0x80000;
udp dport {80, 443} meta mark set 0x80000; udp dport {80, 443, 2222} meta mark set 0x80000;
} }
chain allow-outgoing { chain allow-outgoing {
type route hook output priority -100; policy accept; type route hook output priority -100; policy accept;
tcp sport {80, 443} meta mark set 0x80000; tcp sport {80, 443, 2222} meta mark set 0x80000;
udp sport {80, 443} meta mark set 0x80000; udp sport {80, 443, 2222} meta mark set 0x80000;
} }
} }
''; '';
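Review bot: Port 2222 is added to the UDP sets as well as the TCP sets (`udp dport {80, 443, 2222}` and `udp sport {80, 443, 2222}`), but Forgejo's built-in SSH server is TCP-only, so the UDP entries match nothing that listens and only widen the marked traffic; keep 2222 in the two `tcp` rules only. The port is also hard-coded here while the Forgejo module in this commit defines `sshPort = 2222`; since the ruleset is a Nix string, interpolating the option `sshPort` is wired to (presumably `config.services.forgejo.settings.server.SSH_PORT`, not visible in this commit) via `${toString …}` would keep the two files in step. The nftables ruleset string and its enclosing attribute begin outside the hunk.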