# NixOS module: a self-hosted Forgejo instance plus one Forgejo Actions
# runner (`nixos-deploy`) that is set up to run `nixos-rebuild` on this
# host. `homelab.domain` is supplied by the surrounding flake/module set.
{ lib, pkgs, homelab, ... }:

let
  # Every systemd sandboxing option the upstream runner module turns on,
  # disabled here so that host-scheme jobs can reconfigure the machine.
  # Consequence: any workflow this runner picks up executes as root with no
  # systemd confinement at all, so the effective trust boundary is "who can
  # push a workflow to a repository this runner serves". Keep the runner
  # registered at repository (not instance) scope and protect the branch
  # that triggers the deploy job.
  runnerSandboxOff = {
    NoNewPrivileges = false;
    RestrictSUIDSGID = false;
    PrivateUsers = false;
    PrivateTmp = false;
    PrivateDevices = false;
    ProtectSystem = false;
    ProtectHome = false;
    ProtectKernelTunables = false;
    ProtectKernelModules = false;
    ProtectKernelLogs = false;
    ProtectControlGroups = false;
    RestrictNamespaces = false;
    RestrictRealtime = false;
    LockPersonality = false;
    MemoryDenyWriteExecute = false;
    ProtectProc = "default";
    SystemCallArchitectures = "";
    SystemCallFilter = [ ];
    ReadWritePaths = [ ];
    ReadOnlyPaths = [ ];
    InaccessiblePaths = [ ];
  };
in
{
  services.forgejo = {
    enable = true;
    lfs.enable = true;
    # State lives on the data mount rather than the default under /var/lib.
    stateDir = "/mnt/data/forgejo";
    package = pkgs.forgejo;

    settings = {
      server = {
        # Built-in SSH server on a dedicated port, bound to all interfaces;
        # HTTP is loopback-only. PROTOCOL is plain http while ROOT_URL is
        # https, so a reverse proxy presumably terminates TLS in front of it.
        DISABLE_SSH = false;
        START_SSH_SERVER = true;
        SSH_DOMAIN = "main.dns.${homelab.domain}";
        SSH_LISTEN_HOST = "0.0.0.0";
        SSH_LISTEN_PORT = 5822;
        SSH_PORT = 5822;
        DOMAIN = "git.${homelab.domain}";
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = 5080;
        PROTOCOL = "http";
        ROOT_URL = "https://git.${homelab.domain}";
        LANDING_PAGE = "explore";
      };

      # Accounts are created on first OAuth2 sign-in rather than via the
      # registration form.
      oauth2_client = {
        ENABLE_AUTO_REGISTRATION = true;
      };

      service = {
        # Self-registration is off; OpenID sign-in/sign-up is off; the
        # internal (local password) sign-in stays available.
        DISABLE_REGISTRATION = true;
        ENABLE_OPENID_SIGNIN = false;
        ENABLE_OPENID_SIGNUP = false;
        ENABLE_INTERNAL_SIGNIN = true;
        SHOW_REGISTRATION_BUTTON = false;
        # NOTE(review): upstream documents ALLOW_ONLY_EXTERNAL_REGISTRATION as
        # taking effect only while DISABLE_REGISTRATION is false, so with the
        # setting above it is likely inert -- confirm the intended sign-up path.
        ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
        ALLOW_ONLY_INTERNAL_REGISTRATION = false;
        REQUIRE_EXTERNAL_REGISTRATION_PASSWORD = true;
      };

      user = {
        ENABLE_FOLLOWING = false;
      };

      repository = {
        DISABLE_STARS = true;
        DISABLE_FORKS = true;
        # A push to a not-yet-existing repository under a user's namespace
        # creates it.
        ENABLE_PUSH_CREATE_USER = true;
      };
    };
  };

  services.gitea-actions-runner.instances.nixos-deploy = {
    enable = true;
    name = "nixos-server-runner";
    # The runner reaches the instance via a different hostname than ROOT_URL;
    # presumably an internal proxy route.
    url = "https://git.proxy.${homelab.domain}";
    # Registration token is read from this path at runtime. It is a plain
    # string, not a Nix path literal, so the secret is not copied into the
    # world-readable Nix store.
    tokenFile = "/root/forgejo-token-runner";
    # `self-hosted:host` runs jobs directly on the host (no container).
    labels = [ "self-hosted:host" "docker" ];
    hostPackages = with pkgs; [ bash coreutils git nix ];
  };

  systemd.services."gitea-runner-nixos-deploy" = {
    restartIfChanged = true;
    # The runner service is forced to root and all of the module's
    # hardening (see `runnerSandboxOff`) is overridden.
    serviceConfig = {
      User = lib.mkForce "root";
      Group = lib.mkForce "root";
    } // lib.mapAttrs (_: lib.mkForce) runnerSandboxOff;
  };

  # Passwordless nixos-rebuild for the `gitea-runner` account. With User
  # forced to root above, the runner service itself never needs this rule;
  # it only matters for anything else that runs as `gitea-runner`, so it
  # could be dropped if nothing else does.
  security.sudo.extraRules = [{
    users = [ "gitea-runner" ];
    commands = [{
      command = "/run/current-system/sw/bin/nixos-rebuild";
      options = [ "NOPASSWD" ];
    }];
  }];
}