fix: inconsistent hostnames

fixes #2
2026-01-11 17:24:24 +00:00 · 2026-01-11 17:24:24 +00:00 · 2637817c9c
commit 2637817c9c
parent f037d1dd80
20 changed files with 8 additions and 12 deletions
--- a/hosts/cl-00-00/system/configuration/default.nix
+++ b/hosts/cl-00-00/system/configuration/default.nix
@ -0,0 +1,27 @@
+{ outputs
+, ...
+}:
+
+let
+  modules = outputs.nixosModules;
+in
+{
+  imports = [
+    modules.shells
+
+    ./sops.nix
+    ./forgejo.nix
+    ./gc.nix
+    ./postgres.nix
+    ./ssh.nix
+    ./traefik.nix
+    ./users.nix
+  ];
+
+  custom = {
+    shells.fish = {
+      enable = true;
+      defaultFor = [ "root" "kurisu" ];
+    };
+  };
+}
--- a/hosts/cl-00-00/system/configuration/forgejo.nix
+++ b/hosts/cl-00-00/system/configuration/forgejo.nix
@ -0,0 +1,90 @@
+{ config
+, lib
+, pkgs
+, ...
+}:
+
+{
+  networking.firewall.allowedTCPPorts = [ 22 ];
+  
+  services.traefik.dynamicConfigOptions.http = {
+    routers.forgejo = {
+      rule = "Host(`git.dokkae.com`)";
+      service = "forgejo";
+      entryPoints = [ "websecure" ];
+      tls = { certResolver = "letsencrypt"; };
+    };
+
+    services.forgejo = {
+      loadBalancer.servers = [
+        { url = "http://localhost:3000"; }
+      ];
+    };
+  };
+
+  services.forgejo = {
+    enable = true;
+    user = "forgejo";
+    group = "forgejo";
+    
+    database = {
+      type = "postgres";
+      host = "/run/postgresql";
+      name = "forgejo";
+      user = "forgejo";
+    };
+
+    lfs.enable = false;
+
+    settings = {
+      server = {
+        DOMAIN = "localhost";
+        PROTOCOL = "http";
+        HTTP_PORT = 3000;
+
+        # Used for web-displayed URL references.
+        ROOT_URL = "https://git.dokkae.com/";
+
+        # SSH Settings
+        SSH_DOMAIN = "ssh.dokkae.com";
+        SSH_PORT = 22;
+        START_SSH_SERVER = false;
+      };
+
+      services = {
+        # Can be temporarily disabled to allow registration of an admin user.
+        # Admin account can manually create new users via web interface.
+        DISABLE_REGISTRATION = true;
+      };
+
+      actions = {
+        ENABLED = true;
+        DEFAULT_ACTIONS_URL = "github";
+      };
+
+      # Optional email server configuration.
+      # Test mails can be sent via: Profile Picture > Site Administration > Configuration >  Mailer Configuration
+      mailer = {
+        ENABLED = true;
+        SMTP_ADDR = "smtp.gmail.com";
+        FROM = "noreply@git.dokkae.com";
+        USER = "finnliry@gmail.com";
+        PROTOCOL = "smtps";
+        SMTP_PORT = 465;
+      };
+    };
+
+    secrets = {
+      mailer.PASSWD = config.sops.secrets."forgejo/mailer/password".path;
+    };
+  };
+
+  systemd.services.forgejo.preStart = let
+    adminCmd = "${lib.getExe config.services.forgejo.package} admin user";
+    pwdPath = config.sops.secrets."forgejo/admin/dokkae.cat/password".path;
+    user = "dokkae.cat";
+  in ''
+    PASSWORD="$(cat "${pwdPath}" | tr -d '\n')"
+    ${adminCmd} create --admin --email "finnliry@gmail.com" --username ${user} --password "$PASSWORD" || true
+  '';
+}
--- a/hosts/cl-00-00/system/configuration/gc.nix
+++ b/hosts/cl-00-00/system/configuration/gc.nix
@ -0,0 +1,13 @@
+{ ...
+}:
+
+{
+  nix.gc = {
+    # Enable automatic garbage collection
+    automatic = true;
+    # Run daily at 03:00 AM
+    dates = "03:00";
+    # Keep only the latest generations (safety net for rollbacks)
+    options = "--delete-older-than 7d";
+  };
+}
--- a/hosts/cl-00-00/system/configuration/postgres.nix
+++ b/hosts/cl-00-00/system/configuration/postgres.nix
@ -0,0 +1,31 @@
+{ pkgs
+, ...
+}:
+
+{
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_18;
+
+    ensureDatabases = [
+      "forgejo"
+    ];
+
+    ensureUsers = [
+      { name = "forgejo"; ensureDBOwnership = true; }
+    ];
+
+    authentication = ''
+      # Socket connections
+      local     forgejo     forgejo                       peer
+
+      # Localhost connections
+      host      forgejo     forgejo     127.0.0.1/32      trust
+      host      forgejo     forgejo     ::1/128           trust
+
+      # Deny everything else
+      host      all         all         0.0.0.0/0         reject
+      host      all         all         ::0/0             reject
+    '';
+  };
+}
--- a/hosts/cl-00-00/system/configuration/sops.nix
+++ b/hosts/cl-00-00/system/configuration/sops.nix
@ -0,0 +1,41 @@
+{ inputs
+, ...
+}:
+
+{
+  imports = [
+    inputs.sops-nix.nixosModules.sops
+  ];
+
+  sops = {
+    defaultSopsFile = ../../secrets/default.yaml;
+    defaultSopsFormat = "yaml";
+
+    gnupg.sshKeyPaths = [ ];
+    age.sshKeyPaths = [
+      "/persist/etc/ssh/ssh_host_ed25519_key"
+    ];
+
+    secrets = {
+      "users/admin/password_hash" = {
+        owner = "admin";
+        neededForUsers =  true;
+      };
+      "users/kurisu/password_hash" = {
+        owner = "kurisu";
+        neededForUsers =  true;
+      };
+
+      "forgejo/admin/dokkae.cat/password" = {
+        owner = "forgejo";
+        group = "forgejo";
+        mode = "400";
+      };
+      "forgejo/mailer/password" = {
+        owner = "forgejo";
+        group = "forgejo";
+        mode = "400";
+      };
+    };
+  };
+}
--- a/hosts/cl-00-00/system/configuration/ssh.nix
+++ b/hosts/cl-00-00/system/configuration/ssh.nix
@ -0,0 +1,13 @@
+{ ...
+}:
+
+{
+  services.openssh = {
+    enable = true;
+
+    settings = {
+      PermitRootLogin = "prohibit-password";
+      PasswordAuthentication = false;
+    };
+  };
+}
--- a/hosts/cl-00-00/system/configuration/traefik.nix
+++ b/hosts/cl-00-00/system/configuration/traefik.nix
@ -0,0 +1,39 @@
+{ ...
+}:
+
+{
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  services.traefik = {
+    enable = true;
+    dataDir = "/var/lib/traefik";
+
+    staticConfigOptions = {
+      global = {
+        checkNewVersion = false;
+        sendAnonymousUsage = false;
+      };
+      
+      entryPoints = {
+        web = {
+          address = ":80";
+          http.redirections.entrypoint = {
+            to = "websecure";
+            scheme = "https";
+          };
+        };
+        websecure.address = ":443";
+      };
+
+      certificatesResolvers = {
+        letsencrypt = {
+          acme = {
+            email = "finnliry+acme-cl-00-00@gmail.com";
+            storage = "/var/lib/traefik/acme.json";
+            httpChallenge = { entryPoint = "web"; };
+          };
+        };
+      };
+    };
+  };
+}
--- a/hosts/cl-00-00/system/configuration/users.nix
+++ b/hosts/cl-00-00/system/configuration/users.nix
@ -0,0 +1,38 @@
+{ config
+, ...
+}:
+
+{
+  users = {
+    mutableUsers = false;
+
+    users = {
+      root = {
+        # Disables password based authentication
+        hashedPassword = "!";
+      };
+
+      admin = {
+        isNormalUser = true;
+        extraGroups = [ "wheel" ];
+
+        hashedPasswordFile = config.sops.secrets."users/admin/password_hash".path;
+
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZa7mIXvsHouMb3I9gq2uQjNZKsMV43bpWc7yX/RH/X finnliry@gmail.com"
+        ];
+      };
+
+      kurisu = {
+        isNormalUser = true;
+        extraGroups = [ "wheel" ];
+
+        hashedPasswordFile = config.sops.secrets."users/kurisu/password_hash".path;
+
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZa7mIXvsHouMb3I9gq2uQjNZKsMV43bpWc7yX/RH/X finnliry@gmail.com"
+        ];
+      };
+    };
+  };
+}